Can You Make a Million Dollars a Second? Hackers Can, Thanks to a New Chip-n-PIN Flaw
Halloween has just come and gone, but news of a flaw recently found in Chip-n-PIN credit cards is enough to turn anyone pale as a ghost.
Imagine this: a hacker, armed with nothing more than a mobile phone, can steal up to a million dollars from you, simply by bumping into you for less than a second.
Unfortunately, this flaw is all too real. Researchers at Newcastle University in the UK have discovered that Chip-n-PIN cards can be tricked into approving transactions made in foreign currencies, up to a maximum of 999,999.99.
Worse yet, these cards allow for contactless transactions, and mobile phones turned into makeshift POS systems can scan and approve transactions just by being near a victim. Your credit card could be in your wallet, tucked away in your back pocket, but a hacker would only have to bump into you lightly to get the transaction approved.
Researchers found that a contact time of less than a second is enough for hackers to siphon your simoleons, so they won’t even have to resort to strange means of maintaining a long contact time, such as pretending to give out free hugs.
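An issuer-side authorization check that catches the pattern the research describes (contactless, no cardholder verification, foreign currency, an amount up to the 999,999.99 ceiling), written as an added example and not code from the Newcastle researchers or from Ground Labs; the home currency, the limits and the sample records are constructed assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed values for illustration; real limits are set per issuer and card scheme.
HOME_CURRENCY = "GBP"
CONTACTLESS_NO_CVM_LIMIT = 20.00    # ceiling for a contactless payment with no PIN
EMV_AMOUNT_MAX = 999_999.99         # the largest amount the research found approved

@dataclass
class Transaction:
    card: str            # card token, not a real PAN
    amount: float
    currency: str
    contactless: bool
    cvm_performed: bool  # PIN, signature or on-device verification completed

def flag_transaction(tx: Transaction) -> list[str]:
    """Reasons an issuer should decline or hold this authorization; empty if it looks normal."""
    reasons = []
    if tx.contactless and not tx.cvm_performed:
        if tx.currency != HOME_CURRENCY:
            reasons.append("foreign-currency contactless with no cardholder verification")
        if tx.amount > CONTACTLESS_NO_CVM_LIMIT:
            reasons.append("amount above the no-CVM contactless limit")
    if tx.amount >= EMV_AMOUNT_MAX:
        reasons.append("amount at the EMV field maximum")
    return reasons

def review(txs: list[Transaction]) -> dict[str, list[str]]:
    """Map each flagged card token to the reasons its authorization was flagged."""
    return {tx.card: r for tx in txs if (r := flag_transaction(tx))}

# Constructed sample authorizations as an issuer might see them
SAMPLE = [
    Transaction("tok-1", 4.50, "GBP", True, False),          # an ordinary tap at a local shop
    Transaction("tok-2", 250.00, "GBP", False, True),        # chip-and-PIN purchase, verified
    Transaction("tok-3", 999_999.99, "USD", True, False),    # the pattern described above
    Transaction("tok-4", 35.00, "EUR", True, False),         # foreign currency, over limit, no PIN
]

if __name__ == "__main__":
    for card, reasons in review(SAMPLE).items():
        print(card, "->", "; ".join(reasons))
```

The point of the check is that the card itself does not enforce the contactless limit for a foreign currency, so the limit has to be enforced at authorization time by the issuer.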
For a long time, the US has been racing to implement Chip-n-PIN technology in its own credit card systems. Data breaches are taking place left and right because outdated magnetic-stripe credit cards are still widely used across the US, and consumer data is much easier to steal off a magnetic-stripe card than a Chip-n-PIN one (for more information, check out this earlier blog post). It's somewhat ironic that the very technology thought to save the US from data breaches is now proving perhaps even more vulnerable. It's like finding an oasis in a desert and getting closer only to find that it was a mirage all along.
New exploits and flaws are always being discovered, and hackers are always ready to take advantage of them. For example, a new piece of criminal software, "Voxis Platform", allows criminals to launder money and bypass the fraud detection systems of popular payment providers like PayPal, WorldPay and Stripe. And recently Lucas Zaichkowsky stated at Black Hat 2014 that "People think that if we switch to EMV, these breaches will go away, but that's not true", highlighting the hidden truths behind EMV technology in a presentation on POS system architecture and security.
Even two-factor authentication, which is so widely regarded as being a much needed layer of security over passwords, is not foolproof. A teenage whitehat hacker managed to bypass PayPal’s two-factor authentication system “easily”, by simply spoofing a browser cookie set when users link their eBay and PayPal accounts.
The point is this: data security is like a sandcastle built on the seaside. “Secure” is but a temporary state; technology is always changing, and hackers are always looking for new ways to get into secure systems to cash in big.
While technology is constantly changing, data security methods have not changed much. The conventional wisdom still largely applies, whether you're out to protect yourself or an entire organisation: stay informed, patch everything, monitor your data, don't store anything you don't need, and encrypt what you have a business-justified reason to store.
For the people tasked with protecting sensitive data like credit card or social security numbers, one extra layer of security Ground Labs offers is scanning data systems for sensitive data and securing what is found. By taking the very data that hackers are trying to steal out of the equation, even if you do suffer a breach you'll be much better off than if you were storing countless records of sensitive data.
Free trial licenses for Card Recon and Enterprise Recon are available on the Ground Labs website, and if you’re looking for that something extra to make yourself that much more secure, give our products a shot.
Want to keep up with all our blog posts? Subscribe to our newsletter!