Criminals hacked chip-and-PIN system by perfecting researchers’ PoC attack

When, in 2010, a team of computer scientists at Cambridge University demonstrated how the chip-and-PIN system used on many modern payment cards can be bypassed by making the POS terminal accept any PIN as valid, EMVCo and the UK Cards Association dismissed the attack as “improbable”.

After all, the researchers’ setup was bulky and had to be carried around in a backpack. But as it ultimately turned out, a year later an engineer based in France found a far less conspicuous way to perform the attack.

He (or she) soldered a FUNcard chip onto the chip from a stolen card, then embedded the combined assembly in the body of another stolen card.

The FUNcard chip was programmed to intercept the POS terminal’s PIN query and return an answer saying that the PIN is correct.

The card itself didn’t look suspicious – the “double” chip still allowed the card to be inserted into POS systems.

Cards modified in this way were used in France by a group of fraudsters who were ultimately arrested in 2011 and 2012 after repeatedly using them at the same few locations.

According to Wired, the French authorities estimated that before getting arrested, they managed to spend nearly 600,000 euros.

The technicalities of this successful approach have been recently shared by a group of researchers from the École Normale Supérieure (ENS) and the French Alternative Energies and Atomic Energy Commission (CEA). The group was called in to do forensic analysis of the cards used by the fraudsters once they were apprehended.

Since this discovery, EMVCo has implemented countermeasures that prevent the exploitation of the vulnerabilities that led to this attack, but it has not shared them with the public, so that criminals would have a tougher time bypassing them.
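To make the weakness concrete, here is an added simulation (not code from the article, the researchers or EMVCo) of the terminal-to-card PIN exchange described above, together with the issuer-side consistency check that the Cambridge researchers proposed in 2010: compare what the terminal reports about PIN verification with what the genuine chip itself records. EMVCo's actual countermeasures are not public; the check below, the simplified PIN block and the class names are assumptions of this example.

```python
# Constructed toy model of an EMV offline-PIN check. Only VERIFY (CLA 00, INS 20)
# is modelled in any detail; every other command is treated as "pass-through".
VERIFY = (0x00, 0x20)
SW_OK = b"\x90\x00"          # status word: command succeeded
SW_PIN_WRONG = b"\x63\xC2"   # status word: PIN wrong, 2 tries left (value constructed)

class GenuineCard:
    """The issuer's real chip. It keeps its own record of the PIN outcome, which in a
    real card feeds the Cardholder Verification Results covered by the cryptogram."""
    def __init__(self, pin: bytes):
        self.pin = pin
        self.pin_verified = False
    def transmit(self, apdu: bytes) -> bytes:
        if (apdu[0], apdu[1]) == VERIFY:
            self.pin_verified = apdu[5:] == self.pin   # simplified plaintext PIN block
            return SW_OK if self.pin_verified else SW_PIN_WRONG
        return SW_OK   # SELECT, GPO, GENERATE AC etc. are not modelled here

class InterposerChip:
    """Models the wedge the article describes: VERIFY is answered locally with
    'success' and never reaches the real chip; everything else is relayed."""
    def __init__(self, real_card: GenuineCard):
        self.real = real_card
    def transmit(self, apdu: bytes) -> bytes:
        if (apdu[0], apdu[1]) == VERIFY:
            return SW_OK
        return self.real.transmit(apdu)

def run_transaction(card, entered_pin: bytes, real_card: GenuineCard) -> dict:
    """Terminal sends VERIFY (P2=0x80: plaintext PIN) and records the result.
    Returns the two views an issuer receives: the terminal's and the genuine chip's."""
    apdu = bytes([0x00, 0x20, 0x00, 0x80, len(entered_pin)]) + entered_pin
    terminal_pin_ok = card.transmit(apdu) == SW_OK
    return {"terminal_says_pin_ok": terminal_pin_ok,
            "card_says_pin_ok": real_card.pin_verified}

def issuer_consistency_check(views: dict) -> bool:
    """True when the transaction should be declined or investigated: the terminal
    claims offline PIN success but the genuine chip never verified a PIN."""
    return views["terminal_says_pin_ok"] and not views["card_says_pin_ok"]
```

With a genuine card the two views agree whether the PIN is right or wrong; with the interposer in place the terminal reports success while the chip's own record says no PIN was verified, which is exactly the discrepancy an issuer can act on.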