News
The bank’s risks related to fraud of EMV technologies
To determine how fraudulent transactions in the bank’s PS affect the bank’s business, the following risks must be assessed:
* financial. Fraudulent transactions most often result in financial losses for the bank or its customers. In the latter case, the risk of losing the client, if he ceases to trust the services provided by the bank, must also be taken into account;
* reputational. The reputation of the bank may be damaged if the services provided by it are (or seem) unsafe, and the protective...
EMV Card Security Policy
A bank card is a type of payment card, a non-cash payment instrument intended for individuals, including authorized legal entities, to perform transactions with funds held by the issuing bank. If an attacker obtains the card itself or its data or details, or counterfeits it, he can perform fraudulent transactions on the bank account to which the card gives access. We define a fraudulent transaction (from the point of view of the bank, not of criminal law) as follows. A fraudulent transaction is an...
Cardholder verification method
Fraudulent transactions on counterfeit microprocessor cards are carried out using a magnetic stripe or the card’s details (MO/TO, Internet). Because these transactions are performed using a magnetic stripe, the cardholder verification method defined by the issuer in the Cardholder verification method Type does not matter. The holder is verified according to the service code, 201 (IPC, normal authorization, normal verification). It turns out that the reduction of fraud on counterfeit cards with IPC is not...
Combating illegal use of EMV cards
Stolen (lost, not received) microprocessor cards (lost, stolen, NRI)
The microprocessor card is also a powerful tool in the fight against fraud involving stolen (lost, not received) cards. The Chip&PIN approach, adopted today in the UK and considered by international payment systems as the most preferred method of cardholder authentication, significantly reduces these types of fraud. The DDA/CDA + PIN Offline method is the most reliable of all known methods of protection against card fraud. It is important to note...
Modification of DDA/CDA transactions
Here are the simplest examples of possible data modification. If the terminal has requested a TC cryptogram in the GENERATE AC command, and the card, represented by the bank’s chip, decides to process the transaction online or reject it offline, then the emulator chip changes the unprotected Cryptogram Information Data in such a way that the card responds to the terminal with a TC cryptogram. Thus, the transaction is approved even though, by the issuer’s decision, it must either be rejected or transferred to the issuer for...
Clone EMV card protection
Clone DDA/CDA card protection
Service code 2xx. In our right hand we have a card with only a magnetic stripe, onto which information has been transferred from the magnetic stripe of the card in our left hand. We try to use the card in a hybrid terminal that accepts both microprocessor cards and magnetic stripe cards. The terminal must check the value of the service code on the magnetic stripe, and if it is equal to 2xx, it must require the transaction to be performed using the chip. The terminal should not allow magnetic stripe operations if...
Security analysis of operations on EMV cards
Properties of the microprocessor card that increase the security of operations
The most important property of a microprocessor card (MPC) is the support of cryptographic functions by the operating system of the card. The use of these functions by the card application can significantly improve the security of payment transactions. The tasks solved by the MPC application to improve the security of plastic card transactions are listed below.
1. The most important basic task solved by the card application using cryptographic methods is to...
Security of EMV transactions
To implement the CAP method, the client must have a microprocessor card with an EMV application, as well as a special card reader capable of initiating the generation of an OTP password and displaying its value consisting of 8 digits on the reader’s display (sometimes the reader and the card are combined in one physical device). Such a reader can cost several euros (10-15 euros, depending on the manufacturer and the volume of the purchased batch of devices). In addition to the additional costs of providing cardholders with readers,...
Encoding data method for EMV Software
The ANSI/ISO/IEC 7811 standard is a specification for encoding information on an identification card using stamping or magnetic stripe techniques. This specification consists of five parts:
* relief embossing (writing method);
* magnetic stripe (recording method);
* the location of the characters when embossed on the ID-1 card;
* location of read-only magnetic tracks (tracks 1 and 2);
* the location of the tracks available for reading/writing (track 3).
Relief embossing allows you to form symbols raised above the plane of the card body. The...
EMV application protection on smart cards
Unlike on a normal personal computer, loading a program into memory and then executing it is not the main task for a smart card. Security mechanisms do not allow unauthorized program launches. In particular, you may need to authenticate the terminal for a specific application. In addition, the program code must be protected by at least a message authentication code (MAC) or a digital signature. Some smart card operating systems perform mutual isolation of memory areas of individual applications using software or hardware, so that the applications...