August 29, 2016
New Chip Cards May Not Be As Secure As Expected
Remember not long ago, when the big credit card issuers went on at some length touting their latest advances in smart chip technology? The new tech was supposed to vastly improve the security of credit cards, rendering them virtually immune to hacking. Well, it turns out that might have been a bit of an overstatement.
At a recent Black Hat security conference in Las Vegas, a pair of presentations were made, giving the attendees a taste of what’s to come. Both presentations revealed flaws in the security as currently designed. While these flaws present a significant challenge for even a skilled hacker, the fact that they were found and revealed at all is disturbing, and no doubt, it means that toolkits will be developed and made accessible to less talented hackers, which will broaden the scope of the threat.
In the first presentation, a technique was demonstrated whereby the card reader was fooled into thinking that the credit card in question had no smart chip, thus circumventing the added security protocols entirely.
The second, and more ambitious of the two demonstrations, involved stealing the temporary, dynamic number generated by a smart chip. There’s only a very brief window of time to pull this off, but the attempt was successfully made and demonstrated on stage.
These two hacking methods are added to the technique demonstrated by a security researcher last year, in which he reverse-engineered the algorithm to determine the number of a replacement card on American Express cards. Simply get enough information to report the card stolen, have the company issue a replacement, and a hacker can use the new card number to make purchases.
We’ve seen all this before.
In the 1990s, Sony spent billions in an attempt to create DVDs that could not be copied, only to see their significant investment undone in about a week’s time, and with something as simple as a permanent marker, no less. Suffice it to say that there has yet to be a security measure devised that some hacker, somewhere has not been able to figure a way around.