29C3: A Rambling Walk Through an EMV Transaction (EN)

00:15

okay hi um and I don't know if anybody

00:17

doesn't know what EMV is and just sort

00:18

of came in here by random luck EMV is

00:21

stands for europay master visa and it's

00:24

it's the protocol that's spoken between

00:25

the chip and and and the payment

00:27

terminal that you have um

00:30

the Euro pay thing should already

00:32

suggest to you how old this is because

00:33

Euro pay hasn't not been around uh for a

00:37

long time um about myself I worked for a

00:40

long time at a at a big German Bank uh

00:42

in the in the credit card processing in

00:43

the backend and then I was working the

00:45

last several years at a at a consultancy

00:49

doing mainly uh well doing General

00:51

technical things but mainly focused

00:54

on uh credit card processing backends

00:57

fraud management stuff like that and was

01:00

involved in several projects where we

01:01

actually wrote the software that that

01:03

runs on the

01:04

chip um since this year I've been I've

01:06

been working as an independent

01:07

contractor and and working on a lot of

01:09

the same sort of

01:11

um uh

01:13

topics um the motivation for this talk

01:16

this talk is kind of weird it's it's

01:17

it's it's sort of a strange mixture it's

01:19

really basic really introductory to EMV

01:22

on the other hand it's super low level

01:24

so there's a lot of bits and bites um

01:26

we're not going to see a lot of pictures

01:28

or anything it's going to be a lot of

01:30

text and

01:31

numbers I'm not really revealing any

01:33

secrets of the credit card industry I'm

01:36

not showing any super special hacks and

01:39

this stuff is really really old I think

01:41

on the first Congress that I was at the

01:43

18 C3 um there was already a talk about

01:47

this and so the question is why would

01:49

you actually want to deal with it one of

01:51

the things is um this technology is

01:55

being mandated in in the United States

01:57

soon so there's going to be a giant

02:00

uptake in usage and the other really

02:03

part of the thing that makes it

02:04

interesting is that this protocol is so

02:05

old and this was always a very um

02:08

pragmatic protocol and this back in the

02:11

80s so there's not a lot of um Security

02:13

in it um I'm also not really going to go

02:16

into low-level Hardware stuff um

02:19

attacking these chips I'm not going to

02:21

go into any any attacks on the crypto

02:23

and what you'll see though is that this

02:25

this protocol is so rudimentary and

02:28

weird that it's not really necessary

02:30

there's so much more that you can do and

02:32

it's also if you were at Carson and

02:33

Dexter's talk um about you know scraping

02:37

off the chips and and actually taking

02:39

pictures uh and and probing the chip in

02:41

operation that's I mean they said this

02:44

was this would be an this is easy but um

02:47

this is a lot easier I mean you can you

02:48

can you can just look into your own card

02:50

see what sort of data is stored on it

02:51

and and do these own transactions with a

02:53

with a card reader that cost maybe maybe

02:55

20

02:56

bucks so I'm going to go through a

03:00

this is more or less to get you started

03:01

on on doing the stuff yourself so I'm

03:03

going to go through a bunch of acronyms

03:04

and specifications and stuff I mean the

03:07

the stuff that the card can do or that

03:08

it could do in the 80s was really really

03:11

rudimentary so the protocol is actually

03:12

really easy the hard thing is though

03:15

that it's a very steep learning curve

03:16

there's a lot of weird technology and

03:19

acronyms and and and things that aren't

03:21

really in common usage that you're not

03:22

really used to so going to start off

03:24

with pcsc uh pcsc is how you're going to

03:27

connect to how you're going to connect a

03:28

reader to your um to your to your laptop

03:33

basically almost all um operating

03:35

support pcsc on some level most

03:37

languages have bindings the transactions

03:40

that I'm going to do are with some Ruby

03:42

code I wrote um this smart card project

03:45

is are the um are the pcsc bindings for

03:48

Ruby um my um the stemo code that I'm

03:54

going to I'm going to be showing that

03:55

I'll be talking with this card with um

03:58

is available in in my GitHub r

03:59

repository under 29 C3 and while I'm

04:02

showing URLs there is this open scdp

04:06

Smart Card shell which is a JavaScript

04:08

implementation which is a lot more

04:09

feature complete so if you want to play

04:11

around with smart cards that's a really

04:13

good suggestions and they also have

04:14

stuff for for dealing with Sims or

04:16

German the German health card and and

04:18

things like

04:19

that um so basically that was already

04:22

the first point I mean you don't need a

04:24

special terminal all of the stuff and

04:26

and talking to the card is entirely

04:27

standardized you don't need to buy

04:29

something like this you can just go to

04:30

Amazon and get one of these Swiss army

04:31

knife uh card readers that um if you're

04:34

paying 20 bucks for them you're getting

04:36

ripped off um and they will work just as

04:38

good as anything else so it's it's it's

04:40

a very very low entry to uh barrier to

04:43

entry um so I'll I'll go ahead and start

04:48

my little shell and basically this is

04:50

just I can see now I have one reader

04:53

plugged in fantastic I'll put my card

04:56

in

04:58

um

05:00

um and then what is it dump card dump

05:03

card

05:05

data show card show card um that will

05:08

come later um so this is this is already

05:11

the basic interaction with the card

05:13

we're connected to the card and and the

05:15

session has has already started at this

05:19

point um and it's you know we're maybe

05:23

two or 3 minutes into the talk so

05:28

um all this low-level stuff of how chip

05:31

cards are dealt with is is is taken care

05:33

of in in ISO

05:35

7816 uh you don't really have to worry

05:37

about those standards you don't really

05:38

need to get them if you are really into

05:40

standards you need book three and four

05:45

um they Define sort of the low-level

05:47

characteristics of how um the the

05:49

physical layer communication with the

05:51

card which is basically just a uart it's

05:54

just a simple serial

05:56

interface um and level four uh is is

06:00

sort of the the the transport layer

06:02

there's rudimentary how how how to talk

06:05

back and forth with the card uh again

06:07

you don't need any of this the next five

06:09

slides will sort of be all you need to

06:11

know about it first thing that we saw

06:14

here down here this answer to reset um

06:17

is basically just the um ATR is the

06:20

thing that you will hear it basically is

06:23

just the terminal um settings the B rate

06:26

and things like that there's one

06:28

interesting thing about it if if we're

06:29

approaching it from a from a really high

06:31

application Level like we are which is

06:32

the historical btes um and the vendor

06:35

can put anything in there so sometimes

06:37

it helps to have those historical bites

06:39

to identify who the vendor of a of a

06:41

card is that you're dealing with but you

06:43

normally don't need to do that because

06:44

most of the cards if you look at yours

06:46

will have the actual um vendor printed

06:49

on the back of the card um you will see

06:52

like credit card numbers and stuff from

06:53

this card this is a demo card so you

06:55

don't need to worry about that I'm I'm

06:58

I'm being a total idiot yet um and I'm

07:00

using a demo card for the one hand I

07:02

don't want my credit card number to be

07:04

uh known to you guys and on the other

07:06

hand um for the demo cards that that get

07:09

handed out at like trade fairs and stuff

07:11

you know the keys that are on the card

07:13

so you can uh you can you can reverse

07:15

engineer the crypto um with

07:17

them um so 78164 does a it describes a

07:21

couple of further things first they have

07:24

this weird file system like thing that

07:26

you don't really need to know much about

07:28

but if you see terms like EF MF DF those

07:31

are either directories EFS are

07:33

Elementary files MF is the master start

07:37

of the file but don't really they call

07:40

it a file system but don't really think

07:41

of it as a file system a file in on a

07:44

smart card can be anything from an

07:45

application to some sort of cyclic

07:47

buffer to to all sorts of things but um

07:51

em doesn't use a lot of that so we can

07:54

we can skip it the main thing that you

07:55

need to know is apdu apdu is basically

07:59

the the packets that get exchanged

08:01

between the card and and the host um and

08:03

it's just a bunch of um bites which I

08:08

purposely put an exclamation mark behind

08:10

it it really I mean you're just

08:12

basically assembling five or six bites

08:15

sending them to the card and getting

08:16

them back there's very little crypto

08:18

involved in in the communication so all

08:21

of the communication that you'll see in

08:23

my demo I'm I'm not doing anything

08:25

special to decrypt what's going on I

08:27

mean these are really the bites that are

08:28

getting back and forth um so I'll just

08:31

go through it on one example if you want

08:32

to select one of these files or in this

08:35

case um an application there's always a

08:38

class bite a class bite of zero says

08:40

this is this apdu select file is defined

08:45

in the ISO standards most of the EMV

08:47

ones start with 80 that means it's a

08:48

proprietary apdu stuff like that I'm

08:51

just going to skip over because it's not

08:52

really that important to to to dealing

08:54

with and then there will be some

08:56

instruction bites um some some apdus

08:59

will take uh parameters so there's two

09:01

bytes for parameters then if you're

09:04

transmitting data you you there's one

09:06

bite for the length of the data and

09:08

finally um the data that you want to um

09:11

transmit so this is basically the

09:13

application name of a visa application

09:16

on a card what we're doing here is

09:18

selecting the visa application to to

09:20

make a to make a payment

09:23

transaction um there's one more thing

09:25

that we

09:26

saw here that this card speaks in the

09:29

protocol t t equals

09:31

z um there's there's two low-level

09:34

Communications protocols defined as I

09:36

said this whole thing is just a uart and

09:38

there's one character-based way of doing

09:40

it and one block based doing it and all

09:43

that you really need to know

09:45

is you can't if you are using t0 um you

09:51

can't send and receive data in the same

09:54

um packet so if you wanted to have this

09:57

last Le is length expected if you you

09:59

expect data back from the card you have

10:00

to tell the card how much data um you

10:02

want back and um if you're using T

10:05

equals z you can't send data and expect

10:07

to receive data in the same uh packet

10:10

but we'll see how that will work in a in

10:12

in just a second um but basically what

10:15

you really need to know is that the

10:16

difference uh doesn't really matter

10:18

because T1 is complicated the terminals

10:20

all speak both and nobody actually uses

10:23

T1 uh at least in in payment cards so

10:25

just ignore that so we we just learned

10:27

this select command

10:29

and

10:31

um and we'll just execute it against the

10:34

card I don't know is this large enough

10:36

to see or should

10:38

I yeah so basically

10:43

um right here are the bites that we saw

10:45

on the slide uh and I used a different

10:48

file name I used the one. pay no one

10:51

pay. cy. DDF 01 DF is a directory file

10:58

um but basically this is just a

11:00

well-known file name for a file that's

11:03

called the psse the payment service

11:05

environment which um Can is basically a

11:10

table of contents for the card a card

11:11

can have several applications and these

11:14

are the applic and the psse lists the

11:17

applications that the card wants you to

11:20

know about and use so there could be

11:21

other applications on the card um but

11:24

there don't necessarily need to be you

11:25

don't always need a PSC we can um

11:29

the response that we get back so I said

11:31

you can't send and respond in the same

11:35

in the same Transaction what happens

11:37

when you do that when you need to do

11:38

that anyway in t equals z is

11:42

um okay uh if you're this 9,000 is is

11:46

interesting the card always um responds

11:48

with two status words one and two and if

11:51

you get 9,000 that's perfect that's okay

11:54

so that's a HTTP 200 um most other

11:57

status codes mean errors um but

12:01

basically this select gets a 6126 back

12:04

and all the

12:06

61 status word one error codes mean

12:10

there's more data coming and it will be

12:12

26

12:14

bytes so basically this is one

12:17

transaction you can you can ignore the

12:19

second one the second one gets um gets

12:21

executed automatically when you get the

12:24

6100 um response and it says please give

12:28

me back the 26 bytes that you told me

12:31

that you that you

12:33

um that you can give me back so we can

12:37

look at the

12:38

response uh this is all tag length value

12:41

um in here and this is something that's

12:44

called the file control information this

12:47

is a basically a metadata that

12:49

contains

12:51

um data about the file that you just

12:54

selected one of the things it this one

12:56

contains is the name of of the actual

12:59

file that we selected thanks very much

13:01

uh just typed that in and um this file

13:04

is also identifiable by a short file ID

13:08

now the special file has

13:11

records and each

13:15

record uh

13:18

basically tells us about one application

13:22

on the

13:23

card um so this first one this first uh

13:28

record

13:29

um

13:30

contains so this this card contains two

13:34

application one is a Visa debit card and

13:36

one is a credit

13:37

card um and so I I read the first record

13:41

out of this PSC file and it tells me

13:43

okay this there's one application that's

13:44

called Visa debit and sometimes you get

13:46

that shown in in a uh in a terminal that

13:49

you're that you're that you're paying

13:51

with and it also says the priority of

13:53

that application so if you need to make

13:55

a choice terminal this one has Priority

13:58

One so so then we can look at uh check

14:01

for more

14:03

records um there's a second application

14:07

on here the credit application that has

14:09

priority too so um and then we the

14:14

terminal will keep doing this until it

14:15

has a list of all the records finally it

14:17

gets a there's no such record um you can

14:20

you can quit looking

14:23

now okay so that was the basic of how an

14:26

apdu works just these these

14:30

these the bites on the screen get sent

14:32

back and forth and clear text that's

14:34

that's it and and the pcsc libraries

14:37

have a command transmit data and you

14:39

just give it a raw buffer of

14:42

data so it's fairly easy to program but

14:45

very low

14:46

level um

14:48

so em has has a huge number of

14:52

specifications um the the main

14:54

application framework is defined in

14:56

books 1 2 3 and four that's about 800

14:59

Pages um and I'm just going to skip over

15:01

really quickly what what which ones are

15:03

important and and which ones you should

15:05

look at um book one is maybe interesting

15:08

because it contains a summary of all of

15:10

the stuff that's in the iso Norms how

15:12

these apdus are set up how the lowlevel

15:14

UR communication is how the ATR is set

15:17

up and stuff like that so it's just a

15:19

review of how this stuff works that's

15:20

something that that's good to look at um

15:23

book two is the one of the most

15:26

interesting um books it contains all of

15:28

the crypto that's done by the card so um

15:31

the card doesn't get

15:33

its it gets its own keys but those are

15:36

derived for master keys from the bank

15:38

all of these key derivation algorithms

15:40

are described in here all of the

15:43

certificates that are um uh placed onto

15:47

the card the format of these

15:48

certificates are described in this book

15:51

too and the interesting thing is if you

15:53

think certificates usually you think

15:54

x509 certificates but um in the EM SP

15:58

everything was reinvented and and is a

16:00

little bit different than than you would

16:01

expect it to be um the the most

16:04

important book to look at is is book

16:06

three which um contains all of the

16:09

specific apdus and the instructions that

16:12

are exchanged with the cards um how

16:15

those work how those

16:16

interact um and one of the most

16:19

important things and I put a little

16:21

heart to emphasize this point is that

16:23

there's a data dictionary that explains

16:26

what all of the tags mean you know I um

16:31

so so here all of the the the you know

16:33

the tags are are separated um but

16:36

basically you know you don't know what

16:38

50 means but you have to look it up and

16:40

and know that oh this is application

16:42

label and the statea dictionary is

16:44

really the thing that you work with most

16:45

when when when you're dealing with the

16:47

data in the in the card um another thing

16:51

that you could look at and this is also

16:53

freely available on the net where um

16:55

this tlv be is is is is defined this

16:58

this is an um International

17:00

telecommunications Union standard um and

17:04

there's some tricky bits to to doing tlv

17:06

the way that they want you to do it then

17:09

there's a book four which you can

17:10

basically ignore I mean it's it's kind

17:12

of funny because it it it tells you all

17:13

sorts of stuff of how you should enter

17:15

the pin and and how you could Implement

17:17

a virtual machine whether you should

17:19

interpret by code or or translate it

17:22

into the native instruction set of your

17:24

terminals Hardware

17:26

architecture all the way to um what what

17:29

the receipt is supposed to look like

17:31

that that the thing prints um but it

17:34

fails to mention stuff like what data of

17:36

the transactions the terminal supposed

17:38

to save to present to the bank later

17:40

it's it's really weird I've never used

17:41

it it's it's it's sort of fun to skim

17:43

through but it's not useful um CPS is

17:46

you probably won't ever need it this is

17:48

the application that's on the card

17:50

before it's in the field that in the

17:52

personalization Bureau will be used to

17:54

place your personal data onto the card

17:57

but if if you're dealing with if if you

17:59

want to take a closer look at cards this

18:00

is something useful to look at because

18:02

it um provides some some really useful

18:05

Insight of how data is structured in the

18:07

card and what what data is is actually

18:09

placed on

18:11

it finally um there is CPA so these

18:16

books one through four they

18:18

describe um a general framework of how

18:21

to

18:23

make uh applications for financial

18:26

transactions they don't actually

18:29

describe an

18:30

implementation um EMV published one

18:34

standard for an application and this is

18:37

sort of interesting to look at to see

18:39

what actually goes on um books 1 through

18:42

4 describe really well the the external

18:45

interface but they don't really give you

18:47

a good indication of what the card is

18:48

supposed to do internally how it's

18:50

supposed to check the data they also

18:52

leave open a lot of data structures and

18:55

what they mean they just say what we'll

18:57

see later for example get card

18:58

verification results which is a big bit

19:01

map of literal checks that the card did

19:04

but it doesn't say how what what each

19:06

bit is supposed to mean the the actual

19:09

implementation um specifies that sort of

19:12

information there's also what you will

19:14

come across CCD which is also called

19:17

doublin core uh it's Common Core

19:19

definitions and that goes that's spread

19:22

out through all of um through all of the

19:25

standards it it specifies some of the

19:28

missing pieces so you can um like like

19:32

it it will specify a base card

19:34

verification results bitfield what you

19:36

should put in

19:37

there um the specifications that would

19:40

be most

19:42

interesting

19:44

are but you don't really need at the

19:46

level that that we're dealing with are

19:48

the mchip and bsdc specifications those

19:50

are the concrete implementations for

19:52

MasterCard and Visa unfortunately those

19:54

are proprietary and you can't really get

19:56

at those um with MasterCard you really

19:59

you can't even get the names or the

20:01

current versions of them unless you're a

20:03

MasterCard vendor um thisa you can at

20:06

least get a list of what the current

20:08

specifications are called and and which

20:09

ones are available but you'll have a

20:11

hard time um finding

20:14

them um Okay so we've we've gone over

20:17

all the specifications and we're going

20:18

to go into uh into actually what happens

20:21

and and do a try to get one pound off of

20:24

this card um so the general flow of the

20:27

trans trans actions in in in normal

20:30

human terms would be card and terminal

20:32

introduce each other um figure out which

20:35

application to use so that's that's the

20:38

part we've done so far um then this is

20:41

what I call First worst first date ever

20:43

it's not just tell me a little bit about

20:46

yourself but it's a tell me what

20:48

questions to ask you about

20:51

myself

20:53

um that's what the terminal says to the

20:55

card and then the card responds with a

20:57

number

20:58

of records that it wants the terminal to

21:01

read um it doesn't really check that it

21:04

reads those records or only those

21:06

records um but

21:08

it that that's how the mechanism worked

21:10

just to introduce it then there's some

21:12

simple mechanisms to make sure that the

21:14

data that the card returns are actually

21:16

valid data and that they come from a

21:17

real bank and stuff like that um then

21:21

there's

21:22

uh what's called card holder

21:24

verification so that might be something

21:26

as simple as you sign a piece of paper

21:29

so it happens totally offline it might

21:31

be something that the card checks the

21:33

pin or that the terminal or the ATM

21:35

sends the PIN to the bank to be checked

21:37

and gets a response back and finally the

21:40

card will generate a cryptogram with a

21:43

um with a symmetric secret key um that

21:47

the merchant who owns the terminal can

21:50

later present to the bank to prove that

21:52

this card was actually involved in the

21:54

transaction so one of the common

21:56

misconceptions is that the chip is

21:59

basically just a dumb storage of data

22:01

that's going on so that's not really

22:04

what's happening the chip itself is a

22:06

little computer um and what

22:10

theoretically happens there's a there's

22:12

a key on the on the card that can't be

22:18

extracted

22:21

um and the terminal gives that key a

22:24

random number it encrypts that random

22:27

number and that way

22:28

uh the merchant can prove that this card

22:30

was actually physically involved in the

22:32

transaction and then nobody just copied

22:34

the the card

22:35

number okay so we'll do the um tell me

22:40

what to

22:41

uh uh tell you about myself or whatever

22:44

I called it um so first we want we we we

22:48

um we want to select this the vstc

22:51

application which we figured out the

22:53

file name of which we figured out from

22:56

um from reading the psse and we get

23:02

um we get back another thing of uh file

23:05

information data uh basically the same

23:08

thing again it tells me the the file

23:10

name it tells me the application labels

23:12

and some proprietary discretionary stuff

23:15

as soon as you see issue or

23:16

discretionary or discretionary or

23:18

something like that you know you can

23:19

ignore it um and it also contains an

23:22

application priority indicator that was

23:24

in the PSC as well so a lot of cards

23:26

don't actually have this PS see they

23:29

um the the terminal will just try to um

23:33

select the applications directly and and

23:35

we'll put them in the right

23:37

order so after

23:40

we've um after we've selected the first

23:43

thing we do is is a get processing

23:45

options

23:47

command and

23:52

uh now I can see this is pretty opaque

23:55

data this is response message template

23:57

form format one whatever that means um

24:00

but this is kind of the most important

24:02

um part so um get processing options

24:06

there can be something that's called a

24:08

processing data object list which would

24:11

be returned in the FCI and the select

24:14

that wasn't the case here that will be

24:16

the card telling the terminal what sort

24:18

of data the terminal should provide to

24:21

it so the it could say um please when

24:24

you call this get processing options

24:26

command tell me what sort of terminal

24:28

type you are are you an ATM are you a

24:30

candy vending machine or whatever um

24:34

what the card returns are two data two

24:36

pieces of data AIP and

24:38

AFL um and this is format one you

24:41

remembered that from the

24:44

response message template format

24:47

one um and it contains two bytes of

24:54

AIP so and the second one is really easy

24:57

to explain because all those bits in

24:59

there are reserved for future use so

25:01

they're they're they're always zero and

25:03

in this case um 5c I've circled all the

25:06

all the bits out of the specifications

25:07

what they uh what they mean um this card

25:10

supports

25:12

stda um card holder verification is

25:15

supported it's that's always supported

25:17

terminal risk management is to be

25:19

performed so the card tells the terminal

25:22

kind of what to do which you need to

25:23

keep in the back of your head it does

25:25

that quite a lot um

25:28

and issue issuer authentication is

25:30

supported so most of these things don't

25:31

really make sense because issue

25:33

authentication is always supported card

25:35

holder verification is always

25:37

supported um and the thing to explain

25:39

here is DDA and CDA down here in the

25:42

bottom this card only supports SDA

25:44

that's static data analysis and that is

25:48

how uh in the in the next step once we

25:51

have all the data how we check that this

25:52

data is actually from the bank in the

25:54

static data authentication all of the

25:56

data that's to be authenticated is

25:58

hashed that hash is put into a

26:01

certificate that's signed by the issuer

26:04

and so I can get all the data off off of

26:07

the card hash it decrypt the certificate

26:10

make sure the

26:11

hashes um are identical and then I can

26:14

see well at least this is the data that

26:17

the issuer intended to be on this card

26:21

why this is important we'll we'll we'll

26:22

see in a minute um unfortunately this is

26:26

because it's static um it's it makes the

26:30

card sort of trivial to clone because

26:31

the certificate is on the card and you

26:33

can just read it off of the card and you

26:35

can just write it onto another card and

26:37

so any copy that you make of this card

26:39

will automatically have a correct um

26:43

certificate um DDA will also

26:47

have um a public will have a public key

26:51

mechanism where the um where the

26:53

terminal can give the card a random

26:56

number and it will cryp that with its

26:58

private key and the terminal can decrypt

27:00

it so it knows all of the data is

27:01

correct and this card is actually in

27:05

possession of a secret that's that's

27:07

supposed to be on it that I can verify

27:09

because the general key on the card is

27:11

symmetric only the bank can verify that

27:14

the terminal can never can never check

27:16

if if any cryptogram that the card

27:17

provides is is actually authentic or

27:21

real but again this was a pragmatic

27:24

protocol back in the 80s and back then

27:26

having calculating uh RSA or something

27:29

like that was quite expensive putting a

27:31

crypto processor on the cards is still

27:33

quite expensive um so you can save 50

27:35

cents per card or something by not

27:37

supporting it I think they're starting

27:39

to mandate using it now but this is

27:40

still this is still fairly uh recent

27:43

card so the next point I'm not going to

27:45

go into it too much this is the

27:47

application file locator and it's a list

27:49

of four byte entries so these are three

27:51

application file locator entries the

27:54

first bite of each entry um contains the

27:59

short file ID that the card wants you to

28:03

read um and it's for some reason it's

28:05

shifted by three so it's it's the high

28:08

five bytes of that uh the second bite is

28:11

the first record to start reading the

28:14

next bite is the last record that you to

28:17

read so this basically means short file

28:19

ID one read the first record only short

28:22

file ID read records 1 to three short

28:25

file ID 3 read records one and two and

28:28

the last bite here is interesting

28:32

because that indicates which record will

28:34

actually go into the static data

28:36

authentication so even though this isn't

28:39

really a safe way of authenticating the

28:41

card not even all of the data that's

28:43

being read from the card is being

28:46

authenticated um

28:49

so so here read records so it does it

28:53

goes through here um that Parts the AFL

28:57

and it read records uh short file ID

29:00

record short file ID one record one 2

29:04

one two and

29:07

three

29:10

and two records from short file ID 3 so

29:14

I did that correctly in the

29:17

slides This Record here short file ID 3

29:20

record one is the only one that is ever

29:25

authenticated so

29:28

even with this and we can I still have

29:31

the last one in the buffer so we can

29:32

look at that and that's that's really

29:37

a all of this information that we'll go

29:40

into into more detail um like the

29:42

currency that the card expects the the

29:45

expiration date and the effective date

29:46

of the card things like that aren't ever

29:49

checked for authenticity in this

29:50

specific card um usually this is this

29:53

this information will also go into into

29:55

the

29:55

certificates so

29:58

this is where the dump card data um came

30:01

from so this is all the data that we

30:02

collected from the

30:04

card um the first the first field is is

30:07

fairly simple it's the card holder name

30:09

your name would be in that field here

30:11

it's simply one because it's

30:13

a marketing thing um this is quite

30:17

interesting um and also as a as a

30:20

general attack um track two and track

30:23

one data if you've done anything with

30:25

cards this might seem familiar because

30:28

this is how magnetic stripes are

30:29

structured so basically this card this

30:33

this uh this smart card provides the

30:36

precise data that's also on the magnetic

30:39

card so if you can read out all of this

30:41

data you have enough data to clone the

30:43

magnetic stripe and and it's already

30:45

perfectly formatted in the in in the way

30:47

that it's supposed to be formatted on

30:48

the magnetic stripe the reason for this

30:50

is is that the the bank backend systems

30:53

are very very old and they don't

30:55

necessarily check all of this uh all of

30:58

all of this uh C data that's coming

31:00

because it's more complicated and so

31:02

what you can do is you can just take uh

31:04

on some intermediary system throw away

31:06

everything else but these track data

31:08

things and then process the transaction

31:10

as if it were a normal magnetic stripe

31:12

based

31:14

transaction um or you can hire uh Visa

31:18

MasterCard to do something called stip

31:20

where they will have a system in front

31:22

of your own back end check all of the um

31:25

check all of the chip stuff for you and

31:26

just give you the the magnetic stripe

31:28

data or you can just ignore to do that

31:30

and and and and just not check the check

31:32

the EMB stuff at all um then there's um

31:36

the issuer certificate the terminals

31:39

have lots of CA certificates those sign

31:42

these issuer certificates and you need

31:43

the issuer certificate to get um to be

31:48

able to decrypt the uh the the

31:51

certificate that contains the hash with

31:53

the with the data that's on the card um

31:56

and the rest of the data is is basically

31:58

standard the pan is is is the card

32:00

number um the expiration date the

32:02

effective date this is a card that's

32:05

that's issued in England and in pounds

32:07

and I'll go into what the other things

32:09

mean right here service code again is

32:11

something that comes from magnetic

32:12

stripes that was one of the things on

32:14

here I'm going to skip that because

32:15

we're kind of I don't know if I'll even

32:17

make it um the first thing that's

32:19

interesting is application usage control

32:22

um which is again similar

32:24

to AIP it's a bunch of big that say what

32:28

this card may be used for there's two

32:31

two bites in it the first one is FF so

32:34

the card could be used for all of these

32:36

all of these things which and again

32:39

these categories are are really

32:41

arbitrary you know I mean what why

32:43

differentiate between goods and services

32:45

sometimes differentiating between

32:46

domestic and international might make

32:48

sense but why have a why have a card

32:51

that I can pay with to get my haircut

32:54

but I can't buy a bottle of shampoo with

32:55

it you know this is good and services so

32:58

so it's hard to even configure these

32:59

things or figure out what they're good

33:01

for um and the second bite is in in in

33:03

this specific case because it's also

33:05

this was the debit card it will allow

33:07

domestic so if you're in your own home

33:10

country you can get cash back which

33:11

would be uh you pay for 10 pounds at at

33:14

at the store and and you say well please

33:16

give me 20 20 back um and you might not

33:19

know where you are internationally so

33:21

you might not trust stores anywhere else

33:23

to to to do that validly so I mean I can

33:26

see how that could make sense the next

33:28

thing was the CVM list uh it starts off

33:31

with with two amounts and this is a

33:32

really really important one um these but

33:35

these two amounts aren't aren't never

33:36

used so I'm going to skip over this and

33:38

then next is a variable length list um

33:41

each entry is two bytes long so the

33:43

color coding is is is one entry and

33:46

these um tell the terminal what sort of

33:50

cardholder verifications it should

33:52

attempt to do under what

33:54

circumstances the first by in in each

33:57

entry describes the actual card holder

34:00

verification that the card supports so

34:03

in this case um this will allow plain

34:07

text PIN verification by the card I can

34:09

send the card the pin and it will tell

34:11

me whether it was correct or not uh it

34:13

will support signature it will support

34:16

um the pin being sent to the bank and

34:19

and being checked there and finally um

34:22

this is the nicest one uh none it will

34:25

support that as well

34:27

and basically the terminal will go

34:29

through and and basically if it can

34:31

fulfill one of the conditions and these

34:32

are the next one the second one is under

34:34

which conditions should we use

34:36

this um and if it can fulfill it it will

34:40

do that else it will try the next one

34:41

all the way to the end so basically

34:43

these uh these conditions say um do PIN

34:48

verification unencrypted if you can do

34:51

signature if you can else send the PIN

34:54

to the bank if you can and if not don't

34:56

worry about it

34:59

um so this is quite interesting because

35:03

well we're sort of going to going to

35:05

going to authenticate the card but um

35:08

the card never doesn't know what sort of

35:10

terminal you know it doesn't know if

35:11

it's in a real terminal or if it's just

35:13

sticking in a in a cheap card reader at

35:14

some hacker conference so I can't really

35:17

trust that I will actually do these uh

35:19

these verification methods and

35:20

especially not in this order provided uh

35:23

another thing to note here and this was

35:25

a this was a um this was a um one of the

35:28

important hacks recently um as I said

35:32

all the data being sent back and forth

35:34

between the card and the reader is

35:36

completely unencrypted there's no

35:39

non-repudiation uh you know the data is

35:41

not macked so this is perfect Target for

35:43

man in the middle attacks and so the

35:45

chip cards are supposed to were supposed

35:47

to help to mitigate against skimming

35:49

type um type attacks but it turned out

35:51

it's a lot easier to actually insert a

35:53

skimmer into say an ATM

35:58

and then just um

36:00

basically read the communication between

36:03

the card and and and the and the ATM now

36:06

on top of that it's also fairly simple

36:08

to modify the um this communication so

36:12

one of the hacks that was quite

36:14

interesting so we saw that when when we

36:16

uh when we read all the data we we we

36:18

already have the magnetic stripe data

36:20

ready for cloning and and and making our

36:22

own card that we can use in Romania or

36:25

somewhere to to to at an ATM but now we

36:27

want the pin and

36:30

technically cards aren't allowed to

36:32

accept clear text unencrypted pins at

36:35

ATMs I don't know why they're allowed to

36:38

do it elsewhere I don't know nobody

36:40

would ever install a skimmer in anything

36:42

else but so this hack was basically

36:44

there was a man in the middle attack a

36:46

skimmer or a shim type attack that

36:49

whenever the card um sent the sent the

36:51

CVM list to the ATM it would say I only

36:55

support un encrypt pin please give me

36:57

the pin unencrypted and even though the

36:59

ATMs wouldn't actually be allowed to do

37:01

that I don't know maybe because they use

37:04

like candy vending machine firmware in

37:06

the ATM they decided okay well if you

37:08

say you know send it to me unencrypted

37:10

uh I'll just send it to you unencrypted

37:12

and then you have the the pin and the

37:14

and the Magnetic stripe data and if you

37:16

have a nice GSM module in your in your

37:18

shim then you can just send that off and

37:20

immediately run to the next ATM to to to

37:22

to get

37:24

money um so and and the whole like I

37:28

trust the terminal thing um goes on here

37:31

these are issue or action codes and we

37:33

have to sort

37:35

of uh this gets this gets a little bit

37:38

hairy I'm only going to skim over the

37:39

details basically while the terminal for

37:43

the terminal to um to think about what

37:45

it's going to do it fills out this bit

37:48

map and basically it has little bits for

37:51

for each thing that happens like if the

37:53

static data authentication fails it um

37:57

it will set that bit if the card is

38:00

expired it will set a bit here and this

38:04

and there's basically five bytes of bit

38:06

maps that can be set and if any of these

38:08

correspond this condition will take

38:10

effect so if this bit will get set while

38:13

the terminal is verifying the card um

38:17

the

38:17

terminal the card would like the

38:20

terminal to decline the transaction

38:22

immediately so if we have a look that is

38:26

requested service not allowed for card

38:28

product so the card might say uh you

38:30

know I I don't do domestic services so

38:34

please decline that something like

38:35

that um if any of these bits are set the

38:40

card

38:42

um the terminal should ask the card to

38:45

go