Just in Time for the Holidays; History’s Worst Credit Card Hack

If you ever attend a black hat hacker convention, you will be warned not to carry credit cards. You are advised to keep all credit cards in your hotel room or, if you must carry them, to bunch them together or put them in a special holder. But wait a minute. Aren’t retailers supposed to be using the new chip-and-PIN cards (aka EMV cards)? Well, yes, but as of the last survey, 75% of businesses aren’t really using the technology to its full, secure extent. They haven’t purchased the new chip card readers and many chip-and-PIN cards are actually being converted into chip-and-signature cards. In other words, credit cards are still vulnerable to the same old hacking attacks.

Individual credit cards are hackable because they emit signals. That’s why swiping them gives the retailer the information it needs to let you make a purchase. The card’s information is in the signals. If a criminal carried a device that could read these signals, say, from your wallet or purse, they could get this information. “So what?” I hear you saying. “They still don’t have my card, only my information. How can they buy something without the card?” Yeah, in ancient times you’d be correct. They would have to clone a new card with your information on it and then fake your signature. This is actually pretty easy to do. As far as faking the signature is concerned, how many times do clerks really subject it to close scrutiny when you buy something? The new chip-and-PIN cards are safer because the two-factor authentication needed to use them involves entering a special PIN at the point of purchase that only the user knows. The user types this PIN into a special card reader. In addition, each transaction is encrypted.
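To make the difference between the two card types concrete, here is a toy simulation added to this post (it is not the author’s code and not a real EMV implementation): a magnetic stripe hands over the same static track data on every swipe, so a single captured copy is enough to authorize later purchases, while a chip card answers each transaction with a cryptogram bound to a counter and a terminal challenge, so a captured response is rejected when replayed. The PAN, PIN, key, nonces and amounts are constructed sample values, and HMAC-SHA256 stands in for the MAC a real card computes.

```python
"""Toy model (added example, not real EMV): why captured magstripe data can be
replayed but a captured chip cryptogram cannot.  All values are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


# --- Magnetic stripe: static data, identical on every swipe ------------------
@dataclass
class MagstripeCard:
    pan: str
    expiry: str

    def swipe(self) -> bytes:
        # Track data never changes; whoever captures it once holds a usable copy.
        return f"{self.pan}={self.expiry}".encode()


class MagstripeIssuer:
    def __init__(self, pans):
        self.pans = set(pans)

    def authorize(self, track: bytes, amount: int) -> bool:
        pan, _, _ = track.decode().partition("=")
        return pan in self.pans  # nothing ties this swipe to this purchase


# --- Chip card: per-transaction cryptogram over counter + terminal challenge --
@dataclass
class ChipCard:
    pan: str
    key: bytes  # issuer-shared secret that never leaves the chip
    pin: str
    atc: int = 0  # application transaction counter, increments every use

    def transact(self, pin_entered: str, amount: int, terminal_nonce: bytes) -> dict:
        if not hmac.compare_digest(pin_entered.encode(), self.pin.encode()):
            raise PermissionError("PIN rejected")
        self.atc += 1
        msg = (self.pan.encode() + self.atc.to_bytes(2, "big")
               + amount.to_bytes(4, "big") + terminal_nonce)
        # Real EMV uses a 3DES/AES MAC over a defined data set; HMAC stands in here.
        cryptogram = hmac.new(self.key, msg, hashlib.sha256).digest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "nonce": terminal_nonce, "cryptogram": cryptogram}


class ChipIssuer:
    def __init__(self, keys):
        self.keys = dict(keys)  # pan -> shared key
        self.last_atc = {pan: 0 for pan in self.keys}

    def authorize(self, req: dict, expected_nonce: bytes, amount: int) -> bool:
        key = self.keys.get(req["pan"])
        if key is None or req["amount"] != amount or req["nonce"] != expected_nonce:
            return False  # wrong card, wrong amount, or answer to a different challenge
        if req["atc"] <= self.last_atc[req["pan"]]:
            return False  # counter already seen: a replay
        msg = (req["pan"].encode() + req["atc"].to_bytes(2, "big")
               + amount.to_bytes(4, "big") + expected_nonce)
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False
        self.last_atc[req["pan"]] = req["atc"]
        return True


def demo():
    """Returns (clone_replay_ok, genuine_chip_ok, chip_replay_ok, same_nonce_replay_ok)."""
    # Constructed sample card; the PAN is a well-known test number, not a real account.
    mag = MagstripeCard("4111111111111111", "2812")
    mag_issuer = MagstripeIssuer([mag.pan])
    captured_track = mag.swipe()  # read once by a skimmer
    clone_replay_ok = mag_issuer.authorize(captured_track, 4999)

    chip = ChipCard("4111111111111111", key=os.urandom(16), pin="1234")
    chip_issuer = ChipIssuer({chip.pan: chip.key})
    nonce1 = os.urandom(4)
    req = chip.transact("1234", 2500, nonce1)
    genuine_chip_ok = chip_issuer.authorize(req, nonce1, 2500)
    # The same captured response resent for a new purchase at another terminal...
    chip_replay_ok = chip_issuer.authorize(req, os.urandom(4), 2500)
    # ...or even with the original challenge: the counter has already been used.
    same_nonce_replay_ok = chip_issuer.authorize(req, nonce1, 2500)
    return clone_replay_ok, genuine_chip_ok, chip_replay_ok, same_nonce_replay_ok


if __name__ == "__main__":
    print(demo())  # expect (True, True, False, False)
```

The issuer-side checks are where the value lies for a defender: the card’s secret never crosses the wire, the counter makes every cryptogram single-use, and the terminal challenge ties it to one purchase, so skimming the exchange yields nothing reusable. Falling back to the magnetic stripe discards all three properties at once.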

In the past, crooks would try to make a cloned card. Nowadays, most purchases are CNP (Card Not Present) transactions. People buy online with credit card numbers and maybe the special 3-digit code on the back of the card. You don’t need to enter a PIN for that. If I can get enough of your personal information, I can open an account in your name and use your stolen credit card information, or I can simply use your existing accounts. My own European credit cards have chip-and-PIN capabilities, but they also have a magnetic strip in case I find myself in a country where they lack the instrumentation for dealing with chip-based cards… like most of America. In other words, my secure cards are only secure if I use them in the correct card readers. European ATMs require PINs, and this often dumbfounds American tourists who have no idea what their PIN is.

Most American chip-and-PIN credit cards will also have magnetic strips. They will, therefore, continue to be vulnerable to hacking attacks. This is especially important to keep in mind during the holiday season, when many major PoS (point of sale) credit card attacks occur, like the infamous Target hack which compromised 40 million credit cards. The malware for such attacks is already in place. In fact, it has even been identified. This new, sophisticated, credit-card-stealing malware has been named ModPOS.

Let me make it clear that ModPOS is not the only credit card hacking program out there. There are, in fact, quite a few of them. It is only that ModPOS is the ‘best’ of the lot. In fact, some have called it “the most complex PoS malware ever seen.” The bad news: it was only discovered by most retailers after the big Thanksgiving shopping sales, though a report on its existence appeared a month before this. This means that millions of credit cards have probably already been compromised and the malware is probably still installed in the networks of major retailers who know absolutely nothing about it. This malware is so complex that it must have taken considerable effort and expense to create. You don’t spend so much time building such malware to only attack a few individuals or small firms. You go for the top. For those interested in the more technical details of this malware, the main report on the attack vector can be found here and is best summarized in the following diagram:


The malware cannot be detected with normal antivirus programs or, for that matter, with anything else. It leaves very few clues to its existence. As the analysts point out, ModPOS can “use multiple methods of obfuscation and encryption to evade even the most sophisticated security controls.” In other words, the holiday season will be long past before the world learns of any major breaches. Who’s behind it? The report does not make this clear, although they do say that indications are that it may come from Eastern Europe. All we know for sure is that it is made to target US retailers, probably because of the widespread use of insecure credit cards.

The correct use of chip-and-PIN cards will go a long way towards keeping your information safe. Yes, like any technology that relies on software, they can still be vulnerable to certain types of attacks, especially man-in-the-middle attacks. Criminals looking to profit from PoS credit card hacks will always find ways to do so.

Protecting your own cards from attacks involves using other strategies. As long as your card has a magnetic strip, it is emitting information that anyone with a good RFID (radio frequency identification) reader can intercept. Some of these readers you can buy online and others you can download as apps to use on your smartphone. True, you usually have to get within 6 inches (15 cm) of someone’s card to get the information, but some of these readers claim they can work from up to three feet (1 m) away. To stop someone from stealing your personal data, you can bunch your credit cards together to confuse the reader or you can buy a special RFID blocking sleeve. Metal foil can also be used. All of this may seem a bit paranoid, but for those who would rather be safe than sorry, these strategies are good to know. However, attacks on individual credit cards will be quite rare. The truth is that most people will lose control of their credit cards through PoS hacks over which they have no real control. As usual, always keep a careful eye on your credit card records and report any questionable transaction. This is the only way most retailers will ever know that their networks have been compromised by malware. The rest of us will learn of the current attacks later next year; a rather grim late Christmas present.
