News

Cardholder verification method

Fraudulent transactions on counterfeit microprocessor cards are carried out using a magnetic stripe or using its details (MO / TO, Internet). Due to the fact that fraudulent transactions are performed using a magnetic stripe, the cardholder verification method defined by the issuer in the Cardholder verification method Type does not matter. Verification of the holder takes place according to service code – 201 (IPC, normal authorization, normal verification). It turns out that the reduction of fraud on counterfeit cards with IPC is not...

read more

Combating illegal use of EMV cards

Stolen (lost, not received) microprocessor cards (lost, stolen, NRI) The microprocessor card is also a powerful tool in the fight against such type of fraud as stolen (lost, not received) cards. Using the Chip&PIN approach, adopted today in the UK and considered by international payment systems as the most preferred method of cardholder authentication, allows you to significantly reduce these types of fraud. The DDA/CDA + PIN Offline method is the most reliable of all known methods of protection against card fraud. It is important to note...

read more

Modification of DDA/CDA transactions

Here are the simplest examples of possible data modification. If the terminal in the GENERATE AC command has requested a cryptogram TC, and the card in the person of the bank chip decides to process the transaction online or reject it offline, then the emulator chip changes the unprotected cryptogram information data in such a way that the card responds to the terminal with a cryptogram TC. Thus, the transaction is approved despite the fact that by the issuer’s decision it must either be rejected or transferred to the issuer for...

read more

Clone EMV card protection

Clone DDA/CDA card protection Service code 2xx. In our right hand we have a card with only a magnetic stripe, to which information is transferred from the magnetic stripe of the card located in the left hand. We are trying to use the card in a hybrid terminal that accepts microprocessor cards and magnetic stripe cards. The terminal must check the value of the service code on the magnetic strip, and if it is equal to 2XX, it must require the transaction to be performed using the chip. The terminal should not allow magnetic stripe operations if...

read more

Security analysis of operations on EMV cards

Properties of the microprocessor card, allowing to increase the security of operations The most important property of a microprocessor card (MPC) is the support of cryptographic functions by the operating system of the card. The use of these functions by the card application can significantly improve the security of payment transactions. The tasks solved by the IPC application to improve the security of plastic card transactions are listed below. 1. The most important basic task solved by the card application using cryptographic methods is to...

read more

Security of EMV transactions

To implement the CAP method, the client must have a microprocessor card with an EMV application, as well as a special card reader capable of initiating the generation of an OTP password and displaying its value consisting of 8 digits on the reader’s display (sometimes the reader and the card are combined in one physical device). Such a reader can cost several euros (10-15 euros, depending on the manufacturer and the volume of the purchased batch of devices). In addition to the additional costs of providing cardholders with readers,...

read more

Encoding data method for EMV Software

The ANSI/ISO/IEC 7811 standard is a specification for encoding information on an identification card using stamping or magnetic stripe techniques. This specification consists of five parts: relief embossing (writing method);magnetic stripe (recording method);the location of the characters when embossed on the ID-1 card;location of read-only magnetic tracks (tracks 1 and 2);the location of the tracks available for reading/writing (track 3). EMV Software Relief embossing allows you to form symbols raised above the plane of the card body. The...

read more

EMV application protection on smart cards

Unlike a normal personal computer, loading a program into memory and then executing it is not the main task for a smart card. Security mechanisms do not allow unauthorized program launches. In particular, you may need to authenticate the terminal for a specific application. In addition, the program code must be protected by at least a MAC address authentication code or a digital signature. Some smart card operating systems perform mutual isolation of memory areas of individual applications using software or hardware, so that the applications...

read more

Smart card interaction with EMV Software

The global concept of smart technology development is based on multi-functionality, which implies that several independent applications can be stored on a smart card: personal information (similar to a passport), driver’s license, etc., financial, identification, transport and other applications. With the growing role of the Internet in the global economy, the attention of leading technology and financial organizations to the standardization of smart cards and personal computers, as well as the procedures for their interaction, is...

read more

Smart Card Terminal authentication

The authenticity of the smart card user is verified by entering the PIN code. However, the user may also want to verify the authenticity of the terminal. Consider the potential threats of an attacker using a false terminal. An attacker could use such a machine to collect card PIN values entered by uninformed users. If the attacker who installed the terminal then stole these cards, he could use the PIN codes requested by the false terminal to perform any operations with the smart cards. There is a procedure that can be used to protect against...

read more