HOW TO COPY A CREDIT CARD CHIP

CarderPlanet

Bank card cloning is one of the most common methods of fraud in this area. It allows attackers not only to make one-time unauthorized transactions or steal personal data, but also to create an exact copy of the card, suitable for multiple payments. Therefore, everyone should know how to protect themselves from it. Moreover, as technology develops, this method of fraud is becoming more and more accessible.

A plastic card, depending on its type and the bank that issued it, has from one to three elements where payment details are stored: a magnetic stripe, an EMV chip and an RFID module. The first two are used for contact payments, and the last for contactless payments. The least secure cards are those with only a magnetic stripe, from which it is easy to read data. The most secure models have all three elements (including a weakly protected magnetic stripe).

ATMs and POS terminals work in different ways. Many modern models do not use the magnetic stripe if they detect an EMV chip on the card. This module is similar to a SIM card and resembles it in functionality. It serves as an additional layer of protection for cashless payment instruments. Data is usually not written to this chip; instead, it generates the correct response to the terminal's request.
While an EMV chip is difficult to counterfeit and an RFID module almost impossible, it is quite simple to read information from a magnetic stripe using special devices. The stripe can be cloned, and the fraudster will end up with a card (a full copy of yours) that can be used to pay in stores. However, there is a problem with the PIN code, which is no longer recorded on the magnetic track. An attacker can use other tricks to find it out, for example a call to the owner while posing as a bank employee. As for technical means, overlays on the ATM keypad or mini-cameras are often used to capture the PIN as it is entered. The danger is that, according to Russian law, if an attacker made a transaction with the PIN entered, it would be simply impossible to prove the fact of fraud.

Currently, there are many devices and programs that can read and copy data from a card. But this is only possible if the attacker gets the card directly into their hands and the owner neither notices nor has time to block it. For covert reading of information, a whole set of equipment is used, which is installed on ATMs and payment terminals:
  • A skimmer: an overlay that is attached to the ATM card reader and reads information from the magnetic stripe of the card.
  • A miniature camera mounted on or near an ATM (to monitor the entered PIN code).
  • Keyboard overlay (also used to read the PIN).
  • A transmitter that sends scanned data to attackers via a mobile network or Wi-Fi.

What to look for
Sometimes, instead of a transmitter, a miniature storage medium is used, on which the data is recorded. But this is not very convenient, since it requires additional actions from the attackers to remove the flash memory or read the information.
The skimmer and keypad overlay look like an exact replica of the card reader and the ATM keypad itself. They are attached with double-sided tape, so it is almost impossible to notice their presence. There are also miniature skimmers that allow copying if the victim's card is in the hands of the attacker.

You can avoid copying and not become a victim of fraudsters if you are careful and attentive when using the card. It is enough to remember and strictly follow a few simple rules:
  • Do not give your bank card to sellers, waiters, service personnel and do not leave it unattended.
  • Use proven ATMs and terminals that are installed in bank branches, 24-hour supermarkets and shops.
  • Inspect the ATM carefully before using it. Differences in color between adjacent elements, gaps and cracks, play in the card reader or keypad, etc. should arouse suspicion.
To protect cards from copying, many modern ATMs have special mechanisms, for example a transparent card reader in which a foreign device is easy to see. And to protect the card from being read over the air, special cases, wallets and cardholders are used.
There are two types of bank cards - the older ones, with a magnetic stripe, and the newer and more secure ones, with a chip. New technologies in the banking sector are not introduced very quickly, and in some countries very slowly indeed, so cards with a chip have spread slowly. For example, in the United States, until recently, they continued to use magnetic stripe cards in the old-fashioned way - and switched to chip cards only a couple of years ago.
The problem with magnetic stripe cards is that all the information required for payment is stored on them in an open form - so it is very easy to steal and write to another card. The chip is much more reliable - it uses cryptography.

Useful Tips
With the transition to cards with a chip, it seemed to many that the criminal business of cloning credit cards would finally sink into oblivion. But that was not the case: at the Security Analyst Summit 2018 conference, our researchers made a presentation on a Brazilian group that learned how to steal data from cards with a chip and clone them quite successfully. In this post, we will try to summarize the essence of their research as briefly and simply as possible.

This story began when our experts studied the malware used by the Brazilian group Prilex to hack ATMs. In the process, they discovered a modified version of that malware designed to work on payment terminals - the very boxes into which you insert a card and on which you enter a PIN code when buying in a store.

This version of the malware changed the terminal's software libraries so that attackers could intercept the data that the terminal received from the card and sent to the bank. That is, roughly speaking, it is enough to pay once with a card in a store with an infected terminal - and that's it, your card details are already with the criminals.
However, getting the data is half the battle. In order to steal your money, they need to make a copy of your card, writing the stolen data to it. In the case of chip cards, this is not so easy to do - thanks to the chip itself and the numerous authentication procedures provided by the EMV standard.
In order to understand how they did it, we first propose a very brief look at the EMV standard, that is, at how cards with a chip are arranged.
A chip on a card is not just a flash memory chip. It is actually a small computer that can run applications. When you insert a chip card into the terminal, this is what happens:

  1. Initialization starts first. At this stage, the terminal receives basic information about the card, such as the owner's name, expiration date, and so on, as well as a list of applications that are on the card.
  2. Next comes the optional data authentication stage. At this stage, using cryptographic algorithms, the terminal verifies that the card is real. However, according to the standard, this step is optional - that is, it can be skipped.
  3. The next step is also optional - this is verification of the owner. That is, the terminal must make sure that the person who inserted the card is its real owner. To do this, a person must either enter a PIN code or sign the check - depending on how the card is programmed.
  4. Finally, the next stage is the actual transaction, that is, the transfer of money.

Once again, we draw your attention: only the first and fourth stages are mandatory, and the second and third are optional. This is what the Brazilian scammers took advantage of.
So, the conditions of the problem: the card can run applications and, when communicating with the terminal, first of all informs it about itself and the list of available applications. The number of stages in making a payment is determined by the terminal and the card.
Solution: the Brazilians wrote a Java application for the card that does essentially two things. First, it informs the payment terminal that there is no need to authenticate the data, that is, to perform the second stage. As a result, no further cryptography is used, which greatly simplifies the task.
That leaves the stage of verifying the owner with a PIN code. But the standard provides for different options for confirming the PIN, including one in which the correctness of its entry is confirmed by ... in fact, the card itself. Or rather, the application installed on it.
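
One way an issuer or acquirer could spot the pattern just described, as an added example that is not part of the original post. It assumes the Terminal Verification Results (tag 95) and CVM Results (tag 9F34) arrive with the authorization request; the sample records, the flag names and the rule itself are constructed.

```python
# Added example: issuer-side review rule for the EMV pattern described above.
# Bit positions follow the EMV TVR (tag 95) and CVM Results (tag 9F34) layouts;
# the sample records and the rule itself are constructed for illustration.

TVR_ODA_NOT_PERFORMED = 0x80          # TVR byte 1, bit 8
TVR_ODA_FAILED = 0x40 | 0x08 | 0x04   # TVR byte 1: SDA, DDA or CDA failed
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}  # PIN checked by the card itself
CVM_RESULT_SUCCESS = 0x02             # CVM Results byte 3


def assess(tvr_hex: str, cvm_results_hex: str) -> list[str]:
    """Return review flags for one chip transaction."""
    tvr = bytes.fromhex(tvr_hex)
    cvm = bytes.fromhex(cvm_results_hex)
    if len(tvr) != 5 or len(cvm) != 3:
        raise ValueError("TVR must be 5 bytes and CVM Results 3 bytes")

    flags = []
    oda_skipped = bool(tvr[0] & TVR_ODA_NOT_PERFORMED)
    if oda_skipped:
        flags.append("card-not-authenticated-offline")
    if tvr[0] & TVR_ODA_FAILED:
        flags.append("offline-authentication-failed")

    method = cvm[0] & 0x3F  # low six bits identify the CVM that was used
    card_checked_pin = method in OFFLINE_PIN_CODES and cvm[2] == CVM_RESULT_SUCCESS
    if card_checked_pin:
        flags.append("pin-confirmed-by-card")

    # The combination the article describes: stage 2 skipped, and stage 3
    # "passed" only on the word of a card that nobody authenticated.
    if oda_skipped and card_checked_pin:
        flags.append("REVIEW: unauthenticated card vouched for its own PIN")
    return flags


# Constructed samples: (label, TVR, CVM Results)
SAMPLES = [
    ("authenticated card, online PIN", "0000040000", "420300"),
    ("authentication skipped, offline PIN", "8000000000", "410302"),
    ("authentication skipped, signature", "8000000000", "1E0300"),
]

if __name__ == "__main__":
    for label, tvr, cvm in SAMPLES:
        print(f"{label}: {assess(tvr, cvm) or 'no flags'}")
```

Skipped offline authentication can be legitimate on its own, for example on terminals that always go online, so the rule escalates only the combination and marks it for review instead of declining outright.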

Prilex operates only on the territory of Brazil and neighboring countries, but Brazilians are not the only ones who should think about the safety of their finances. Here are some tips you can follow to reduce your risk of getting hurt at the hands of scammers:
  • Keep track of the movement of funds on the account - either through notifications in the mobile application, or via SMS. As soon as you see any suspicious spending, call the bank immediately and block the card.
  • Use Andro whenever possible

The most common way to bypass access control is by cloning cards. The cards most often used in access control systems rely on RFID technology at a frequency of 125 kHz, and the information is stored on them in unprotected form.
For example, in cards of the Em-Marine standard, the identifier is not protected from unauthorized reading, so they are the ones most often copied.
An intruder reads data from a card using a compact and very affordable device - a duplicator. To do this, they just need to get close to the card, send it a signal from the duplicator simulating the reader's signal, receive a response signal from the card, write it to the device memory, and then to a blank card.
Not all card standards lend themselves to such a simple hack; many modern identifiers are protected from such threats using advanced technologies.
Nevertheless, access control software can be configured in a way that makes access control systems that use low-frequency cards more reliable.
Proxmark 3 is positioned as a research tool for studying RFID and NFC systems. However, a simple Internet search reveals a detailed description of its use for cloning access cards. This method does not require cracking skills or in-depth knowledge of technology - it is enough for Proxmark 3 to simply come into contact with the access control card.
On a popular site for ordering goods from China, the cost of the device starts at about $100, while the suppliers promise compatibility with the following popular access card formats:

Material of the special project "Without a key"
The special project "Without a Key" is an accumulator of information about ACS, converged access and personalization of cards.

 