Page 109 - Cyber Warnings August 2017
magnetic stripe code tricks the terminal into believing the card really does not have a chip.
The data encoded on the magnetic stripe includes a field that indicates whether the card has a
chip. Normally, when the stripe is read, this field indicates there should be a chip, and the
terminal directs the user to place the chip end of the card into the reader. In this attack, the
field is toggled so that it indicates there should not be a chip. The credit card is then accepted
when it should not be.
Although this is curious in its own right, the issue continues at the issuing bank. The terminal
communicates that the card does not and should not have the chip, while the issuing bank's
system shows it should. Although this appears to be a significant error, the bank's system may
still overrule the issue.
Alternatively, the attackers could have attacked the chip directly. Although this would be a
great scene in Mr. Robot, this attack would have taken the attacker much more time to work
on. Based on the chip and encryption, this may not be crackable in several lifetimes.
Remediation
This was such a significant issue that even the FBI took notice and became involved. The FBI
Internet Crime Complaint Center publicly warned that the attack was viable. One security
measure to apply to the situation would be end-to-end encryption. This is not free, but would
act as an added service. Although not free, it would provide savings in that potential fraud
would decrease. Measuring the potential fraud could be an issue, as there is not an actual
number to compare against. One measure could be the baseline amount adjusted for inflation.
Whichever method is chosen, this would be the better alternative compared to the opportunity
for the fraud to continue and grow.
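The mismatch described earlier, where the stripe claims there is no chip while the issuing bank's system shows one, can be checked at authorization time. The following Python is an added example, not code from the article or from any bank. It assumes the field in question is the three-digit Track 2 service code (ISO/IEC 7813). The issuer record dictionary, the function names and the sample track data are hypothetical and constructed.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?$")
# First service-code digit 2 or 6 means "chip present, use it where feasible".
CHIP_DIGITS = {"2", "6"}

@dataclass
class Finding:
    pan_suffix: str
    reason: str

def parse_track2(raw):
    """Return (pan, expiry, service_code); raise ValueError on malformed data."""
    m = TRACK2.match(raw.strip())
    if not m:
        raise ValueError("malformed Track 2 data")
    return m.group(1), m.group(2), m.group(3)

def check_swipe(raw, issuer_records):
    """Compare the swiped service code with the one the issuer encoded at issuance.
    issuer_records is a hypothetical dict of PAN -> issued service code.
    Returns a Finding, or None when stripe and issuer record agree."""
    try:
        pan, _expiry, seen = parse_track2(raw)
    except ValueError as exc:
        return Finding("????", str(exc))
    issued = issuer_records.get(pan)
    if issued is None:
        return Finding(pan[-4:], "PAN unknown to issuer")
    if seen == issued:
        return None
    hidden = issued[0] in CHIP_DIGITS and seen[0] not in CHIP_DIGITS
    reason = ("stripe denies a chip the issuer record shows" if hidden
              else "service code differs from issuer record")
    return Finding(pan[-4:], f"{reason} (issued {issued}, presented {seen})")

# Constructed sample data: a test PAN issued as a chip card (service code 201).
ISSUER = {"4111111111111111": "201"}
GENUINE = ";4111111111111111=2512201000000000?"
ALTERED = ";4111111111111111=2512101000000000?"

if __name__ == "__main__":
    for track in (GENUINE, ALTERED):
        print(check_swipe(track, ISSUER))
```

A finding of this kind gives the issuer grounds to decline or step up the transaction instead of overruling the discrepancy.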
Copyright © Cyber Defense Magazine, All rights reserved worldwide.