'Carding' tag logo

Are EMV credit cards clonable? How?

From a theoretical perspective, a smart card can be compared to a networked computer: it’s content cannot be accessed directly like a disk or a USB stick, you must send requests to the chip (either to access some data or to execute some operation) and the chip answers following a given protocol (authentication may be needed for some requests, etc.).

Therefore, still from a theoretical perspective, while a smart card itself can be considered as secure, this led to a wrong marketing discourse claiming that systems based on it were “unbreakable” or that such cards were “unclonable”. However, a complex system like a complete payment system cannot be shrinked to the sole EMV card security. The payment card is only the tip of the iceberg, every element composing this system and their mutual interaction must be taken into account, from the various involved devices to the protocols and the communication mediums, a lot of disparate elements participating into weakening the payment system and making it far from being “unbreakable”.

Too short keys used (1993-1998)

The smart card being a French invention, France was obviously an early adopter of this technology as an attempt to increase payment system security. The magstripe was not perceived as being secure enough, and the future shows that this weakness was true (at the end of this video for instance, we can see someone creating a magstripe-based credit card from an hotel door card).

Despite “GIE cartes bancaires” (the French banks consortium handling smart card based payment systems) claims that this system was unbreakable, a security researcher, Serge Humpich, contacted them privately and demonstrated that this was not true. Due to a too short private key being used, Serge Humpich was indeed in measure, not only to clone a card, but even to create new cards bearing fancy numbers.

While Serge Humpich’s goal was to help the “GIE cartes bancaires” to improve the securityof their system, as a reward they sued him for having reverse-engineered it.

Nevertheless, after this event the private key has been upgraded and nowadays its length is reviewed on a yearly basis.

A bit of tape to force a fallback on the magstripe

The smart card payment system being still not widespread around the world, the ATM and payment devices continue to accept the magstripe as a fallback when the chip is unavailable or unreadable.

Next issue: by putting some tape on the the chip you can force an ATM to fall-back on the easily forgeable magstripe, allowing you to clone even a chip-enabled card without having to actually clone the chip itself.

Some banks reacted by restricting payments made by EMV enabled cards to be chip-only, the EMVCo consortium also proposed to use a different CCV (a three number ID) on the the chip and on the magstripe in order to prevent to build a valid magstripe from data read from the chip (called iCCV, I do not know if this is widespread, the video linked above showing someone forging a magstripe using data collected via NFC makes me doubtful about this…).

A communication protocol too complex to be secure

The protocol involving the chip, the payment/ATM device and the bank is very complex, too complex according some people. The communication between the card and the device is not fully secured (some steps involve no cryptography, no signature, etc.), this includes several backward and international compatibility features and some other features allowing the transaction to proceed even in case of technical issues. Moreover, the different steps composing the transaction are not tight together.

All this complexity make any flaw hardly fixable, while opening the door to a wide range of attacks, including the following Man-in-The-Middle (MiTM) attack.

Instead of a simple piece of tape as seen before, the attacker now puts a specially crafted second chip over the genuine one which will take in charge all of the MiTM process. It could for instance:

  • Take in charge the PIN authentication while deceiving the genuine card into thinking it is acknowledging a chip and signature transaction (French link from the Cambridge University researches work, see below).
  • It could downgrade security settings, in order for instance to disable some optional cryptography.
  • The chip can even be installed on the payment device side, capturing informations and PIN numbers from all cards going through it. The attacker can then retrieve the collected information using a specially crafted smart-card or simply through the air if the MiTM device includes, for instance, WiFi capabilities (such device has been encountered in real life by the team presenting the above linked DefCon video, they were even more worried to discover a serial number on such device implying some semi-industrial production).

A system too complex to be correctly implemented

The standard complexity also encourages for weak implementation.

Cambridge University researchers have shown that several ATM use a weak pseudo-random number generator. While the card contains a secret encryption key which cannot be discovered, malicious payment devices could trick a card into producing several signed messages by advance which will then be used against such weak ATM, effectively making resulting malicious “cloned” cards act as the genuine one from the ATM point-of-view.

This attack has been described in 2012, it is said that weak ATM’s have now been upgraded and fixed. However, by the end of 2014 newspapers still seem to describe attacks looking strangely close to this one. Funnily enough, this article mentions a bank which detected the attack because some EMV payment have been processed for magstripe-only cards.

Other attacks

At last, I cannot without mentioning other situation where card numbers obtained by cloning devices can also be useful:

  • While all ATM require the bank authorization before proceeding with the request, it is not the case for all payment system. Some of them, mainly in location where payment must be processed very quickly (toll highways, automated gas stations, …) or for small amounts do not contact the bank and rely only on the exchanges made with the card to accept the transaction. Such payment systems with no bank authorization can often be recognized by a notice telling that they do not accept “Visa Electron” cards (this card requires bank authorization on a systematic basis).

  • Collected card numbers can also be used for online, phone or mail-order payment. There are still a large number of websites not asking (or asking but not checking) the three-digit CCV number and which haven’t subscribed to Visa 3-D Secure / MasterCard SecureCode systems. No PIN needed here, only the card number and the expiration date, the very information provided by the chip without any authentication required.

Customer liability

As a side note, the worse in all this is that several of the above mentioned attacks, producing a transaction labelled as EMV (no matter if a physical card has been used or not) makes most often the consumer directly responsible of the financial consequences. Most banks indeed only covers frauds as-long-as the PIN code has not been used. As-soon-as the transaction appear as EMV in their logs, upon the wrong assumption that smart card security is unbreakable, they often blindly consider that the PIN code has been used and that the consumer is responsible by negligence.

Article based on a StackExchange answer.

Popular tags see all