Real Carding - Cloning Chip Card Fraud

Researchers at Kaspersky Lab described how criminals in Brazil steal data from chip cards and clone them.
There are two types of bank cards: the older ones with a magnetic stripe and the newer, more secure ones with a chip. New technologies are not adopted quickly in the banking sector, and in some countries adoption is downright slow, so chip cards have spread slowly. In the US, for example, magnetic stripe cards remained in use in the old-fashioned way until recently, and the switch to chip cards happened only a couple of years ago.
The problem with magnetic stripe cards is that all the information needed for a payment is stored on them in the clear, so it is very easy to read and write onto another card. The chip is far more reliable because it uses cryptography.
With the transition to chip cards, many expected that the criminal business of cloning credit cards would finally fade away. That was not the case: at the Security Analyst Summit 2021 conference, our researchers presented a Brazilian group that learned how to steal data from chip cards and clone them quite successfully. In this post we summarize the essence of their research as briefly and simply as possible.

Hacking ATMs and more

This story began when our experts studied the malware the Brazilian group Prilex used to hack ATMs. In doing so, they discovered a modified version of that malware designed to run on payment terminals, the boxes into which you insert a card and enter a PIN when paying in a store.
This version of the malware modified the terminal's software libraries so that the attackers could intercept the data the terminal received from the card and sent to the bank. In effect, paying once with a card at an infected terminal was enough for your card details to end up with the criminals.
However, obtaining the data is only half the battle. To steal your money, the criminals need to make a copy of your card and write the stolen data onto it. With chip cards this is not so easy, thanks to the chip itself and the numerous authentication procedures provided for by the EMV standard.
Yet the Prilex group managed it: the attackers built an entire infrastructure that allowed their "clients" to create cloned cards easily, even though in theory this should be impossible.
To understand how they did it, let us first take a very brief look at the EMV standard, that is, at how chip cards work.

How do bank cards with a chip work?

A chip on a card is not just a flash memory chip. It is actually a small computer that can run applications. When you insert a chip card into the terminal, this is what happens:
  • First comes initialization. At this stage the terminal receives basic information about the card, such as the owner's name and expiration date, as well as the list of applications on the card.
  • Next comes the optional data authentication stage. Here the terminal uses cryptographic algorithms to verify that the card is genuine. According to the standard this step is optional, that is, it can be skipped.
  • The next step is also optional: cardholder verification. The terminal must make sure that the person who inserted the card is its real owner. For this the person must either enter a PIN or sign the receipt, depending on how the card is programmed.
  • Finally comes the transaction itself, that is, the transfer of money.
Note once again: only the first and fourth stages are mandatory; the second and third are optional. This is what the Brazilian scammers took advantage of.

The card agrees to everything

So, the starting conditions: the card can run applications and, when communicating with the terminal, first tells it about itself and the list of available applications. The number of stages in a payment is determined by the terminal and the card together.
The solution: the Brazilians wrote a Java application for the card that essentially does two things. First, it tells the payment terminal that there is no need for data authentication, that is, the second stage. No further cryptography is then used, which greatly simplifies the task.
That leaves cardholder verification by PIN. But the standard provides several ways of confirming the PIN, including one in which the correctness of the entered PIN is confirmed by... the card itself. Or rather, by the application installed on it.
The criminals' application, when asked whether the PIN was entered correctly, always answers the terminal "yes, everything is fine". So an attacker with a cloned card can type four completely random digits on the terminal, and they will be accepted as the correct PIN.
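The two optional stages and the card-side trick described above are exactly what a terminal's own action analysis is configured to react to. As an added example (not code from the article or from the toolkit it describes), the Python model below follows EMV Book 3: a card that reports no SDA/DDA/CDA support sets the "offline data authentication was not performed" bit in the TVR, and whether that bit leads to an offline approval or forces online authorization by the issuer depends on the terminal action codes, which are constructed here for illustration (issuer action codes are omitted).

```python
# Added example, not code from the Kaspersky article or the Prilex toolkit:
# a minimal model of EMV terminal action analysis. Bit layouts follow EMV Book 3
# (AIP, TVR); the TAC values below are constructed, issuer IACs are left out.

# Application Interchange Profile, byte 1: authentication methods the card supports
AIP_SDA = 0x40
AIP_DDA = 0x20
AIP_CDA = 0x01

# Terminal Verification Results bits used here (byte 1 and byte 3)
TVR1_ODA_NOT_PERFORMED = 0x80   # offline data authentication was not performed
TVR3_CVM_NOT_SUCCESSFUL = 0x80  # cardholder verification was not successful

def build_tvr(aip_byte1: int, cvm_success: bool) -> list:
    """Fill the 5-byte TVR for the two stages the article calls optional."""
    tvr = [0, 0, 0, 0, 0]
    if not aip_byte1 & (AIP_SDA | AIP_DDA | AIP_CDA):
        tvr[0] |= TVR1_ODA_NOT_PERFORMED  # terminal only records that it did no data auth
    if not cvm_success:
        tvr[2] |= TVR3_CVM_NOT_SUCCESSFUL  # never set if the card simply reports "PIN ok"
    return tvr

def terminal_action_analysis(tvr, tac_denial, tac_online) -> str:
    """AAC = decline offline, ARQC = request online authorization, TC = approve offline."""
    if any(t & d for t, d in zip(tvr, tac_denial)):
        return "AAC"
    if any(t & o for t, o in zip(tvr, tac_online)):
        return "ARQC"
    return "TC"

# Constructed terminal configurations; real TACs are set by the acquirer.
LAX_TAC_DENIAL = [0x00] * 5
LAX_TAC_ONLINE = [0x00] * 5           # nothing forces an online check
STRICT_TAC_DENIAL = [0x00] * 5
STRICT_TAC_ONLINE = [TVR1_ODA_NOT_PERFORMED, 0x00, TVR3_CVM_NOT_SUCCESSFUL, 0x00, 0x00]

def decide(aip_byte1: int, cvm_success: bool, strict: bool) -> str:
    """Outcome of a transaction for a given card profile and terminal policy."""
    tvr = build_tvr(aip_byte1, cvm_success)
    if strict:
        return terminal_action_analysis(tvr, STRICT_TAC_DENIAL, STRICT_TAC_ONLINE)
    return terminal_action_analysis(tvr, LAX_TAC_DENIAL, LAX_TAC_ONLINE)

if __name__ == "__main__":
    # Card that reports no data authentication and "confirms" any PIN, as described above
    print(decide(0x00, True, strict=False))  # TC: approved offline with nothing checked
    print(decide(0x00, True, strict=True))   # ARQC: the issuer must authorize online
```

Forcing the transaction online matters because the issuer then checks the card's cryptogram, which a clone without the issuer's keys cannot produce; in this model a card that merely reports PIN success never sets any TVR bit, which is why data authentication, not the PIN answer, is the control for the terminal to enforce.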

Card fraud as a service

The infrastructure created by the Prilex group includes the Java application described above, a client program called "Daphne" used to write data onto smart cards, and the database of stolen cards itself, which is kept on a server.
"Clients" are invited to buy a kind of "beginner attacker kit" consisting of the Java application, the "Daphne" program and a batch of card data. A smart card writer and blank smart cards can be bought entirely legally for a few tens of dollars. It does not matter whether the card is credit or debit: Daphne can clone either.

Conclusion

Prilex operates only in Brazil and neighboring countries, but it is not only Brazilians who should think about the safety of their finances. Here are some tips to reduce your risk of being hurt by scammers:
  • Keep track of the movement of funds on your account, either through notifications in the mobile app or via SMS. As soon as you see any suspicious spending, call the bank and block the card immediately.
  • Use Android Pay or Apple Pay whenever possible. Neither system transmits your card details to the terminal, so they can be considered more secure than an ordinary card payment where you insert the card into the terminal.
  • Get a separate card for online purchases. The chance that its data will leak somewhere is much greater than for cards you use only in physical stores, so don't keep more money on it than you need.

Brazilian Chip Card Cloning


(c) https://www.kaspersky.ru/blog/chip-n-pin-cloning/19864/