{
	"id": "7e4894ed-a1f9-4c74-b4ee-95b4d0ab4e49",
	"created_at": "2026-04-06T00:11:31.961781Z",
	"updated_at": "2026-04-10T03:21:17.12218Z",
	"deleted_at": null,
	"sha1_hash": "c0a81af599ffb63906dc87786f4dcb68e4dfb107",
	"title": "Cloning chip-and-PIN cards: Brazilian job",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48892,
	"plain_text": "Cloning chip-and-PIN cards: Brazilian job\r\nBy Alex Perekalin\r\nPublished: 2018-03-09 · Archived: 2026-04-05 14:48:00 UTC\r\nThe United States recently shifted from insecure magnetic-stripe credit and debit cards to better-protected chip-and-PIN cards built on the EMV standard. That is a big step toward securing transactions and reducing card fraud, and one might think the end is near for the kind of fraud that relied on cloning cards.\r\nHowever, our researchers recently discovered that a group of cybercrooks from Brazil has developed a way to steal card data and successfully clone chip-and-PIN cards. Our experts presented their research at the Security Analyst Summit 2018, and here we will try to explain that complex work in a short post.\r\nJackpotting ATMs and beyond\r\nWhile researching ATM jackpotting malware used by a Brazilian group called Prilex, our researchers stumbled upon a modified version of it with additional features, used to infect point-of-sale (POS) terminals and collect card data.\r\nThis malware modifies the POS software so that a third party can capture the data the terminal transmits to the bank. That is how the crooks obtain card data: when you pay at a shop whose POS terminal is infected, your card data goes straight to the criminals.\r\nHowever, having the card data is only half the battle. To steal money, the criminals also need to clone cards, a process made far harder by the chip and the several authentication steps it takes part in.\r\nThe Prilex group built a whole infrastructure that lets its “customers” create cloned cards, which in theory should not be possible.\r\nTo understand why it is possible, you first need a quick look at how EMV cards work. 
As for the cloning, we will keep it as simple as possible.\r\nHow the chip-and-PIN standard works\r\nThe chip on the card is not just flash memory but a tiny computer capable of running applications. When the chip is inserted into a POS terminal, a sequence of steps begins.\r\nThe first step is initialization: the terminal receives basic information such as the cardholder name, the card expiration date, and the list of applications the card can run. Among the data the card returns is a profile of the security features it claims to support, and the terminal plans the rest of the transaction around that profile.\r\nSecond is an optional step called data authentication: the terminal checks that the card is authentic by validating card data with cryptographic algorithms, using keys held by the card and certificates that chain back to the payment network. The details are beyond the scope of this post.\r\nhttps://www.kaspersky.com/blog/chip-n-pin-cloning/21502\r\nPage 1 of 3\n\nThird is another optional step called cardholder verification: the cardholder must provide either the PIN or a signature, depending on how the card was programmed. This step checks that the person paying with the card is the person it was issued to.\r\nFourth, the transaction itself happens. Note that only steps 1 and 4 are mandatory; in other words, authentication and verification can be skipped, and that is where the Prilex group comes in.\r\nCarding unlimited\r\nSo we have a card that can run applications, and during the first handshake the POS asks the card which applications are available. The number and complexity of the steps needed for the transaction depend on what those applications declare.\r\nThe card cloners wrote a Java applet for the card to run. The applet has two capabilities. First, it tells the POS terminal that there is no need to perform data authentication, because the card claims to support none of the authentication methods. That means no cryptographic operations, sparing the crooks the near-impossible task of obtaining the card’s private cryptographic keys.\r\nBut that still leaves PIN verification. 
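The four steps above, together with the two tricks the post attributes to the cloned card (declaring no data authentication method, and having the card itself vouch for the PIN, which the next paragraph explains), as a toy model in Python. This is an added example, not code from the original post or from Kaspersky's research: the AIP bit masks, the VERIFY APDU, the plaintext PIN block layout and the status words follow EMV Book 3, while the card classes, the TerminalPolicy flags and the simulated offline data authentication are assumed simplifications, not real POS or card software.

```python
'''Toy model of the EMV card/terminal exchange described in this post.

Added example, not code from the original post or from Kaspersky's research.
The constants (AIP bit masks, the VERIFY APDU, the plaintext PIN block
format and status words) follow EMV Book 3; the card and terminal classes
are a simplified, assumed model, not real POS software. Offline data
authentication (ODA) is represented by a flag rather than by the real
RSA certificate chain, which this toy does not implement.
'''
from dataclasses import dataclass

# Application Interchange Profile (tag 82), byte 1 bit masks (EMV Book 3)
AIP_SDA = 0x40   # Static Data Authentication supported
AIP_DDA = 0x20   # Dynamic Data Authentication supported
AIP_CVM = 0x10   # cardholder verification supported
AIP_CDA = 0x01   # Combined DDA / application cryptogram generation supported
AIP_ANY_ODA = AIP_SDA | AIP_DDA | AIP_CDA

# Cardholder Verification Method codes (low 6 bits of a CVM rule, tag 8E)
CVM_PLAINTEXT_PIN_ICC = 0x01       # offline PIN, verified by the card itself
CVM_ENCIPHERED_PIN_ONLINE = 0x02   # PIN sent to the issuer for verification
CVM_SIGNATURE = 0x1E

SW_OK = 0x9000          # command succeeded
SW_WRONG_P1P2 = 0x6A86  # incorrect parameters P1-P2

def sw_pin_tries_left(n: int) -> int:
    '''63Cx: PIN wrong, x verification attempts remaining.'''
    return 0x63C0 | (n & 0x0F)

def plaintext_pin_block(pin: str) -> bytes:
    '''Plaintext offline PIN block: control nibble 2, PIN length, PIN digits, F padding.'''
    return bytes.fromhex(f'2{len(pin)}{pin}'.ljust(16, 'F'))

def verify_apdu(pin: str) -> bytes:
    '''VERIFY command: CLA 00, INS 20, P1 00, P2 80 (plaintext PIN), Lc 08, PIN block.'''
    return bytes([0x00, 0x20, 0x00, 0x80, 0x08]) + plaintext_pin_block(pin)

@dataclass
class HonestCard:
    '''An issuer-personalised card: supports DDA/CDA and really checks the PIN.'''
    pin: str
    aip: int = AIP_DDA | AIP_CDA | AIP_CVM
    cvm_list: tuple = (CVM_PLAINTEXT_PIN_ICC, CVM_SIGNATURE)
    tries_left: int = 3

    def verify(self, apdu: bytes) -> int:
        if apdu[:4] != bytes([0x00, 0x20, 0x00, 0x80]):
            return SW_WRONG_P1P2
        block = apdu[5:5 + apdu[4]]
        n = block[0] & 0x0F                 # PIN length nibble
        entered = block.hex()[2:2 + n]      # digits follow the control byte
        if self.tries_left > 0 and entered == self.pin:
            return SW_OK
        self.tries_left = max(0, self.tries_left - 1)
        return sw_pin_tries_left(self.tries_left)

@dataclass
class RogueCard:
    '''Models the applet behaviour the post describes: advertises no ODA method,
    offers only card-verified plaintext PIN, and reports every PIN as correct.'''
    aip: int = AIP_CVM                      # no SDA/DDA/CDA bits set
    cvm_list: tuple = (CVM_PLAINTEXT_PIN_ICC,)

    def verify(self, apdu: bytes) -> int:
        return SW_OK                        # whatever PIN block arrives is 'correct'

@dataclass
class TerminalPolicy:
    '''Assumed terminal configuration knobs for this model.'''
    require_oda: bool = False      # decline cards that offer no data authentication
    trust_card_pin: bool = True    # accept the card's own verdict on offline PIN

def run_transaction(card, pin_entered: str, policy: TerminalPolicy) -> dict:
    '''Simplified EMV flow: initialisation -> optional ODA -> optional CVM -> decision.
    Returns a dict describing what the terminal did and whether it approved.'''
    result = {'oda': 'skipped', 'cvm': 'none', 'approved': False, 'reason': ''}
    # Step 2 (optional): ODA runs only if the card's AIP says it supports a method.
    if card.aip & AIP_ANY_ODA:
        result['oda'] = 'performed'        # real terminal: validate certificates here
    elif policy.require_oda:
        result['reason'] = 'card offers no data authentication'
        return result
    # Step 3 (optional): cardholder verification using the card's CVM list.
    if card.aip & AIP_CVM:
        method = card.cvm_list[0]
        if method == CVM_PLAINTEXT_PIN_ICC and policy.trust_card_pin:
            sw = card.verify(verify_apdu(pin_entered))
            result['cvm'] = f'offline PIN, card answered {sw:04X}'
            if sw != SW_OK:
                result['reason'] = 'PIN rejected by card'
                return result
        else:
            # Do not take the card's word for it: send the PIN to the issuer instead.
            result['cvm'] = 'online PIN'
            result['reason'] = 'deferred to issuer'
            return result
    result['approved'] = True
    return result
```

Run against the honest card, any wrong PIN is refused with a 63Cx status word. The rogue card is approved with any four digits as long as the terminal accepts both a missing ODA and the card's own PIN verdict, and it is refused as soon as the terminal insists on data authentication or routes the PIN to the issuer instead. The lesson of the model is that the fix cannot live in the card, which the attacker controls, but in what the terminal and the issuer are willing to trust.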
However, the EMV standard allows the card itself to be the entity that checks whether the PIN is correct: the terminal sends the entered PIN to the chip, and an application running on the chip answers whether it matched.\r\nYou read that right: the cybercriminals’ applet reports every PIN as valid, no matter what was entered. The crook wielding the cloned card can simply type four random digits, and they will always be accepted.\r\nCard fraud as a service\r\nThe infrastructure Prilex created includes the Java applet described above and a client application called “Daphne” for writing the stolen information onto blank smart cards (smart card reader/writer devices and blank smart cards are inexpensive and completely legal to buy). The same application is used to check how much money can be taken from the card.\r\nThe infrastructure also includes a database of card numbers and other card data. Whether the card is debit or credit does not matter; “Daphne” can create clones of both. The crooks sell it all as a package, mostly to other criminals in Brazil, who then create and use the cloned cards.\r\nConclusion\r\nAccording to Aite’s 2016 Global Consumer Card Fraud report, it is safe to assume that all users have been compromised. Whether you use a card with a magnetic stripe or a more secure chip-and-PIN card does not matter: if you have a card, its information has probably been stolen.\r\nNow that criminals have developed a method to actually clone the cards, this starts to look like a very serious financial threat. To avoid losing significant amounts of money to card fraud, we recommend the following:\r\nKeep an eye on your card’s transaction history, using mobile push or SMS notifications. If you notice suspicious spending, call your bank as soon as possible and block the card right away.\r\nUse Android Pay or Apple Pay where possible; these methods present a device-specific token to the terminal instead of your actual card data. 
That is why they are more secure than inserting your card into a POS terminal.\r\nUse a separate card for Internet payments, because that card is even more likely to be compromised than those you use only in brick-and-mortar stores, and do not keep large sums of money on it.\r\nSource: https://www.kaspersky.com/blog/chip-n-pin-cloning/21502",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kaspersky.com/blog/chip-n-pin-cloning/21502"
	],
	"report_names": [
		"21502"
	],
	"threat_actors": [],
	"ts_created_at": 1775434291,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0a81af599ffb63906dc87786f4dcb68e4dfb107.pdf",
		"text": "https://archive.orkl.eu/c0a81af599ffb63906dc87786f4dcb68e4dfb107.txt",
		"img": "https://archive.orkl.eu/c0a81af599ffb63906dc87786f4dcb68e4dfb107.jpg"
	}
}