Card fraud: House of Cards

Banks say their card payment systems are secure, but security experts and criminals know better. As the cat and mouse game between banks and fraudsters intensifies, one thief reveals the secrets of his dark craft.
No card transaction system is 100 percent secure.


Alexander is nervous; today is not a good day. Bad news has reached him from London. Friends of his have been arrested. People with whom he did business. Will they spill the beans to the police? If they do, he will go to jail – that is clear.

He glances around the Brussels cafe and notices a suspicious man at the back. Is that a plainclothes policeman? “What a life!” says Alexander in a moment of self-pity. “Being somewhere else every day, sleeping at another place; and always the fear that someone will suddenly appear and snap handcuffs on you.”

Alexander came to Brussels because he is a dropout. For that reason, he is willing to reveal a new method for breaking the codes of credit cards. A method, he says, that can outsmart even the highest security standards of the financial industry. It is just as seductive for criminals as the key to the vault of a bank.

Alexander, an Eastern European, is in his mid-30s. He arranged to meet in Brussels, an anonymous, complex city that he can reach by train. Rail travel is good; there are no identity checks. The conversations with him last for many hours, in Brussels and later in a second city.

While speaking, he repeatedly takes a credit card out of his pocket and gestures with his hand, as if he were a conductor and the credit card were his baton. What he has to say revolves around a special piece of software that fits onto a USB stick and is based on no more than 40 lines of programming code.

Credit-card fraud is a vast business. The Economist reports that in 2012, damages amounted to some $11.3 billion (€10.4 billion) worldwide. In the United States alone, criminals stole $3.4 billion from banks and credit-card companies, and another $1.9 billion from retailers. No surprise in a country whose citizens collectively own 1.2 billion debit, credit and prepaid cards – an average of five cards for every adult.

In the 32 European countries of the Single Euro Payments Area – the SEPA union, in which cashless payments are standardized – the volume of fraud was €1.44 billion in 2013. This is also a huge amount, even if it affected only 0.039 percent of all transactions. German crime statistics show around 26,000 cases of fraud by means of stolen cards or card data in 2014.

In two out of three cases of all crimes involving credit cards, stolen credit-card information is used. At the end of 2013, for example, hackers accessed 40 million sets of data concerning transactions at the huge American retailer Target.

Last week, it became known that banks intend to replace 90,000 credit cards from MasterCard and Visa as a precaution – because data just may have been compromised. Criminals can use stolen credit-card data to make purchases on the Internet or by telephone, even without a PIN.

The other third of cases involves fraud at the point of transaction, be it at the cash register of a store, a point-of-sale device or through a cash withdrawal at an automatic teller. This only works, however, if signatures are forged – or, if needed, the PIN was stolen together with the card.

The banking industry has considered the combination of chip and PIN to be a wonder weapon against fraud. The chip can generate unique and changeable authentication data; it is supposed to make transactions significantly more secure. The underlying system behind it is called EMV, named after the initiators Europay International, MasterCard and Visa.

After the SEPA countries introduced it, credit-card fraud in stores declined. By 2012, 45 percent of all cards had chips, and 76 percent of all reading devices were able to effect transactions on that basis. The United States began the conversion last year. “This situation should improve further as more countries outside SEPA migrate to the EMV security standard,” wrote the European Central Bank in July 2015.

But the system is vulnerable, Alexander says. It is “broken.” The proof lies in the software, he says. All that is needed is the data set for a genuine credit card, which can be bought from other criminals; blank cards with attached chips, easily available on the Internet; and equipment for printing.

He says that the software can be used to produce a copy of a genuine card, a so-called clone. The software also programs the chip so that any combination of numbers whatsoever is recognized as the correct PIN. This creates a “yes card” that can be used for making purchases.


Non-contact transactions are particularly vulnerable to fraud.
(Source: Pressebild)


Alexander is not a professional mathematician, nor a computer expert; he doesn't understand what happens inside the small chip in the credit card. But he quickly understands what others explain to him – and what is good for his business. That was already the case when he dealt in mobile phones and cars, and also later when he switched to cybercrime and shopped with stolen credit-card data or sold something that didn't exist.

His partner, a hacker, cracked or constructed eBay accounts – for example, to offer non-existent cars for $9,000. An account was set up under a false identity, and the buyer was cajoled into transferring the money to the account in advance. They pulled off something like that about 60 times over five months in the United States.

Alexander shows a photo on his mobile phone: There he is, suntanned, with sunglasses, somewhere in the southern United States, a blonde girlfriend beside him. “That was a great time. Although my girlfriend wondered why I always paid for everything in cash.” Does he have scruples? He shrugs: “No, you push that aside.”

In October 2014, news reached him about the magical software that makes every PIN function. Alexander and his accomplice invested in the software and tested it in Germany and Luxembourg. It didn't work most of the time, but sometimes it did. The new method was appealing but also risky, because goods purchased in this way have to be sold further. “Ninety percent of my friends were arrested one after the other,” Alexander says. “I knew that I'd get caught if I continued.”

The method Alexander was using exists because not only has the economy become globalized, but so has the underworld. The software most likely comes from experts in Brazil and was commissioned by the Mafia there. The stolen data sets needed for the fraud are provided by professional criminals, particularly from Russia.

Eastern European gangs combine the software and the data sets and test how far they can penetrate Western European countries: Which Indian bank issues cards whose clones function in Luxembourg? Which American bank makes it possible to fleece its customers in Berlin?

The software can be purchased or rented by the week. It is illegal to simply try it out and produce the clone of a credit card, even with one’s own cards. But experts such as Frank Boldewin and Tillmann Werner can examine the software without using it.

Mr. Boldewin is a reverse engineer and, in the summer of 2010, was one of the first experts to focus on the cyberweapon program Stuxnet. Mr. Werner, a young man in a hoodie, works for CrowdStrike, an American company that specializes in analyzing criminal software. Further insights were gained through a test of the software by a large German computing center for financial-service providers, which wants to remain anonymous.

“This software,” Mr. Werner says, “is definitely an advanced piece of work.” Even if it can't do as much as Alexander believes, nevertheless it is an “important piece of the puzzle” for understanding how the most recent generation of credit-card fraud works.

The software exploits the complexity of the EMV standard. It is based on the assumption that banks make mistakes when implementing the standard. “You have to be extremely familiar with how EMV functions in order to come up with this idea,” Mr. Werner says.

For example, whoever inserts his credit card into the card slot at a cash register starts an authentication protocol. In the first step, the possessor of the card must identify himself; this occurs with the PIN. This procedure can be manipulated, but it is not enough for payment to be made.

Because in another step, the card must prove its own authenticity. The first attempt – with a sort of digital certificate – always fails with the cloned cards. But because the aim is to have as few failed transactions as possible, the reading device automatically switches to an alternative form of authentication.

The card is required to provide the terminal online with a certain cryptogram consisting of data from the card, terminal and transaction and encoded with a secret key. The terminal then sends this cryptogram to the bank, which answers with a corresponding cryptogram – whereupon the transaction is authorized.

A cloned card cannot generate a valid cryptogram; instead it always sends the same false set of data. Nevertheless, at this point in the authentication process the transaction is authorized by some less-thorough banks. Banks that have taken care to properly install the EMV standard cannot be deceived in this way. Experts include almost all German banks in this category.
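The issuer-side check that careful banks perform at this step, as an added sketch that is not taken from the article or from any bank's system: the issuer recomputes the cryptogram from the transaction data and the card's key, declines on a mismatch, and declines any cryptogram it has already seen. The key store, field layout and the per-card counter are assumptions, and HMAC-SHA256 stands in for the MAC that EMV actually specifies.

```python
import hashlib
import hmac

# Constructed issuer key store (card number -> per-card secret); not real data.
CARD_KEYS = {"4000000000000002": bytes.fromhex("00112233445566778899aabbccddeeff")}

def expected_cryptogram(key, amount, terminal_nonce, counter):
    """MAC over transaction, terminal and card data under the card's key.
    Assumption: HMAC-SHA256 cut to 8 bytes stands in for the EMV MAC."""
    msg = amount.to_bytes(6, "big") + terminal_nonce + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest card counter accepted, per card
        self.seen = {}          # cryptograms already presented, per card

    def authorize(self, pan, amount, terminal_nonce, counter, cryptogram):
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE:unknown_card"
        seen = self.seen.setdefault(pan, set())
        if cryptogram in seen:  # identical bytes twice: static data, not a live chip
            return "DECLINE:replayed_cryptogram"
        seen.add(cryptogram)
        want = expected_cryptogram(key, amount, terminal_nonce, counter)
        if not hmac.compare_digest(want, cryptogram):
            return "DECLINE:bad_cryptogram"
        if counter <= self.last_counter.get(pan, -1):
            return "DECLINE:stale_counter"
        self.last_counter[pan] = counter
        return "APPROVE"

def demo():
    pan, issuer, results = "4000000000000002", Issuer(CARD_KEYS), []
    # Genuine card holds the key, so each transaction yields a fresh cryptogram.
    for counter, nonce in [(1, b"\x01\x02\x03\x04"), (2, b"\x0a\x0b\x0c\x0d")]:
        c = expected_cryptogram(CARD_KEYS[pan], 2500, nonce, counter)
        results.append(issuer.authorize(pan, 2500, nonce, counter, c))
    # Clone has no key and presents the same constructed bytes every time.
    static = bytes(8)
    for counter, nonce in [(3, b"\x11\x12\x13\x14"), (4, b"\x21\x22\x23\x24")]:
        results.append(issuer.authorize(pan, 2500, nonce, counter, static))
    return results

if __name__ == "__main__":
    print(demo())
```

A bank that skips the comparison approves the last two transactions as well, which is the gap the experts describe.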

But according to research by the newspaper Die Zeit and the technology magazine c't, two banks from India and one from the United States number among the vulnerable banks, for example. Moreover, on forums on the darknet, a sort of black-market Internet, there are offers of credit-card data fitting the software and coming from banks from Brazil, Mexico, Korea, Japan, Canada and several Arab countries.

Credit-card companies say they are not worried. “The fraud rate involving Visa transactions in Europe is currently 0.044 percent,” Visa states. “Ever since the comprehensive introduction of the chip and PIN technology, the rate of fraud in credit-card payments has fallen by more than half.” Further procedures are said to make it more difficult “to access and misuse credit-card data.”

American Express says: “We know of only a few cases in the world where individual cards with chips of the first generation (Static Data Authentication, SDA) were used for illegal transactions. But we know of no such transactions in Germany. The current chip technology (Dynamic Data Authentication, DDA) minimizes the risk of fraudulent activities.”

MasterCard speaks of a “complex approach to security” that includes the EMV standard. “Dynamic authentication” uses “unique and individual information” that is “practically impossible to copy.” So everything is under control?

In 2014, American journalist Brian Krebs reported on a fraudulent transaction in Brazil in which €100,000 was withdrawn from a bank in New Zealand. At that time, MasterCard argued that the transaction had been authorized with chip and PIN. In fact, the bank had not yet issued cards with chips. A Canadian bank was also tricked. In both cases, the evidence points to use of the cloning software.

Now for the first time, Germany’s Federal Office of Criminal Investigation (BKA) confirms that there are suspicious indications in Germany and that investigators have the method outlined by Alexander in their sights.

“The described circumstances have already been known to the BKA since the first half of 2015,” say the agency's experts, who are tasked with combating criminal activities involving credit cards. “The BKA has already seen several foreign credit cards created through the procedures described.”

The BKA experts concur with the assessment of Mr. Boldewin and Mr. Werner that such fraud is made possible by financial institutions that do not carefully implement the security standards. “This sort of attack on the EMV system can only be successful because the authentication of the cards doesn't conform to the rules,” they said. “Even if up to now the BKA knows only of cases involving foreign credit cards, all participating German entities should make sure that all regulations are adhered to in checking their cards or card data.”

It is impossible to say how widespread fraud is with the clone software, because cases occurring in Germany, for example, might in certain circumstances be noticeable only in the original country of the cloned cards, and not in Germany. But the reports from Alexander, various security experts and the BKA make it clear that the newest, supposedly best standard is also vulnerable.

This could also be due to the fact that banks and credit-card companies don't want to worry their customers and endanger their revenues. “The main reason that security checks are not properly performed is due to concerns that changes to systems will cause legitimate transactions to be declined,” says Steven J. Murdoch from the Information Security Research Group at University College London. “Each bank will make its own choice based on their estimate of the risk of such problems, the risk of fraud if they don’t make changes and the cost of performing the changes.”

Alexander has no interest in theories. He is a man of action. He can only laugh at the assertion that the chip and PIN system is secure. Come again? He points to his credit card: “With the software, I've made money – and not just a little bit. And I know many people who are now working with this software.”

Alexander uses the word “working.” Of course, things don't always function properly: “Otherwise, I would have become a millionaire in three days. Try, try, fail, fail, it works one time, another time it doesn't. That's how the business is.”

He says that up to €20,000 is paid on the black market for this software, “and the people who pay it aren't stupid.” He says that new versions of the software are constantly coming onto the black market: “Everything is a big race.”

The first meetings with Alexander took place last summer; the last one was just two weeks ago, during the winter. He is wearing a jacket that seems too light for the temperature. He repeatedly asserts that he has gotten out, is through with this world. Alexander is someone whom it is better not to believe unreservedly, but his fear of prison is clearly genuine.

Once again, he is looking for a new field of business. He says that one good opportunity at the moment is the business with refugees: “You get a thousand euros and bring them somewhere.” But he would prefer to get involved with textiles: import, export, focus on China. That sounds interesting, he says.


This article originally appeared in the newspaper Die Zeit.