Page 108 - Cyber Warnings August 2017

Secure or Not?


               The “Improved” Chipped Credit Cards
               by Charles Parker, II

               Attackers have become rather resilient and tenacious over time. Vulnerabilities are noted and
               exploited by the attackers. This has, at this point, become an academic venture. The target
               may note this from their SIEM alarm, other systems not working as anticipated, or a vendor
               mentioning there may be an issue. The vulnerability is addressed with a patch or other tool. The
               attackers notice this is no longer working and have their call to action to update or pivot their
               attack as needed, and deploy the modified attack on malware. This is then noted, patched, and
               the process starts again.

               The credit card industry is no different. We are all exceptionally familiar with the standard
               physical manifestation of the credit card, with the magnetic stripe on the rear of the card. This
               form had been used throughout the planet. As a result of the mass usage, the attackers noticed
               the potential for theft. The fraud/theft associated with this began to grow as the number of
               counterfeited credit cards and fraudulent charges exceeded the critical mass for the industry to
               become exceptionally involved.

               To alleviate the issue, the chip and PIN method was created and implemented. The chip added
               onto the credit card allows for an additional layer of security. To defeat this, the attacker would
               also have to bypass the chip. This is being used more often as it is pushed by the industry. At
               this time a majority of the credit cards have this. The intent with this has been to make the
               counterfeiting process more difficult. In theory this would make credit cards less of a target.

               Intent
               The credit card companies did not enjoy or appreciate the increased losses experienced. To
               decrease the loss potential from these cases of fraud, the credit card companies knew
               something had to be done. To work towards this goal, the credit card companies began to utilize
               their R&D. The addition was the chip seen in many of the cards. This was engineered to add
               security to the process. This added technology has been in use for years in non-US countries.
               With this in place, in theory, the fraudulent charges should decrease. This should create a
               foolproof method to secure the credit card transactions.

               Vulnerability
               In theory, there should be no further vulnerabilities. The credit card company has the card
               coded as requiring the chip with the specific data on the chip. If a card is presented and the data
               on the chip is not communicated, the transaction would be cancelled. The effect, in theory, is to
               exponentially increase the security. This has not been the case though.
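
The rule described above, written as an issuer-side authorization check. This is an added example, not code from the article or from any card network. The record layout, function names and sample card number are assumptions, and the mere presence of chip data stands in for real cryptogram verification.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")
CHIP_FIRST_DIGITS = {"2", "6"}  # first service-code digit that marks a chip card

@dataclass
class Txn:
    track2: str                 # stripe-format data as forwarded by the terminal
    chip_data: Optional[bytes]  # data produced by the chip; None if the chip was not read

def parse_track2(raw: str):
    m = TRACK2.match(raw)
    if m is None:
        raise ValueError("malformed track 2")
    pan, expiry, service_code, _discretionary = m.groups()
    return pan, expiry, service_code

def authorize(txn: Txn, issuer_records: dict):
    """Return (approved, reason), deciding from the issuer's record, not the stripe."""
    try:
        pan, _expiry, service_code = parse_track2(txn.track2)
    except ValueError as exc:
        return False, str(exc)
    record = issuer_records.get(pan)
    if record is None:
        return False, "unknown card"
    stripe_says_chip = service_code[0] in CHIP_FIRST_DIGITS
    if stripe_says_chip != record["chip_issued"]:
        # The stripe is writable, so its claim is checked, never trusted.
        return False, "service code disagrees with issuer record"
    if record["chip_issued"] and txn.chip_data is None:
        return False, "chip card presented without chip data"
    return True, "approved"

# Constructed sample data (test card number, not a real account).
RECORDS = {"4111111111111111": {"chip_issued": True}}
CHIP_STRIPE = ";4111111111111111=30122010000000000?"

if __name__ == "__main__":
    print(authorize(Txn(CHIP_STRIPE, b"\x01\x02"), RECORDS))
    print(authorize(Txn(CHIP_STRIPE, None), RECORDS))
```

The decision depends on what the issuer knows it issued, so a stripe that claims something different is declined rather than believed.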

               There was an issue or oversight with the system as designed. The attack methodology was
               presented at the 2016 Black Hat conference. The method used to compromise the system was
               to encode the code on the magnetic stripe on the card. The code on the cards appears to be the
               standard used by the Europay, Mastercard, and Visa (EMV) cards. In effect, the modified
