We were all alarmed to read a story in Computing telling how EMV cards could be cloned with some malware. Now, as you might imagine, were this to be true it would be a matter of the highest priority in the world of card issuers. Since my colleagues and I spend considerable time in that world, yet hadn’t heard anything about this catastrophic turn of events, we were curious as to the accuracy of the report. Delving further into the “news” story, we found this interesting qualification:
The fake cards work on virtually any Brazilian POS system
Brazilian? What? Ah, wait… Now we know what they are talking about. This attack is real and entirely feasible. And we know that it works in the mass market, because we actually executed just such an attack approximately fifteen years ago (and owned up to it, of course!). Sadly, the fifteen-year-old hack won’t work in most places (eg, the UK) any more. But it does work in some places, and Brazil is one of them. Why? Well…
The reason is that Latin America, an early adopter of EMV, is still heavily reliant on static data authentication chips, which allow the criminal using it to create usable new chip cards with the data it catches.
See? The problem isn’t EMV, it’s the use of Static Data Authentication (SDA) in EMV. We all knew about this many years ago, which is how come we came to prosecute just such an attack to demonstrate it to one of our banking clients. We used our kit to make a bogus SDA card (a “yes card” on Multos white plastic, but I’ll redact the rest of the procedure!) and bought a train ticket with it at Guildford station. Then I took the clone card, with the unopened PIN mailer for the real card, the ticket and the receipt to the head of cards at one of the UK’s biggest banks!
Although we knew about this, at the time we thought it would have been irresponsible to blog about it, so I put it to one side and then, stimulated by an enquiry from Brazil, we finally wrote about it back in 2014, explaining in detail what the problem was and how it was fixed. The problem is to do with the checking of the EMV cryptograms, or lack thereof, generally because the issuing bank hasn’t installed the necessary hardware and software to do it correctly (this sometimes happens because they are pushed into issuing but don’t have the budget or time to do things correctly) or the bank does have the necessary infrastructure but the operations people get the IT people to ignore the cryptogram check as customers are getting annoyed with transactions being declined.
This isn’t a problem for any of the issuers that we work with, since none of them use SDA and haven’t for many years. But I’m unsympathetic to the banks that are still issuing SDA cards. Perhaps they made a poor choice of consultants to advise them on this, I don’t know, but just to be clear: the SDA threat is genuine and no-one should be issuing SDA cards.
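The issuer-side cryptogram check described above, sketched as an added example (not code from the original post or from any issuer's host). It assumes HMAC-SHA256 as a stand-in for EMV's 3DES-based key derivation and MAC; the master key, PAN, field names and the `enforce` switch are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed test key; a real issuer master key lives in an HSM.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def card_key(pan: str, psn: str) -> bytes:
    """Derive a per-card key from the issuer master key (HMAC stand-in)."""
    return hmac.new(ISSUER_MASTER_KEY, (pan + psn).encode(), hashlib.sha256).digest()[:16]


def expected_cryptogram(pan: str, psn: str, atc: int, amount: int, un: bytes) -> bytes:
    """Recompute the 8-byte cryptogram the genuine chip would have produced."""
    msg = amount.to_bytes(6, "big") + un + atc.to_bytes(2, "big")
    return hmac.new(card_key(pan, psn), msg, hashlib.sha256).digest()[:8]


def authorise(txn: dict, enforce: bool = True):
    """Return (decision, alert). enforce=False models a host told to ignore the check."""
    want = expected_cryptogram(txn["pan"], txn["psn"], txn["atc"], txn["amount"], txn["un"])
    if hmac.compare_digest(want, txn["cryptogram"]):
        return "APPROVE", None
    # Log the failure even when it is not enforced, so fraud teams can see it.
    alert = f"cryptogram mismatch pan=****{txn['pan'][-4:]} atc={txn['atc']}"
    return ("DECLINE" if enforce else "APPROVE"), alert


def sample_transactions():
    """Constructed data: one genuine chip transaction, one with filler cryptogram bytes."""
    base = {"pan": "4000000000000002", "psn": "01", "atc": 17, "amount": 1250,
            "un": bytes.fromhex("a1b2c3d4")}
    genuine = dict(base, cryptogram=expected_cryptogram(
        base["pan"], base["psn"], base["atc"], base["amount"], base["un"]))
    pseudo_clone = dict(base, cryptogram=bytes(8))  # card holds no key, so bytes are filler
    return genuine, pseudo_clone


if __name__ == "__main__":
    genuine, pseudo_clone = sample_transactions()
    print(authorise(genuine))                      # key-bearing card passes
    print(authorise(pseudo_clone))                 # check enforced: declined
    print(authorise(pseudo_clone, enforce=False))  # check ignored: approved, alert only
```

With the check enforced, the static card data alone is not enough to get an online approval; with it ignored, the only remaining signal is the mismatch alert.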
So, no need to panic. Having put your mind at rest (unless you are a Brazilian card issuer, in which case my colleagues stand ready to answer your call) I cannot resist re-telling this story…
Many years ago, when my colleagues at Consult Hyperion were testing SDA cards in the UK, we used to make our own EMV cards. To do this, we essentially took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a Java card chip on it but otherwise completely blank. Since our white plastic card could not generate the correct cryptogram (because you can’t get the necessary key out of the chip on the real card), we just set the cryptogram value to be “SDA ANTICS” or whatever (in hex).
You might call these cards pseudo-clones. They act like clones in that they work correctly in the terminals, but they are not real clones because they don’t have the right keys inside them. Naturally, if you make one of these pseudo-clones, you don’t want to be bothered with PIN management so you make it into what is called a “yes card” - instead of programming the chip to check that the correct PIN is entered, you programme it to respond “yes” to whatever PIN is entered.
We used these cards in shops in Guildford to see which banks were checking the cryptograms properly and which banks were not. Not once did any of the Guildford shops bat an eyelid about us putting these blank white cards into their terminals. I heard a different story from a Brazilian contact though! He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this he made a white plastic pseudo-clone card. He programmed it as a “yes card” and went into a shop to try it out.
When he put the completely white card into the terminal, the Brazilian shopkeeper asked him what he was doing and what the completely blank white card was. The guy, thinking quickly, told him that it was one of the new Apple credit cards!
“Cool” said the shopkeeper, “How can I get one?”.