The hidden lab where bankcards are hacked

Decoding PIN numbers and credit cards can bring criminal groups vast wealth. Paul Marks visits a secret facility where one financial giant is fighting back – by trying to hack their own products.

It couldn't get any more steampunk if it tried: a wooden robot hisses like an airbrake as a blast of compressed air shoves its arm sideways, sending a credit card attached to it clattering through a card reader. The machine then hisses again and yanks the card back, ready for yet another swipe. This pneumatic push-me-pull-you routine is comically hypnotic to watch – and it continues until someone decides its task is complete.

This wheezing automaton is no museum exhibit, however. It has a key job in pre- and post-crime forensics at payment firm MasterCard's digital security lab in the north of England. This is where MasterCard's engineers try to work out how thieves will attack the vast array of digital payment systems we all use today – whether they are old-style magnetic stripe credit cards, contactless chip-and-PIN debit cards, smartphone-based biometric systems like Apple Pay – or even upcoming wearables that will use novel biometrics like your heartbeat pattern for payment authentication.

To do this, the Mastercard DigiSec Lab, as it is called, has an impressive arsenal of hi-tech machinery - including electron beams, lasers, x-rays and ionising radiation to try and break the payment technology encryption, passwords and PINs we use – and that increasingly well-resourced cybercriminals are desperate to break. They can also work out how and where criminals who try to game such systems will leave tell-tale traces of their own DNA on ATMs, cards and hacked PIN-entry machines.

But it is results that count – and if an improvised steampunk lash-up can do the job as well as an expensive piece of kit, the lab's chief researcher Simon Blythe appears to have relished the task of building it. "I got the wood from my local hardware store and the pneumatic actuator online," he says, grinning.

Watch the wooden card tester in action (Credit: Paul Marks)

The wooden robot's aim is to see if a suspect payment card had been tampered with by a hacker group. If fitted with a malicious RFID chip it could broadcast a radio signal containing account and PIN details to an attacker who has hidden a receiver antenna near, say, a shop's point-of-sale terminal or an ATM. But it must be swiped many times to allow the team to tune into the signal – so the robot automates that swiping.

On top of this, the robot operates in an electromagnetic version of an anechoic chamber which, rather than eradicate sound, screens out all powerline, wi-fi, cellphone and broadcast radio/TV signals, allowing the hacker's feeble signal to be detected. And to prevent absorption of this weak signal by a regular robot's metallic structure, it had to be made of wood with plastic and rubber pneumatics.

So how do we know what is going on inside this secure lab? After decades of keeping the activities of its security lab secret, Mastercard has decided to bring it – and its sister labs in New York and St Louis, Missouri – out of the shadows. In an era when criminals are pillaging our payment and online data seemingly at will – the 56 million payment card details taken in the Home Depot hack, for instance, or the Target attack, in which 40 million were plundered – MasterCard wants to shed light on the constant arms race to both predict and prevent such crime.

"We've not spoken about this before but we have a huge investment in predicting attacks and protecting payment systems both digitally, in a cyber sense, and physically," says Ajay Bhalla, MasterCard's president of enterprise security solutions.

The first surprise on arrival at the facility is its startling anonymity. On a small industrial lot squeezed between a sprawling country park and a working dairy farm – languid cows chomping grass can be seen from the lab's front door – it does not exactly shout about its existence. "Locals know it's there but they don't know what it does. Basically, the less eyeballs the less interference," says a MasterCard spokesman.

That matters because mass e-fraud and hacktivist denial-of-service attacks on banks means payment resilience has become a matter of national security – and the MasterCard labs have their share of visitors from the intelligence sector as well as law enforcement, says Bhalla. "In a bank hack, the intelligence agencies like the Secret Service in the US cover multiple jurisdictions and get an overall view. But most of our lab effort is focused on ensuring it does not happen."

The lab's work starts with the oldest payment tech: the magnetic stripe credit card. While this is being slowly phased out in major markets like the US in favour of Europay, MasterCard and Visa (EMV) – otherwise known as chip-and-PIN technology – there are plenty of card-issuing banks still using the old strip technology elsewhere in the world.

To highlight its vulnerability, lab chief Alan Mushing sprays a sample magnetic stripe with a fluid suspension of iron filings – instantly showing up the patterns of zeroes and ones on the card as a series of light and dark bands. "You can work out the account number, the expiry date and other key data. The issuers are all surprised to see how vulnerable it is," he says.

Researchers from MasterCard's laboratory explain their hacking work in this video produced by the company (Credit: MasterCard)

This is speeding the move to chip-and-PIN – so the lab is trying to predict the technologies cybergangs will use to break that as well. The chip in an EMV card is a complex beast containing 250,000 logic gates – arrangements of transistors that execute the series of instructions in a computer program – on a three-millimetre-square slice of silicon. It contains programmable memory for storing data like PINs and cryptographic keys, rewritable memory (RAM), read-only memory (ROM) and a microprocessor. What is critical is that it is as hard as possible to copy through reverse engineering. "It mustn't be easily cloned or counterfeited," says Mushing.

By watching how electrical charge – which shows up under an electron microscope as bright flashes – play out across the connections on top of the EMV chip, it's possible to work out the sequence of 0s and 1s being generated. That could help hackers reverse engineer the chip or work out how to extract the cryptographic keys. Or both. So the trick is to learn how an EMV chip's connecting tracks can be buried or rerouted, or logic gate positions shuffled, to head off such attacks. "So far it is working. Up until now, we have not seen a cloned chip card," says Mushing.

No one at the lab looks terribly convinced it won't ever happen, however: attack attempts are constant – indeed, two engineers leave our visit briefly to discuss a just-breaking attack – and the impression is that it's only a matter of time. "Criminals tend to work on an entrepreneurial scale where they look for weak spots and ways to get in. They are not nine-to-five workers," says Paul Trueman, senior vice-president of enterprise security solutions at MasterCard. One of those ways is power analysis: monitor how the power use of a chip changes during a cryptographic operation and you might get clues to the encryption tricks in the chip. That’s yet another thing to defend against.

Another criminal way in is to attack the PIN-entry devices (PEDs) used at points of sale – the devices the teller hands us to put our cards into. That means adding memory chips (like SD cards) and connectors inside the device that an attacker can access at some point to, for instance, download a few days’ worth of card numbers and associated PINs. That is where the lab's X-ray machines, much like those at airports, come in. By looking right through a device, the lab's engineers can look for tiny changes that suggest circuitry that has been added by attackers. It can sometimes be as little as a stray wire leading to an illicit USB connector. The trick, says Mushing, is to keep perfecting the tamper resistance functions in the PED, ensuring anyone trying to add something untoward wipes the device's cryptographic software and renders its unusable.

To see how transistors are connected in suspect chips the lab uses red and infrared laser-scanning microscopes and – because chip geometries are ever-shrinking – electron microscopes, too. This is becoming more important because the criminals are getting much smarter, says Mushing. They are distributing the task of reverse engineering across crime teams cooperating on the internet – a crime cloud, of sorts.

Should a hacked contactless chip make it into service – the kind the steampunk robot is trying to detect – the lab has also been trying to predict the kind of receivers hackers might place unobtrusively nearby to steal data. One, suitably dubbed the 'bintenna' by Blythe, is a wastepaper basket with a receiver coil wound around a hidden core. You pay for your goods or use an ATM but while you are stood still and at close range a gamed RFID chip (which may even be in the ATM) chirps your details and PIN to a receiver like the bintenna. The DigiSec team seem to get quite a kick out of second guessing such bizarre crime mechanisms.

The future, however, looks like being based on wireless payment via smartphones. So how can phone biometric readers be protected from fraudulent fingerprint imprints – the kind that hackers make from wax or soft-set wood glue? The lab team demonstrates the wood glue option – and gets into an iPhone6 via its Touch ID scanner in seconds. So MasterCard is trialling two ways to tackle this. With the Royal Bank of Canada it is working on consumer tests with heartbeat monitors on a bracelet, which could operate alone – or be used to authenticate alongside the fingerprint to double check ID. "And in Europe we are testing facial recognition from a phone's camera alongside fingerprints," says Trueman.

"A fingerprint is OK for opening your phone – but for making sure it is safe when paying something like 1,000 euros from a bank account is different. So we are doing a massive amount of work on identifying you."

As part of that, cardmakers are having to work with Apple on its biometrics/EMV-based Apple Pay system – and indeed Google's Android Pay. But with Apple well-known for its high levels of secrecy, even amongst its own senior staff, does that make them hard to deal with?

Bhalla is diplomatic about his Silicon Valley client. "I like their secrecy. It keeps things secure."

Yet what's clear is that secrecy is not enough any more. Digital security is an arms race and constant vigilance is needed if businesses are to stay anywhere near on top of it. Just the job, in fact, for a steampunk robot on a tireless quest for hacked credit cards.

Follow us on Facebook, Twitter, Google+ and Linked in