Crime Syndicate gets RFID Savvy
A gang of Sri Lankan credit card fraudsters ran amok in the city three months ago and may have heralded in a new type of cyber crime. The Deccan Chronicle and The Hindu reported that the gang of four men were caught with 116 international credit cards, rs. 6.5 lakhs ($14,000) and 31 stolen passports.
They had allegedly stolen credit card information from unsuspecting people in the UK and had managed to manufacture fake cards that would work on Indian ATMS.
What the stories didn't report was why the men had to travel half-way across the world to withdraw cash. It was a question that would fuel several days of research and a flurry of e-mails across cyberspace. A few days beforehand I had read an article in Wired by Annalee Newitz about hackers who managed to sneak their way past poorly encrypted radio frequency identification chips (RFID) to gain access to credit card information, access into restricted areas and to copy passports. I thought there could be a link between the thieve's copied cards and their trips to India. While Newitz's story focused on the ways to hack past RFID security, the gang of Sri Lankan thieves seemed to have come across an even more effective solution. Why hack when you can bypass the problem completely?
All new credit cards in the UK come embedded come with RFID chips that contain different pieces of user information, in order to access the account and withdraw cash the ATMs has to verify both the magnetic strip and the RFID tag. Without this double verification the ATM will confiscate the card, and possibly even notify the police. ATM's in India, however, only verify magnetic strips and have yet to catch up with advances in western technology.
Under the direction of a computer savvy crime boss, the thieves collected credit card numbers from an unscrupulus gas station attendant in London and uploaded the electronic information to the magnetic strips on the back of phone cards. Then they caught a flight to India.
Since the Indian ATMs only had single point verification the gang was able to exploit the technology gap all across Tamil Nadu and netted a neat sum. They would have gotten away with it, too. The police didn't have a clue it was happening, and it was only when an unusually attentive security guard posted outside an ATM noticed a man withdrawing cash from multiple cards in succession that he was able to tip off the cops.
I arrived at the police station early the next day after the cops had had time to interrogate the prisoners. I interviewed the Assistant Commissioner of Police who proudly proclaimed that this was the cyber crimes unit first arrest in its three years history, and he was eager to fill me in on the details. He said that while the prisoners were initially reluctant to spill information on their boss, it was only after a long night of interrogation they proffered up the name of a man in central London.
I spoke with him for almost an hour until it was clear to me that the Cyber Crime Unit was entirely unfamiliar with recent developments in credit card security. The commissioner had never heard of RFID chips, and he asked me to fill him in on everything I knew. I directed him to Wired's website and suggested he read Newitz's article.
The next frontier in cyber crime just may be thieves exploiting the gap between new and old technologies in different parts of the world. While security in the West ramps up at an alarming rate, much of India (and the rest of the third world), has no ability to keep up. Law enforcement is generally unaware of what is happening globally so that criminals in the Western world don't even need to be on the top of their game to beat the system. All they need is a plane ticket. Had these fraudsters just been a little less greedy they would have traveled back to the UK rich men.
**Aug 9 UPDATE: Several people have written in that UK cards don't use RFID, but a different kind of double verification system. Not having been to the UK in almost 25 years, I am going to have to assume they are correct. The mechanics of the crime, however, remain the same. There is a gap between technologies that thieves are able to exploit.
14 Comments:
hmmm...Real scary, Scott!!
See more here
http://www.schneier.com/blog/archives/2006/08/hackers_clone_r.html
shanks
Agreed.. Scary and yet cool..
Sorry but this is incorrect.
UK ATM cards do not have RFID. We now use Chip&PIN (a contact based circuit) backed up by the traditional magstripe.
Retailers who don't have a functioning Chip&PIN system running (a substantial investment) can still accept payment using the magstripe and signature.
How did they get the PINs? I've never used an ATM anywhere in the world that didn't require a PIN in addition to the card.
The PIN would be the same as the one UK cardholders have to enter when making credit card purchases. The gas station attendant would probably just watch the customer enter the pin having just swiped the card.
Technically, shopkeepers are not allowed to touch your card any more - you have the right to insert the card into the reader, and enter the pin.
The PIN would be the same as the one UK cardholders have to enter when making credit card purchases. The gas station attendant would probably just watch the customer enter the pin having just swiped the card.
Technically, shopkeepers are not allowed to touch your card any more - you have the right to insert the card into the reader, and enter the pin.
I would have thought that ATMs don't use the chip and the magnetic stripe at the same time. On chip and PIN terminals in shops, the left-hand end of the card (which is where the chip sits) is inserted into a slot on the PIN keypad. It's impossible for the magnetic stripe to be read, because only part of the card goes into the slot.
Erm UK bank cards don't use RFID, they use contact based smartcards. This article is incorrect.
(Others have pointed out that it's not RFID).
This is just a continuation of the fraud at the petrol (gasoline) stations, where they'd modified the PIN pad to take a copy of the PINs as they were typed in. (Something you weren't meant to be able to do, but they were cheapskates and didn't buy the anti-tamper versions apparently.)
It was reported quite some time ago, and was in all the newspapers,
BBC News
and on ukcrypto
looks like pure greed got them scumbags caught! LOL
This idea isn't exactly new. In pre-internet days, it wasn't unheard of for carders to run a stolen high-limit card until it quit working, then take off on an around-the-world spending spree - knowing they had at least another 24 hours before the "stolen card" warning propagated to the foreign procesors.
I don't know about the UK, but we have lots of cash machines that only dispense cash. They're not ATMs, they just have a swiping card reader, keypad for the PIN, display and printer (and cash mechanism). Sounds like these machines would be a good target for this kind of fraud since the machine cannot capture the card.
Actually, we also have lots of ATMs that have swipe readers that couldn't capture cards either. But they could notify authorities and take pictures.
Well......I am Zapped!
I guess thieves are always one step ahead of technology!
Joydeep Saha
Post a Comment
<< Home