DIY Credit Card - Chips and Smart Cards

Posted by Gunter Ollmann on June 09, 2008 at 1:33 PM EDT.

Following on from last week’s blog concerning the apparent ease of acquiring online all the technologies necessary for making your own fake credit cards, I received several queries about how this relates to the newer contact-based smart card rollouts – i.e. credit cards with embedded chips.

I’m sure that it comes as no surprise that getting hold of the necessary smart cards and their readers/writers isn’t that difficult. Once again, they can all be purchased online. For example, some of the more popular reader/writers can be picked up for as little as $25 – and are capable of supporting the most current chip and data standards.

The cards themselves are even easier to acquire – it just takes a little time to figure out which type of card you need – and they can be acquired for as little as 90 cents each.

I guess a follow-on question is whether you can create a fully working clone of someone else’s chip-based credit card. After several searches I didn’t really uncover evidence of people actually cloning chip-based credit cards to that degree. I suspect that some of this is due to the fact that unless you’re already in the smart card industry (or have spent a bit more time researching it) there’s a fair degree of alphabet soup to wade through as you try to get to grips with all the acronyms. That said, I doubt that most criminals would need to undertake that level of sophistication.

As long as the fake credit card looks real enough, it’ll probably be good enough to carry out the fraud. For example, a visual inspection of the fake card would be satisfied if the chip looked like a real one (i.e. shiny, made of metal, borders between the contacts, etc.). As for the fake card actually working inside the PIN Entry Device (PED), that is probably not a necessity in many cases.

PEDs are typically designed to use multiple methods for carrying out a transaction payment. If one option is unavailable, alternatives are presented. For example, if the magnetic stripe of the card cannot be read, the operator is prompted to manually type in the card number and expiry date. I believe that the same thing applies to credit cards using smart card technologies.

If the chip cannot be read, it is likely that the operator will then try the magnetic stripe on the card and then get the customer (i.e. the fraudster in our case) to either type in their PIN or sign the receipt.

So, as long as the chip looks real, the fact that it cannot be read by the merchant’s PED could be explained away easily enough (e.g. “I don’t know, it was working yesterday” or “yeah, my wallet got wet the other day when I was sailing in my yacht”). Having said that, I’ve heard that some fraudsters have gotten away with not even using cards with real chips in them – and just printed the card with a picture of a fake chip on it.
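From the acquirer’s or issuer’s side, the fallback path described above is visible in the authorisation stream: a card the issuer knows carries a chip is being accepted by magnetic stripe or manual key entry. The following is an added example (not from the original post or any vendor): a small detection routine over a constructed authorisation log, using entry-mode labels chosen for the example rather than any network’s real POS entry-mode codes, that flags individual fallback transactions, ranks them by how weak the path was, and surfaces merchants whose fallback rate is out of line.

```python
from collections import defaultdict

# Constructed authorisation log, not real data. The entry_mode labels are this
# example's own; a real feed would carry the network's POS entry-mode codes instead.
SAMPLE_TXNS = [
    {"txn_id": 1, "merchant": "M-100", "chip_capable": True,  "entry_mode": "chip",      "cvm": "pin"},
    {"txn_id": 2, "merchant": "M-100", "chip_capable": True,  "entry_mode": "magstripe", "cvm": "signature"},
    {"txn_id": 3, "merchant": "M-100", "chip_capable": False, "entry_mode": "magstripe", "cvm": "signature"},
    {"txn_id": 4, "merchant": "M-200", "chip_capable": True,  "entry_mode": "manual",    "cvm": "signature"},
    {"txn_id": 5, "merchant": "M-200", "chip_capable": True,  "entry_mode": "magstripe", "cvm": "pin"},
    {"txn_id": 6, "merchant": "M-200", "chip_capable": True,  "entry_mode": "manual",    "cvm": "signature"},
]

def is_fallback(txn):
    """Technical fallback: the issuer knows the card has a chip, yet the PED
    accepted it by magnetic stripe or manual key entry."""
    return txn["chip_capable"] and txn["entry_mode"] in ("magstripe", "manual")

def fallback_risk(txn):
    """Rank fallbacks: manual entry with a signature is the weakest path, since
    the card need not be readable at all; PIN-verified fallbacks rank lower."""
    if not is_fallback(txn):
        return 0
    score = 2 if txn["entry_mode"] == "manual" else 1
    return score + (1 if txn["cvm"] == "signature" else 0)

def flag_fallbacks(txns, rate_threshold=0.5, min_txns=3):
    """Return ([(txn_id, risk), ...], [merchants with a suspicious fallback rate])."""
    flagged = [(t["txn_id"], fallback_risk(t)) for t in txns if is_fallback(t)]
    totals = defaultdict(lambda: [0, 0])  # merchant -> [all txns, fallback txns]
    for t in txns:
        totals[t["merchant"]][0] += 1
        totals[t["merchant"]][1] += 1 if is_fallback(t) else 0
    noisy = sorted(m for m, (n, f) in totals.items()
                   if n >= min_txns and f / n >= rate_threshold)
    return flagged, noisy

if __name__ == "__main__":
    print(flag_fallbacks(SAMPLE_TXNS))
```

The legacy card in transaction 3 is deliberately not flagged: a magnetic-stripe read is only suspicious when the issuer knows the card should have presented a chip.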

Hacking Smart Card Systems

While I was searching for information on smart card systems and how to acquire the technologies necessary to clone or make fully functional chip-based credit cards, I found several things that would lead me to believe that it would be relatively easy to experiment with the technologies in search of new vulnerabilities.

For example, the smart card readers and writers are very easy to come by, and most support the very latest chip designs. You can couple this with the fact that the full and detailed specifications of how chip-based credit cards are supposed to operate (at a physical and software level) can be found in glorious detail on the EMVCo Web site.

“The EMV standard defines the interaction at the physical, electrical, data and application levels between IC cards and IC card processing devices for financial transactions. Portions of the standard are heavily based on the IC Chip card interface defined in ISO 7816.”

Even a cursory scan of the documentation hinted at lots of places where specially crafted data contained on a smart card could be used to try to uncover vulnerabilities. I have little doubt that a few (budding) researchers have already been experimenting in this area and that there’ll be papers and conference talks in the near future covering their progress/findings (and I look forward to seeing those).

The equipment necessary to “tinker” with contact-based chip cards is easy to find; in fact, a PED developer kit (including the PED, software development kit, sample cards, etc.) can be picked up new for less than $500.

While I’m sure that researchers in the future will find interesting flaws in the way PED manufacturers have implemented the EMV standards, the important flaws are the ones that make their way back to the credit card clearing houses and backend systems – because that’s where the criminals would make their money.

Is it possible to use a chip-based credit card to launch a profitable SQL Injection attack against a bank’s back-end system? At the moment, I have no idea. I suspect that the probability is very remote (if at all possible) – mainly because, without the insider information needed to craft the payload, it would be very difficult to figure out whether the attack had worked.
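Whatever the odds, the defence on the back-end side is the usual one: treat every field that arrived from the card as untrusted bytes, validate it against the spec, and never splice it into SQL text. The following is an added example (my own, not code from the post or from any bank) using an in-memory SQLite table as a stand-in for a clearing-house store; it takes the EMV cardholder name (tag 5F20, defined as 2 to 26 characters of the “ans” alphabet, approximated here as printable ASCII) and shows the parameterised insert beside the string-spliced anti-pattern.

```python
import re
import sqlite3

# EMV tag 5F20 (Cardholder Name) is "ans", 2 to 26 characters. Approximating that
# alphabet with printable ASCII is this example's own choice, not the spec's text.
NAME_RE = re.compile(r"[ -~]{2,26}")

def valid_cardholder_name(name):
    """Spec length and alphabet check, applied before the value reaches any SQL."""
    return isinstance(name, str) and NAME_RE.fullmatch(name) is not None

def setup():
    """Constructed in-memory schema standing in for a clearing-house table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authorisations (id INTEGER PRIMARY KEY, "
                 "pan_token TEXT, cardholder_name TEXT, amount_cents INTEGER)")
    return conn

def store_authorisation(conn, pan_token, cardholder_name, amount_cents):
    """Hardened path: the driver sends values separately from the statement text,
    so chip-sourced bytes are stored as data and never parsed as SQL."""
    if not valid_cardholder_name(cardholder_name):
        raise ValueError("cardholder name outside EMV 5F20 length/alphabet")
    conn.execute("INSERT INTO authorisations (pan_token, cardholder_name, amount_cents) "
                 "VALUES (?, ?, ?)", (pan_token, cardholder_name, amount_cents))
    conn.commit()

def store_unsafe(conn, pan_token, cardholder_name, amount_cents):
    """Anti-pattern: the same fields spliced into the statement. Even an honest
    name with an apostrophe breaks the query; a crafted one changes its meaning."""
    conn.execute(f"INSERT INTO authorisations (pan_token, cardholder_name, amount_cents) "
                 f"VALUES ('{pan_token}', '{cardholder_name}', {amount_cents})")
    conn.commit()

def stored_names(conn):
    return [row[0] for row in conn.execute(
        "SELECT cardholder_name FROM authorisations ORDER BY id")]

def unsafe_breaks(conn, cardholder_name):
    """True if the spliced query fails on this name (what a tester would observe)."""
    try:
        store_unsafe(conn, "tok-probe", cardholder_name, 1)
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    c = setup()
    store_authorisation(c, "tok-1", "O'BRIEN/P", 1250)
    print(stored_names(c), unsafe_breaks(c, "O'BRIEN/P"))
```

The same validate-then-parameterise pattern applies to every other card-sourced field (track data, issuer application data, and so on), not only the name.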

Meanwhile, I hope very much that these banks (and credit card clearing houses) are employing good/qualified technical pentesters and reverse engineers to uncover any possible flaws. Engaging such a team, and working closely with them from the backend services perspective, would help identify any security weaknesses in the entire system – not just the PED.

    Copyright 2001-2008 © Gunter Ollmann