"Clonagem" de Chips de Cartão no Brasil?

No Fantástico deste Domingo foi ao ar uma matéria sobre a prisão de uma "Quadrilha usa bluetooth para clonar cartões de chip e movimenta milhões - Grupo adulterava máquinas de restaurantes de luxo e transferia dados entre aparelhos. Golpe inédito garantia gastos com boates, carros e imóveis de luxo".

Veja a reportagem no link a seguir:

http://g1.globo.com/fantastico/noticia/2014/11/quadrilha-usa-bluetooth-para-clonar-cartoes-de-chip-e-movimenta-milhoes.html


Informações oficiais da Polícia Civil do RJ:

http://www.policiacivil.rj.gov.br/exibir.asp?id=19651

"Segundo o delegado Rodrigo Freitas, titular da DAIRJ, desde fevereiro a quadrilha movimentou aproximadamente R$ 3,5 milhões. " Nunca houve esse tipo de metodologia. Há indícios de que a quadrilha conseguiu, pela primeira vez, captar os dados do chip do cartão das vítimas. É uma ação muito sofisticada", disse o delegado.

De acordo com Rodrigo Freitas, eles colocavam o dispositivo, que não era visível por fora, dentro da máquina, e o recurso tecnológico captava os dados do chip do cartão por celular, notebook ou tablet. "Enquanto a vítima inseria o cartão no caixa eletrônico, um dos integrantes ficava próximo como se estivesse usando o celular ou laptop. Na verdade, estava captando os dados da vítima".

A quadrilha também comprava "cartões virgens" pela internet e imprimia com o nome de um deles, mas os dados internos do cliente lesado. De acordo com o delegado, a investigação começou quando a polícia percebeu a forma de ação da quadrilha. Os criminosos agiam na madrugada das terças e quintas - dias de desembarques internacionais -, com foco nos caixas eletrônicos do Aeroporto Internacional Tom Jobim.  O objetivo era atuar contra turistas estrangeiros e fraudar cartões internacionais."


Há alguns meses, estrangeiros que vieram ao Brasil com seus cartões "com chip" foram vítimas de fraude e há documentação de várias fontes citando o problema. Uma leitura recomendada é o blog do Brian Krebs - de três semanas atrás:

‘Replay’ Attacks Spoof Chip Card Charges:

http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/

Alguns trechos relevantes:

"Avivah Litan, a fraud analyst with Gartner Inc., said banks in Canada saw the same EMV-spoofing attacks emanating from Brazil several months ago. One of the banks there suffered a fairly large loss, she said, because the bank wasn’t checking the cryptograms or counters on the EMV transactions."

"MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly."


A técnica - que depende da utilização de uma máquina de leitura de cartões adulterada e da implementação insegura de mecanismos de segurança das transações feitas utilizando o chip e é uma das descritas neste excelente paper da Universidade de Cambridge sobre "Skimming" de cartões com chip: 

"Chip and Skim: cloning EMV cards with the pre-play attack."


http://www.cl.cam.ac.uk/~sjm217/papers/oakland14chipandskim.pdf

"Abstract:

EMV, also known as “Chip and PIN”, is the leading system for card payments worldwide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. We have discovered two serious problems: a widespread implementation flaw and a deeper, more difficult to fix flaw with the EMV protocol itself. The first flaw is that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce. This exposes them to a “pre-play” attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically. Card cloning is the very type of fraud that EMV was supposed to prevent. We describe how we detected the vulnerability, a survey methodology we developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and our implementation of proof-of-concept attacks. We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit. The second problem was exposed by the above work. Independent of the random number quality, there is a protocol failure: the actual random number generated by the terminal can
simply be replaced by one the attacker used earlier when capturing an authentication code from the card. This variant of the pre-play attack may be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer. We explore the design and implementation mistakes that enabled these flaws to evade detection until now: shortcomings of the EMV specification, of the EMV kernel certification process, of implementation testing, formal analysis, and monitoring customer complaints. Finally we discuss countermeasures. More than a year after our initial responsible disclosure of these flaws to the banks, action has only been taken to mitigate the first of them, while we have seen a likely case of the second in the wild, and the spread of ATM and POS malware is making it ever more of a threat."