Reports about cloning debit cards have been all around, for instance here. The combination of cloning cards and making millions with a fraud scheme instantly makes smart card people happy: we told you that your magstripe cards would lead to big problems!
OK. But let’s try to analyze this a bit deeper.
First, the attack:
- It relies on cloning. A good point for smart cards, which claim to be more difficult to clone.
- It can interest organized crime. We are talking millions here. If this can be repeated, it is a strong point in favor of good security, because the attackers can invest a few thousand dollars in breaking the card.
Again, I told you so! But I also need to bring up a few not so strong points:
- No authentication issues. Apparently, in these attacks, the attackers know the PIN code, either because they own the original card, or because they stole the PIN code with the card (not that hard, try it while waiting in supermarket or money dispenser lanes).
- A key part of the attack consists in hacking a server somewhere, to make a system believe that a card has no limit (or a very high limit). No card involved here, so no good point for a smart card.
Of course, I will now tell you that these arguments don’t hold.
- Smart card PIN authentication also authenticates the card. When performing an EMV transaction, the PIN is verified by the card, and that fact allows a cryptogram to be generated. When the payment terminal or server verifies this cryptogram, it will know that the user has been authenticated and the original card has been used. That links authentication to cloning, which is good for our case.
- About servers, there is nothing to say. There are so many breaches in all kinds of servers worldwide that nobody would rely solely on servers for reaching a good level of security.
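
To make the link between PIN verification and card authentication concrete, here is a simplified model added for illustration; it is not real EMV code. HMAC-SHA256 stands in for the EMV cryptogram algorithm, and the `Card`, `issuer_verify` and `demo` names, the one-byte PIN flag and all sample values are assumptions.

```python
import hashlib
import hmac
import os

def _mac(key, amount, nonce, atc, cvr):
    # HMAC-SHA256 truncated to 8 bytes stands in for the EMV cryptogram MAC.
    data = amount.to_bytes(6, "big") + nonce + atc.to_bytes(2, "big") + cvr
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Card:
    """Toy chip card: the key is used internally and never exported."""
    def __init__(self, key, pin):
        self._key, self._pin = key, pin
        self._atc = 0          # transaction counter, increases on every use
        self._pin_ok = False

    def verify_pin(self, pin):
        self._pin_ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._pin_ok

    def generate_cryptogram(self, amount, nonce):
        self._atc += 1
        cvr = b"\x01" if self._pin_ok else b"\x00"  # PIN result, covered by the MAC
        self._pin_ok = False                         # one PIN check per transaction
        return self._atc, cvr, _mac(self._key, amount, nonce, self._atc, cvr)

def issuer_verify(key, amount, nonce, atc, cvr, mac, last_atc=0):
    """Return (card_is_genuine, pin_was_verified_by_card)."""
    genuine = atc > last_atc and hmac.compare_digest(mac, _mac(key, amount, nonce, atc, cvr))
    return genuine, genuine and cvr == b"\x01"

def demo():
    key, nonce = os.urandom(32), os.urandom(4)   # constructed sample values
    card = Card(key, "1234")
    card.verify_pin("1234")
    with_pin = issuer_verify(key, 5000, nonce, *card.generate_cryptogram(5000, nonce))
    # Same card, PIN step skipped, PIN flag altered in transit: MAC no longer matches.
    atc, _, mac = card.generate_cryptogram(5000, nonce)
    flag_flipped = issuer_verify(key, 5000, nonce, atc, b"\x01", mac, last_atc=1)
    # A copy holding the PIN and readable data but not the original key.
    copy = Card(os.urandom(32), "1234")
    copy.verify_pin("1234")
    copied = issuer_verify(key, 5000, nonce, *copy.generate_cryptogram(5000, nonce))
    return with_pin, flag_flipped, copied

if __name__ == "__main__":
    print(demo())
```

Because the PIN result is part of the data the card authenticates, the issuer accepts "PIN verified" only from a card that holds the original key, which is the property a magstripe copy cannot offer.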
So, I can now safely conclude that this attack would not work without actually cloning the card, which means that smart cards are better than magstripe, because they are in all cases harder to clone (even on cards with very poor security, there is no command to get the value of the secret; some kind of attack is required to get it). In addition, since the potential revenue is important, such schemes may interest organized crime, which means that they should be able to get the secrets out of at least the weakest available cards.
That leads us to the bleak side of things. A typical smart card in use today was issued in 2007 by a bank that selected a platform vendor in 2005, after one year of negotiation, with a card certified in 2003. And since 2003, a lot of attacks have been invented, and I am quite convinced that at least most CC-approved labs would be able to break these cards.
As a conclusion, I would say that smart cards are a good defense against these attacks, because they significantly raise the cost of preparing for the attack. However, I have no clue of the amount of money that it would cost to break a typical card used today, and this may still be very accessible to your typical mafia guy.