Half a croissant, on a plate, with a sign in front of it saying '50c'
h a l f b a k e r y
Experiencing technical difficulties since 1999

idea: add, search, annotate, link, view, overview, recent, by name, random

meta: news, help, about, links, report a problem

account: browse anonymously, or get an account and write.

user:
pass:
register,


                           

Credit card chip theft

a credit card reader that steals the chips off of cards
  (+6, -3)
(+6, -3)
  [vote for,
against]

Chip and pin cards are hard to clone. The simple solution is to steal the chip off the card. chips are usually installed into cards as a small package that is inset in a small hole. There's some hot melt(like hot glue) around it that holds this package into the card. A malicious card reader accepts the card, melts the hot melt and pulls the chip off. It then fills the empty space with hot melt and puts a hard thin shiny piece of metal over it that looks somewhat like the original package. it records the pin as well. the chip packages are stored inside the reader for future recovery.

the card owner would end up with a non working card, but that's ok, chips break all the time, that's why you have a backup mag stripe. they may or may not send off for a new card which will probably arrive in a month or so. The card hasn't been stolen so they will assume they are safe.

A criminal would break into a store and replace the card reader he then come back the next day and puts back the old one. he now has about 50 credit card chips and pins.

All card data is stored on the card's chip. This includes name, card number and expiry date all of which can be easily read from the chip and are every time a transaction takes place. The chips would be read for said information and installed in new counterfeit cards with correctly embossed info ready for use.

RichardT, Feb 27 2010

chip installation diagram http://en.wikipedia...e_and_packaging.svg
how chips are installed into cards [RichardT, Feb 27 2010]

smart card problems http://en.wikipedia...Smart_card#Problems
Chip failure is quite common [RichardT, Feb 27 2010]

smart card chip package http://commons.wiki...-Card-Chip_back.jpg
smart card chip package, back shot [RichardT, Feb 27 2010]

//Chip and pin cards are hard to clone. The simple solution is to steal the chip off the card// http://www.bbc.co.u...p_and_pin_syst.html
Yeah. Right. [DrBob, Mar 01 2010]

Please log in.
If you're not logged in, you can see what this page looks like, but you will not be able to add anything.
Short name, e.g., Bob's Coffee
Destination URL. E.g., https://www.coffee.com/
Description (displayed with the short name and URL.)






       I am not familiar with smart cards. But I think the decorative decal piece would be a giveaway, since it would be an idiosyncrasy of the theft scheme not associated with a normally working card reader.   

       Also I wonder what the effect of the heat would be on card / card components. How would it be applied? New hot glue must be applied too. I might notice the presence of 300 degree glue on my card when I retrieved it from the machine.
bungston, Feb 27 2010
  

       I'm not familiar with these type of cards (in the USA magstripes are still the standard), but why not just read the data & PIN and upload it to a thief-operated server?   

       The thief would only need one burglary, the target's card is unaltered, and until the altered reader is discovered, the thief has an endless amount of new data.   

       //that's why you have a backup mag stripe// If the cards have a magstripe anyway as a backup, just create a counterfeit that uses a magstripe. As far as tellers/clerks are concerned, the chip is just dead.
wolstech, Feb 27 2010
  

       for many large purchases vendors will not accept mag stripe cards. It is there as a backup and can be used for buying coffee but most people will be suspicious if your chip is broken and you're buying 5 bigscreen tv's. The more suspicious they are the more likely they are to ask for photo id. You also have to worry about the bank. They shut down your card if there is "suspicious activity". They'll feel better about large unusual transactions if they are done with a chip.
RichardT, Feb 27 2010
  

       [RichardT] Can you explain about the difficulty of cloning chip + pin cards? The idea makes sense if physical possession of the chip is better than possession of data that can be read off it. Why is that? Your statement that "All card data is stored on the card's chip.... all of which can be easily read from the chip and are every time a transaction takes place." seems to contradict it. Remember, the big money's in selling the data, not in purchasing 5 bigscreen TVs.   

       Also, I think the punch-and-fill idea is overelaborate, and that people would notice the resulting seam, or change in texture of the card. Better to return a whole new card. The machine would need to get the correct bank, so that color and logo were correct, but the name & numbers could be wrong without, at first, being noticed.   

       Finally, breaking into a store and replacing the ATM sounds more difficult, and less likely to escape detection, than simply setting up an ATM in a new location.
mouseposture, Mar 01 2010
  

       // Can you explain about the difficulty of cloning chip + pin cards? The idea makes sense if physical possession of the chip is better than possession of data that can be read off it. Why is that? Your statement that "All card data is stored on the card's chip.... all of which can be easily read from the chip and are every time a transaction takes place." seems to contradict it.//   

       I'm not an expert on chip-and-pin, but I believe that the chip doesn't just blurt out all the data it knows. It has some secret which it doesn't reveal - probably it provides a hash of the answer to some challenge which comes from the bank. So its output is different each time and can't just be recorded.   

       Regarding supplying a new card, that wouldn't be feasible in most stores - where the machines are at the checkout till (rather than as a cash dispenser) Only the chip end of the card goes into the machine. Since the idea is to hide the acquisition of the chip, the crims probably can't just set up a new ATM - it would make people very much more suspicious. That's before you get to the difficulties of matching cards, copying embossed and printed text and the signature.
Loris, Mar 01 2010
  

       [RichardT] Thanks for explaining that. Where I am, magstripes are the standard, hence why I didn't think it'd be suspicious to use one.   

       Some companies in the USA are starting to put chips on cards now, but they're next to worthless since very few stores have readers for them, at least in my region.   

       I'm also surprised malware hasn't come up. It eliminates the whole physical aspect.
wolstech, Mar 02 2010
  

       This is why cards have the "security code" on the signature strip.   

       This data is unique to a physical card, is different when the card is changed and is not stored on the chip.   

       The security code effectively makes this technique of limited use.
webfishrune, Mar 02 2010
  

       Chip & PIN cards are easy to clone. Furthermore, the PIN readers are not terribly secure either. The device that you put your card in can relatively easy to hack.   

       Ah - yes. [DrBob] beat me to it. Some of the security guys at Cambridge have demonstrated a variety of attacks.
Jinbish, Mar 02 2010
  

       been reading up on the attacks. There are several out there. but first to get things straight(I was a bit unclear before). The card contains a chip. this chip has stored in it a cryptographic key. it also contains the data that is or would normally be on the magstrip. For compatibility reasons, it gives the card reader the mag strip data. It does not give out the cryptographic key. Payment terminals are tamper resiststant. The electronics inside them are difficult to tamper with and or modify. You can still of course replace them wholesale at that point you can mount several attacks. 1 the terminal can relay data from itself to your accomplice down the street, you remotely connect the victim's card to an ATM or payment terminal. the accomplice types in the pin provided by the victim and that allows you to impersonate the victim. This is a real time thing. you have to mount this attack while the victim's card is in the reader. 2 you can steal online banking credentials, sometimes they're good for a while, sometimes they expire almost immidiately and you have to use them in real time. You cannot get the cryptographic key from the card, nondestructively, as of yet. The key is what the card uses to prove it's identity to the bank and generate credentials. If you steal the chip and pin (maybe mag strip data, and scans of the card too). you've stolen the card's identity. You have also extended the time the chip stays in the reader and thus have more time to mount a relay attack.   

       As for getting the machine to make a replica card, that would be difficult. In most readers, ATM's excluded, the card can always be withdrawn, and is never fully inside the machine The chip part is. My second revision includes a piece of thin metal coated plastic sheet. the sheet is made so that it can break to match the profiles of common chip slots. as it is pushed into the slot the metal breaks to match the profile of the hole. that would eliminate or reduce any seams that would form.
RichardT, Mar 03 2010
  


 

back: main index

business  computer  culture  fashion  food  halfbakery  home  other  product  public  science  sport  vehicle