At Blackhat Conference 2016, researchers from NCR corporation demonstrated that Chip and Pin Credit and Debit cards could be hacked and the user data can be extracted from the chip inside the card. This hack comes as a blow to these cards which are considered highly secure and safe for financial transactions.
Chip Cards are also known as EMV standing for EuroPay, Mastercard and Visa because these three companies are responsible for developing and standardising Chip technology in cards. These cards are considered highly secure as compared to the old magnetic stripes based “Swipe and Signature” cards and have gradually replaced them in the market. Researchers Nir Valtman and Patrick Watson demonstrating how they could capture Track 2 data and bypass chip and pin protections.
They used a Point of Sale (POS) device with an integrated PIN pad which was connected to a Raspberry Pi 3 Microcomputer. The crux of the entire hack was based on attacking the built-in security system and not the operating system of POI or POS devices. This included the attack on the integrated cryptographic security schemes. With this system, they were able to capture the full name of the card owner, the card’s expiration date, and the account number. The only thing missing was the CVV2, and the user’s PIN. The duo also showed how, by simply changing a single digit, an attacker could trick POS devices into detecting an EMV transaction as a swipe card transaction, making attacks much easier.
For stealing the CVV2 and the PIN, they resorted to social engineering. Just before the Pin Pad send out the victim information, the team used an API built in the payment system to inject their own call to the Pin pad and prompt a screen asking for security code. As and when the victim enters the security code, the Raspberry Pi grabs it. The rest of the transaction is not affected at all. For capturing the PIN, the duo created an error message that appears immediately after POS device’s legitimate prompt for the PIN. The prompt informs the card owner that there was a problem and they must re-enter the pin. It works because the victim have full faith in the PIN pad.
The conclusion of the act was that if someone can take control of the information flowing from an external PIN pad, then that person can present a duplicate card with altered Track 2 data telling the POS system that the PIN pad has received a card that doesn’t have a chip in it, even if it does.