Aussie hacker flips Coin into fraudster fob

Kiwicon Criminals can empty stolen credit cards with new-found stealth using payment gadget Coin, thanks to the device's weak and pwnable authentication checks.

Hacker Peter Fillmore (@typhoonfilsy) of Melbourne, Australia, found Coin's weak authentication scheme can be manipulated using man-in-the-middle attacks that allow fraudsters to load and verify stolen cards.

As Fillmore notes, pilfered cards are easy to buy from criminal sites like Rescator. Then they can be loaded and verified with Coin, and used at retailers.

It's also a stealthy approach for fraudsters, since they no longer need to DIY-build possibly dodgy credit cards – instead using Coin at US retailers already familiar with the gadget.

Coin security boss and chief operating officer Russell Taga says the company is investigating the attacks.

"This is the first that Coin is hearing about what you're sharing, so we'd need more information before fully responding,” Taga told Vulture South.

Fillmore says the fix will require an expensive overhaul of Coin's authentication mechanism so it resembles that used in traditional payment terminals. It is a timely and costly repair that stands in stark comparison to his hack, which he says took a total of half a day to discover and write up.

The payment card and fraud boffin tells Vulture South ahead of his talk at the Kiwicon conference in Wellington Friday it is also possible to load Coin with expired credit cards, or predictable American Express cards that have yet to be issued (via a separate hack detailed last week).

Fillmore says the hack is possible because the authentication request Coin pushes to processor Stripe can be intercepted and altered. That would allow an attacker to load a stolen or expired credit card, or yet-to-be-released American Express card, into Coin, and capture and alter the authentication check such that the dodgy card details can be replaced with the data of a card a fraudster owns.

Stripe would then see the fraudster's card details and issue an approved token that Coin would apply to the stolen or expired card.

“You enter the stolen card data and if you put in a man-in-the-middle proxy, you change the details to a valid card, say a prepaid card, and they will place a charge check for say $1,” Fillmore says.

“Stripe doesn't care how you send the credit card details – as long as it's a valid credit card, they'll send back a valid token. It's a lot easier for a criminal using Coin because they don't need to try to create a legitimate-looking credit card.”

Attackers can also directly edit the Coin app database to have the device accept dodgey credit cards. Then the Stripe authentication check would not even need to occur.

“Coin claims they are doing authentication checks – they're not – they trust the local database,” he says. The local hack which can happen with phones placed in airplane mode needs more time to develop than Fillmore allocated to his quick and dirty exploit.

Attackers would need to work out the encryption key, which he says is achievable.

Fillmore says he has long considered Coin and similar devices as assets to fraudsters. He says Coin needs a significant redesign so that it would use expensive and proven authentication schemes like point-to-point encryption.

“Coin can't fix this without a hell of a lot of work. They need to set up their own authentication service to ensure cards are correct.” ®

Youtube Video