Payment card cloning?
- Thread starter void
- Start date
- Status
Absolutely, that's just like taking a crash course in lock-picking and safe-cracking because you've misplaced your house keys and forgotten the combination to your safe, but you urgently need your jewels for the gala tonight.
wtf? yet another self-proclaimed security expert? can't you simply say what's wrong with my question or keep you mouth shut?
Cloning the mag stripe is relatively easy. You just need a card reader/writer. First read your card, save the data, and then run a blank card through the machine and encode your data to the mag stripe of that card.
Cloning EMV chips is much harder. The chip itself cannot be cloned but there are some security vulnerabilities that make it possible to trick a POS terminal or ATM. I'm not entirely sure about the technicalities of it. You can probably dig up some articles about it. The gist of it appears to be that EMV chips are still considered generally safe enough, but not as 100% secure as they were initially touted.
Toggle signature
This is the probably the answer to your question.
Cloning EMV chips is much harder. The chip itself cannot be cloned but there are some security vulnerabilities that make it possible to trick a POS terminal or ATM. I'm not entirely sure about the technicalities of it. You can probably dig up some articles about it. The gist of it appears to be that EMV chips are still considered generally safe enough, but not as 100% secure as they were initially touted.
Do you have something useful to contribute?
Toggle signature
This is the probably the answer to your question.
that's basically the root of my question - if any ATM or POS terminal can read the chip what makes it hard to make a copy (or device with the same physical interface) that presents the same data
Regarding the ease of cloning magnetic stripes, you're correct. Magnetic stripe data can be relatively easily captured and duplicated. This vulnerability is precisely why the industry has been shifting towards EMV (chip + PIN) technology. Globally there is a decrease in amount of places where there is swiping instead of dipping, so in the 'cool' places this would not be that useful.
EMV chips generate a unique transaction code for each payment, a feature that is meant to stop any cloning attempt. This makes EMV dynamic by nature, unlike magnetic stripes that present static information (basically saves you the unencrypted hassle of typing your numbers in). Also track data is encrypted on EMV, so you would also need a mathematical breakthrough to get info directly from the cards.
[1]
The most recent significant incident I can think of is probably OLB in Germany, where a gang in Brazil was able to clone and abuse cards that resulted in a ±1.5m euro payout [2]. But even in this case there was not really a flaw in EMV that was exploited, but flaws in applications/infra that assume EMV is trusted. E.g. there have been attacks where non-EMV transactions have been encoded as EMV transactions and passed through payment networks.
To really be able to pull this off on EMV chips you need to be able to insert yourself into pos/payment terminals and start there with deception, which is why currently organised groups are able to make this happen. You will need infra, technical expertise and a way to simultaneously cash out with all cards since fraud detection systems will kick in and nerds will make sure the attack stops.
Regarding my earlier reply, there really is no legitimate reason to clone your card. There was a better way to ask, but also a better way to respond to your question. Also I understand the sentiment since there are more areas of expertise than there are experts in security.
1. CS101 Introduction to Computing Principles
2. German bank loses €1.5 million in mysterious cashout of EMV cards
depends on your definition of "legitimate" - from my perspective there is an obvious use case that doesn't involve any theft/scam/whatever illicit motivation - I simply want to use my card in more than one place
fair enough, I appreciate your constructive response
this clearly needs more study and insight however on the first look I can imagine a specialized terminal that acts as a proxy and communicates with other devices presenting (not simultaneously) the same untampered data to the POS terminal for instance
Let's assume you are able to clone the card to use it in multiple places, now approach this theory from the Bank's POV. Even the shittiest fraud systems will employ anomaly detection based on impossible/infrequent travel. You will definitely trigger some alerts that will result in your card being blocked/reissued/investigated. Your bank will not accept that risk multiple times, so you are not even able to get stuck in the cycle of detection and replacement. Better would be to request an additional card, unless there is a specific reason why this is not possible that I am missing.
If you possess the necessary resources, executing an attack on EMV systems will be successful. There are certain implementation flaws that can be exploited for the use case you're describing. As previously mentioned, EMV transactions are dynamic. If you gain control over a POS terminal, it's possible to manipulate the card into generating a new cryptogram, which boils down to unique transaction data that is signed by the card. I was curious about recent developments and this method seems to be used by the Brazilian group I mentioned before. Found a figure that demonstrates the chain of attack.
Here's how it works: First, you initiate a legitimate transaction with the card and process it through the payment system. Then you trick the card into another transaction, capturing a new set of dynamic data. This data is then transmitted to a server under your control. Effectively, this process provides you with what can be likened to a 'blank cheque' that can be utilized on a terminal you manage.
This 'blank cheque' needs to be used quickly before the card is involved in another transaction. If the card engages in a new transaction, the data you hold becomes outdated. The bank will recognize this outdated information and the issuer will likely flag it as suspicious.
there are hundred of websites selling card copy machines, you can find them easily on google. I agree with the rest, it's something belonging the past, chip & pin is what they use today.
- Status