3D Secure 2.0: Be Ready to Make It Work to Your Advantage

EMV 3-D Secure (aka “3-D Secure 2.0”) is about to become a reality, bringing with it a frictionless consumer experience and the technology for more secure transactions. That’s good news if you’re a card issuer, as long as you’re prepared for the change…

How to Avoid Card Skimmers at the Pump

Previous stories here on the proliferation of card-skimming devices hidden inside fuel pumps have offered a multitude of security tips for readers looking to minimize their chances of becoming the next victim, such as favoring filling stations that use security cameras and tamper-evident tape on their pumps. But according to police in San Antonio, Texas, there are far more reliable ways to avoid getting skimmed at a fuel station.

Detecting Cloned Cards at the ATM, Register

Much of the fraud involving counterfeit credit, ATM debit and retail gift cards relies on the ability of thieves to use cheap, widely available hardware to encode stolen data onto any card’s magnetic stripe. But new research suggests retailers and ATM operators could reliably detect counterfeit cards using a simple technology that flags cards which appear to have been altered by such tools.

New credit card skimmer worked in plain sight at Aldi stores

Police in Lower Pottsgrove, Pennsylvania have spotted a group of thieves who are placing completely camouflaged skimmers on top of credit card terminals in Aldi stores. The skimmers, which the gang placed in plain sight of surveillance video came…

How could criminals use stolen EMV credit cards in 2011?

I would like to recall a fraud that happened in France in 2011, for which a paper was published (also linked from Ars). I came across this by following the debate on EMV card security and its mandatory introduction in the USA. I live in Europe anyway.

This question is directly related to the specific fraud and must be contextualized into year 2011, as this technique is mitigated. This means that the question is not actual.

Summary

By adopting a sophisticated MITM technique, physically implanting a proxy chip onto a real stolen card’s chip, criminals were able to completely disable user authentication via PIN code and perform transactions using stolen credit cards.

After the fraud was discovered and cryptanalyzed, a number of fraud prevention enhancements were deployed to POS systems and the card protocol to defeat this technique.

Interesting quote from the article

“The reason we started our research was that people came to us again and again claiming that their cards had been stolen and used in store transactions which the banks swore proved that they’d been negligent with their PINs, while the customers were certain they could not have been.”

My question

How was it ever possible that a stolen card was usable for months?

Since the very introduction of EMV cards (a long time for us Europeans) all banks getting reports on stolen cards would first disable the card itself, and in real time. Credit cards could be physically stolen (like the 2011 fraud), or their PIN compromised, namely coerced.

In both cases, a POS machine from year 2011, while accepting a card that passed PIN verification, would get a clear rejection from the payment processor, as the card is supposed to appear in the blacklisted cards, or not in the list of enabled cards.

How was it possible that those transactions were accepted and processed? The article clearly speaks about stolen cards, and I don’t think that all 40s of cards were stolen without the cardholder knowing that. And also I am not talking about a card stolen and used as quickly as possible before the cardholder calls the bank to block the card.

All of our banks since earlier than 2011 offered a free-dial number to report a stolen card. The card is blocked immediately (ATMs may also refuse to return the card to the presenter) and the bank will later issue a new EMV card with a new PAN and a new PIN. I had to block my stolen EMV card once, so I have direct experience with this. It was never used by whoever got it, as it was PIN protected, but anyway I got my old card blocked upon a phone call, and after a few weeks a new card with a new number and code was issued to me.

I have read the entire paper I linked and could not understand how that fraud scheme could be effective against payment processing banks. Unless at that time the payment processor did not check for the card to be active, relying on its advertised expiry date (stored in the chip) and PIN authentication result.

The sense of this question is that, theoretically, an EMV card with compromised PIN reported stolen could be (or could have been at the time) used further! I know about a small number of PIN coercion cases in my country.
