Touted as a safer solution to magnetic stripe cards, it seems thechip-and-pin (or EMV) counterpart might not be as secure as we once thought.After retailers around the globe made the switch to the new technology we’re nowuncovering vulnerabilities in the cards that make them only marginally superior to their predecessor.
A new ATM hack demonstration shows just how vulnerable they are. In the demonstration, hackers were able to use a commonchip-and-pin card to withdraw money from an ATM in under 15 minutes.Rapid7, a small team of security engineers, demonstrated the hack at Black Hat, a hacker conference in Las Vegas.
Credit: Krebs on Security
A ‘shimmer’ device
New York, are you ready?We’re building Momentum: an all killer, no filler event this November.
Find out more
The hack involves a ‘shimmer,’ a skimming device that intercepts the signal between the ATM (or POS) machine that facilitates a MiTM (man-in-the-middle) attack once the card is inserted. The device then allows hackers to not just retrieve data from the card, but replicate both the chip and the magnetic stripe in addition to the PIN as the customer enters it. From there, hackers need onlydownload this data to re-create the victim’s card and use it in the same ATM.
If you’re thinking the thieves need elaborate or hard-to-find tools to pull off the hack, think again. All of this was done with around $2,000 and some really common items, such as a Raspberry Pi.
Credit: Krebs on Security
A ‘shimmer’ device inside an ATM
It should be noted, however, that the chip-and-pin card does have a security feature that offers some help should this happen to you ― the chip creates a unique transaction code for each new transaction. Since hackers can only use the card once, it’s marginally safer than its magnetic stripe predecessor.
But don’t get too excited; the researchers at Rapid7 say they could acquire up to $50,000 of your funds in a single go.
This ATM Hack Allows Crooks to Steal Money from Chip-and-Pin Cards on The Hacker News