Scammers are raking in money with cloned credit cards in the US, in Brazil and in Europe's large cities. They accomplish this in spite of cards secured with chips and with PINs they can chose at will. c't magazine documents their tricks, the software they use and the underlying security problem.

German version of this article. Translated by Fabian A. Scherschel.

Credit cards with chips are generally considered secure. However, an investigation in the current issue of c't magazine shows that fraudsters are using cloned cards to great effect. They are using deep credit card data reserves, constantly replenished by breaches such as the Target hack. The PIN doesn't matter and can be chosen on a whim. Together with Die Zeit, c't magazin has analysed the software used by fraudsters to clone cards and investigated the underlying weaknesses of the EMV payment process.

These JCOP cards are freely sold on the net and can be used as a basis for the fraudulent clones.

In recent months there have been reports of fraudulent EMV transactions, especially in the US and in Brazil. Until now, there were only suspicions on how this would have worked, given that the chip+PIN system is still regarded as secure. Based on exclusive information from an informant belonging to the carder milieu, c't and Die Zeit were able to collect the missing pieces of the puzzle and analyse the software that was most likely also used in those cases.

Enter MacGyver

The software that can spoof EMV cards can be had for more than 20,000 Euros and is sold via black market sites. It writes an app with the apt name of MacGyver and some additional data onto Java smart cards which are freely sold over the Internet. A card printer and an embossing machine turn these cards into an approximation of the real thing that is pretty hard to spot, unless you specifically know what to watch out for.

The user interface of the cloning software is kept simple. The fraudsters only need to select the card type, enter a name and feed it data from a magnetic stripe.

The name MacGyver is appropriate, because just like the well known TV character, the software cobbles together a clone of the card that doesn't follow the EMV specifications, but does what the fraudsters need to accomplish. With the help of Java security expert Marc Schönefeld and the experienced reverse engineers Frank Boldewin and Tillmann Werner c't was able to fully decompile the MacGyver app and understand its inner workings.

When in contact with a point of sale terminal, the MacGyver app pretends to be a Visa, Mastercard or Amex card and accepts arbitrary PINs, like "0000". The card holder verification is always successful – this is called a "yes card" in the carder's jargon.

The offline card authentication that follows fails, because the MacGuyver app cannot provide valid credentials. As a result, the POS terminal switches into online mode. The transaction is then processed online via Static Data Authentication (SDA) in accordance with the EMV standard. Cryptographically signed information is now sent as a so called Authorization Request Cryptogram (ARQC) to the card issuer.

There are a number of different clone software products that all use the MacGyver app in the background.

This ARCQ normally is encrypted with a secret 3DES key that is shared between the original card and the issuer. According to c't magazine's analysis, MacGyver cannot create valid ARCQs. This is is not surprising as it does not have the necessary 3DES key to do this. But it doesn't have to.

Sloppy Banks

Some issuers apparently skimp on the elaborate crypto checks of the transaction data being sent to them and instead authorise the money based on unsecured data sent alongside it – just like they would if the transaction in question was initiated by magnetic stripe. This is mostly the case for banks in countries new to EMV and chip+PIN, like those in Asia and the Americas (including some US banks).

Portuguese text points at Brazil as a possible origin for the software.

During our investigation, experts from a large data processing center for financial services in Germany confirmed that MacGyver's transactions are likely to succeed if the issuing bank does not check the information closely enough. German card issuers should be, according to the experts, immune to these tricks. According to our informant, the same is not true for issuers especially in India, Japan and the US among others.

Police Investigations

Confronted with our findings about credit card fraud in spite of chip+PIN, the German Federal Police (Bundeskriminalamt, BKA) corroborated our story. "We first learned about this during the first half of 2015," we were told. Furthermore: "The BKA has analysed several foreign credit cards that were manufactured in the way you described."

It's quite hard to tell the cloned cards from the real thing.

BKA financial fraud experts from the agency's Cybercrime Group also agreed with the rest of the analysis carried out by c't: "Attacks on EMV systems in this way are only possible, because the verification of the cards in question wasn't carried out according to the rules. So far, the BKA has only seen cases in which foreign cards were used. However, all relevant German institutions should make sure that cards and card data is validated in a compliant way."