Is the security of credit cards indeed as strong as we expect?
Image source - asiancsbank.com
It is difficult to imagine a modern person who does not use Visa or MasterCard cards. More and more people prefer cashless payments. Paying bills, shopping online, and booking flights can all be done in seconds, all thanks to credit cards. However, are we thinking about the algorithms used in credit cards?
To protect yourself from fraudsters, you first need to understand how a payment is actually processed. So how do bank cards work? Let's figure it out together.
This article is also:
- a practical guide for holders of bank cards from payment systems such as Visa and MasterCard;
- a functional safety guide for bank customers and employees.
This article discusses technologies that should be used to protect funds in bank accounts. Any use of these methods for hacking or unauthorized access is illegal. All information is provided only to inform you about the methods used by scammers.
A bank card is a tool that allows you to access your bank account.
The card can be issued both on a physical medium and in electronic form (virtual card).
Any image can be printed on the front of the card; only the card number and expiry date are mandatory. If the card is issued on a physical medium, the name of the bank, the logo of the payment system, and the holder's name are usually printed on it as well (but not always).
On the back there is a magnetic stripe and a paper strip for the holder's signature. On some cards the CVV2 or CVC2 code is printed there.
Magnetic stripe operations are considered the simplest and at the same time the least secure. Many people around the world have been victims of skimming: hackers or carders hide malicious devices that read the information from the payment card during the transaction and capture the PIN code with the help of a hidden camera (most often at ATMs located on the street).
Readers are used to recognize the information recorded on a magnetic card for different purposes: making non-cash payments for goods and services, running bonus and advertising programs in stores, conducting transactions with social cards, identifying employees in time-management systems, etc. Readers speed up settlement transactions and automate control and reporting.
Image source – sj-company.ru
Magnetic cards are made of standard-sized plastic. The front side carries graphic or textual information, with or without identification of the owner and the issuer. The reverse side carries a magnetic stripe 12.7 mm wide, on which up to 100 bytes of data are recorded. Special devices, card readers, are required to read and interpret the stored information.
Magnetic cards are in demand in payment systems. Magnetic stripe readers are used in large stores (supermarkets, shopping centers) and in public catering (cafés, restaurants, bars and other establishments) for settling with customers. Many banks use these devices for customer identification and payment acceptance, and they are also used when paying for travel on public transport (metro, electric trains, buses, etc.).
However, despite their technical characteristics, magnetic stripe readers have significant drawbacks:
- Low security against unauthorized access: an intruder who has taken possession of someone else's card can duplicate it.
- Unreliability in operation, caused by clogging and displacement of the magnetic heads.
- Low throughput of access control in slot readers, because a magnetic card often has to be read several times.
Another device used by fraudsters is an encoder.
A magnetic card encoder is a device for recording information on the magnetic stripe of a plastic card. The card is inserted manually into the encoder slot, and the read head checks where the data has been placed.
A permanent magnet mounted on the encoder shaft creates a magnetic field that the encoder measures to generate a unique value.
Encoders come in two forms: external standalone units and embedded modules. External encoders are connected to a computer by cable. Embedded encoders are built into plastic card printers and encode the magnetic stripe while the image is being applied to the card. Reading, writing, and verification of the written data can be performed in a single pass.
Magnetic encoders are robust and compact. They do not require batteries, so running costs are minimal. Standalone magnetic card encoders communicate with a PC via USB, TCP/IP, or RS232.
The card owner was supposed to be verified by the signature on the printed receipt, which the cashier had to compare with the signature on the back of the card.
In the 90s the magnetic stripe began to be replaced by smart cards, and the EMV consortium (Europay, MasterCard & Visa) was created to popularize them.
Image source – huffpost.com
The consortium's idea was simple: by leveraging the power of smart cards, symmetric cryptography, and public-key cryptography, all magnetic stripe problems could be solved.
Working with a smart card guarantees three levels of protection at once:
- Card authentication: verification by the payment terminal that the card is genuine and was issued by the bank;
- Payer verification: confirmation that the card belongs to the buyer standing in front of the payment terminal;
- Transaction authorization: the data travels a long way from the card to the issuing bank, and the bank must make sure that cybercriminals have not interfered with the transaction anywhere along the way.
An open (public-key) cryptographic algorithm, RSA, is used for card authentication. The current minimum key length requirement is 1024 bits. The CA issues a limited number of keys to banks, and the banks in turn bind them to the cards themselves.
Root certificates are installed on the terminal when it is configured. During the transaction, the card provides its public keys to the payment terminal together with information signed with the private key (digital signature mode).
However, in 2009, researchers at the University of Cambridge discovered the PIN OK attack. A specially crafted device placed between the card and the terminal carried out a man-in-the-middle attack and changed one of the fields sent by the card. The terminal could not detect this substitution using the methods described above.
The EMV consortium had provided a new defense mechanism against such attacks, the CDA scheme, even before the researchers discovered the attack. With this mechanism, the terminal can check the integrity of most of the fields transmitted by the card.
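As an added example (not code from the article or from the EMV specifications), the following Go model shows the key chain described above (CA root installed on the terminal, issuer key certified by the CA, card key certified by the issuer) and why a CDA-style signature over the transaction fields lets the terminal notice a field altered in transit: the card's signature no longer matches what the terminal saw. The certificate format, field encoding and the SHA-256/PKCS#1 signature scheme are simplifications; real EMV uses ISO/IEC 9796-2 formats.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Added example, not from the article: simplified EMV offline data authentication.
// Chain is CA -> issuer -> card; the card then signs the transaction fields so the
// terminal detects a field changed between card and terminal (the PIN OK case).
// signedKey is a public key plus the parent's signature over its modulus
// (every key here uses e=65537, so the modulus alone identifies the key).
type signedKey struct {
	Pub *rsa.PublicKey
	Sig []byte
}

func sign(priv *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// TerminalVerify plays the terminal: it trusts only the CA root installed at
// configuration time, checks the issuer and card certificates, then the card's
// signature over the transaction fields the terminal itself observed.
func TerminalVerify(caPub *rsa.PublicKey, issuer, card signedKey, fields, sig []byte) bool {
	return verify(caPub, issuer.Pub.N.Bytes(), issuer.Sig) &&
		verify(issuer.Pub, card.Pub.N.Bytes(), card.Sig) &&
		verify(card.Pub, fields, sig)
}

// Demo builds a constructed chain and returns (genuineAccepted, alteredAccepted).
func Demo() (bool, bool) {
	ca, _ := rsa.GenerateKey(rand.Reader, 1024)
	iss, _ := rsa.GenerateKey(rand.Reader, 1024)
	icc, _ := rsa.GenerateKey(rand.Reader, 1024)
	issuer := signedKey{&iss.PublicKey, sign(ca, iss.PublicKey.N.Bytes())}
	card := signedKey{&icc.PublicKey, sign(iss, icc.PublicKey.N.Bytes())}
	fields := []byte("amount=1000;cur=978;cvm=PIN;nonce=7f3a2c") // constructed: card's view
	seen := []byte("amount=1000;cur=978;cvm=SIG;nonce=7f3a2c")   // constructed: altered in transit
	sig := sign(icc, fields)
	return TerminalVerify(&ca.PublicKey, issuer, card, fields, sig),
		TerminalVerify(&ca.PublicKey, issuer, card, seen, sig)
}
```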
Offline authentication was created primarily to protect offline payments, when the terminal does not have a permanent connection to the Internet. Therefore, if DDA or CDA fails, the transaction will not be declined 99% of the time, since the issuing bank authorizes it online using a cryptogram.
However, some payment systems recommend paying attention to persistently failing authentication, especially when it occurs during payments on different terminals.
There are two ways to verify the payer: PIN code and signature. The PIN code can be checked either on the card itself or online. The PIN can be transmitted encrypted (using a 3DES symmetric key) or in clear text.
Another verification method, called CDCVM or On-Device CVM depending on the payment system, is used in Google Pay and Apple Pay.
To authorize a smart card transaction, the payment cryptogram was developed. The card sends the terminal a list of the data fields it requires; the exact set depends on the version of the cryptogram and the card's settings. As a rule, these are the transaction amount, currency, date, and other terminal parameters needed for the risk management stage.
In the next stage, the card supplements these fields with its own internal fields: the transaction counter and the version of the cryptogram.
The resulting string is processed in digital signature mode with the 3DES secret key stored on the card, and the cryptogram is transmitted to the bank together with all the signed information. The issuing bank uses a hardware security module (HSM) that holds a copy of the card's symmetric key in a read-protected memory area.
The HSM recomputes the signature over the data received from the payment terminal; a match means that nobody changed the data on its way from the card to the issuing bank. At the same time, the HSM decrypts and verifies the card's PIN code if online PIN verification is used.
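The cryptogram flow above, as an added example that is not code from the article or from any payment scheme: the card MACs the terminal's fields plus its own transaction counter with a 3DES key, and the issuer side (the HSM role) recomputes the MAC with its copy of the key, compares it in constant time, and rejects a counter that does not advance. The field set, the padding, the single static key and the plain CBC-MAC are simplifications of the real scheme, which derives a session key per counter value and uses ISO 9797-1 MAC Algorithm 3.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
)

// Added example, not from the article: a simplified EMV-style payment cryptogram.
// The card MACs terminal fields plus its application transaction counter (ATC)
// with a 3DES key; the issuer HSM, holding the same key, recomputes the MAC.
// TxFields are the terminal-supplied fields the card signs (constructed subset).
type TxFields struct {
	AmountMinor uint64 // amount in minor currency units
	Currency    uint16 // ISO 4217 numeric code
	Date        string // YYMMDD
}

// serialize encodes the fields deterministically and pads (0x80 00..) to 8-byte blocks.
func serialize(tx TxFields, atc uint16, version byte) []byte {
	b := binary.BigEndian.AppendUint64(nil, tx.AmountMinor)
	b = binary.BigEndian.AppendUint16(b, tx.Currency)
	b = append(b, tx.Date...)
	b = binary.BigEndian.AppendUint16(b, atc)
	b = append(b, version, 0x80)
	return append(b, make([]byte, (8-len(b)%8)%8)...)
}

// cbcMAC returns the last CBC ciphertext block of 3DES under a 24-byte key.
func cbcMAC(key, data []byte) []byte {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(out, data)
	return out[len(out)-8:]
}

// CardCryptogram is what the card computes and sends alongside the fields.
func CardCryptogram(cardKey []byte, tx TxFields, atc uint16) []byte {
	return cbcMAC(cardKey, serialize(tx, atc, 1))
}

// IssuerVerify plays the HSM: recompute with its key copy, compare in constant
// time, and reject a counter that has not advanced past the last seen value.
func IssuerVerify(hsmKey []byte, tx TxFields, atc, lastATC uint16, mac []byte) bool {
	if atc <= lastATC {
		return false
	}
	return subtle.ConstantTimeCompare(cbcMAC(hsmKey, serialize(tx, atc, 1)), mac) == 1
}
```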
For payer verification to mean anything, it must be tied to card authentication and transaction authorization. Without authorization, the entire transaction becomes insecure.
Contactless payments have been gaining popularity since the mid-2010s. Banks and payment systems present them as a fast and convenient way to pay.
The benefit for the banks is, of course, significant: the more people pay with their cards, the more the banks earn on commissions! Security should develop along with the technology, but this rule does not always hold in practice. Contactless payments, despite their practicality, have many flaws that should be eliminated.
First, the protection mechanisms described in the early 2000s, together with their problems, have survived. In most cards, even the cryptographic keys used for the EMV and NFC cryptograms are the same.
Secondly, the EMV association could no longer influence how the payment process would be structured.
By understanding how credit cards work and the principles of contactless payment, you can protect yourself from the theft of funds and other unwanted actions of fraudsters. In order not to become a victim of scammers, we recommend that you follow a few simple rules:
- Do not keep your PIN in the notes on your phone alongside your card details. If the phone is lost or stolen, an attacker would gain access to both your bank card number and your PIN;
- Do not, under any circumstances, reveal your card PIN codes and CVV codes;
- Remember, bank employees will never request your confidential data by phone or SMS. If you receive a suspicious SMS, delete it;
- If you lose your bank card, contact the bank immediately. Your lost card will be blocked, and you can get a new one;
- Do not publish your passport data anywhere on the Internet: attackers can use it to apply for a loan in your name;
- Attackers use phishing sites to obtain credit card information. Make purchases only on secure sites with verified SSL certificates that participate in Trusted Shop networks.
We hope this article was helpful to you and that the rules described above will help you keep your money safe and sound!
Dear readers, please share whether you have been a victim of carders. Tell us about your experience in the comments below this article.