NFC and payment cards, be scared now.

In my previous post I warned people not to share the output of cardpeek with others, as it includes the full card number (16 digits, or 15 or 19 depending on the type) and its expiration date.

The reason that happens is that the EMV implementation requires exposing the data from the magnetic stripe over the chip; this data is defined as Track1, Track2 and Track3. Classically only the first two are of relevance for credit cards, but at least on Italian debit cards (Bancomat), like the one I discussed yesterday, Track3 is present as well.

Track1 contains the name on the card, while Track2 contains, as I said, the full card number and expiration date. The only thing that is missing is the CVV/CVC/CV2 (call it what you like), the three digits that are printed (not embossed!) on the back of the card. Recording magnetic stripe data is trivial with a skimmer (if you’re interested, check Krebs’s blog), but recording the data from a chip is not much more complex, if you can hack the firmware of the terminal device.

The difficulty, after copying the tracks’ data, is to make a copy of the card itself. At least in theory, the private key used for enciphered PIN verification is supposedly impossible to extract, which makes duplicating a chip infeasible. Again, that is in theory: I’ve pointed out how many different CVM policies are configured on cards, and some of them do not require enciphered PIN (in particular, Italian debit cards seem to be the worst offenders). Similarly, online transactions nowadays always require the CVV code, which is not available in either the magnetic stripe or the EMV data.

On the other hand, the fact that magnetic-stripe usage is still allowed (largely because the United States has not moved to the new technology yet) means that just snooping Track1 and Track2 data allows for in-store transactions with a fake card. It’s thus just a matter of lower direct benefit for fraudsters that chip-and-pin cards are not usually cloned in Europe: even if you can read the data with a hacked terminal, you have to sell the data somewhere else for it to be used.

But all I said up to now involves having the card in your hands, or using a hacked terminal, and both options are pretty risky. There is a more “interesting” approach, thanks to the current move to NFC-enabled payment cards (my Irish debit card has it too). It does not really look like one of the NCIS episodes with the fraudster just brushing past people in the street, but it comes close enough.

While NFC payment only works for non-CVM-required transactions (less than 15 euro or 25 dollars), it does expose the full tracks’ data over the contactless interface, which means it’s just a tap away from being cloned. Sure, you still need physical contact with the card, but there are a few reasons why I find it much more worrisome than cloning from the stripe or chip.

The first problem is that the tools required to skim the data out of the chip or the magnetic stripe are much harder to come by than those for NFC, because you only need an NFC-enabled phone (such as a Nexus 4 or 5) and the right app. You can for instance look at cardtest, which will show you all the details of the card just by tapping it on the phone; the app hides the full number of the card, but that is done in software, and the NFC read has already returned the full number.

And the card itself will gladly talk through your average wallet (sure, there are RFID-blocking wallets, but they are rarely good quality), so it’s just a matter of getting the phone, or one of the many RFID readers, over or under the wallet. Maybe it’s my wannabe-writer imagination at work here, but I can see how a few strategically placed RFID readers embedded in the counter around the till of a store could read a lot of cards, even those that are not being used to pay, muddying the waters quite a bit.

There is another point of view as well, which can be interesting. Even cards that are NFC-enabled are mailed, at least in Europe, in standard paper envelopes. These do nothing to protect you from NFC skimmers: a malicious postman can easily skim the cards with an unmodified cellphone, just by tapping the letters that look like they contain a card of some kind. I tried this myself the other day as I received an Irish, government-issued card through the mail: just leaving it on top of my laptop and running pcsc_scan made it work, and using my cellphone was just as easy. All without opening the envelope or even making it look tampered with! And yes, of course the cards are not shipped active, but just wait a week or two and they will be; it’s rare to be in my situation, having to wait to ship them to a different country before they get enabled.

So what can we do about this? Well, I’m not sure, I’m not that much of an expert. My best bet up to now is to add as many NFC-enabled cards (Leap, DublinBikes, ZapaTag, Oyster, etc.) to my wallet, to mix up the signal from the actual payment card. This tends to work, but it’s just a matter of repeated attempts until the right card comes up. I guess it’s time for me to consider buying one of those two-dozen-card aluminium holders, which are usually shielded against RFID access, and for you too.

Other than that, the usual advice applies: make sure to check your statements, and report quickly to your institution if something looks odd!

My time abroad: chip’n’pin

A couple of months ago I started gathering content to write about payment cards of various types, after discussing with some colleagues the differences in payment cards between countries. I still have the draft there, with a bunch of related links to expand upon, but I realized that it was going to become really unwieldy and, honestly, not interesting to most people anyway. I decided instead to limit myself to some commentary on one of the banes of my existence here in Dublin: chip-and-pin cards.

My American readers might know chip-and-pin just by name; my Italian readers will probably not know what it is at all, given that the term was never really used in Italy, even though it’s very much in use. Most payment (credit and debit) cards in Europe are actually smartcards, and their chip, rather than the magnetic stripe, is used for the payment. In the US this is not that common at all, although this is changing as we speak.

The presence of the chip, though, does not by itself make the card a chip-and-pin card. Indeed, I have two credit cards I brought from Italy, and both have trouble working in Ireland, where chip-and-pin has been mandatory for a while. The same is true in the UK, and indeed when I first visited London I knew it was the case, but my bank manager, and the documentation he had available, had no clue about it. Instead, my Italian cards are chip-and-signature: you don’t swipe them, but you still get the same kind of receipt that you have to sign. This has been the default for credit cards in Italy for the longest time. Some banks, and American Express, do provide Italian customers with chip-and-pin cards; on the other hand, I’ve been told that US Amex provides chip-and-signature cards nowadays.

But the funny part is that one of the two Italian credit cards I have does have a PIN, and I know I’ve been asked for it at least once in London. So how does that work? If you own a smartcard reader – I do – you can easily find out the way it works using cardpeek. This tool includes inspector protocols for a series of different smartcard applications, including EMV, the application type used by chip-and-pin (and also chip-and-signature) cards.

All of this combined makes for a headache of some cards working in some countries and not others (my Irish debit card does not reliably work in the US, but sometimes it does; one of my Italian credit cards always works fine in the US but does not work in Switzerland; and so on and so forth). Unfortunately I did not bring with me the collection of older cards that I owned, or I could be trying an American Express too, so I’ll have to stop my description at an Italian debit card (chip-and-pin), an Italian credit card (chip-and-signature), an Irish debit card (chip-and-pin, contactless), and an Irish credit card (chip-and-pin).

When you inspect an EMV card with cardpeek, you can identify the Cardholder Verification Method (CVM) records, which are, basically, an ordered list of options to validate a transaction. In the case of my Italian credit card, these read:

  • Fail cardholder verification if this CVM is unsuccessful: Signature (paper) — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: Enciphered PIN verified online — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: Plaintext PIN verification performed by ICC — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: No CVM required — Always

What this implements is a very restrictive CVM list: in particular, if the terminal supports paper signatures, that’s the only option the chip gives to the vendor. Now, in Ireland there are many terminals that theoretically support signature verification, but the vendors themselves will not accept them; the reason is that in case of fraud the liability then lies with the vendor, rather than its bank. The same problem in Italy is tackled by requiring photo ID every time you use the credit card, but that is not the case here in Ireland, as carrying photo ID is not mandatory.

It’s very interesting to check the Italian debit card’s CVM too, because the card has two applications installed: one is Maestro and the other is PagoBANCOMAT, the debit card circuit operated by Italian banks. The latter supports a single CVM, “Fail cardholder verification if this CVM is unsuccessful: Plaintext PIN verification performed by ICC — Always”, which basically means that every single operation goes through the card’s own verification of the user’s PIN. On the other hand, the Maestro app has a list:

  • Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verified online — If unattended cash
  • Fail cardholder verification if this CVM is unsuccessful: Enciphered PIN verified online — If manual cash
  • Fail cardholder verification if this CVM is unsuccessful: Plaintext PIN verification performed by ICC — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: Enciphered PIN verified online — Always

You can see that it’s an interestingly complicated series of options; in particular it seems like “manual cash” only works with online PIN, and it’s preferred to use online PIN for unattended cash, but for everything else, if the terminal supports offline PIN, that’s what it has to use. I’m not sure why this happens, but this particular card does not always work here in Ireland either.

So what about the second Italian credit card?

  • Apply succeeding CV rule if this rule is unsuccessful: Signature (paper) — If terminal supports the CVM
  • Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verified online — If terminal supports the CVM
  • Apply succeeding CV rule if this rule is unsuccessful: Plaintext PIN verified online — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: No CVM required — If terminal supports the CVM

So this card is actually very permissive; it’s probably not by chance that this is the only card I can use in the US without risks of getting it rejected. The Irish debit card is a bit more complex too, and not as reliable in the US:

  • Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verified online — If unattended cash
  • Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verification performed by ICC — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: Plaintext PIN verification performed by ICC — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: Enciphered PIN verified online — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: Signature (paper) — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: No CVM required — Always

Again, unattended cash prefers online verification, but then everything else prefers offline. Unlike the Italian debit card, though, enciphered PIN is preferred over plaintext one. And surprisingly enough, the same CVM is present on the NFC interface.

Finally, this is the CVM list for my Irish credit card:

  • Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verified online — If terminal supports the CVM
  • Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verification performed by ICC — If terminal supports the CVM
  • Apply succeeding CV rule if this rule is unsuccessful: Plaintext PIN verification performed by ICC — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: Signature (paper) — If terminal supports the CVM
  • Fail cardholder verification if this CVM is unsuccessful: No CVM required — Always

This closely resembles the permissiveness of the second Italian card (just for reference, that one is a MasterCard while the Irish one is a Visa). And indeed it matches the fact that this card also works flawlessly in the US. Unlike the Italian one, though, the PIN is never transmitted in plaintext for online verification, and plaintext PIN is only used as the second-to-last resort, within the ICC itself.
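The rule lists above are cardpeek’s rendering of the 2-byte CV rules stored in EMV tag 8E. The following added example (my own code, not cardpeek’s) decodes a constructed CVM List back into that wording and runs a simplified version of the terminal’s rule selection, which is what makes the first Italian credit card signature-only on any signature-capable terminal; the amount-based conditions and the terminal’s own CVM capability bitmap are simplified to a set of supported codes and a set of satisfied conditions.

```python
"""Decode an EMV CVM List (tag 8E) into the wording cardpeek prints, then run a
simplified version of the terminal's rule selection (EMV Book 3, section 10.5)."""

CVM_CODES = {  # bits 6..1 of the first byte of each 2-byte CV rule
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verification performed by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN verification performed by ICC and signature (paper)",
    0x04: "Enciphered PIN verification performed by ICC",
    0x05: "Enciphered PIN verification performed by ICC and signature (paper)",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
CONDITIONS = {  # second byte of each rule; amount-based codes 0x06..0x09 omitted
    0x00: "Always", 0x01: "If unattended cash", 0x04: "If manual cash",
    0x02: "If not unattended cash and not manual cash and not purchase with cashback",
    0x03: "If terminal supports the CVM", 0x05: "If purchase with cashback"}

def decode_cvm_list(data: bytes):
    """Tag 8E = amount X (4 bytes), amount Y (4 bytes), then 2-byte CV rules.
    Returns [(apply_next_on_fail, cvm_code, condition_code), ...]."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    return [(bool(data[i] & 0x40), data[i] & 0x3F, data[i + 1])
            for i in range(8, len(data), 2)]

def describe(rule) -> str:
    """Render one decoded rule the way cardpeek does."""
    apply_next, code, cond = rule
    head = ("Apply succeeding CV rule if this rule is unsuccessful" if apply_next
            else "Fail cardholder verification if this CVM is unsuccessful")
    return (f"{head}: {CVM_CODES.get(code, f'CVM {code:#04x}')} - "
            f"{CONDITIONS.get(cond, f'condition {cond:#04x}')}")

def select_cvm(rules, supported, state=frozenset()):
    """Which CVM a terminal lands on. `supported` = CVM codes it can perform,
    `state` = transaction conditions that hold (0x01 unattended cash, 0x04 manual
    cash, ...). Returns the chosen code, or None when verification fails."""
    for apply_next, code, cond in rules:
        if cond == 0x03 and code not in supported:
            continue          # 'if terminal supports' not met: skip, no failure
        if cond not in (0x00, 0x03) and cond not in state:
            continue          # transaction-type condition not met: skip
        if code in supported:
            return code       # terminal performs this CVM
        if not apply_next:
            return None       # unsupported, and bit 7 says fail outright
    return None

# Constructed: X = Y = 0, then the four rules shown for the first Italian credit card
ITALIAN_CREDIT = bytes.fromhex("0000000000000000" "1E03" "0203" "0103" "1F00")

if __name__ == "__main__":
    print("\n".join(describe(r) for r in decode_cvm_list(ITALIAN_CREDIT)))
```

For this list, `select_cvm` returns 0x1E (signature) on any terminal that supports signature, whatever else it supports, and falls through to 0x02 (online PIN) only on a terminal without signature support.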

So when you expect things to be easy because your card is “chip-and-pin”, try to keep in mind that it might not be strictly true. If you’re curious about your own debit and credit cards, and you happen to have a smartcard reader, take a look at cardpeek and ask it to analyze an EMV card. Keep in mind that what you read out of the card itself is not to be shared with anybody as is! The full number of the card, as well as the expiration date and a little more private data, is present in the EMV dump that cardpeek produces. For some cards, such as my Italian MasterCard, a log of the most recent transactions executed on a terminal is also available.

Amazon UK: you fail.

It so happens I like(d) Amazon but they really have failed me now, probably for the last time.

First of all you have to know that the majority of Italian credit cards aren’t like the ones in the US: rather than paying all at once at the end of the month, they tend to force you to pay in installments, which is quite fine as long as I’m waiting to be paid, but not good if I have the money at hand, as it adds interest that I could otherwise avoid.

Sure, there are pre-paid cards, but they’re a hassle to handle: they are quite limited in payment, can’t be confirmed in PayPal, and usually allow you to top them up only with a fixed amount of money, so you can’t just load 234.34 euro. And each top-up costs you money too.

So when I saw that my bank’s (UniCredit Banca) debit card had switched to a smartcard with the 19-digit Maestro number embedded, and that Amazon UK supposedly accepted Maestro debit cards, I decided to get a new debit card, replacing my old one that didn’t have the Maestro number. It took me two weeks to get my new Bancomat card working with its PIN. Incidentally, at about the same time I had trouble with my prepaid card, so I returned that too, leaving myself with just the MasterCard credit card.

When I finally decided to place an order, my Maestro card was rejected: they wanted either a start date or an issue number, and Maestro cards in Italy don’t have either. Googling around, it seems Irish cards don’t have those either, and they actually seem to be a UK-only feature. So I contacted Amazon customer care. (I also tried placing an order with Play.com, but although they first accepted the number, they rejected it afterward, which pissed me off in a different way.)

The first mail from Amazon UK customer care suggested that I set the payment method to cheque, and then call in to get it changed to Maestro, giving the card’s details to the phone operator. So I did: this morning I called the UK non-free number; thanks to VoIP at least I paid very little, but I still paid! After 20 minutes, the operator told me that unfortunately they only accept Maestro cards with an issue number or a start date, and suggested asking the bank for the data. So I did.

The bank of course doesn’t know anything about issue numbers or start dates; what they provided me should be quite enough, it just isn’t for Amazon UK.

Interestingly, for both email requests and phone calls, Amazon asks you whether customer care satisfied you, so I told them I wasn’t satisfied because their own documentation repeats that Maestro cards are accepted, without stating that only some Maestro cards are accepted.

And then I got a more interesting reply: credit cards are accepted almost worldwide, but debit cards, as well as cheques, need to be pounds-based; that’s why they require the two attributes that are not part of my card. So I again asked them to make it clear in the documentation that Maestro cards from every other part of the globe are not accepted.

The last message I received didn’t make sense to me, as they repeated where I could find the Issue Number for my card (I can’t, I told them!) and referred to a combo menu I had supposedly talked about; I didn’t talk about any combo menu.

Now I’ve had to cancel my order, and this makes me angry, as I was hoping to get Devil May Cry 4 soon enough: I completed Ratchet and Clank and I need something new to vent with. And Amazon made me even more angry, so I need even more venting.

Amazon, you most likely have lost a customer.