Carding: how commercial equipment is hacked

Tomcat

Carding has been around for many years and has become increasingly sophisticated over time. Even with a serious approach to the cybersecurity of POS systems, which in itself is very rare, retail equipment remains vulnerable to carders [11].

The material is intended for a prepared reader: qualified “red team” specialists. You should not use the techniques described here without proper authority. Carding is a serious crime.

EMV Banking Smart Card Fiasco

More and more criminals are getting into carding and joining the ranks of the high-tech underground mafia. They include not only tech-savvy experts but also green technical novices. The latter find their way into the underground carding ecosystem thanks to FaaS (fraud-as-a-service) marketing programs [15].

EMV smart cards replaced magnetic-stripe (MSR) cards in order to make carders' lives at least somewhat harder. EMV cards store information on a chip in encrypted form, which in theory should complicate skimming. In addition, smart cards are believed to be harder to clone, since quietly replacing the chip on the front of the card is problematic. In practice, however, smart cards turned out to be susceptible to the same vulnerabilities as their magnetic predecessors, and on an even wider scale [15].

Key disadvantages of EMV smart cards:
  • the ability to downgrade from the improved authorization protocol to an older, more vulnerable one [24];
  • lack of protection against relay attack [35];
  • lack of protection against MITM attacks with bypass of PIN code authorization for contact (see Fig. 1) [31] and contactless [20] payments;
  • predictable random number generators [13];
  • transmission of confidential data in clear text [14].

Figure 1. MITM attack on EMV cards


As a result, we can see that the “more secure” POI readers working on the EMV protocol have simply become another round in the “cat and mouse” game, where the mouse always stays one step ahead. Carders are in constant search of easy money, and therefore look for (and always find) current vulnerabilities in retail equipment [15].

EMV smart cards were developed as a more secure alternative to MSR magnetic cards. However, practice has shown that the arrival of EMV only added security problems, and thus this technology was a complete fiasco [13]. For example, [11, 13] describe a technique for compromising a secure POS system that supports advanced EMV smart cards, through widespread vulnerabilities in the POI reader (an integral component of any POS system). These vulnerabilities allow an attacker to make transactions with a stolen bank card without even knowing its PIN code, bypassing EMV protection.

[13] presents many fascinating attacks on EMV smart cards. Among them is a compromise of the part of the EMV protocol designed to prevent the same transaction from being carried out twice. The secure transaction algorithm of the EMV protocol uses random numbers in its calculations, and generating them is the POS system's responsibility. However, the random number generator in a POS system is usually replaced by an ordinary counter. An attacker can therefore predict all the “random” numbers generated by the POS system and thus bypass the mechanism “preventing the same transaction from happening again.” This gives the attacker the opportunity to perform a “relay attack,” the high-tech equivalent of “old-fashioned” magnetic bank card cloning.
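As an added defender-side example (not code from the article or any terminal vendor), the check below flags when a terminal's “unpredictable numbers” behave like the counter described above. It assumes a sample of 4-byte UNs (EMV tag 9F37) pulled from the terminal's transaction log; the function names and sample values are constructed.

```python
"""Heuristic check for predictable EMV terminal 'unpredictable numbers' (UNs).
Added example, not from the article or any vendor. Assumes 4-byte UNs (EMV tag
9F37) read from a terminal transaction log; helper names and samples are constructed."""

MIN_SAMPLES = 8  # fewer samples make the byte-position test unreliable


def parse_un(hex_un: str) -> int:
    """Parse an 8-hex-digit UN into an unsigned 32-bit integer."""
    val = int(hex_un, 16)
    if not 0 <= val <= 0xFFFFFFFF:
        raise ValueError(f"UN out of 32-bit range: {hex_un}")
    return val


def constant_step(vals):
    """Fixed increment (mod 2**32) between consecutive UNs, or None if the
    differences vary. A plain counter yields a step of 1."""
    steps = {(b - a) % (1 << 32) for a, b in zip(vals, vals[1:])}
    return steps.pop() if len(steps) == 1 else None


def fixed_byte_positions(vals):
    """Byte positions (0 = most significant) that never change across the
    sample, e.g. the high bytes of a slowly advancing counter."""
    return [pos for pos in range(4)
            if len({(v >> (8 * (3 - pos))) & 0xFF for v in vals}) == 1]


def assess_uns(hex_uns, min_samples=MIN_SAMPLES):
    """Classify a UN sample as 'counter', 'fixed-bytes', 'monotonic' or 'ok'.
    Raises ValueError when the sample is too small to judge."""
    if len(hex_uns) < min_samples:
        raise ValueError(f"need at least {min_samples} UNs, got {len(hex_uns)}")
    vals = [parse_un(h) for h in hex_uns]
    if constant_step(vals) is not None:
        return "counter"  # every UN is predictable from the previous one
    if fixed_byte_positions(vals):
        return "fixed-bytes"  # part of the UN is effectively constant
    if all(a < b for a, b in zip(vals, vals[1:])):
        return "monotonic"  # time- or counter-derived, just not a fixed step
    return "ok"


# Constructed samples: a counter-based terminal versus one that looks random.
COUNTER_UNS = [f"{0x00000100 + i:08X}" for i in range(8)]
RANDOM_LIKE_UNS = ["3A7F12C4", "9B04E6D1", "5CD8A33F", "E2196B08",
                   "17A5F09E", "C46E27B3", "6F3B9D55", "8D52C47A"]
```

Any verdict other than "ok" means the terminal's UN source should be examined before it is trusted to make transaction cryptograms non-replayable.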

These and other attacks on secure POS systems supporting EMV smart cards demonstrate that all their fancy electronic tamper protection is completely inadequate [13].

Read the entire article in the magazine “System Administrator”, No. 12, 2017 on pages 28-36.

A PDF version of this issue can be purchased in our store.

  1. Slava Gomzin. Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions. 2014.
  2. Dan Rosenberg. Reflections on trusting TrustZone // Black Hat. 2014.
  3. Jaehyuk Lee, Jinsoo Jang. Hacking in Darkness: Return-oriented Programming against Secure Enclaves // Proceedings of the 26th USENIX Security Symposium. 2017. pp. 523-539.
  4. Jo Van Bulck. Telling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution // Proceedings of the 26th USENIX Security Symposium. 2017. pp. 1041-1056.
  5. Darren Pauli. World's most complex cash register malware plunders millions in US // 2015. URL: https://www.theregister.co.uk/2015/11/24/modpos_point_of_sale_malware/ (accessed August 31, 2017).
  6. VISA security alert. “Kuhook” point of sale malware // 2015. URL: http://busfin.colostate.edu/Forms/Merchant_Svcs/Alert_KuhookPOS.pdf (accessed August 31, 2017).
  7. Alex Hern. Ransomware attack 'not designed to make money', researchers claim // 2017. URL: https://www.theguardian.com/technology/2017/jun/28/notpetya-ransomware-attack-ukraine-russia (accessed August 31, 2017).
  8. Cybersecurity needs attention // 2017. URL: https://www.malwarebytes.com/pdf/white-papers/cybersecurity_needs_attention.pdf (accessed August 31, 2017).
  9. Stacy Collett. Credit card fraud: What you need to know now // 2017. URL: https://www.csoonline.com/article/3...espionage/credit-card-fraud-what-you-need-to-know-now.html (accessed September 7, 2017).
  10. Wu Zhou, Yajin Zhou. Detecting repackaged smartphone applications in third-party android marketplaces // Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy. 2012. pp. 317-326.
  11. Nir Valtman, Patrick Watson. Breaking payment Points of Interaction (POI) // Black Hat. 2016.
  12. Alexandrea Mellen, John Moore. Mobile Point of Scam: attacking the Square Reader // Black Hat. 2015.
  13. Ross Anderson. How smartcard payment systems fail // Black Hat. 2014.
  14. Lucas Zaichkowsky. Point of Sale system architecture and security // Black Hat. 2014.
  15. Abhinav Singh. The underground ecosystem of credit card frauds // Black Hat. 2015.
  16. Doomed Point of Sale Systems // DEFCON. 2017.
  17. Xiaolong Bai. Picking Up My Tab: Understanding and Mitigating Synchronized Token Lifting and Spending in Mobile Payment // Proceedings of the 26th USENIX Security Symposium. 2017. pp. 593-608.
  18. WesLee Frisby. Security Analysis of Smartphone Point-of-Sale Systems // Proceedings of the 6th USENIX Workshop on Offensive Technologies. 2012. pp. 22-33.
  19. E. Haselsteiner, K. Breitfuss. Security in Near Field Communication (NFC) – Strengths and Weaknesses // Proceedings of the Workshop on RFID Security. 2006.
  20. Haoqi Shan. Man in the NFC: Build a NFC proxy tool from sketch // DEFCON. 2017.
  21. Weston Hecker. Hacking next-gen ATMs: from capture to cashout // Black Hat. 2016.
  22. Peter Fillmore. Crash & pay: how to own and clone contactless payment devices // Black Hat. 2015.
  23. J. H. Conway. On Numbers and Games. Academic Press, 1976.
  24. Ross Anderson. Chip and spin // Computer Security Journal. 22(2), 2006. pp. 1-6.
  25. G. P. Hancke. A Practical Relay Attack on ISO 14443 Proximity Cards // 2005. URL: http://www.rfidblog.org.uk/hancke-rfidrelay.pdf (accessed September 6, 2017).
  26. Jonathan Zdziarski. The Dark Art of iOS Application Hacking // Black Hat. 2012.
  27. L. Francis, G. P. Hancke, K. E. Mayes. On the security issues of NFC enabled mobile phones // International Journal of Internet Technology and Secured Transactions. 2(3/4), 2010. pp. 336-356.
  28. Nils, Jon Butler. Mission mPOSsible // Black Hat. 2014.
  29. Nils, Rafael Dominguez Vega. PinPadPwn // Black Hat. 2012.
  30. L. Francis, G. P. Hancke, K. E. Mayes. Practical NFC Peer-to-Peer Relay Attack Using Mobile Phones // Radio Frequency Identification: Security and Privacy Issues. vol. 6370, 2010. pp. 35-49.
  31. S. J. Murdoch. Chip and PIN is Broken // Proceedings of the IEEE Symposium on Security and Privacy. 2010. pp. 433-446.
  32. Chip and Skim: cloning EMV cards with the pre-play attack // Computing Research Repository (CoRR), arXiv:1209.2531 [cs.CY], Sept. 2012.
  33. Michael Roland, Josef Langer. Cloning Credit Cards: A Combined Pre-play and Downgrade Attack on EMV Contactless // Proceedings of the 7th USENIX Workshop on Offensive Technologies. 2013.
  34. Charlie Miller. Don't stand so close to me: an analysis of the NFC attack surface // Black Hat. 2012.
  35. Saar Drimer, Steven J. Murdoch. Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks // Proceedings of the 16th USENIX Security Symposium. 2007. pp. 87-102.
  36. Timur Yunusov. The Future of ApplePwn – How to Save Your Money // Black Hat. 2017.
  37. A. A. Karev. Side-channel cache attacks // “Hacker”, No. 222, 2017.
  38. A. A. Karev. Dirty secrets of cyber defenders // “System Administrator”, No. 7-8, 2017. pp. 50-55. URL: http://samag.ru/archive/article/3471.

(c) https://samag.ru/archive/article/3557