We receive and analyze the radio signal of the payment terminal using SDR

Hello, carders.

Recently I had the opportunity to test a payment terminal with contactless payment capability. Since the payment is contactless, the signal is transmitted by radio, and of course I could not resist the temptation to use an SDR receiver to look at what data is transmitted and received during a payment.

[Image: the payment terminal. Photo (c) Verifone]

For those who are interested in how it works, a few details under the cut.

I should note right away that I don't have any official description of the terminal-card exchange protocol; such documentation is usually given only to partner companies after signing an NDA, but nobody forbids us from listening to the air and making some assumptions.

So, let's get started.

Signal spectrum

Let's start with the simplest thing: launch the receiver, turn on the terminal, make a payment and see what is on the air. Finding the signal turns out to be elementary; a huge peak is visible at 13.56 MHz:

The signal level is not surprising, since it has to be enough for inductive coupling with the card, which has no power source of its own. As Google suggests, 13.56 MHz is a standard frequency for RFID devices. The symmetry of the signal suggests that amplitude modulation is probably used.

Now that the signal has been found, it is easy to look at it in more detail and distinguish the different phases of the payment:

Let's consider them in more detail.

1. Idle mode

In this mode the terminal emits nothing; only the bank or store logo is shown on the screen.

2. Request payment and wait for the card

The cashier initiates a payment for a certain amount, and the terminal switches to waiting for payment. The card payment can be made with the magnetic stripe, by inserting the card, or contactlessly, which is what interests us. To detect when a card is brought to the terminal, a request is sent every 0.12 s. These short packets, which appear as vertical lines on the spectrum, look like this when enlarged:

It is clearly visible that the data repeats. The data block (by eye, 24 or 32 bits) most likely contains a bit mask of the card formats supported by this reader. At least, the reader does not "respond" to other cards (for example, a transport card).

3. Data exchange with the card

When a card is detected, its controller sends its data in response, probably the card number and service information. The card has no power source of its own, so its response is very weak. As you can see, the card answers each request from the terminal; the "radio exchange" between them is quite active:

Enlarged, the signal received from the card looks something like this:

4. Checking the card

When the card data has been received, the terminal probably checks the encryption keys on the card; this takes about 0.6 s. The RFID module is switched off at this point. The terminal may also query the card status online.

5. Waiting for the card to be withdrawn

Once the terminal has read all the data and checked the card, the message "remove the card" is shown on the screen, and every 5 ms the terminal checks whether the card is still in place:

We see the same messages, and the card's response is also visible. In an enlarged view, we can see the moment when the card stopped responding:

The card's own response, by the way, is quite simple and short: by eye, no more than 24 bits:

At this point the radio exchange ends, and with all the data received, the terminal sends a payment request to the bank. The bank responds, and if the payment is successful, we receive our goods.
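As an added illustration, not part of the original post, here is how the polling intervals described in phases 2 and 5 (about 0.12 s while waiting for a card, about 5 ms while waiting for its removal) could be recovered automatically from an AM-demodulated envelope. The envelope is constructed synthetically, and the sample rate, burst threshold and phase cut-off are assumptions.

```python
"""Segment an AM envelope into carrier bursts and estimate the terminal's polling period.

Added example; the envelope is constructed here, not captured from a real terminal.
"""

FS = 20_000  # assumed sample rate of the already-demodulated envelope, Hz


def make_envelope(period_s, burst_s, count, noise=0.02):
    """Constructed test signal: `count` bursts of `burst_s` seconds, one every `period_s`."""
    n = round(period_s * count * FS)
    env = [noise * ((i * 7919) % 13) / 13 for i in range(n)]  # deterministic low-level 'noise'
    burst_len = round(burst_s * FS)
    for k in range(count):
        start = round(k * period_s * FS)
        for i in range(start, min(n, start + burst_len)):
            env[i] = 1.0
    return env


def find_bursts(env, threshold=0.5):
    """Return (start_sample, end_sample) pairs where the envelope stays above `threshold`."""
    bursts, start = [], None
    for i, v in enumerate(env):
        if v >= threshold and start is None:
            start = i
        elif v < threshold and start is not None:
            bursts.append((start, i))
            start = None
    if start is not None:
        bursts.append((start, len(env)))
    return bursts


def polling_interval_ms(env, threshold=0.5):
    """Median spacing between burst starts in milliseconds, or None with fewer than two bursts."""
    starts = [s for s, _ in find_bursts(env, threshold)]
    if len(starts) < 2:
        return None
    gaps = sorted(b - a for a, b in zip(starts, starts[1:]))
    return 1000.0 * gaps[len(gaps) // 2] / FS


def classify_phase(interval_ms):
    """Map a polling period to the phases seen in the post (the 50 ms cut-off is an assumption)."""
    if interval_ms is None:
        return "idle or card check (no periodic bursts)"
    if interval_ms > 50:
        return "waiting for card (~120 ms polling)"
    return "waiting for card removal (~5 ms polling)"
```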

Conclusion

As you can see, everything is quite simple at the binary level. The RFID protocol uses ordinary amplitude modulation, no rocket science. The main work, of course, is done at the logical level: checking the card and making a payment is a rather complex process that also involves encryption. Those who want to study the topic in more detail can read the useful comments from users rizorko and lil_Toady, where links to the standards can be found.

Finally, we can answer the question that probably interests many: is it possible to secretly withdraw money from someone else's card at a long distance? Judging by the analysis of the radio signal, this is very unlikely. Firstly, the card has no built-in power source; for its processor to work, the field strength must be quite high. The normal card reading distance is 2-3 cm; to increase it to at least 100 cm, the field strength must grow by this ratio to the third power. The second point is getting a response from the card: its signal is very weak, and it is also difficult to receive at a large distance (plus, do not forget that the wavelength at 13 MHz is about 20 meters, and short antennas are ineffective at such wavelengths). Finally, do not forget the organizational issues: each payment terminal is linked to a legal entity's bank account, and if complaints about debited funds are received, that account can simply be blocked. By the way, the terminal itself has a unique ID, and if it is constantly linked to different accounts, this will also look suspicious. In general, although remote reading of RFID may be theoretically possible, judging by this article no real cases of such withdrawals have been recorded. And finally, the limit for contactless payments is very small, so the "profit" would hardly justify the risk and the cost of the equipment.
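An added worked calculation, not part of the original post, that puts numbers on the inverse-cube and wavelength arguments above. It uses the textbook on-axis field of a circular loop and the carrier wavelength; the loop radius and the comparison distances are assumed values, and it also shows where the simple cube law over- or under-states the real loop model.

```python
"""Why the 13.56 MHz reader field does not reach far: inductive near field falls as ~1/r^3.

Added example, not from the original post. loop_field_on_axis() is the standard
Biot-Savart result for a circular loop; the 5 cm loop radius is an assumption.
"""
import math

MU0 = 4e-7 * math.pi      # vacuum permeability, H/m
C = 299_792_458.0         # speed of light, m/s
F_CARRIER = 13.56e6       # carrier frequency observed in the post, Hz


def loop_field_on_axis(current_a, radius_m, turns, distance_m):
    """Magnetic flux density B (tesla) on the axis of a circular loop, `distance_m` from its centre."""
    r2 = radius_m ** 2
    return MU0 * turns * current_a * r2 / (2.0 * (r2 + distance_m ** 2) ** 1.5)


def field_ratio(near_m, far_m, radius_m=0.05):
    """How many times stronger the same loop's on-axis field is at near_m than at far_m."""
    return (loop_field_on_axis(1.0, radius_m, 1, near_m)
            / loop_field_on_axis(1.0, radius_m, 1, far_m))


def cube_law_ratio(near_m, far_m):
    """The post's rule of thumb: field scales with (distance ratio) cubed.

    It matches the loop model once both distances exceed the loop radius; very close
    to the loop the field flattens out, so the cube law overstates the gap there.
    """
    return (far_m / near_m) ** 3


def wavelength_m(freq_hz=F_CARRIER):
    """Free-space wavelength of the carrier (about 22 m at 13.56 MHz)."""
    return C / freq_hz


def near_field_boundary_m(freq_hz=F_CARRIER):
    """lambda / (2 pi): inside this radius the inductive 1/r^3 regime applies."""
    return wavelength_m(freq_hz) / (2.0 * math.pi)


if __name__ == "__main__":
    print(f"wavelength {wavelength_m():.1f} m, near-field edge {near_field_boundary_m():.2f} m")
    for near, far in ((0.03, 1.0), (0.5, 1.0)):
        print(f"{near * 100:.0f} cm -> {far * 100:.0f} cm: loop model x{field_ratio(near, far):.0f}, "
              f"cube law x{cube_law_ratio(near, far):.0f}")
```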
