News
EMV Card Verification
The ECV test Suite (EMV Card Verification) is designed to test EMV applications on smart cards. ECV allows you to check the completeness of data on the card and the card’s performance during transaction servicing, consistency and lack of redundancy of data, monitor the implementation of cryptographic functions of the EMV application, identify the causes of failures in the work of already issued cards, and much more. ECV is a terminal emulator in a point of sale (POS-terminal) with a number of additional features that are not available...
read moreChip Liability Shift
Obviously, card authentication is an effective means of combating counterfeit cards (Counterfeit). That is why payment systems have introduced the chip Liability Shift, worded as follows. If fraud of the “Fake card” type occurs on the MP K card in a terminal that supports only cards with a magnetic stripe, the Bank serving the terminal is responsible for the fraud. The chip Liability Shift, when it appeared, had an intraregional character (it acted in the case when the servicing Bank and the card Issuer were residents of the same...
read moreThree methods of offline card authentication: EMV standard (V. 4.2)
Card authentication methods are divided into offline and online. The latest version of the EMV standard (V. 4.2) distinguishes three methods of offline card authentication: 1) SDA (Static Data Authentication); 2) DDA (Dynamic Data Authentication); 3) CDA (Combined Dynamic Data Authentication/AC Generation). The first authentication method in the list belongs to the class of static authentication methods, while the last two belong to dynamic authentication methods. The SDA method ensures the integrity of static data critical to the map...
read moreChip technology has reduced the level of fraud in the card market by 82%
The Introduction of chips significantly contributed to the reduction of fraud with counterfeit credit cards, according to research by VISA. Since the introduction of the EMV (Europay + MasterCard + VISA) standard, chip-based fraud in counterfeit card-based payments has declined by 82 percent. Today, issuers are sending new chip-enabled payment cards to magnetic stripe credit card holders, which are set to expire soon. The same “chip” technology is used during contactless payments, which allows users to easily pay through the...
read moreClone MasterCard in MagStripe mode
We proceed directly to the principle of cloning. This contactless card attack method was published by two researchers Michael Roland, Josef Langer from the University of Austria. It is based on a general principle called Skimming. This is such a scenario in which an attacker steals money from a bank card by reading (copying) information from this card. In the general case, it is important to keep the PIN code confidential and prevent it from leaking. But in the method of the Austrian guys we do not need to know this. Cloning of a payment card...
read moreClone a contactless card using a mobile application
It was always interesting to see what happens on a bank card under the “hood”. How the communication protocol of a bank card and a POS terminal is implemented, how it works and how safe it is. Such an opportunity appeared before me when I was doing an internship at Digital Security. As a result, when parsing one known vulnerability of EMV cards in MagStripe mode, it was decided to implement a mobile application that is able to communicate with the terminal via a contactless interface, using its own commands and a detailed analysis of requests...
read moreOffline EMV Transaction
The peculiarity of an offline transaction is that the transaction is carried out by card and terminal without contacting the bank and the payment system. During such a transaction, the card can approve the transaction within the established limit, and the terminal, in turn, sends information to the bank later on schedule, or when a connection with the bank appears. Such offline transactions provide additional benefits to both the issuing bank and the card holder. For example, the owner may pay even if there is no connection with the bank. Or,...
read moreOnline EMV Transaction
The main method of confirming the authenticity of the card in online transactions is the authentication of the card online. The basis of this method is the generation of the ARQC (Authorization Request Cryptogram) cryptogram for each payment transaction. Let’s take a closer look at this process. The generation and verification of cryptograms is based on the 3DES algorithm. The issuer and the card own a shared secret key MKac (Application Cryptogram Master Key). At the beginning of the transaction, the card generates an SKac (Application...
read moreEMV Application Data
Like magnetic stripe cards, EMV applications also have open readable data. And although it is impossible to read the application itself, it is impossible to get to the keys and pin code – access to open application data is always open. What kind of data are we talking about? The picture above is an indicative list of the data stored inside the EMV application. Of course, for each specific application, it may be slightly different. At this stage, it is important to note that the client’s personal information is not stored in the EMV...
read moreThe internal structure and security of the EMV card
By and large, the EMV microprocessor card is a regular smart card (read one, two, three), which is based on the ISO / IEC 7816 or ISO / IEC 14443 standards (for contactless). Implementation of an EMV card can be performed both on the basis of JavaCard and GlobalPlatform, and using native smart card methods. Similar to conventional operating systems (OS), card OS also have a file structure and applications. In the context of this article, it is the EMV card payment applications that are most interesting. Therefore, we will consider just them....
read more