Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Recently, Jason Knowles of ABC 7's I-Team asked us, "What is the security risk if your EMV chip falls off your credit card? What could someone do with that?" My first thought was, "How in the hell does the chip fall off your card?" I immediately checked all my cards and came to a quick conclusion that there is no way that could possibly happen without some malicious intent behind it. It's factory sealed and pretty tight, right?

Much to my surprise, after a bit of research, I found some articles and news bites from people that actually reported their chip falling out. Here, the woman describes gluing it back in place and continuing to use it. Apparently, any number of reasons could lead to the chip falling out including, normal wear and tear, manufacturing issues, excessive heat, moisture or any number of these combinations that would compromise the integrity of the glue that holds the chip in place.

At this point, I understand that yes, indeed a chip has the potential of coming off your card without malicious intent, but what can be done with that? Can a person pick that chip up off the ground and use it fraudulently? Can it simply just be glued onto something else? In theory, if the chip and the metal contact on top are not damaged in any way this should work. That's not good enough though. As a consultant in the Incident Response – Forensics field, I need to see the evidence to base my claims. There is no other way around it. I have to test!

Test 1

In this first test, I was probably a little too eager to get this thing under way. I was lucky enough to have a credit card that I had recently received a replacement for. I had not activated the new card yet, so I felt it was safe to go ahead and use this as my test chip.

What I quickly found out was that I didn't really have the tools to melt the glue without destroying some part of the metal contact so I hacked it up with scissors and an Xacto knife. It wasn't pretty to say the least. Lots of bending and cutting but you can see the outline of the chip on the backside of the card.


9304_534b2d35-0d97-4e68-a071-349d7b39b307

Once I had the back off the chip is revealed. This is of course connected to the metal contact pad on the top of the card which is what you typically see on any chip-enabled card.

9058_48703d63-42b8-46d8-93cc-483f117890c6

So, at this point, I wasn't sure how I was going to lift the chip off without completely destroying it, so I opted to cut around it.

BSL_10925_a02115d0-58fb-4f53-a0da-df7f257168ec

Yea I know this is pretty much crap but you have to start somewhere. So, the next question is what do I do now? This is where this first trial gets very funny. At least for me.

My first thought is to overlay it on another card, run over to the store and go to the ATM. If you're laughing right now, then you probably know how that was an epic fail. The card did not fit in the slot so I had to move on to Plan B.

Plan B

I knew exactly how to recover from my FAIL. Just measure the placement on the card and instead of overlaying it on another credit card, place it on a business card. Perfect!

BSL_12005_d474831d-7efc-42de-8629-2a59242140e7

This probably would have worked but I made one misstep in this approach. I used two-sided tape to adhere the chip on my old business card. Ugh! Failing to see the err of my ways, I went to a hardware store, picked up some items and of course I wanted to use self-checkout because this absolutely looks shady. At the prompt, I inserted my faux card and the chip came off in the reader. Seriously, what is wrong with me?!?!? Now I'm down a chip and my test is a major FAIL.

I can't stop there though. Now I'm on a mission.

Test 2

This time I wanted to be a little more precise in my card mangling and I'm nearly out of cards I can use for this experiment. For this second test I very carefully, used an Xacto knife and cut around the contact pad on the top of the card. Once it was separated from the plastic, I very carefully pried the contact pad and attached chip from the card. I repeated this process on another credit card and I swapped the chips. I used some super glue this time to "embed" the chips onto the card.

11145_ab15bd98-0930-4c15-bddf-c2ceb1364508

It's certainly not very pretty but I thought it was worth a shot. Next step, head over to the store, make a purchase and hope we have a winner here.

9879_705dbda5-dca8-49e7-8bb7-23ee44467154

The picture above are the last 4 digits of this card and below is a picture of me making my purchase using the card with the swapped chip.

7734_06522aca-286a-42a2-852e-2cc0e26a38ca

Eureka, the transaction worked and my purchase was successful.

BSL_12516_ed044605-7b8b-4214-8665-6ca749b4c4bc

As you can see the last four digits do not match the last four of the card I used. They are in fact the last four digits of the card I swapped the chip from.

Conclusion

So, what was the point of all of this? If you recall I simply wanted to know if a chip came off your card, could someone then put that on another card or medium and would it work. The answer is an absolute Yes provided that it is completely intact and undamaged.

The probability of your chip becoming unglued is pretty low, compounded with someone subsequently finding your chip and doing something malicious with it further decreases the overall risk in this situation. I had to do quite a bit of work to get the chip off without damaging it and making it inoperable. That being said, manufacturing issues, wear and tear, excessive moisture and heat could lead to the glue weakening and you should be aware that there is a real possibility of your chip falling off.

Try to stay aware of your credit cards integrity and if you find that the chip has come off, treat it like a lost card. Call your bank and have them issue a new one immediately. It is not advised that you glue the chip back on and continue usage.

Jason Knowles and the I-Team also covered this story. Their story can be found at: http://abc7chicago.com/finance/credit-card-chips-can-fall-out-posing-a-security-risk/2284510/

About the Author

Shawn Kanady is Senior Director, SpiderLabs Hunt and Intelligence at Trustwave with over 20 years of experience in IT and security. He leads the team by example, applying his DFIR knowledge to create industry best practices. Follow Shawn on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo