Faulty standard
Prilex was discovered by Kaspersky while it monitored financial cybercrime in Latin America. It found that a group of Brazilian “cybercrooks” engineered the software to steal chip data and create functioning clones of cards. The company demonstrated its research at the Security Analyst Summit 2018.
Chip-and-pin cards have spread across the world over the past decade. Although they’re already common in Europe, the U.S. has only recently switched from less sophisticated magnetic swipe cards. Cybercriminals are now adapting their techniques to work with the newer cards. Prilex is emerging as a favoured malware solution for chip-and-pin thieves.
The malware was created in 2014 and has since been upgraded with new features. It collects card data by infecting the point-of-sale (POS) terminals used to read the contents of card chips. Prilex works by hijacking the chip and intercepting the data exchanged with the terminal, which lets it take control of transactions as they are made.
Chip-and-pin cards don’t just store data. The chip also contains its own code that runs basic applications. Prilex adds an application which begins by telling the point-of-sale terminal that there’s no need to authenticate the data. The terminal disables its regular checks of the cryptographic integrity of the card’s data, allowing the malware authors to skip straight to cracking the PIN.
The EMV standard used by chip-and-pin cards allows a card to inform the terminal that an entered PIN was valid, irrespective of what the user actually entered. Because the attackers already control the code running on the card, they use this weakness in the standard to accept any PIN. This leaves them with a cloned card that can be unlocked by entering any string of digits.
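The two card behaviours described above (a card that claims no data authentication is needed, and a card that reports any PIN as correct) are both self-assertions by the card, and the defensive lesson is that a terminal must never approve a transaction offline on the strength of those assertions alone. The following simplified model, added here as an illustration and not code from Kaspersky or from the article, shows how an EMV terminal records a card that supports no offline data authentication (ODA) in its Terminal Verification Results (TVR) and then uses the Terminal Action Code (TAC) to force the transaction online, where the issuer validates the cryptogram with keys a cloned card does not hold. Bit positions follow EMV Book 3 for AIP byte 1 and TVR byte 1; the sample card profiles, the TAC value and the function names are constructed for the example.

```python
"""Simplified model of two EMV terminal checks that a malicious card
application can try to talk its way past: offline data authentication
(ODA) selection from the card's Application Interchange Profile (AIP),
and the card-asserted result of offline PIN verification.

Added educational example; not Kaspersky's code and not part of the
original article. AIP/TVR bit positions follow EMV Book 3; the sample
cards and the TAC value below are constructed.
"""

# AIP byte 1 capability bits advertised by the card (EMV Book 3, Annex C1).
AIP_SDA_SUPPORTED = 0x40
AIP_DDA_SUPPORTED = 0x20
AIP_CVM_SUPPORTED = 0x10
AIP_CDA_SUPPORTED = 0x01

# TVR byte 1 bit set by the terminal when no ODA method was run (Annex C5).
TVR_ODA_NOT_PERFORMED = 0x80

# Constructed Terminal Action Code - Online, byte 1: any transaction in
# which ODA was not performed must be authorised online by the issuer.
TAC_ONLINE_BYTE1 = 0x80

# Status word the card returns to VERIFY when it claims the PIN matched.
SW_PIN_OK = b"\x90\x00"


def select_oda_method(aip_byte1: int) -> str:
    """Pick the strongest ODA method the card claims to support.

    A card that advertises none of SDA/DDA/CDA (the behaviour the article
    describes) yields "NONE"; the terminal cannot verify such a card's
    data offline and must say so in the TVR.
    """
    if aip_byte1 & AIP_CDA_SUPPORTED:
        return "CDA"
    if aip_byte1 & AIP_DDA_SUPPORTED:
        return "DDA"
    if aip_byte1 & AIP_SDA_SUPPORTED:
        return "SDA"
    return "NONE"


def build_tvr_byte1(aip_byte1: int) -> int:
    """Record in TVR byte 1 whether ODA was skipped for this card."""
    tvr1 = 0
    if select_oda_method(aip_byte1) == "NONE":
        tvr1 |= TVR_ODA_NOT_PERFORMED
    return tvr1


def terminal_decision(aip_byte1: int, verify_sw: bytes,
                      tac_online_byte1: int = TAC_ONLINE_BYTE1) -> str:
    """Decide how the transaction is authorised.

    verify_sw is the card's response to the VERIFY (offline PIN) command.
    Because that response is produced by code running on the card, a
    "PIN ok" answer is only trusted offline when ODA has proven the card
    genuine; otherwise the TVR/TAC match sends the transaction online.
    """
    if verify_sw != SW_PIN_OK:
        return "DECLINE"            # the card itself reported PIN failure
    tvr1 = build_tvr_byte1(aip_byte1)
    if tvr1 & tac_online_byte1:
        return "ONLINE"             # ODA skipped: issuer must decide
    return "OFFLINE_APPROVE"        # ODA ran, so the card's claim is backed


if __name__ == "__main__":
    # Constructed profiles: a genuine DDA card and a card advertising no ODA.
    genuine_aip = AIP_DDA_SUPPORTED | AIP_CVM_SUPPORTED     # 0x30
    no_oda_aip = AIP_CVM_SUPPORTED                          # 0x10
    print("genuine card, PIN ok :", terminal_decision(genuine_aip, SW_PIN_OK))
    print("no-ODA card, PIN ok  :", terminal_decision(no_oda_aip, SW_PIN_OK))
    print("any card, PIN failed :", terminal_decision(genuine_aip, b"\x63\xc2"))
```

The point of the model is the middle branch: a card that both declines data authentication and reports the PIN as valid still ends up at the issuer, whose cryptographic check of the authorisation request is what a clone cannot pass. Deployments that approve such transactions offline, or acquirers that skip cryptogram validation, are the ones exposed to the behaviour the article describes.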
Serious threat
The criminals behind Prilex are selling the malware as a complete package to card thieves. It works with both debit and credit cards and includes an end-to-end infrastructure to execute successful attacks. Thieves are provided with the special card application, a smart card writing utility called Daphne and access to a database of card numbers and other data. Kaspersky said the ability to clone cards presents a “very serious” threat to consumers.
“According to Aite’s 2016 Global Consumer Card Fraud report, it is safe to assume that all users have been compromised,” said Kaspersky. “Whether you use a card with a magnetic stripe or a more secure chip-and-PIN card doesn’t matter – if you have a card, its information has probably been stolen. Now that criminals have developed a method to actually clone the cards, that starts to look like a very serious financial threat.”
Kaspersky advised consumers to remain vigilant when checking card statements. Any suspicious transactions should be flagged to the bank as soon as they’re spotted. The company noted that mobile payment solutions such as Apple Pay and Android Pay can present a safer alternative to cards. When using these technologies, the service terminal doesn’t directly receive any information about your card.