How Criminals Cracked EMVResearchers Describe How Fraudsters Developed Fake Cards to Steal $680,000
European criminals cannibalized stolen EMV cards, combining clipped smartcard chips with miniature microprocessors to construct fake payment cards that defeated point-of-sale security checks, enabling them to commit as much as 600,000 euros ($680,000) in fraud.
While that fraud occurred in 2011 and attack countermeasures were thereafter put in place by the card industry, details of the EMV-defeating fraud spree have only now come to light in a newly released research paper. The report, "When Organized Crime Applies Academic Results: A Forensic Analysis of an In-Card Listening Device," was published by four researchers from the computer science department at the EÌcole Normale SupeÌrieure in Paris and the Centre MicroeÌlectronique de Provence in the south of France.
Their discoveries are further proof that, from a security standpoint, despite what card issuers might claim, the EMV protocol is not foolproof, says University of Surrey computer science professor Alan Woodward. "This particular attack no longer works as it was 'fixed,' but I have to say experience shows that where there is one [attack], there will be others."
As the U.S. EMV migration continues, one benefit often touted by card issuers is that EMV chips cannot be counterfeited. And some analysts predict that the U.S. card industry will soon attempt to redefine consumer protection laws so that issuers are no longer liable for card-present fraud because the chips cannot be counterfeited. But Ross Anderson, a professor of security engineering at the University of Cambridge, says the French report is just the latest research to demonstrate how EMV protections can be bypassed by criminals to commit card-present fraud (see Gartner's Litan Warns of EMV Fraud Risks).
How French Police Busted Gang
In the case of the European fraud campaign, the French Ministry of Justice commissioned the four researchers - Houda Ferradi, ReÌmi GeÌraud, David Naccache and Assia Tria - to conduct a forensic analysis of the attacks after France's Cartes Bancaires national interbank network noticed in May 2011 that a dozen stolen EMV credit cards were being used to commit fraud in Belgium, which triggered a related police investigation.
The researchers say that police were able to quickly identify and arrest suspects after obtaining a list of the date, time and place where each fraudulent transaction occurred from Cartes Bancaires. Police then cross-referenced this information with records from mobile-phone network providers showing which unique ISMI - International Mobile Subscriber Identity - codes of SIM cards were present at the same time and location as when the thefts took place.
"A 25-year-old woman was subsequently identified and arrested while carrying a large number of cigarette packs and scratch games," the researchers say. "Such larceny was the fraudsters' main target, as they resold these goods on the black market." Police then arrested four more people - including a man who later admitted to engineering the fake cards - and recovered 25 stolen cards, 40 modified cards, specialized software that was used to make fake cards as well as about 5,000 euros ($5,700) in cash.
Before they were arrested, the gang successfully executed 7,000 transactions, netting them up to 600,000 euros ($680,000) in fraudulent proceeds, the researchers say.
As part of their forensic analysis of the fake cards, the researchers say they had to rely in large part on X-ray chip imaging and microscopic optical inspections to identify the engineering and miniaturization techniques at work. Based on that analysis, however, the French researchers report that the gang appeared to have gleaned their attack techniques from the 2010 "Chip and PIN is Broken" paper published by University of Cambridge computer science researchers Steven J. Murdoch, Saar Drimer, Ross Anderson and Mike Bond. In that paper, they warned that the EMV protocol that had been deployed in the field was broken. They described and demonstrated "a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card's PIN, and to remain undetected even when the merchant has an online connection to the banking network."
Such an attack would use genuine parts of an EMV chip to handle the transaction, while employing a separate chip - either miniaturized and implanted inside the same card, or perhaps connected by wires to a microprocessor hidden up a fraudster's sleeve - to execute the man-in-the-middle attack that subverted the cardholder-authorization process.
The French researchers found that the fraudsters behind the 2011 campaign built fake cards that combined a legitimate EMV chip - which was used to authorize a transaction - with a module from a hobbyist device known as a Funcard, which was programmed to tell a POS device that any PIN code the attacker entered was correct. "These forgeries are remarkable in that they embed two chips wired top-to-tail," the French researchers say. "The first chip is clipped from a genuine stolen card. The second chip plays the role of the man-in-the-middle and communicates directly with the point of sale terminal. The entire assembly is embedded in the plastic body of yet another stolen card."
Did Crooks Copy Academics?
Anderson, the security engineering researcher at the University of Cambridge whose work the French researchers cited, says he's well aware of the findings. "I knew of the French work three years ago, as the prosecution expert talked to me privately," he tells Information Security Media Group. "I asked him to publish what he could when he could, which he's now done."
But Anderson questions whether these criminals learned from his group's research, noting that related exploits predated the 2010 paper. "The impression I got at the time was that the French crooks developed this attack independently of us," he says. "In fact, we did our own research because we got persistent reports from credible witnesses that they'd had EMV cards stolen and used in stores in circumstances where the PIN could not have been compromised, yet their banks claimed it must have been and refused a refund. That's what drove us to look hard at the protocol."
Regardless of whether criminals learned from academic research, University of Surrey's Woodward says such research remains crucial for finding EMV flaws so they can be fixed. "If you go back to the original work that Ross et al did, it was only because of his persistence - in the face of banks saying [EMV] was foolproof - that we found that there were some issues," he says.
Improving the EMV Protocol
Indeed, the French researchers report in their paper that after conducting a forensic analysis of the fake EMV cards, Cartes Bancaires added a new Combined Data Authentication mode for verifying transactions as well as network-level countermeasures, to block copycat attacks. "In addition, four other software-updatable countermeasures were developed and tested, but never deployed," they say. "These were left for future fraud control, if necessary."
One takeaway, the French researchers say, is that for EMV to remain secure, "an unmalleable cryptographic secure channel must always exist between cards and readers."
But man-in-the-middle attacks that might defeat this channel - such as those used by the French gang - are quite difficult to detect, Woodward says. "The reason man-in-the-middle attacks are so effective is that you might think you have just such an encrypted link but it has been subverted by the crooks. In many ways, the strength of the encryption is irrelevant as what you do is construct a scenario where there is no encryption," he says. "You can fool people quite easily, and systems for that matter, if the default is not checked, and you simply assume everything is fine unless a warning appears."
No Current Attacks Spotted
Woodward, who's a cybersecurity adviser to Europol - the association of European police agencies - says he's not aware of any new EMV-defeating attacks in the wild. "But the problem is there is always a lag between them being developed and showing up in crimes," he says.
Furthermore, such attacks don't tend to be discovered until enough cardholders report related fraud cases, and that takes time. "After all, if they showed up easily, this [French] crew wouldn't have walked off with hundreds of thousands of dollars," he says. "It's one of the many reason I always say people should report fraud [to police], even if they get the money back. Only with enough data can you spot trends and detect that a crime is sometimes occurring."