LAS VEGAS — That fancy new chip card that you have to insert into the credit card reader at checkout isn’t safe, either.
Though most credit card companies are moving away from cards that swipe to chip cards — or EMV for Europay, MasterCard, and Visa — two researchers presenting at the Black Hat security conference last week demonstrated how a criminal can steal the data from cards that are being billed as more secure.
“EMV is cool,” said Nir Valtman, head of application security at NCR Corporation. “But it is not a secure standard.”
In a demonstration of the research on Wednesday, Valtman and his colleague Patrick Watson showed that an attacker can capture what is called Track 2 data that’s transmitted from the card to the card reader using a small Raspberry Pi computer. The captured data, which is sent unencrypted, can then be used to create a normal magstripe card for use on older, offline systems.
“You can write the data to a magstripe card and if you’re offline, no one’s the wiser,” Watson said.
Obviously, this type of hack requires physical access to a store’s card reader. A bad guy would have to actually hook up a Pi to grab this data, which would look very suspicious to consumer and retailer alike.
But, as is often the case, criminals are smart, and technology keeps getting smaller. Just like the proliferation of credit card and ATM “skimmers” that are often incredibly difficult to spot, a Pi-enabled EMV skimmer sending this data wirelessly back to a thief isn’t that far outside the realm of possibility.
Valtman and Watson also demonstrated other ways to go after the old swipe cards, by updating the software on the machine to run their own malicious code. The new firmware would not only capture card data, but it could also be programmed to give an error message telling a person they entered their PIN incorrectly, so once they re-enter it, an attacker has it.
The pair did not disclose the model of the card reader they conducted their demo on, but said it was a popular one that is being used right now. They also said they disclosed their findings to the manufacturer and recommended encryption usage, but were told by the company that the hardware was too old to use even the most basic standards.
A slide in their presentation responded to this from a hacker’s perspective, saying, “It wasn’t encrypted. I had to steal it.”
The two men did suggest fixes to the problem, which include the use of strong encryption in the payment process and accepting only firmware updates that are signed by the vendor. But for consumers, they said people should never re-enter their PIN, and should be wary of any prompts not often seen. They also recommended app-based systems like Apple Pay since they often utilise better security.