Forensic researchers from France have called a scam that saw thieves embed two chips in a payment card to carry out a man-in-the-middle attack "the most sophisticated smart card fraud encountered to date".
In 2011 and 2012, five French citizens were arrested in connection with a fraud that saw them manage to spend around EUR600,000 in 7000 transactions using 40 modified, stolen chip and PIN credit cards.
In a new paper investigating the case, researchers from École Normale Supérieure as well as the Centre Microélectronique de Provence analyse how the fraud was pulled off.
Examining the cards, the researchers found that they contained two chips wired top-to-tail. The first chip from a genuine stolen card and the second a "spoof" that played the role of a man-in-the-middle, communicating with POS terminals.
At the checkout, POS terminals would communicate, as is normal, with the chip to ask whether the PIN entered by the crooks was correct. However, the spoof chip could preempt the real one and answer in the affirmative, regardless of what PIN had been entered.
EMVCo, the card scheme-owned consortium that manages the EMV standard, says the vulnerabilities that enabled the hack have now been fixed.