Turbinator
New member
The attack targets the way the various security mechanisms interact in the cardholder verification process. In this process, the chip in the card and the terminal decide how to authenticate the transaction.
The cards examined by the researchers all recognised as authentication, in descending order of preference: PIN verification; signature verification; and no verification. The majority of transactions require PIN verification. The customer enters their number on a PIN entry device. The PIN is then sent to the card, which compares it to a PIN that it stores on its chip. If the PIN is correct, the card sends a verification code — 0x9000 — back to the terminal, which completes the transaction.
The researchers succeeded in building a man-in-the-middle device that reads a card and — at the appropriate time in the verification process — sends a 0x9000 code to the terminal, regardless of the PIN that has been entered.
As a demonstration, the researchers inserted a genuine card into a standard smartcard reader from Alcor Micro, which was connected to a laptop running a Python script. The laptop was connected to an FPGA board via a serial link. The FPGA board the researchers used was a Spartan-3E Starter Kit, which was used to convert the interfaces for the card and PC.
The FPGA board was connected to a Maxim 1740 interface chip, which was linked via thin wires to a fake card, used for insertion in the terminal.
Once the fake card was inserted, the Python script running on the laptop relayed the transaction, suppressed the verify PIN command issued by the terminal, and responded with the 0x9000 code.
The researchers said that attackers could carry similar kit in a backpack, with the wires trailing down a sleeve, for use with a stolen valid card.
Such a simple, simple exploit.
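Added example, not part of the original post and not the researchers' code: a back-end consistency check built on the point above that the terminal accepts 0x9000 while the genuine card never receives the verify PIN command. It assumes the issuer receives both the terminal's and the card's record of cardholder verification. The record fields and names are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical record layout: one row per authorisation request, holding the
# terminal's view and the card's own view of cardholder verification.
@dataclass(frozen=True)
class AuthRecord:
    txn_id: str
    terminal_cvm: str       # "pin", "signature" or "none", as chosen at the terminal
    terminal_pin_ok: bool   # terminal received 0x9000 in reply to its verify PIN command
    card_saw_verify: bool   # card's record: a verify PIN command actually reached the chip
    card_pin_ok: bool       # card's record: the PIN it compared matched the stored one


def classify(rec: AuthRecord) -> str:
    """Compare the terminal's claim of a verified PIN with the card's own record."""
    if rec.terminal_cvm != "pin" or not rec.terminal_pin_ok:
        return "not-applicable"        # terminal does not claim a successful PIN check
    if not rec.card_saw_verify:
        return "pin-bypass-suspected"  # terminal got 0x9000, card never saw verify PIN
    if not rec.card_pin_ok:
        return "inconsistent"          # card saw a PIN but rejected it
    return "consistent"


def flagged(records):
    """Return the txn_ids that need review, in input order."""
    return [r.txn_id for r in records
            if classify(r) in ("pin-bypass-suspected", "inconsistent")]


# Constructed sample records (not real transaction data).
SAMPLE = [
    AuthRecord("T-0001", "pin", True, True, True),           # normal PIN transaction
    AuthRecord("T-0002", "signature", False, False, False),  # signature transaction
    AuthRecord("T-0003", "pin", True, False, False),         # the two views disagree
    AuthRecord("T-0004", "pin", False, True, False),         # wrong PIN seen by both sides
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.txn_id, classify(rec))
```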