Researchers Bypass Chip-and-Pin Protections at Black Hat


Researchers at Black Hat demonstrated how they could capture Track 2 data and bypass chip-and-PIN protections using a Raspberry Pi and infected PIN pads.

LAS VEGAS – Credit card companies have, for the most part, moved from “swipe and signature” cards to chip-and-PIN cards by this point. But the underlying technology, EMV (Europay, MasterCard, and Visa), which is supposed to give consumers an added layer of security, is beginning to show some wear, according to researchers.

Nir Valtman and Patrick Watson, researchers with NCR Corporation, staged a series of malicious transactions in a talk here at Black Hat on Wednesday, demonstrating how they could capture Track 2 data and bypass chip-and-PIN protections.

The standard is intended to prevent cards from being duplicated and to crack down on the use of stolen cards, but it does not prevent the card data itself from being captured, modified, or used elsewhere, the two said.

In their first demonstration, the duo used a Raspberry Pi to capture Track 2 data packets in real time. Through a passive man-in-the-middle position on the network, Wireshark picked up two exchanges carrying data entered into a PIN pad running flawed production software that is currently in the wild. The two declined to name the vendor, but said they had spoken with it and asked it to implement TLS connections; the vendor replied that it could not, because its devices run on old hardware.

Afterwards, the two showed that chip-and-PIN cards are not immune to attack, either.

The captured data looks garbled in the raw packets, but it can be decoded into readable fields: the service code, the expiration date, the discretionary data, and so on. Those fields can tip an attacker off as to whether the card is a chip card.
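The decoding step described above is also the basis for a monitoring control: if Track 2 data is crossing the store LAN in cleartext, as in the Wireshark capture, a network sensor can spot it. The following is an added example, not code from NCR, the researchers, or this article. It scans constructed sample payloads (standing in for frames between a PIN pad and a POS host) for the ISO/IEC 7813 Track 2 layout, drops digit runs that fail the Luhn check to limit false positives, masks the PAN, and decodes the service code, whose first digit indicates an IC (chip) card. The message framing and the test PANs are assumptions.

```python
"""Detector for cleartext ISO/IEC 7813 Track 2 data in captured PIN-pad traffic.

Constructed example (not NCR's or the researchers' code). It scans raw
payload bytes for the Track 2 layout, validates the PAN with the Luhn check
to cut false positives, and decodes the service code, whose first digit
reveals whether the card is an IC (chip) card.
"""
import re

# Track 2: PAN (12-19 digits), '=' separator, YYMM expiry, 3-digit service
# code, then discretionary data. Start/end sentinels (; and ?) are optional.
TRACK2_RE = re.compile(r"(?<!\d)(\d{12,19})=(\d{4})(\d{3})(\d*)")

# Service-code digit meanings per ISO/IEC 7813 (abbreviated).
INTERCHANGE = {"1": "international", "2": "international, IC card",
               "5": "national", "6": "national, IC card",
               "7": "private", "9": "test"}
AUTH = {"0": "normal authorization", "2": "online authorization",
        "4": "online authorization unless bilateral agreement"}
SERVICES = {"0": "no restrictions, PIN required", "1": "no restrictions",
            "2": "goods and services only", "3": "ATM only, PIN required",
            "4": "cash only", "5": "goods and services, PIN required",
            "6": "no restrictions, PIN if PED present",
            "7": "goods and services, PIN if PED present"}


def luhn_valid(pan: str) -> bool:
    """Return True when the PAN passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def decode_service_code(code: str) -> dict:
    """Expand the three service-code digits; digit 1 of 2 or 6 means chip."""
    return {
        "chip_card": code[0] in ("2", "6"),
        "interchange": INTERCHANGE.get(code[0], "reserved"),
        "authorization": AUTH.get(code[1], "reserved"),
        "services": SERVICES.get(code[2], "reserved"),
    }


def find_track2(payload: bytes) -> list:
    """Return one record per plausible Track 2 string found in the payload."""
    text = payload.decode("latin-1")
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service, disc = m.groups()
        if not luhn_valid(pan):
            continue  # random digit runs almost always fail Luhn; drop them
        rec = {"pan": mask_pan(pan),
               "expiry": "20" + expiry[:2] + "-" + expiry[2:],
               "service_code": service,
               "discretionary_len": len(disc)}
        rec.update(decode_service_code(service))
        hits.append(rec)
    return hits


# Constructed sample payloads, standing in for frames captured on the LAN
# between a PIN pad and a POS host. The PANs are well-known test numbers.
SAMPLE_PAYLOADS = [
    b"\x02MSG=TRK2;4111111111111111=2512201123456789?\x03",   # chip card
    b"\x02MSG=TRK2;5555555555554444=2409101987654321?\x03",   # magstripe only
    b"\x02MSG=TRK2;1234567890123456=2512101000000000?\x03",   # fails Luhn
    b"\x02MSG=PIN=****;STATUS=OK\x03",                        # no card data
]


def scan_capture(payloads) -> list:
    """Scan every payload; each alert names the frame index and the card facts."""
    alerts = []
    for idx, p in enumerate(payloads):
        for rec in find_track2(p):
            alerts.append({"frame": idx, **rec})
    return alerts


if __name__ == "__main__":
    for a in scan_capture(SAMPLE_PAYLOADS):
        print("CLEARTEXT TRACK 2 in frame %d: %s exp %s svc %s chip=%s (%s)" % (
            a["frame"], a["pan"], a["expiry"], a["service_code"],
            a["chip_card"], a["services"]))
```

Run as-is, the script raises two alerts: frame 0 carries a chip card (service code 201) and frame 1 a magstripe-only card (service code 101); the third frame is discarded by the Luhn check. Any hit at all on a production segment means card data is leaving the PIN pad unencrypted, which is the condition the researchers' passive capture relied on.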

“You can write the data to a magstripe card and if you’re offline, no one’s the wiser,” Watson told the crowd.

“Offline mode can be very attractive to a hacker,” Nir added.

The pair showed how easy it would be to use a malicious form on a card terminal to trick a consumer into re-entering their PIN or CVV.

“Consumers trust pinpads, they usually think they entered it wrong,” Nir said.

According to the two researchers, attackers could compromise a PIN pad by injecting a form (Malform.FRM, in this instance) when no one is in the store, then quickly switch the display back to a customized “Welcome!” message.

Both Valtman and Watson advocate that PIN pads use strong cryptographic algorithms and accept only signed, whitelisted updates. Point-of-sale PIN pads are usually PCI-certified, but the two pointed out that PCI does not require encryption over a local area network, which is what lets an attacker carry out a MitM attack there.

Consumers should never re-enter their PIN, as a second prompt is a telltale sign that a PIN pad may have been compromised, Valtman said, adding that he usually frequents stores that let him pay with his Apple Watch, as he considers that technology more secure than EMV.

“It’s cool, but not a secure standard,” Nir said.
