The new credit card with a chip in it in your wallet ‒ touted as being less vulnerable than the old magnetic swipe version ‒ isn’t as safe as you think. Hackers at Black Hat proved once again that chip-and-PIN cards are not as impenetrable as they seem.
It only takes small modifications to equipment to bypass the chip-and-PIN protections and enable unauthorized payments, multiple researchers at the Black Hat convention in Las Vegas, Nevada, demonstrated on Wednesday.
The new cards, which began rolling out in the US in October 2015, use technology ‒ called Europay, MasterCard and Visa (EMV) ‒ that has long been standard in Europe. It’s designed to prevent the duplication of cards and crack down on the use of stolen cards. The cardholder inserts the chip into a card reader, then enters a personal identification number, or PIN. However, in the US, the financial industry only requires a signature after the chip is read, which is less secure. Some retailers have ignored the new technology altogether, and just ask customers to swipe their chip cards, the same as a traditional credit or debit card. At Black Hat 2016, as in past conferences, hackers focused on the more secure chip-and-PIN requirements.
A team from Rapid7, a cybersecurity consulting firm, made a mostly unmodified ATM spit out hundreds of dollars in cash.
“The modifications on the ATM are on the outside,” Tod Beardsley, security research manager for Rapid7, who oversaw the hack, told the BBC. “I don’t have to open it up. It’s really just a card that is capable of impersonating a chip. It’s not cloning.”
The team used a shimmer device called La-Cara, a $2,000 automated cash out machine that works on current EMV ATMs that is placed in card …