Recently, Jason Knowles of ABC 7's I-Team asked us, "What is the security risk if your EMV chip falls off your credit card? What could someone do with that?" My first thought was, "How in the hell does the chip fall off your card?" I immediately checked all my cards and came to a quick conclusion that there is no way that could possibly happen without some malicious intent behind it. It's factory sealed and pretty tight, right?
Much to my surprise, after a bit of research, I found some articles and news bites from people who actually reported their chip falling out. In one of them, a woman describes gluing it back in place and continuing to use it. Apparently, any number of reasons could lead to the chip falling out, including normal wear and tear, manufacturing issues, excessive heat, moisture, or any combination of these that would compromise the integrity of the glue that holds the chip in place.
At this point, I understand that yes, indeed, a chip has the potential of coming off your card without malicious intent, but what can be done with that? Can a person pick that chip up off the ground and use it fraudulently? Can it simply be glued onto something else? In theory, if the chip and the metal contact on top are not damaged in any way, this should work. That's not good enough, though. As a consultant in the Incident Response – Forensics field, I need to see the evidence on which to base my claims. There is no other way around it. I have to test!
Test 1
In this first test, I was probably a little too eager to get this thing under way. I was lucky enough to have a credit card that I had recently received a replacement for. I had not activated the new card yet, so I felt it was safe to go ahead and use this as my test chip.
What I quickly found out was that I didn't really have the tools to melt the glue without destroying some part of the metal contact, so I hacked it up with scissors and an X-Acto knife. It wasn't pretty, to say the least. Lots of bending and cutting, but you can see the outline of the chip on the backside of the card.
Once I had the back off, the chip was revealed. This is, of course, connected to the metal contact pad on the top of the card, which is what you typically see on any chip-enabled card.
So, at this point, I wasn't sure how I was going to lift the chip off without completely destroying it, so I opted to cut around it.
Yeah, I know this is pretty much crap, but you have to start somewhere. So, the next question is: what do I do now? This is where this first trial gets very funny. At least for me.
My first thought was to overlay it on another card, run over to the store and go to the ATM. If you're laughing right now, then you probably know how that was an epic fail. The card did not fit in the slot, so I had to move on to Plan B.
Plan B
I knew exactly how to recover from my FAIL. Just measure the placement on the card and, instead of overlaying it on another credit card, place it on a business card. Perfect!
This probably would have worked, but I made one misstep in this approach. I used two-sided tape to adhere the chip to my old business card. Ugh! Failing to see the error of my ways, I went to a hardware store, picked up some items and of course I wanted to use self-checkout because this absolutely looks shady. At the prompt, I inserted my faux card and the chip came off in the reader. Seriously, what is wrong with me?!?!? Now I'm down a chip and my test is a major FAIL.
I can't stop there though. Now I'm on a mission.
Test 2
This time I wanted to be a little more precise in my card mangling, and I'm nearly out of cards I can use for this experiment. For this second test, I very carefully used an X-Acto knife and cut around the contact pad on the top of the card. Once it was separated from the plastic, I very carefully pried the contact pad and attached chip from the card. I repeated this process on another credit card and swapped the chips. I used some super glue this time to "embed" the chips onto the card.
It's certainly not very pretty, but I thought it was worth a shot. Next step: head over to the store, make a purchase and hope we have a winner here.
The picture above shows the last four digits of this card, and below is a picture of me making my purchase using the card with the swapped chip.
Eureka, the transaction worked and my purchase was successful.
As you can see, the last four digits do not match the last four of the card I used. They are in fact the last four digits of the card I swapped the chip from.
Conclusion
So, what was the point of all of this? If you recall, I simply wanted to know whether, if a chip came off your card, someone could then put it on another card or medium and it would work. The answer is an absolute yes, provided that it is completely intact and undamaged.
The probability of your chip becoming unglued is pretty low, and the need for someone to subsequently find your chip and do something malicious with it further decreases the overall risk in this situation. I had to do quite a bit of work to get the chip off without damaging it and making it inoperable. That being said, manufacturing issues, wear and tear, excessive moisture and heat could lead to the glue weakening, and you should be aware that there is a real possibility of your chip falling off.
Try to stay aware of your credit card's integrity, and if you find that the chip has come off, treat it like a lost card. Call your bank and have them issue a new one immediately. It is not advised that you glue the chip back on and continue usage.
Jason Knowles and the I-Team also covered this story. Their story can be found at: http://abc7chicago.com/finance/credit-card-chips-can-fall-out-posing-a-security-risk/2284510/
Shawn Kanady is Senior Director, SpiderLabs Hunt and Intelligence at Trustwave with over 20 years of experience in IT and security. He leads the team by example, applying his DFIR knowledge to create industry best practices.