News

Contact mode transaction processing

The terminal reads all records specified by the card using READ RECORD commands and proceeds to perform offline data authentication, as provided by the card. At this point only SDA or DDA authentication can be performed completely. Data authentication by the CDA method (due to the peculiarities of its implementation) is completed only after the response to the first GENERATE AC command is received. The terminal then proceeds to perform constraint checking procedures on the application (version numbers are checked, the term is...


EMV data object specifications

In EMV specifications, a composite data object is called a template (for example, FCI Template). The data object length field specifies the number of bytes in the object value field. In the EMV standard, the length field is specified by one, two, or three bytes. If the highest bit of the leftmost byte of the length field is 0, the length field occupies one byte and defines the length of the value from 0 to 127. If the highest bit is 1, the subsequent bits determine the number of additional bytes used to represent the length field. The BER-TLV...


EMV Card Verification

The ECV (EMV Card Verification) test suite is designed to test EMV applications on smart cards. ECV allows you to check the completeness of data on the card and the card’s performance during transaction servicing, verify the consistency and lack of redundancy of data, monitor the implementation of the EMV application's cryptographic functions, identify the causes of failures in already issued cards, and much more. ECV is an emulator of a point-of-sale terminal (POS terminal) with a number of additional features that are not available...


Chip Liability Shift

Obviously, card authentication is an effective means of combating counterfeit cards. That is why payment systems have introduced the Chip Liability Shift, worded as follows: if fraud of the “counterfeit card” type occurs with a microprocessor (chip) card in a terminal that supports only magnetic stripe cards, the bank servicing the terminal is responsible for the fraud. When it first appeared, the Chip Liability Shift was intraregional in nature (it applied when the servicing bank and the card issuer were residents of the same...


Three methods of offline card authentication: EMV standard (V. 4.2)

Card authentication methods are divided into offline and online. The latest version of the EMV standard (V. 4.2) distinguishes three methods of offline card authentication: 1) SDA (Static Data Authentication); 2) DDA (Dynamic Data Authentication); 3) CDA (Combined Dynamic Data Authentication/AC Generation). The first method in the list is a static authentication method, while the last two are dynamic authentication methods. The SDA method ensures the integrity of static data critical to the card...


Chip technology has reduced the level of fraud in the card market by 82%

The introduction of chips has significantly contributed to the reduction of fraud with counterfeit credit cards, according to research by VISA. Since the introduction of the EMV (Europay + MasterCard + VISA) standard, chip-based fraud in counterfeit card-based payments has declined by 82 percent. Today, issuers are sending new chip-enabled payment cards to holders of magnetic stripe credit cards that are set to expire soon. The same “chip” technology is used during contactless payments, which allows users to easily pay through the...


Clone MasterCard in MagStripe mode

We proceed directly to the principle of cloning. This contactless card attack method was published by two researchers, Michael Roland and Josef Langer, from the University of Austria. It is based on a general principle called skimming: a scenario in which an attacker steals money from a bank card by reading (copying) information from the card. In the general case, it is important to keep the PIN code confidential and prevent it from leaking. But in the method of the Austrian guys, we do not need to know it. Cloning of a payment card...


Clone a contactless card using a mobile application

It was always interesting to see what happens under the “hood” of a bank card: how the communication protocol between a bank card and a POS terminal is implemented, how it works and how safe it is. Such an opportunity appeared before me when I was doing an internship at Digital Security. As a result, while analyzing one known vulnerability of EMV cards in MagStripe mode, it was decided to implement a mobile application that is able to communicate with the terminal via a contactless interface, using its own commands and a detailed analysis of requests...


Offline EMV Transaction

The peculiarity of an offline transaction is that it is carried out by the card and the terminal without contacting the bank and the payment system. During such a transaction, the card can approve the transaction within the established limit, and the terminal, in turn, sends the information to the bank later, either on schedule or when a connection with the bank becomes available. Such offline transactions provide additional benefits to both the issuing bank and the cardholder. For example, the owner may pay even if there is no connection with the bank. Or,...


Online EMV Transaction

The main method of confirming the authenticity of the card in online transactions is online card authentication. The basis of this method is the generation of the ARQC (Authorization Request Cryptogram) for each payment transaction. Let’s take a closer look at this process. The generation and verification of cryptograms is based on the 3DES algorithm. The issuer and the card share a secret key MKac (Application Cryptogram Master Key). At the beginning of the transaction, the card generates an SKac (Application...
