Chip-and-pin payment cards can be cloned using Prilex malware

UK adopted chip and PIN cards in 2004, but criminals are now trying to break down the security barriers

Cyber criminals have developed a way to steal card data and successfully clone supposedly secure chip-and-pin cards.

While the UK adopted chip-and-pin cards in 2004, the US has only recently shifted away from decades-old magnetic stripes on credit and debit cards in a bid to improve the security of transactions and reduce card fraud.

But cyber criminals are already making headway in breaking down the security of chip-and-pin cards, according to research from Kaspersky Lab.

Researchers at Kaspersky found that the Prilex group, whose malware has been active since 2014, had modified that malware with additional features to infect point-of-sale (POS) terminals and collect card data.

The modified POS software lets a third party capture the data the terminal transmits to the bank: when a consumer pays with their card at an infected POS terminal, the card data is forwarded to the criminals.

Collecting this data is just half of the job - Kaspersky found that the Brazil-based Prilex group has built an infrastructure that lets its customers create cloned cards.

Because the EMV standard has been implemented faultily in Brazil, not all of the data required in the approval process is verified, so these cloned cards work on any POS system in the country.

For a normal chip-and-pin card to work, there are four basic steps it goes through when the chip is put into a POS terminal: initialisation, data authentication, cardholder verification and transaction. Only the first and last steps are mandatory, so the other two can, technically, be skipped.

The card-cloners created a Java applet for the cloned card to run. It tells the POS terminal that the card does not support data authentication, so the terminal skips that step and the criminals never need the card's private cryptographic keys, which should be almost impossible to extract.

The EMV standard also has an option that lets the card itself validate whether the PIN is correct (offline PIN verification) - in other words, the cybercriminals' applet can simply say the PIN is valid, regardless of what was entered.
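To make the two tricks concrete, here is an added toy model of the terminal and issuer decision described above. It is illustrative code written for this page, not Prilex's applet and not a real EMV stack: the RSA signatures and 3DES/AES cryptograms of real cards are replaced by HMAC-SHA256 tags, the terminal is assumed to "know" the card key as a stand-in for the public-key certificate chain, and every key, PAN, PIN and transaction string is constructed. What it shows is that the card itself tells the terminal which optional steps to run (the AIP bits), that offline PIN verification trusts the card's answer, and that the clone only survives when nobody checks the cryptogram - the Brazilian flaw the article refers to.

```python
"""Toy model of the EMV steps Prilex abuses: the card tells the terminal what to check.

Constructed illustration for this article; not Prilex code and not a real EMV stack.
HMAC tags stand in for RSA signatures and card MACs; keys, PAN, PIN and
transaction data are made up.
"""
import hmac
import os
from dataclasses import dataclass

# Application Interchange Profile, byte 1 (EMV Book 3, Annex C1).
AIP_SDA = 0x40   # static data authentication supported
AIP_DDA = 0x20   # dynamic data authentication supported
AIP_CVM = 0x10   # cardholder verification supported
AIP_CDA = 0x01   # combined DDA / application cryptogram generation supported
AIP_ODA_MASK = AIP_SDA | AIP_DDA | AIP_CDA

SW_OK = b"\x90\x00"          # status word: success
SW_PIN_WRONG = b"\x63\xC2"   # status word: PIN incorrect, 2 tries left


def _tag(key: bytes, data: bytes) -> bytes:
    """8-byte HMAC tag standing in for the card's signature / cryptogram."""
    return hmac.new(key, data, "sha256").digest()[:8]


@dataclass
class GenuineCard:
    pan: str
    pin: str
    card_key: bytes   # stand-in for the card's private/secret keys

    def get_processing_options(self) -> int:
        return AIP_DDA | AIP_CVM | AIP_CDA

    def internal_authenticate(self, challenge: bytes) -> bytes:
        return _tag(self.card_key, b"DDA" + challenge)

    def verify(self, pin: str) -> bytes:
        return SW_OK if pin == self.pin else SW_PIN_WRONG

    def generate_ac(self, txn: bytes) -> bytes:
        return _tag(self.card_key, b"ARQC" + txn)


@dataclass
class ClonedCard:
    """Applet written from stolen data: it has the PAN but none of the keys."""
    pan: str

    def get_processing_options(self) -> int:
        return AIP_CVM            # no SDA/DDA/CDA bits -> terminal skips data authentication

    def internal_authenticate(self, challenge: bytes) -> bytes:
        raise RuntimeError("never reached: the terminal does not ask")

    def verify(self, pin: str) -> bytes:
        return SW_OK              # any PIN is reported as correct

    def generate_ac(self, txn: bytes) -> bytes:
        return os.urandom(8)      # garbage cryptogram; only matters if someone checks it


def run_transaction(card, entered_pin: str, txn: bytes, card_key: bytes,
                    terminal_requires_oda: bool, issuer_checks_arqc: bool):
    """Terminal plus issuer decision. Returns (approved, reason)."""
    aip = card.get_processing_options()          # 1. initialisation
    # 2. data authentication: only if the card says it supports it
    if aip & AIP_ODA_MASK:
        challenge = os.urandom(4)
        if card.internal_authenticate(challenge) != _tag(card_key, b"DDA" + challenge):
            return False, "ODA failed"
    elif terminal_requires_oda:                   # simplified terminal action code
        return False, "card offers no data authentication"
    # 3. cardholder verification, offline PIN: the card is the judge
    if aip & AIP_CVM and card.verify(entered_pin) != SW_OK:
        return False, "PIN rejected"
    # 4. transaction: the cryptogram goes online to the issuer
    arqc = card.generate_ac(txn)
    if issuer_checks_arqc and not hmac.compare_digest(arqc, _tag(card_key, b"ARQC" + txn)):
        return False, "issuer rejected ARQC"
    return True, "approved"


KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed card key
TXN = b"BRL 120.00 at POS 4711"                            # constructed transaction data


def demo() -> dict:
    genuine = GenuineCard("4000123412341234", "1234", KEY)
    clone = ClonedCard("4000123412341234")
    return {
        "genuine_right_pin": run_transaction(genuine, "1234", TXN, KEY, False, False),
        "genuine_wrong_pin": run_transaction(genuine, "0000", TXN, KEY, False, False),
        "clone_lax_issuer": run_transaction(clone, "0000", TXN, KEY, False, False),
        "clone_strict_issuer": run_transaction(clone, "0000", TXN, KEY, False, True),
        "clone_strict_terminal": run_transaction(clone, "0000", TXN, KEY, True, False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The three clone cases are the practitioner's check: with a lax issuer the clone is approved on any PIN, because the only party that ever examines the cryptogram does not bother; an issuer that verifies the ARQC declines it at step 4, and a terminal configured to refuse cards that offer no data authentication never even reaches the PIN step.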

Kaspersky believes the infrastructure Prilex created includes the Java applet and a client application dubbed 'Daphne' for writing the data to smart cards and checking the amount of money that can be withdrawn with them.

In addition, Prilex's service includes a database of card numbers and other data - the group sells all of this as a package to others in Brazil, who can create and use the cloned cards.