We attack contactless cards

Contents
  • Legacy
  • Cloning cards and transactions
  • Bypassing payer verification
  • Substitution between the terminal and the acquiring bank
  • Substitution between phone and terminal
  • PSD2 and card fraud in Europe
  • Conclusion

Contactless bank cards are very convenient: you hold the card to the terminal, and a couple of seconds later the phone in your pocket buzzes to say the purchase has been paid. But this convenience has a downside: attackers can steal money from holders of such "plastic". Let's look at the ways bank cards are attacked over NFC.

Read also

The principles on which the security of bank payment systems rests are covered in my previous articles, all of which are now available to read without a subscription.

Technologically, NFC payments are a continuation of the EMV standard, so every attack seen "in the wild" was already known to researchers. When I dug into contactless payments I still found a few new and interesting cases, but those attacks too exploit backward compatibility and other weaknesses of the core EMV mechanisms: authorization, authentication and verification.

After testing dozens of cards, I was amazed at the scale of the problems at the banks. They have not gone away since the early 2000s, and with the arrival of contactless payments they simply became more widespread. One peculiarity of contactless card fraud is that it is hard to prove, since the attacker does not need physical access to your card. Banks therefore often dispute such customer complaints.

LEGACY

The first to draw attention to the insecurity of the legacy contactless modes was researcher Peter Fillmore, back in 2014.

What are the contactless legacy modes, and why were they created in 2013? They are special modes for terminals that could not do cryptography, mostly American ones. For the sake of backward compatibility, cards and terminals that are perfectly capable of modern cryptography can still be used in legacy mode. Imagine paying with the magnetic stripe of your chip card: that is roughly the level of irresponsibility we are talking about.

Visa cards in the legacy MSD (Magnetic Stripe Data) mode simply transmit a Track2 Equivalent with a dynamic CVV field that changes only "from time to time", so the same CVV can be used more than once. This mode also inherits the weakness discussed in the previous article: an incorrect CVV2 value may be accepted. In other words, data read from a magnetic stripe, a contact chip or a contactless chip can be recorded and replayed over NFC by a special application, and the bank will treat it as a contactless transaction. The Russian programmer Dmitry Kholodov even published an app on Google Play that reads and saves this data on an Android phone.

MasterCard goes a little further: in its legacy mode, PayPass M/Stripe, the card receives a random number (UN) from the terminal, combines it with its transaction counter (ATC) and computes the CVC3 authorization value from them. The terminal then builds a dynamic Track2 Equivalent from these values and sends it to the bank for authorization.

The mode's main flaw is the low entropy of the UN and the absence of any other entropy source, such as the amount or the transaction date. The UN is 3 to 5 decimal digits long (the card tells the terminal how many), which means the card can only ever be asked for 1,000, 10,000 or 100,000 distinct UN values. In the first two cases an attacker who briefly holds a phone with the right app against the card can quickly harvest the response for every possible UN, that is, clone all of the card's transactions.

The attacker then pays at a terminal that supports M/Stripe using the phone that holds the cloned transactions. The terminal generates a random UN, the phone looks up the ATC/CVC3 pair recorded for that UN in its database and hands it to the terminal.

It is worth recalling here that the payment systems recommend monitoring the order of the counter values and rejecting transactions with large jumps in the ATC. With a correctly configured antifraud system the attacker gets at most one payment through: on the next payment the random UN maps to whatever ATC was recorded when that UN was harvested, which will be far above or below the previous one. If the antifraud rules have been loosened out of fear of "angry customers", the attacker holds a fully functional clone of the card that he can use many times over.

Another trick the researchers found is to convince the terminal that the card wants a UN of zero digits. The terminal then has only one possible value to send, UN = 00000, and only one ATC/CVC3 pair corresponds to it, so cloning the card becomes trivial. We even found one Russian bank vulnerable to this attack.
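The following Python model, added here and not part of the original article, walks through the M/Stripe harvest-and-replay attack of the last few paragraphs and the issuer-side ATC check they mention. The CVC3 is modelled as a truncated HMAC over (UN, ATC) under a constructed card key; the real CVC3 is a different MAC construction, but only the input structure matters here (UN and ATC, nothing else). The card, terminal, clone and issuer objects and the issuer's `max_jump` window are assumptions for the demonstration.

```python
import hashlib
import hmac


def toy_cvc3(key: bytes, un: int, atc: int) -> int:
    """Stand-in for the CVC3 MAC (assumption: the real CVC3 is a 3DES-based
    MAC over track data; what is reproduced here is that the only variable
    inputs are the terminal's UN and the card's ATC: no amount, no date)."""
    mac = hmac.new(key, f"{un}|{atc}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big") % 1000  # three decimal digits


class MStripeCard:
    """Toy PayPass M/Stripe card. n_un is how many UN digits the card asks
    the terminal for (3 to 5 in the wild)."""

    def __init__(self, key: bytes, n_un: int, atc: int = 0):
        self.key, self.n_un, self.atc = key, n_un, atc

    def compute_cc(self, un: int):
        # Every COMPUTE CRYPTOGRAPHIC CHECKSUM call advances the ATC.
        self.atc += 1
        return self.atc, toy_cvc3(self.key, un, self.atc)


def harvest(card: MStripeCard) -> dict:
    """Attacker holding a phone to the card: ask for every possible UN.
    10**3 queries for a 3-digit UN, done in well under a minute."""
    return {un: card.compute_cc(un) for un in range(10 ** card.n_un)}


class ClonePhone:
    """HCE app answering from the harvested table. It may advertise a
    different UN length than the real card (the nUN = 0 trick)."""

    def __init__(self, table: dict, n_un_advertised: int):
        self.table, self.n_un = table, n_un_advertised

    def compute_cc(self, un: int):
        return self.table[un]


def terminal_tx(device, un: int) -> dict:
    """Terminal side: the UN is passed in so the run is deterministic (a real
    terminal draws device.n_un random digits), then the dynamic Track2
    fields are assembled from the device's answer."""
    assert 0 <= un < 10 ** device.n_un, "UN must fit the advertised length"
    atc, cc = device.compute_cc(un)
    return {"un": un, "atc": atc, "cvc3": cc}


class Issuer:
    """Issuer host. check_atc=False models antifraud loosened for 'angry
    customers'; max_jump is the largest forward ATC gap still accepted."""

    def __init__(self, key: bytes, check_atc: bool = True, max_jump: int = 50):
        self.key, self.check_atc, self.max_jump = key, check_atc, max_jump
        self.last_atc = 0

    def authorize(self, tx: dict) -> str:
        if toy_cvc3(self.key, tx["un"], tx["atc"]) != tx["cvc3"]:
            return "DECLINE_BAD_CVC3"
        if self.check_atc:
            gap = tx["atc"] - self.last_atc
            if gap <= 0:
                return "DECLINE_ATC_REPLAY"  # counter went backwards
            if gap > self.max_jump:
                return "DECLINE_ATC_JUMP"    # implausible jump ahead
        self.last_atc = tx["atc"]
        return "APPROVE"


KEY = b"constructed card key"  # constructed; a real key lives in the issuer HSM


def replay_run(n_un: int, uns: list, check_atc: bool) -> list:
    """Harvest a fresh card, then replay at a terminal for the given UNs."""
    card = MStripeCard(KEY, n_un)
    clone = ClonePhone(harvest(card), n_un)
    issuer = Issuer(KEY, check_atc=check_atc)
    return [issuer.authorize(terminal_tx(clone, un)) for un in uns]


def nun_zero_trick() -> str:
    """One query to the real card for UN = 0, then a clone that tells the
    terminal it wants zero UN digits, so the terminal can only send UN = 0."""
    card = MStripeCard(KEY, n_un=4)
    clone = ClonePhone({0: card.compute_cc(0)}, n_un_advertised=0)
    return Issuer(KEY).authorize(terminal_tx(clone, 0))


if __name__ == "__main__":
    print(replay_run(3, [5, 900, 3], check_atc=False))  # every replay approved
    print(replay_run(3, [5, 900, 3], check_atc=True))   # first approved, rest declined
    print(nun_zero_trick())
```

With the ATC check off every replay is approved, including the third, whose ATC (4) is lower than the previous one (901). With the check on, the first replay happens to fall inside the issuer's window and goes through, the second jumps 895 counters ahead and is refused, and the third goes backwards and is refused as a replay. `nun_zero_trick` needs a single query to the real card.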

A good description of the shortcomings of the legacy modes was published in Russian in 2018. I must, however, disagree with its author that the problem has been solved in general: over the past year I have found two Russian MasterCard cards running in legacy mode, as well as one card and one acquirer in Russia that support the thoroughly insecure Visa MSD mode.

How the legacy modes are implemented also matters for how practical attacks on them are in the real world. Attacks on Visa cards remain extremely popular and widespread: to pay contactlessly with a Visa card all you need is the Track2 or Track2 Equivalent data that is sold on specialised forums.

[Figure: Attacks on Visa cards are still common]

The legacy mode of MasterCard cards also has vulnerabilities, but those attacks are much harder to pull off in the real world, since they require physical access to the victim's card for at least a minute. That is why they are practically never seen in the wild.

[Figure: Attacks on MasterCard require physical contact with the card]

Note that most mobile wallets, GPay, Samsung Pay and custom HCE (Host Card Emulation, an Android application that emulates a card), also support the M/Stripe and MSD modes. That topic belongs to the part devoted to mobile wallets and other non-standard payment devices.

CLONING OF CARDS AND TRANSACTIONS

EMV contactless cards cannot be cloned in a way that lets the clone's transactions be authorized in real time: neither attackers nor researchers have learned how to extract the cryptographic keys that produce the payment cryptograms. That is not the only way to obtain a working clone, however:
  • the Track2 Equivalent value can be written onto a magnetic stripe and used for payments outside Russia, as described in the article on EMV attacks;
  • another technique described earlier, Cryptogram Replay, is also used to clone transactions;
  • finally, a fully functional clone, or a limited set of transactions, can be created using the legacy-mode vulnerabilities described above.

BYPASSING PAYER VERIFICATION

The mainstream of research into EMV/NFC insecurity over the past 15 years has concerned payer verification: the Cardholder Verification Methods, or CVM. Why? Because a CVM bypass is tied to the card's other security properties, authorization and authentication. These attacks are not particularly popular for the same reason as the MasterCard legacy attacks: the attacker needs physical access to the card. In official statistics this type of fraud is called Lost & Stolen.

INFO
What makes a type of fraud "unpopular"? According to Tinkoff Bank, unauthorized Lost & Stolen transactions made up only 7% of card fraud in Russia in 2019. Against FinCERT's official figure for total card fraud in 2018, 1.38 billion rubles, that puts the damage at just under 100 million rubles.
Cybercriminals can spoof the verification method at different stages of payment processing using a MITM (man-in-the-middle) attack. Let's look at each option separately.

Substitution between the terminal and the acquiring bank

This type of attack is called transaction stream fraud: the attackers alter the transaction data as it leaves the payment terminal, and the issuing bank approves a transaction it should have declined. The verification method can be substituted in two ways.
  1. Substitution for an offline PIN. This scheme is not used with contactless cards, simply because the card would have to be tapped twice during the payment. No payment system was prepared to do that after the 2010s, when the share of terminals connected to the Internet began to approach 100%. Nevertheless, we found five banks that authorized a contactless transaction whose stated verification method was "offline PIN".
  2. Substitution for an online PIN. If the authorization request says that online PIN was selected, but the field that should carry the encrypted PIN block is empty, one of the banks we examined still approved the transaction.
I constantly meet puzzled experts: if the fraudsters use their own terminals, won't they be easy to trace and catch? Unfortunately, not always. The same Brazilians mentioned by Brian Krebs managed to escape and launder the stolen money before the FBI found them.

Substitution between phone and terminal

Substitution for signature

After online PIN, the most common way of verifying a payer is the signature, and spoofing it is so-called signature substitution. Cardholders of some Russian banks know well that instead of asking for a PIN the card may by default ask for a signature on the receipt. This scheme, Chip & Signature (by analogy with Chip & PIN), came from America, and I only recently learned why it is so popular there.

INFO

When the mass migration to chip cards began in the United States in the early 2000s, it turned out that under American law the bank had to refund a fraudulent transaction to the client regardless of whether the correct PIN had been entered. And if the PIN makes no difference to who pays, why burden customers with the headache of entering one? That is why the Chip & Signature scheme is still so popular in the country.

If an attacker changes the verification type from PIN to signature and then scrawls a cross on the receipt, or the hapless cashier never asks for a signature at all, the cardholder can claim compensation if he proves that he did not make the transaction. Whether he gets it, nobody knows for sure. But if it is proven that the PIN was entered and verified correctly on a Russian card, the blame is placed entirely on the client.

Interestingly, the specialists from Aperture Lab mentioned earlier have for many years performed technical examinations of fraudulent card transactions. They collected transaction data and proved to banks and judges that the transactions were not carried out the way the bank claimed, for example without a correctly entered PIN, or with a previously cloned cryptogram.

Mobile wallet spoofing, or NoCVM

Besides the two most popular schemes for contactless chip cards, a terminal accepts several other, non-standard kinds of payer verification. First, an attacker can tell the terminal that the card is not a card at all but a mobile wallet, say Apple Pay. Most terminals will then ask for no PIN and no signature on the receipt. The same happens if NoCVM is selected as the verification method.

For Visa contactless cards we demonstrated this vulnerability in 2019, showing flaws in the CVM mechanisms of cards from Russia, Europe, the United States and the UK. Later, researchers from ETH Zurich repeated our study on Swiss cards with minor modifications for the European market, and merely confirmed the conclusions about Visa cards we had described earlier.
Some experts ask: why only Visa? First, MasterCard cards protect the integrity of the CVM list during Offline Data Authentication, and unlike on Visa cards that step is mandatory for every contactless MasterCard transaction. Second, the field that marks a mobile wallet is covered by the payment cryptogram, so it cannot be replaced either without the transaction being rejected.
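An added Python example (not from the article, nor from Visa's or MasterCard's own code) of the CVM spoofing just described: a relay sitting between card and terminal rewrites the card's Card Transaction Qualifiers (tag 9F6C) to drop the PIN/signature demand and claim a consumer-device CVM, and the terminal obliges. The bit positions are as I read EMV Book C-3 and should be checked against your kernel specification; `select_cvm` is a simplification of the kernel's decision; the `bind` MAC is a toy HMAC stand-in for the role that CDA and the cryptogram play on MasterCard, not the real construction; the card key and CTQ value are constructed.

```python
import hashlib
import hmac

# Card Transaction Qualifiers, tag 9F6C, two bytes (byte 1 bit 8, byte 1
# bit 7, byte 2 bit 8 as I read EMV Book C-3; verify against your spec).
CTQ_ONLINE_PIN_REQUIRED = 0x8000
CTQ_SIGNATURE_REQUIRED = 0x4000
CTQ_CDCVM_PERFORMED = 0x0080   # "consumer device CVM performed": a wallet


def select_cvm(ctq: int, amount: int, cvm_limit: int,
               reader_online_pin: bool = True) -> str:
    """Simplified Visa kernel CVM choice. The kernel acts on the CTQ as
    received; in an online-authorised transaction nothing authenticates
    these bits before the terminal decides."""
    if ctq & CTQ_CDCVM_PERFORMED:
        return "CDCVM"          # wallet-style: no PIN pad, nothing to sign
    if amount <= cvm_limit:
        return "NO_CVM"         # Tap & Go
    if ctq & CTQ_ONLINE_PIN_REQUIRED and reader_online_pin:
        return "ONLINE_PIN"
    if ctq & CTQ_SIGNATURE_REQUIRED:
        return "SIGNATURE"
    return "NO_CVM"


def mitm_rewrite(ctq: int) -> int:
    """Device between card and terminal (phone relay, modified reader):
    strip the PIN/signature demands and claim a CDCVM already happened."""
    ctq &= ~(CTQ_ONLINE_PIN_REQUIRED | CTQ_SIGNATURE_REQUIRED)
    return ctq | CTQ_CDCVM_PERFORMED


def bind(key: bytes, ctq: int, amount: int, atc: int) -> str:
    """Toy stand-in for binding the CVM-related data into something the card
    signs or MACs and the issuer verifies. Not the real construction."""
    msg = f"{ctq:04x}|{amount}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def issuer_accepts(key: bytes, ctq_seen: int, amount: int, atc: int, tag: str) -> bool:
    return hmac.compare_digest(bind(key, ctq_seen, amount, atc), tag)


KEY = b"constructed card key"  # constructed
CARD_CTQ = CTQ_ONLINE_PIN_REQUIRED | CTQ_SIGNATURE_REQUIRED  # card asks for PIN, else signature


def visa_scenario(amount: int = 9000, cvm_limit: int = 4500) -> tuple:
    """What the terminal decides for the genuine CTQ and for the rewritten one."""
    honest = select_cvm(CARD_CTQ, amount, cvm_limit)
    rewritten = select_cvm(mitm_rewrite(CARD_CTQ), amount, cvm_limit)
    return honest, rewritten


def bound_scenario(amount: int = 9000, atc: int = 17) -> tuple:
    """The same edit when the CTQ is covered by a MAC the issuer checks."""
    tag = bind(KEY, CARD_CTQ, amount, atc)  # produced by the card
    genuine = issuer_accepts(KEY, CARD_CTQ, amount, atc, tag)
    tampered = issuer_accepts(KEY, mitm_rewrite(CARD_CTQ), amount, atc, tag)
    return genuine, tampered


if __name__ == "__main__":
    print(visa_scenario())    # ('ONLINE_PIN', 'CDCVM')
    print(bound_scenario())   # (True, False)
```

The first run shows the terminal switching from online PIN to "CDCVM done" on an above-limit amount purely because two bits changed in transit. The second shows why the same edit fails once those bits are inside data the card authenticates: the issuer recomputes over the CTQ it actually received and the MAC no longer matches.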

PSD2 AND CARD FRAUD IN EUROPE

Every country has its own recommended NoCVM limit below which no payer verification is required, the so-called Tap & Go scheme. In Russia the limit used to be 1,000 rubles and was recently raised to 3,000 rubles. In the UK it was £30 before COVID and is £45 today.

Each store and acquiring bank may set whatever limits it likes on its own terminals. The risk of NoCVM fraud, however, rests on their shoulders, which is why few banks or merchants want limits above the average: fraudsters would flock to them.

The most popular fraud scheme with stolen contactless cards is to walk into a store and pay under the Tap & Go scheme described above. The scale of such fraud in the UK, for example, was "only" a little over £10 million in 2019. The attackers could perform as many transactions under the NoCVM limit as they liked until the card was blocked. The most brazen even found cashiers willing to split a large bill into several £30 receipts, which bypassed the national limit.

To combat such fraud the European regulator issued a set of new rules, PSD2 (Payment Services Directive 2). One of its main requirements concerns how often the payer must be verified: Strong Customer Authentication. These requirements include a section on contactless Tap & Go transactions, Cumulative Limits, under which, from 2020, issuing banks limit the number of transactions below the Tap & Go threshold. They must count the total amount spent and ask for a PIN every five transactions, or once the cardholder has spent the equivalent of five maximum Tap & Go payments, for example £225 in the UK or €250 in France. On the continent this procedure is barely noticeable to cardholders, but the UK uses Hard Limits, which means that for a payment requiring a PIN or signature the chip card must be inserted into the terminal.

INFO

Visa and MasterCard offer two schemes for transactions above the Tap & Go limit: Soft and Hard Limits. Most countries use the first: for a payment above the limit, additional payer verification is requested, a signature or an online PIN. The only country I know of that uses Hard Limits is the UK: for a payment above the Tap & Go limit you have to insert the chip card. This does not apply to mobile wallets, which have their own limits. More details can be found in the studies cited.

The rules are still spreading slowly across Europe. Once I had enough cards in hand that applied the Cumulative Limits rules, I began checking how effective they are and how they can be circumvented with public vulnerabilities or new variations of them. One of our latest studies showed that the good old PIN OK attacks, Chip & Signature spoofing and Transaction Stream Fraud all allow the £225 / €250 limits to be "reset". With stolen cards and a special terminal in hand, the attackers can pay in ordinary shops above those limits, periodically "resetting the limits" through their compromised terminal.
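The following Python model, added here and not part of the article, covers both the transaction stream fraud cases from the section on substitution between terminal and acquirer (offline PIN claimed on a tap, online PIN claimed without a PIN block) and the Cumulative Limits counter just described. It shows how a compromised terminal "resets the limits" against an issuer that trusts the terminal's CVM Results, and why a hardened issuer resets the counter only after a verification it performed itself. Field names follow ISO 8583 / EMV (DE22 POS entry mode, tag 9F34 CVM Results, DE52 PIN block), but the message structure, the PIN handling (plain digits instead of an encrypted PIN block) and the £45 / £225 / 5 parameters taken from the text are constructed simplifications.

```python
from dataclasses import dataclass
from typing import Optional

# CVM codes as they appear in CVM Results (tag 9F34) byte 1, EMV Book 3
PLAINTEXT_PIN_ICC = 0x01       # offline PIN, verified by the chip
ENCIPHERED_PIN_ONLINE = 0x02   # online PIN, verified by the issuer
SIGNATURE = 0x1E
NO_CVM = 0x1F
OFFLINE_PIN = {0x01, 0x03, 0x04, 0x05}
CVM_RESULT_OK = 0x02           # 9F34 byte 3: "successful"
CONTACTLESS = "07"             # ISO 8583 DE22 POS entry mode: contactless EMV


@dataclass
class AuthRequest:
    """The fields of an authorization request that matter here (constructed
    stand-ins for the ISO 8583 / EMV data elements named in the comments)."""
    amount: int                 # minor units, e.g. pence
    entry_mode: str             # DE22
    cvm_method: int             # 9F34 byte 1
    cvm_result: int             # 9F34 byte 3
    pin_block: Optional[bytes]  # DE52; here just the PIN digits (stand-in)


@dataclass
class CardState:
    taps: int = 0          # no-CVM contactless transactions since the last SCA
    tap_amount: int = 0    # their cumulative amount


class Issuer:
    """naive=True trusts whatever the terminal reports about verification, the
    behaviour the article found at several banks. Defaults are the UK figures
    from the text: £45 per tap, 5 taps or £225 cumulative before a PIN."""

    def __init__(self, pin: str, per_tap: int = 4500, cumulative: int = 22500,
                 max_taps: int = 5, naive: bool = False):
        self.pin, self.per_tap, self.cumulative = pin, per_tap, cumulative
        self.max_taps, self.naive = max_taps, naive

    def verify_online_pin(self, pin_block: bytes) -> bool:
        # A real issuer decrypts the PIN block in an HSM and compares a PVV.
        return pin_block.decode() == self.pin

    def authorize(self, req: AuthRequest, state: CardState) -> str:
        contactless = req.entry_mode == CONTACTLESS
        verified = False  # did the issuer itself verify the cardholder?

        if req.cvm_method in OFFLINE_PIN and req.cvm_result == CVM_RESULT_OK:
            if contactless:
                # A tap never performs an offline PIN: the flag is forged.
                if not self.naive:
                    return "DECLINE_OFFLINE_PIN_ON_TAP"
                verified = True
            else:
                verified = True  # contact chip; the chip's CVR backs this (not modelled)
        elif req.cvm_method == ENCIPHERED_PIN_ONLINE:
            if req.pin_block is None:
                if not self.naive:
                    return "DECLINE_MISSING_PIN_BLOCK"
                verified = True
            elif self.verify_online_pin(req.pin_block):
                verified = True
            else:
                return "DECLINE_BAD_PIN"
        elif req.cvm_method == SIGNATURE:
            # Nothing in the message proves anyone signed anything.
            verified = self.naive

        if verified:
            state.taps, state.tap_amount = 0, 0   # SCA done: counters reset
            return "APPROVE"
        if contactless:
            if (req.amount > self.per_tap or state.taps + 1 > self.max_taps
                    or state.tap_amount + req.amount > self.cumulative):
                return "DECLINE_SCA_REQUIRED"
            state.taps += 1
            state.tap_amount += req.amount
        return "APPROVE"


def tap(amount: int) -> AuthRequest:
    return AuthRequest(amount, CONTACTLESS, NO_CVM, 0x00, None)


def fraud_run(naive: bool) -> list:
    """Six £45 taps (the sixth hits the limit), then the attacker's own terminal
    reporting 'offline PIN OK' on a tap to reset the counters, then another tap."""
    issuer, state = Issuer("1234", naive=naive), CardState()
    log = [issuer.authorize(tap(4500), state) for _ in range(6)]
    log.append(issuer.authorize(
        AuthRequest(100, CONTACTLESS, PLAINTEXT_PIN_ICC, CVM_RESULT_OK, None), state))
    log.append(issuer.authorize(tap(4500), state))
    return log


def legit_reset() -> list:
    """Same start, but the reset comes from a real online PIN the issuer checks."""
    issuer, state = Issuer("1234"), CardState()
    log = [issuer.authorize(tap(4500), state) for _ in range(6)]
    log.append(issuer.authorize(
        AuthRequest(4500, CONTACTLESS, ENCIPHERED_PIN_ONLINE, CVM_RESULT_OK, b"1234"), state))
    log.append(issuer.authorize(tap(4500), state))
    return log


if __name__ == "__main__":
    print(fraud_run(naive=True))    # limit reset by the forged PIN OK
    print(fraud_run(naive=False))   # forged PIN OK declined, limit stays
    print(legit_reset())            # genuine PIN resets the counters
```

Against the naive issuer the sixth tap is declined, the forged "offline PIN OK" message is approved and zeroes the counters, and the next tap sails through: that is the "reset the limits" attack. The hardened issuer refuses an offline PIN on a contactless entry mode and a missing PIN block outright, and only a PIN it verified itself clears the counters; signature on its own never does, since the issuer has no evidence of it.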

CONCLUSION

Over three years of working closely with card transactions I have learned a great deal. The risk-based approach of the payments industry forces banks and other market players to keep supporting outdated forms of payment simply "because they have to". That is why in recent years I have been able to take an exciting journey into the jungle of card fraud, find dozens of vulnerabilities in various banks and payment systems, learn to understand ISO 8583, reproduce examples of transaction fraud and master other interesting and unusual attack methods, which, hopefully, will remain only in our laboratory.

(c) Article from the paid subscription of Hacker magazine.
 