Incident: Chip-and-PIN Credit Card System Vulnerability Exploited by Fraudsters

Published Date: 2015-10-19

Postmortem Analysis
Timeline 1. The software failure incident of the French PIN-spoofing attack happened in 2010 as it was first demonstrated by a group of Cambridge University security researchers in that year [52548].
System 1. Chip-and-PIN system [52548]
Responsible Organization 1. French fraudsters [52548]
Impacted Organization 1. Credit card users in Europe and potentially America were impacted by the software failure incident involving the chip-and-PIN system being outsmarted by fraudsters [52548].
Software Causes 1. The software cause of the failure incident was a vulnerability in the chip-and-PIN system used in credit cards, which allowed criminals to implant a second chip inside stolen credit cards to spoof the PIN verification required by point-of-sale terminals [52548].
Non-software Causes 1. The criminals altered stolen credit cards by implanting a second chip inside them to spoof the PIN verification required by point-of-sale terminals [52548]. 2. The fraudsters miniaturized a backpack setup into a tiny FUNcard chip, which was used to bypass chip-and-PIN security [52548]. 3. The fraudsters used the FUNcard chip to create stealthy forgeries capable of performing the PIN-bypass technique [52548]. 4. The fraudsters used the forged cards to make fraudulent transactions, leading to their eventual detection [52548].
Impacts 1. The software failure incident involving the chip-and-PIN system allowed criminals to outsmart the system and conduct fraudulent transactions totaling nearly 600,000 euros (about $680,000) [Article 52548]. 2. The incident led to the arrest of five French citizens involved in the fraud ring, including the engineer who built the fraudulent cards [Article 52548]. 3. The fraudsters were able to create 40 PIN-spoofing forgeries from stolen credit cards, leading to over 7,000 fraudulent transactions [Article 52548]. 4. The incident highlighted vulnerabilities in the chip-and-PIN system that were previously considered unassailable, prompting the need for new security measures to be implemented [Article 52548].
Preventions 1. Enhanced security measures such as sending a command to verify a PIN before the user enters it to check if the card responds with a spoofed "verified" signal could have prevented the incident [52548]. 2. Implementing additional protections at the network level without disclosing specific details to avoid tipping off criminals could have helped prevent such attacks [52548].
Fixes 1. Implement new countermeasures to the vulnerabilities exploited by the fraudsters in both card readers and banking networks [52548]. 2. Enhance chip-and-PIN card readers to send a command to verify a PIN before the user enters it to check if the card responds with a spoofed "verified" signal [52548].
References 1. École Normale Supérieure university and the science and technology institute CEA 2. Cambridge University security researchers 3. EMVCo 4. UK Cards Association

Software Taxonomy of Faults

Category Option Rationale
Recurring unknown The articles do not provide information about a software failure incident happening again at either one_organization or multiple_organization.
Phase (Design/Operation) design The software failure incident described in the articles is related to the design phase. The incident involved a vulnerability in the chip-and-PIN system used in credit cards, which was exploited by criminals through a "man-in-the-middle" attack that took advantage of how cards and card readers communicate [52548]. This vulnerability allowed fraudsters to implant a second chip inside stolen credit cards, enabling them to spoof the PIN verification required by point-of-sale terminals. The incident highlights a flaw in the design of the chip-and-PIN system that criminals were able to exploit, leading to significant financial losses.
Boundary (Internal/External) within_system, outside_system (a) within_system: The software failure incident described in the articles is related to a chip-and-PIN system used in credit cards. The failure occurred within the system due to vulnerabilities in the chip-and-PIN technology itself. Criminals were able to exploit a known vulnerability in the system by implanting a second chip inside stolen credit cards, allowing them to spoof the PIN verification required by point-of-sale terminals [52548]. (b) outside_system: The failure was also influenced by factors outside the system, such as the criminal activities of the fraudsters who exploited the vulnerability in the chip-and-PIN system. The criminals used sophisticated techniques to alter credit cards and execute a "man-in-the-middle" attack, demonstrating how external threats can impact the security and functionality of a system [52548].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in this case was primarily due to non-human actions, specifically the vulnerabilities in the chip-and-PIN system that were exploited by criminals. The fraudsters altered stolen credit cards by implanting a second chip inside them, capable of spoofing the PIN verification required by point-of-sale terminals. This manipulation allowed them to execute a "man-in-the-middle" attack, intercepting the PIN query and replying with a spoofed "verified" signal regardless of the actual PIN entered by the fraudster [52548]. (b) However, human actions were also involved in this software failure incident. The criminals behind the fraud scheme actively exploited the vulnerabilities in the chip-and-PIN system by altering the credit cards with a second chip to bypass the PIN verification process. They used their technical skills to create stealthy forgeries that could be used for fraudulent transactions, demonstrating a high level of sophistication in their criminal activities [52548].
Dimension (Hardware/Software) hardware (a) The software failure incident in the article is related to hardware. The incident involved criminals altering stolen credit cards by implanting a second chip inside them to spoof the PIN verification required by point-of-sale terminals. This hardware manipulation allowed the fraudsters to execute a "man-in-the-middle" attack by intercepting the PIN query and replying with a spoofed "verified" signal regardless of the entered PIN. The fraudsters miniaturized the attack setup into a tiny FUNcard chip, which was then soldered to the stolen credit card's chip and glued back-to-back onto the plastic body of another stolen card, creating a stealthy device capable of bypassing chip-and-PIN security [52548]. (b) The software failure incident in the article is not directly related to software issues but rather to the manipulation of hardware components (chips) to exploit vulnerabilities in the chip-and-PIN system.
Objective (Malicious/Non-malicious) malicious The software failure incident described in the articles is malicious in nature. The incident involved criminals who outsmarted the chip-and-PIN system by altering stolen credit cards to implant a second chip inside them, capable of spoofing the PIN verification required by point-of-sale terminals. This attack was described as a "man-in-the-middle" attack that took advantage of vulnerabilities in the communication between cards and card readers [52548]. The fraudsters were able to execute this attack to spend nearly 600,000 euros from stolen credit cards, demonstrating a deliberate intent to bypass security measures for financial gain.
Intent (Poor/Accidental Decisions) accidental_decisions The software failure incident described in the articles is related to a security vulnerability in the chip-and-PIN system used in credit cards. This incident can be categorized as an accidental_decisions failure. The vulnerability exploited by the French fraudsters was a result of a flaw in the communication between the card's chip and the card reader, allowing for a "man-in-the-middle" attack to spoof PIN verification ([52548]). The incident was not due to poor decisions but rather a clever exploitation of a known theoretical vulnerability in the system.
Capability (Incompetence/Accidental) development_incompetence (a) The software failure incident in the article is related to development incompetence. The French fraudsters were able to outsmart the chip-and-PIN system by implanting a second chip inside stolen credit cards, capable of spoofing the PIN verification required by point-of-sale terminals. This attack took advantage of a long-known vulnerability in chip-and-PIN systems, demonstrating a high level of technical sophistication and expertise on the part of the criminals [52548]. (b) The software failure incident was not accidental but rather a deliberate and calculated attack carried out by the French fraudsters. They meticulously altered stolen credit cards to implant a second chip inside them, demonstrating a premeditated effort to bypass the security measures of the chip-and-PIN system [52548].
Duration temporary The software failure incident described in the articles is more of a temporary nature rather than permanent. The incident involved a specific vulnerability in the chip-and-PIN system that allowed criminals to exploit a flaw in the communication between the card's chip and the card reader to spoof PIN verification [52548]. This temporary failure was due to the specific circumstances and vulnerabilities present in the system that were exploited by the fraudsters. The vulnerabilities were later addressed and fixed in Europe, indicating that the failure was not permanent but rather a result of certain factors that were mitigated through new security measures.
Behaviour value, other (a) crash: The incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. Instead, the fraudsters manipulated the credit card system to bypass security measures and conduct fraudulent transactions [52548]. (b) omission: The incident does not involve the system omitting to perform its intended functions at an instance(s). The fraudsters actively altered the credit cards to implant a second chip inside them, allowing them to spoof the PIN verification required by point-of-sale terminals [52548]. (c) timing: The incident does not involve the system performing its intended functions correctly but too late or too early. The fraudsters' manipulation of the credit cards was aimed at bypassing the PIN verification process in real-time during transactions [52548]. (d) value: The incident does involve the system performing its intended functions incorrectly. The fraudsters altered the credit cards to implant a second chip capable of spoofing the PIN verification, leading to incorrect verification signals being sent to the card readers [52548]. (e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions. The fraudsters' manipulation of the credit cards was consistent in providing false verification signals to the card readers to authorize fraudulent transactions [52548]. (f) other: The behavior of the software failure incident in this case could be categorized as a sophisticated attack on the security system rather than a traditional software failure. The fraudsters exploited vulnerabilities in the chip-and-PIN system by altering credit cards to deceive the verification process, showcasing a high level of ingenuity and criminal sophistication [52548].

IoT System Layer

Layer Option Rationale
Perception network_communication, embedded_software <Article 52548> provides information about a software failure incident related to the embedded software layer of the cyber physical system. The incident involved a chip-and-PIN system used in credit cards where criminals altered stolen credit cards to implant a second chip inside them, capable of spoofing the PIN verification required by point-of-sale terminals. This manipulation of the embedded software within the credit cards allowed the fraudsters to execute a "man-in-the-middle" attack, intercepting PIN queries and replying with a spoofed "verified" signal regardless of the entered PIN. The fraudsters exploited a vulnerability in the chip-and-PIN system, showcasing how criminals can outthink security systems by manipulating the embedded software within the cards [52548]. Additionally, the incident also involved network communication errors as the fraudulent chip within the altered credit cards was able to listen for queries from the card reader and pre-empt the real chip with its own responses. This manipulation of network communication allowed the fraudsters to bypass the PIN verification process and successfully conduct fraudulent transactions [52548].
Communication link_level The software failure incident described in the articles is related to the communication layer of the cyber physical system that failed at the link_level. The incident involved a vulnerability in the chip-and-PIN system used in credit cards, where criminals were able to execute a "man-in-the-middle" attack by altering stolen credit cards to implant a second chip inside them. This fraudulent chip intercepted the PIN query and replied with a spoofed "yes" signal, bypassing the legitimate chip's verification process [52548]. This attack exploited the communication between the card reader and the chip in the credit card, indicating a failure at the link_level of the cyber physical system.
Application TRUE The software failure incident described in the articles is related to the application layer of the cyber physical system. The failure was due to contributing factors introduced by bugs and unhandled exceptions in the chip-and-PIN system used in credit cards. The criminals exploited a vulnerability in the system by implanting a second chip inside stolen credit cards to spoof the PIN verification required by point-of-sale terminals. This manipulation allowed them to execute a "man-in-the-middle" attack, intercepting PIN queries and replying with a spoofed "verified" signal regardless of the entered PIN, thus bypassing the security measures [52548].

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence, other (a) death: People lost their lives due to the software failure - There is no mention of any deaths resulting from the software failure incident described in the article [52548]. (b) harm: People were physically harmed due to the software failure - There is no mention of physical harm to individuals due to the software failure incident described in the article [52548]. (c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted by the software failure incident described in the article [52548]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident described in the article [52548] resulted in financial losses, with criminals managing to spend nearly 600,000 euros (about $680,000) from stolen credit cards by exploiting vulnerabilities in the chip-and-PIN system. (e) delay: People had to postpone an activity due to the software failure - There is no mention of people having to postpone activities due to the software failure incident described in the article [52548]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident described in the article [52548] primarily impacted the security of credit card transactions and the vulnerabilities in the chip-and-PIN system, with fraudsters successfully altering stolen credit cards to bypass PIN verification. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident described in the article [52548] had real observed consequences, including financial losses resulting from fraudulent transactions. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The article [52548] discusses the theoretical vulnerability in chip-and-PIN systems that was exploited by the fraudsters, which had potential consequences that were realized in this case. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The primary consequence of the software failure incident described in the article [52548] was financial loss due to fraudulent transactions carried out by exploiting vulnerabilities in the chip-and-PIN system.
Domain finance (a) The failed system in the article is related to the finance industry. The incident involved a chip-and-PIN system used in credit cards to prevent fraud, but criminals were able to outsmart the system and conduct fraudulent transactions amounting to nearly 600,000 euros [Article 52548].

Sources

Back to List