Dumb debit and credit cards that can be easily replicated by hackers after stealing the data in their magnetic strips — which is what happened with card data stolen in cyber attacks hitting Target, Home Depot and many others — will be a thing of the past in the U.S. starting on October 1, 2015, as they will be replaced by more secure chip-and-PIN (also known as EMV) cards. However, Wired reports these cards aren’t as secure as you expect, and hackers have already found a way to steal money from them without actually needing access to the cards.

FROM EARLIER: The ultimate ATM heist still works, has netted hackers ‘millions of dollars’

EMV cards are harder to counterfeit, as the personal information is contained in the chip of the card instead of the magnetic strip, and the data is protected by a PIN. Even when stolen, these cards are practically useless as long as the thief doesn’t know the PIN number.

But researchers from Newcastle University in the U.K. have figured out a way to steal money from cards made by VISA for use in the country, as they don’t recognize transactions made in non-U.K. currencies and do not require PINs for them. These cards can be fooled into accepting any transaction up to 999,999.99 in a specific currency.

More importantly, these EMV cards that also have contactless transaction support, can be attacked with a smartphone, while they’re in the user’s wallet, thus raising no suspicion that something is wrong. The hack basically ignores the £20 contactless limit for transactions, and thus hackers would be able to easily transfer more money without being observed.

“With just a mobile phone we created a POS terminal that could read a card through a wallet,” lead researcher Martin Emms said. “All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved.”

“We have not yet tested the back-end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud.  Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system. It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a potential threat,” Emms added.

The researcher said that in order to further fool banks, a hacker should simply choose a place where transactions in other currencies are often encountered, such as an airport or the London underground.

More information about this particular hack, which will be presented at the ACM Conference on Computer and Communications Security in Arizona, is available at the source link.

Comments