Malware prototype exposes smartcard security flaws

Hand coming out of screen stealing credit card

A research team from IT security consultancy itrust have created a proof-of-concept malware that lets attackers gain access to smartcard readers attached to infected Windows PCs via the internet.

The attack happens when a smartcard reader is connected to the affected computer via USB.

The malware installs a driver onto the USB device that allows the attacker to access information on the victim's smartcard as if it were attached to their own PC.

The researchers, led by IT security consultant Paul Rascagneres, used the Belgian eID national electronic identity card and a selection of smartcards used by Belgian banks to test drive the malware prototype.

As with the British Chip and PIN credit and debit cards, most smartcards use a PIN or password as a secondary authentication method to enhance security.

However, the malware developed by the itrust team also contains a keylogger that can steal these credentials as unwitting users type them on their keyboard.

Victims are unlikely to be unaware they have been attacked until they suffer some kind of identity or financial fraud.

Rascagneres claims the attack is completely transparent to the user as they will not be prevented from using their card reader in the usual way.

Marcin Kleczynski, CEO of Malwarebytes told IT Pro: "The research is another clear indicator of the fact that intelligent malware can breach even the most seemingly watertight counter-measure."

"There has been a massive increase in the value of sensitive business data amongst the criminal underground, so breaches such as this, using new attack vectors, will only increase," Kleczynski added.

A full exposition of the development of the prototype and the threat this kind of malware poses will be delivered in a presentation by Rascagneres, entitled Smartcards Reloaded Remotely! at the upcoming MalCon security conference in New Dehli on 24 November.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.