Researcher Hacks into Credit Card Magnetic Strips

2008-02-21

RFID security guru releases a test program that can read chip and PIN credit cards using the EMV standard.

WASHINGTON – Personally identifiable information baked into the magnetic strip on your credit card can be easily hijacked by hackers using lightweight tools, according to a warning from RFID security guru Adam Laurie.

At the Black Hat DC briefings here, Laurie announced the release of CHaP.py, a test program created to read chip and PIN credit cards using the EMV standard.

EMV, named for the three companies that developed the standard – Europay, MasterCard and VISA – handles authentication of credit and debit card payments.

Laurie, who works as chief security officer and director of U.K.-based The Bunker Secure Hosting Ltd., plans to integrate CHaP.py into the RFIDIOt, the popular open-source python library for exploring RFID devices.

The early version of CHaP.py only works with PC/SC readers, Laurie said during a Black Hat demo. However, it does support both the physical chip and RFID interfaces, meaning that AmEx Expresspay and MasterCard PayPass can be easily hacked.

He said the tool can be used to hijack sensitive information off the magnet strip, including the card owner's name, the primary credit card account number and other identifiable account information.

Using this data, a malicious attacker can use existing tools to clone the hacked credit card, he said.


http://www.eweek.com/c/a/Security/Researcher-Hacks-Into-Credit-Card-Magnetic-Strips/

There's nothing wrong with Python, per say. Much serious work is done with Python and Perl.

-Hoot

They used up all this time and money figuring out how to decipher and duplicate a credit card. Why bother when you already have the card in your possession?

Oh, and they can read the card account number of the strip? But the account number is already printed on the front of the card!!!

The article does not go into much more detail regarding what 'personal' information is being obtained.

Maybe the hardware technology is impressive or I'm just failing to see the point.

If a machine that reads the card info off the magnetic strip did not already exist, what have I been swiping my f'ing cards through all these years when making purchases?

i don't know the technology but there's some sort of skimming program that is getting the information when you use your card for whatever

then at their end they put the information onto a duplicate card and go on a spending spree but it can be in a distant city or even in another country -- as i say in my other post, this most recently happened to a buddy who was in central america and the clone was being used in new york

if you are robbed at gunpoint or have your pocket picked, you know the card is missing and they don't even get one chance to spend on the card any more, this way they can slip in a few charges before the cc co. figures it out -- you as the customer still have your physical card so you have no idea what's going on until the credit card co. closes your account

I think that was the main distinction of the technology in the article.

Either way, good reason to use cash.

I use cash because it makes it easier to stay on budget, now there's another reason.

i wonder if amex is esp. easy to hack because a buddy who uses it has already had this happen twice

fortunately he could show he was in central america while the clone was being used in new york, in fact, amez is the one who alerted him and told him that they thought he'd been cloned