3

Reading a security blog I found an article about an EMV skimmer designed to be inserted into the ATM's chip card slot.

EMV skimmer

What info does this device actually capture? As far as I know there's definitely not enough info on an EMV card to perform an offline transaction (the CVV2 used by online transactions isn't even known by the chip), and EMV cards can't be copied, so it's not possible for them to clone a card either.

Any ideas?

André Borie
  • I believe the EMV chip contains the track 1 and 2 data, so it could read cardholder name, PAN and expiry dates. Probably enough to encode the mag stripes on a clone card. – iainpb Jun 08 '17 at 15:15

3 Answers

4

The article itself addresses this:

Banks can run a simple check to see if any card inserted into an ATM is a counterfeit magnetic stripe card that is encoded with data stolen from a chip card. But there may be some instances in which banks are doing this checking incorrectly or not at all during some periods, and experts say the thieves have figured out which ATMs will accept magnetic stripe cards that are cloned from chip cards.

“This suggests to me that the thieves plan to target an issuer where they know the CVV is not going to be checked,” said Charlie Harrow, solutions manager for global security at NCR, an ATM manufacturer.

My guess is that they're specifically capturing tag 57 (Track 2 equivalent data). As the article says, this is not the same data that's encoded on the magstripe, but it does have the same account number. If they have managed to figure out when an ATM is operating in offline mode (where it doesn't immediately check with the bank), this information is good enough to make a withdrawal - although it'll be detected as soon as the ATM goes back online and reports it.

Bobson
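The "simple check" the quoted article refers to, shown as an added example (not code from the question, the answers or the article). It parses a tag 57 (Track 2 Equivalent Data) TLV as an issuer would, then classifies a swiped stripe by whether its card verification value matches the stripe's own CVV1 or the chip's iCVV; the card data, the issuer's stored values and the position of the CVV inside the discretionary data are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def parse_tag57(tlv_hex: str) -> Track2:
    """Parse one '57 LL value' TLV (Track 2 Equivalent Data, EMV Book 3)."""
    tlv = tlv_hex.replace(" ", "").upper()
    if not tlv.startswith("57"):
        raise ValueError("expected tag 57")
    length = int(tlv[2:4], 16)
    value = tlv[4:4 + 2 * length]
    if len(value) != 2 * length:
        raise ValueError("truncated value")
    digits = value.rstrip("F")  # a trailing 'F' nibble is padding only
    pan, sep, rest = digits.partition("D")  # 'D' is the field separator
    if not sep or not pan.isdigit() or not 1 <= len(pan) <= 19:
        raise ValueError("bad PAN or missing separator")
    if len(rest) < 7 or not rest.isdigit():
        raise ValueError("expiry or service code missing")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


def classify_swipe(stripe: Track2, issuer_cvv1: str, issuer_icvv: str) -> str:
    """Issuer-side check of a swiped transaction (hypothetical layout: the
    3-digit CVV is the tail of the discretionary data). A stripe written from
    chip data carries the chip's iCVV rather than the stripe's CVV1."""
    cvv = stripe.discretionary[-3:]
    if cvv == issuer_cvv1:
        return "genuine-stripe"
    if cvv == issuer_icvv:
        return "cloned-from-chip"
    return "invalid-cvv"


# Constructed test data: the chip's tag 57 and the issuer's stored values.
CHIP_TAG57 = "57 11 5413330089604111D2512201123456789F"
ISSUER_CVV1, ISSUER_ICVV = "417", "789"


def demo() -> tuple:
    chip = parse_tag57(CHIP_TAG57)
    # A stripe encoded straight from tag 57 keeps the chip's discretionary data.
    cloned = classify_swipe(chip, ISSUER_CVV1, ISSUER_ICVV)
    real = Track2(chip.pan, chip.expiry_yymm, "101", "123456417")  # constructed
    return cloned, classify_swipe(real, ISSUER_CVV1, ISSUER_ICVV)
```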
0

It's very similar to a "man in the middle" device. Probably they tried to copy data from an old SDA-only card or relied on some errors of a bank they knew. On the other hand, a more complex "pre-play attack" is possible.

http://ieeexplore.ieee.org/document/6956556/?reload=true

-2

One of the verification methods supported by chip cards is "Offline with PIN", in which the PIN is transmitted to the card, potentially in plaintext. Thus, a skimmer like this can not only read the cardholder data from the chip, but it can also intercept the PIN in that particular situation.

This is enough data to encode a new magstripe card without the magstripe CVV, and for some reason some issuers do not check this CVV. Once you've captured the user's PIN you can then use this new card and the user's PIN in a terminal which does not support chip authentication and which does not check the magstripe CVV.

What's the point? With older magstripe cards the PIN is never transmitted to the card, so skimming a user's PIN requires a magstripe skimmer in addition to a hidden camera to watch users enter their PIN numbers. This actually seems like an easier way to skim PIN numbers than the previous approach.

https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/

https://en.wikipedia.org/wiki/EMV#Vulnerabilities

Slightly more technical references: (CTRL-F for "Offline PIN")

http://www.emv-connection.com/emv-faq/

http://tsys.com/Assets/TSYS/downloads/br_faq-on-pins-and-signature-in-the-context-of-chip.pdf

David
  • As far as I know ATMs use Online PIN only. – Alexander Vgn Jun 09 '17 at 09:10
  • The Track 2 data stored in the chip is different from that which gets encoded on the magstripe. So you can't make a swipeable clone from chip data. – Bobson Jun 09 '17 at 11:27
  • @Bobson There *is* enough data to create a swipeable clone, especially in the presence of other software flaws that allow you to circumvent security features. https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/ – David Jun 09 '17 at 15:59
  • No sane security will transfer PIN over the card. – mootmoot Jun 09 '17 at 16:23
  • @David - From the article you linked: "The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction," which is something outside the control of the attacker. So the clone will only work against a bank that *allows* itself to be hacked, or in an offline scenario... and in the latter, it doesn't matter whether the track data is valid to begin with. – Bobson Jun 09 '17 at 16:48
  • @mootmoot Offline PIN validation via plain text transfer to the card is a supported form of cardholder validation in the standard. The transaction process is broken down into three steps: card authentication, cardholder authentication, and then transaction authentication. "Offline PIN" is a method to verify the cardholder is actually the genuine cardholder. In this scenario the PIN entered at a POS terminal is compared to the PIN stored on the card itself. The standard also supports dynamically enciphered PINs for offline cardholder verification. The tradeoff is system cost vs. rate of fraud. – David Jun 10 '17 at 01:37
  • @mootmoot The following paper discusses all the options available in the standard, see page 18 for a table: https://www.securetechalliance.org/resources/pdf/Payments_Roadmap_in_the_US_020111.pdf – David Jun 10 '17 at 01:39
  • @Bobson That's what I meant by "software flaws that allow you to circumvent security features". I'm not sure what point you're trying to make - the skimmer from the question still allows you to gather all of the data from a card (and something like it could potentially gather all of the magstripe data as well). This lets you fake a magstripe card, or it lets you fake a card-not-present (internet) transaction, etc. – David Jun 10 '17 at 01:44
  • @AlexanderVgn ATMs do only support online card authentication and cardholder verification, but many point of sale terminals permit offline versions. – David Jun 10 '17 at 01:49
  • @David - The point I'm trying to make is that there's no software *flaw*. Accepting transactions without contacting the issuing bank's system directly is a deliberate choice by the bank that runs the ATM, choosing convenience over security. Having this happen on a known, predictable schedule is a *security* flaw, but in the bank's policies - it's not a software flaw that can be exploited at will. ..... – Bobson Jun 11 '17 at 02:48
  • And while you're completely right that a thing like this could also include a magstripe reader, without it all you get is the account number and expiration date, not enough to usefully duplicate the card or use it anywhere that asks for the CVV off the back. Which, again, is the *merchant's* choice between convenience and security that can be taken advantage of, not a flaw. – Bobson Jun 11 '17 at 02:51