Cyber criminals have already figured out a way to hack the new chip-and-PIN credit card system currently being introduced at businesses throughout the United States. Five French citizens have been convicted of manipulating vulnerabilities in the system with a card-switching technique that included substituting the PIN on a stolen card with a cheap piece of plastic.
French researchers from the École Normale Sperieure, a technology university, published a research paper revealing the case of five thieves who were arrested in 2011 and 2012 for spending 600,000 euros (roughly $680,000) with stolen credit cards. Using X-ray analysis and other microscopic scans, the researchers figured out that the criminals actually inserted a second chip onto stolen chip-and-PIN cards, enabling them to dupe the PIN verification on many registers' point-of-sale (POS) terminal.
The fake chip, known as a FUNcard, enabled the thieves to carry out a Man In The Middle attack, which involves intercepting communications on the point-of-sale (POS) terminal. When a shopper inserts his or her card into a POS terminal, the terminal automatically tries to verify its authenticity. In this case, the FUNcard was waiting with its own, fake “yes” signal when the authenticity check arrived.
“The attacker intercepts the PIN query and replies that it's correct, whatever the code is,” ENS researcher Remi Geraud told Wired magazine Tuesday. “That's the core of the attack.”
Until 2011, the concept of spoofing the PIN on a chip-and-PIN card was largely theoretical. A group of Cambridge University researchers discovered similar flaws, but this French crime ring appears to have been the first time the trick was discovered in the wild. Malicious software used on ATMs in Russia and Europe has also broken through chip-and-PIN safeguards, allowing thieves to drain ATMs of cash in at least one case.