Chip cards have not been cloned, but fraud involving cards and terminals gains media attention in Brazil (16.nov.2014)

The news story “Gang uses bluetooth to clone the chip cards and moves millions”, aired last Sunday (11/16/2014) on the Brazilian television show “Fantástico”, made strong statements about the security of electronic payment systems in Brazil and left many people worried.

Images of skimming devices installed by the gang in payment terminals, blank chip cards and statements like “there is strong evidence that carders achieved the cloning of chip cards” gained great media attention (20.6 rating points in the “Fantástico” show, almost the same as in the elections, when the program reached 24 points, according to OTVFoco.com.br).

Some facts, however, need to be clarified and contextualized.

First, it is important to clarify the difference between cloning — which by definition would be a perfect, indistinguishable, copy of the original card — and a rough copy of some public data, which is what has apparently happened.

We have evidence the attacks reported on the show are based on two well-known techniques:

  1. Generating fraudulent cards from public data: this attack consists of capturing public data from legitimate cards and generating new (but not identical) cards. These new, fraudulent cards do not have the same security credentials as the originals, but can be used in environments where issuers do not correctly implement all necessary authentication mechanisms. In environments where all security processes are implemented, these imperfect “clones” simply do not work.
  2. Replay attacks: in these attacks, an opponent resends previous, legitimate transaction data, typically mixed with new fraudulent data. When issuers do not properly evaluate all data received, duplicate transactions may be mistaken for genuine ones.
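
An added example, not part of the original statement or any PaySmart code: a minimal issuer-side authorization check showing why both techniques fail once the cryptogram and the transaction counter are validated. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the key, card identifier, field names and sample transactions are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real issuer derives per-card keys inside an HSM.
CARD_KEYS = {"CARD-0001": b"constructed-demo-card-key"}
last_atc = {}  # highest transaction counter accepted so far, per card


def cryptogram(key, amount, currency, date, terminal_nonce, atc):
    """Stand-in for the card's cryptogram: a MAC over the transaction data."""
    msg = f"{amount}|{currency}|{date}|{terminal_nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def authorize(txn):
    """Issuer-side decision: returns (approved, reason)."""
    key = CARD_KEYS.get(txn["card"])
    if key is None:
        return False, "unknown card"
    # Recompute the cryptogram over every parameter the issuer received.
    expected = cryptogram(key, txn["amount"], txn["currency"], txn["date"],
                          txn["terminal_nonce"], txn["atc"])
    if not hmac.compare_digest(expected, txn["cryptogram"]):
        return False, "cryptogram mismatch"
    # A valid cryptogram seen before is still a replay: the counter must advance.
    if txn["atc"] <= last_atc.get(txn["card"], -1):
        return False, "transaction counter reused"
    last_atc[txn["card"]] = txn["atc"]
    return True, "approved"


def demo():
    key = CARD_KEYS["CARD-0001"]
    genuine = {"card": "CARD-0001", "amount": 5000, "currency": "986",
               "date": "141116", "terminal_nonce": "9f3a11c2", "atc": 41}
    genuine["cryptogram"] = cryptogram(key, 5000, "986", "141116", "9f3a11c2", 41)
    # Card built from public data only: it has no key, so its cryptogram is a guess.
    rough_copy = dict(genuine, atc=42, cryptogram="0" * 16)
    # Earlier legitimate message resent with a new, fraudulent amount.
    altered = dict(genuine, amount=90000)
    # Order: genuine, rough copy, altered replay, exact replay of the genuine message.
    return [authorize(t) for t in (genuine, rough_copy, altered, genuine)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

An issuer that skips either check approves the rough copy or one of the replays, which is the gap the two techniques rely on.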

The news story also highlights the supposed uniqueness of the attacks (“the first time in the world where this sophisticated technology has been violated!”), whereas similar attacks have been recorded (and prevented) in the past.

The show used analogies to try to explain the fact that the attack takes advantage of flaws in the implementation of authorization systems:

“The chip is like a house that needs some security in order not to be hijacked by thieves. The house is safe, you cannot enter in normal conditions. Normally, that street would have police control. (…) What happened is that some institutions have implemented streets with no guards or with very few guards.”

The analogy is valid — some institutions were not implementing all necessary authentication mechanisms. However, the show fails to clarify that this is basically a problem of terminals and authorization systems and not “chip card cloning”.

We have been contacted by dozens of people worried by the news and would like to reiterate here what we have already explained to each of them:

  1. The fraud was not “cloning” itself, but a rough copy of public data. Chip cards have not been cloned by these criminals and, in fact, remain infinitely more secure than magnetic stripe cards, which are indeed easily cloned.
  2. As an industry, we need to emphasize the need to implement the best practices of chip card authorization, which include validating the cryptograms generated by the cards and validating all transaction parameters to avoid replay attacks.
  3. PaySmart customers are protected from the attacks described in the show and protected from several other attacks. To learn more, please contact us here.