News

Chip Liability Shift

Obviously, card authentication is an effective means of combating counterfeit cards (Counterfeit). That is why payment systems have introduced the chip Liability Shift, worded as follows. If fraud of the “Fake card” type occurs on the MP K card in a terminal that supports only cards with a magnetic stripe, the Bank serving the terminal is responsible for the fraud. The chip Liability Shift, when it appeared, had an intraregional character (it acted in the case when the servicing Bank and the card Issuer were residents of the same...

read more

Three methods of offline card authentication: EMV standard (V. 4.2)

Card authentication methods are divided into offline and online. The latest version of the EMV standard (V. 4.2) distinguishes three methods of offline card authentication: 1) SDA (Static Data Authentication); 2) DDA (Dynamic Data Authentication); 3) CDA (Combined Dynamic Data Authentication/AC Generation). The first authentication method in the list belongs to the class of static authentication methods, while the last two belong to dynamic authentication methods. The SDA method ensures the integrity of static data critical to the map...

read more

Chip technology has reduced the level of fraud in the card market by 82%

The Introduction of chips significantly contributed to the reduction of fraud with counterfeit credit cards, according to research by VISA. Since the introduction of the EMV (Europay + MasterCard + VISA) standard, chip-based fraud in counterfeit card-based payments has declined by 82 percent. Today, issuers are sending new chip-enabled payment cards to magnetic stripe credit card holders, which are set to expire soon. The same “chip” technology is used during contactless payments, which allows users to easily pay through the...

read more

Clone MasterCard in MagStripe mode

We proceed directly to the principle of cloning. This contactless card attack method was published by two researchers Michael Roland, Josef Langer from the University of Austria. It is based on a general principle called Skimming. This is such a scenario in which an attacker steals money from a bank card by reading (copying) information from this card. In the general case, it is important to keep the PIN code confidential and prevent it from leaking. But in the method of the Austrian guys we do not need to know this. Cloning of a payment card...

read more

Clone a contactless card using a mobile application

It was always interesting to see what happens on a bank card under the “hood”. How the communication protocol of a bank card and a POS terminal is implemented, how it works and how safe it is. Such an opportunity appeared before me when I was doing an internship at Digital Security. As a result, when parsing one known vulnerability of EMV cards in MagStripe mode, it was decided to implement a mobile application that is able to communicate with the terminal via a contactless interface, using its own commands and a detailed analysis of requests...

read more

Offline EMV Transaction

The peculiarity of an offline transaction is that the transaction is carried out by card and terminal without contacting the bank and the payment system. During such a transaction, the card can approve the transaction within the established limit, and the terminal, in turn, sends information to the bank later on schedule, or when a connection with the bank appears. Such offline transactions provide additional benefits to both the issuing bank and the card holder. For example, the owner may pay even if there is no connection with the bank. Or,...

read more

Online EMV Transaction

The main method of confirming the authenticity of the card in online transactions is the authentication of the card online. The basis of this method is the generation of the ARQC (Authorization Request Cryptogram) cryptogram for each payment transaction. Let’s take a closer look at this process. The generation and verification of cryptograms is based on the 3DES algorithm. The issuer and the card own a shared secret key MKac (Application Cryptogram Master Key). At the beginning of the transaction, the card generates an SKac (Application...

read more

EMV Application Data

Like magnetic stripe cards, EMV applications also have open readable data. And although it is impossible to read the application itself, it is impossible to get to the keys and pin code – access to open application data is always open. What kind of data are we talking about? The picture above is an indicative list of the data stored inside the EMV application. Of course, for each specific application, it may be slightly different. At this stage, it is important to note that the client’s personal information is not stored in the EMV...

read more

The internal structure and security of the EMV card

By and large, the EMV microprocessor card is a regular smart card (read one, two, three), which is based on the ISO / IEC 7816 or ISO / IEC 14443 standards (for contactless). Implementation of an EMV card can be performed both on the basis of JavaCard and GlobalPlatform, and using native smart card methods. Similar to conventional operating systems (OS), card OS also have a file structure and applications. In the context of this article, it is the EMV card payment applications that are most interesting. Therefore, we will consider just them....

read more

EMV-card. Payment Security Mechanisms

Payment cards are firmly embedded in our lives. More recently, only cards with a magnetic strip were used everywhere. Today you will not surprise anyone with a card with a chip. Everyone knows that a chip, microprocessor, or, more consonant, payment EMV card is a modern and reliable way to access a current account. It is safer than a magnetic stripe card and it is almost impossible to fake. However, the details of the implementation of the “insides” of the EMV-card are little known. Everyone who is interested in how the EMV-card...

read more