Abstract. This paper describes the forensic analysis of what the authors believe to be the most sophisticated smart card fraud encountered to date. In 2010, Murdoch et al. [7] described a man-in-the-middle attack against EMV cards. [7] demonstrated the attack using a general purpose FPGA board, noting that “miniaturization is mostly a mechanical challenge, and well within the expertise of criminal gangs”. This indeed happened in 2011, when about 40 sophisticated card forgeries surfaced in the field.
These forgeries are remarkable in that they embed two chips wired top-to-tail. The first chip is clipped from a genuine stolen card. The second chip plays the role of the man-in-the-middle and communicates directly with the point of sale (PoS) terminal. The entire assembly is embedded in the plastic body of yet another stolen card.
The forensic analysis relied on X-ray chip imaging, side-channel analysis, protocol analysis, and microscopic optical inspections.
1. When Organized Crime Applies Academic Results
A Forensic Analysis of an In-Card Listening Device
Assia Tria
assia.tria@cea.fr
David Naccache, Houda Ferradi, Rémi Géraud
Toulouse, 27 January 2016
Assia Tria, Toulouse, 27 January 2016
2. 15867 technicians, engineers,
researchers and staff
10 research centres
€4.3 billion budget
1608 priority patents granted
and in force in the portfolio
>650 priority patent filings
150 start-ups since 1984 in
the innovative technologies sector
45 joint research units (UMR)
25 associated research laboratories
The Commissariat à l’Energie Atomique et aux Energies Alternatives
Key generic technologies: Technological Research Division
CEA General Management
Technology / Science
Defence and security: Military Applications Division
Nuclear energy: Nuclear Energy Division
DAM mission: strategic independence of France
DEN mission: energy independence of France
DRT mission: re-industrialisation of France through innovation
Fundamental research: Matter Sciences Division, Life Sciences Division
3. 3 thematic institutes
1 institute for dissemination in the regions
(2003) Saclay
(1967) Grenoble
(2005) Grenoble / Chambéry
€280M - 2100 staff (1800 CEA)
€80M - 1000 staff (800 CEA)
€180M - 1200 staff (1000 CEA)
CEA Tech Regions (2012)
CEA-Tech, a major French player in technological research
4. Teams
• ITSEF (CESTI)
– Evaluations (15p)
• LSOC laboratory
– 20p, Security for applications
• CMP – Gardanne: ENMSE – LETI
– Components Security (30p incl 6 CEA)
• Resources from other LETI’s dpts (1500 p)
– Design, Technology,
Characterization
5. Security in LETI and CEA-TECH
PACA
Characterization of the Threats
• Implementing attacks on device
Evaluation of the security
• Common criteria, EMVCo
evaluations
Improvement of the security
• Technology, architectures and
software protections
Physical devices with physical access
from the attacker:
Crypto boards, HSM
Biometrics
Phones, smartphones
TPM, trusted computing
Smartcards, e-passports, e-ID, RFID
6. Goal of This Presentation
• Illustrate to what length white collar criminals can
go to hack embedded electronic devices.
• To date, the following is the most sophisticated
smart card fraud encountered in the field.
• Goal: raise awareness to the level of resistance
that IoT devices must have to resist real attacks in
the field.
9. The Judicial Seizure
• What appears as an ISO/IEC 7816 smart card.
• The plastic body indicates that this is a VISA card
issued by Caisse d’Épargne (a French bank).
• Embossed details are:
– PAN = 4978***********89;
– expiry date in 2013;
– and a cardholder name, hereafter abridged as P.S.
– The forgery’s backside shows a normal-looking CVV.
• PAN corresponds to a Caisse d’Épargne VISA card.
PAN=Permanent Account Number (partially anonymized here).
CVV=Card Verification Value.
10. Visual Inspection
The backside is deformed around the chip area.
Such a deformation is typically caused by heating.
Heating (around 80°C) allows melting the potting glue
to detach the card module.
11. Visual Inspection
The module looks unusual in two ways:
• it is engraved with the inscription “FUN”;
• glue traces (in red) clearly show that a foreign module was
implanted to replace the **89 card’s original chip
14. Side views show that the forgery is somewhat thicker than
a standard card (0.83mm).
The extra thickness varies from 0.4 to 0.7mm, suggesting the
existence of more components under the card module,
besides the FunCard.
15. FUNCard Under X-Ray
External memory (AT24C64)
µ-controller (AT90S8515A)
Connection wires
Connection grid
17. Forgery vs. FunCard
Stolen card module
Connection wires added by fraudster
Welding points added by the fraudster
18. Pseudo-Color Analysis
Materials may have the same color in the visible region
of the EM spectrum and thus be indistinguishable to
the human eye. However, these materials may have
different properties in other EM spectrum parts. The
reflectance or transmittance spectra of these materials
may be similar in the visible region, but differ in other
regions.
Pseudo-coloring uses information included in the near-
infrared region (NIR) i.e. 800-1000nm to discriminate
materials beyond the visible region.
22. Forgery Structure Suggested so Far
The stolen card speaks to the reader, but
instead of reaching the reader the communication
is intercepted by the FunCard.
23. Forgery Structure Suggested so Far
What the stolen card says goes into the
FUNcard
25. Electronic Analysis Attempt
It is possible to read back the FunCard code
if the card is not locked.
Attempted read-back failed. Device locked.
Anti-forensic protection by fraudster.
26. Magnetic Stripe Analysis
The magnetic stripe was read and decoded.
ISO1 and ISO2 tracks perfectly agree with embossed data.
ISO3 is empty, as is usual for European cards.
27. Electronic Information Query
Data exchanges between the forgery and the PoS were
monitored.
– The forgery responded with the following information:
– PAN = 4561**********79;
– expiry date in 2011;
– cardholder name henceforth referred to as H.D.
All this information is in blatant contradiction with data
embossed on the card.
The forgery is hence a combination of two genuine cards
39. PoS sends the ISO command 00 A4 04 00 07
Command echoed to the stolen card by the FunCard
Stolen card sends the procedure byte A4 to the FunCard
FunCard retransmits the procedure byte to the PoS
PoS sends data to FunCard
FunCard echoes data to stolen card
Stolen card sends SW to FunCard
FunCard transmits SW to PoS
Color Code:
PoS → FunCard
FunCard → Stolen Card
Stolen Card → FunCard
FunCard → PoS
40. Power Consumption During GetData
Confirms the modus operandi
41. VerifyPIN Power Trace Analysis
Power trace of the forgery during VerifyPIN command.
Note the absence of retransmission on the power trace before
the sending of the SW.
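The relay pattern of slide 39 and the missing retransmission of slide 41 can be checked mechanically once the observed transmissions are written down per command. The following is an added example, not code from the presentation: the link labels, the sample bytes (including the 90 00 status word and the placeholder PIN data) are constructed assumptions, and only the header 00 A4 04 00 07 comes from the slides.

```python
from collections import namedtuple

# One observed transmission: the link it was seen on and its bytes (hex).
# Link labels are names chosen for this example.
Event = namedtuple("Event", "link data")
INNER_LINKS = ("Fun>Card", "Card>Fun")
INS_NAMES = {0xA4: "SELECT", 0xCA: "GET DATA", 0x20: "VERIFY"}

def analyse(events):
    """Classify one T=0 command from its observed transmissions."""
    first = events[0]
    header = bytes.fromhex(first.data)
    if first.link != "PoS>Fun" or len(header) != 5:
        raise ValueError("a command must start with a 5-byte header from the PoS")
    ins = header[1]                          # header layout: CLA INS P1 P2 P3
    name = INS_NAMES.get(ins, "INS %02X" % ins)
    sw_to_pos = bytes.fromhex(events[-1].data)[-2:]
    from_card = [e for e in events if e.link == "Card>Fun"]
    if not any(e.link in INNER_LINKS for e in events):
        verdict = "answered-by-middle-chip"  # nothing reached the stolen card
    elif from_card and bytes.fromhex(from_card[-1].data)[-2:] == sw_to_pos:
        verdict = "relayed"                  # SW seen by the PoS is the card's SW
    else:
        verdict = "status-altered"
    return name, verdict, sw_to_pos.hex().upper()

def unrelayed(commands):
    """Names of the commands the stolen card never answered itself."""
    results = [analyse(c) for c in commands]
    return [name for name, verdict, _ in results if verdict != "relayed"]

# Constructed sample traces (not captured data).
SELECT_TRACE = [
    Event("PoS>Fun", "00A4040007"), Event("Fun>Card", "00A4040007"),
    Event("Card>Fun", "A4"), Event("Fun>PoS", "A4"),        # procedure byte = INS
    Event("PoS>Fun", "A0000000031010"), Event("Fun>Card", "A0000000031010"),
    Event("Card>Fun", "611C"), Event("Fun>PoS", "611C"),
]
VERIFY_TRACE = [
    Event("PoS>Fun", "0020008008"), Event("Fun>PoS", "20"),
    Event("PoS>Fun", "FFFFFFFFFFFFFFFF"),                   # placeholder PIN data
    Event("Fun>PoS", "9000"),                               # assumed status word
]

if __name__ == "__main__":
    for trace in (SELECT_TRACE, VERIFY_TRACE):
        print(*analyse(trace))
```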
42. Having Finished All Experiments
We can ask the judge’s authorization to perform invasive
analysis.
Authorization granted.
43. Invasive Analysis
Connection grid
Stolen card module (outlined in blue)
Stolen card’s chip
FunCard module
Welding of connection wires
44. Invasive Analysis
FunCard module
Genuine stolen card
Welded wire
45. Original EMV Chip Clipped by Fraudster
Cut-out pattern overlaid
46. Wiring Diagram of the Forgery
47. In Conclusion
Attackers of modern embedded IoT devices
• Use advanced tools
• Are very skilled engineers
• Are well aware of academic publications
• Use s/w and h/w anti-forensic countermeasures
If you do not design your IoT device with that in mind
and if stakes are high enough, the device will be broken.
48. Economic Damage
Cost of device replacement in the field
Cost of fraud (stolen money)
Damage to reputation
plus:
Forensic analysis cost. Here: 3 months of full time work.