It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication

Page created by Eric Morgan
 
CONTINUE READING
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
It Only Takes a Minute to Clone a Credit
Card, Thanks to a 50-Year-Old Problem

Prepared by Leigh-Anne Galloway
Head of Commercial Research

Cyber R&D Lab Publication
July 7th 2020                     https://www.cyberdlab.com
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
It Only Takes a Minute to Clone a Credit Card

Contents
1.     Summary of Findings ....................................................................................................................... 3
2.     Introduction .................................................................................................................................... 3
3.     Background ..................................................................................................................................... 4
     3.1.     Magnetic Data – Making the Invisible, Visible ........................................................................ 4
     3.2.     Primary Account Number ....................................................................................................... 6
     3.3.     Magnetic Stripe ....................................................................................................................... 7
     3.4.     Service Code .......................................................................................................................... 10
     3.5.     Discretionary Data ................................................................................................................ 10
     3.6.     Card Security Code ................................................................................................................ 10
     3.7.     Threats to Magstripe............................................................................................................. 11
     3.8.     How to Clone a Magstripe Card ............................................................................................ 11
     3.9.     Magstripe and EMV Differences ........................................................................................... 14
     3.10.        Shared Commonalities: Magstripe Equivalent Data in EMV Transactions ....................... 15
4.     Findings ......................................................................................................................................... 16
     4.1.     Scope ..................................................................................................................................... 16
       Example ......................................................................................................................................... 19
     4.2.     Results ................................................................................................................................... 20
     4.3.     Recommendations ................................................................................................................ 22
5.     Conclusion ..................................................................................................................................... 23
6.     References..................................................................................................................................... 23

 Cyber R&D Lab Publication                                                                                                             Page 2 of 24
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
It Only Takes a Minute to Clone a Credit Card

1. Summary of Findings
This research shows how card data from EMV chip and contactless interfaces can be
intercepted and used to create a new magstripe card, which can be used successfully to make
payments. This is possible because of commonalities between magstripe, a fifty-year-old
technology, and EMV standards for chip inserted and contactless transactions.

2. Introduction
It has been fifty years since the introduction of magstripe. In the time that has passed,
technology has changed beyond recognition; the personal computer was invented and made
affordable to the masses. In the early two-thousands, Nokia became synonymous with the
cell phone, selling one hundred and twenty-five million units of the classic Nokia 3310. During
the same period, we saw the rise of the iPod, followed by the tablet, smart watches and, more
recently, IoT devices.
By comparison, payment technology has been marching to the sound of its own drum. Until
the nineteen-nineties, transactions were made in two ways: by taking a carbon copy of the
card’s embossed information or by swiping the magstripe. By the nineteen-nineties,
magstripe had been in circulation for over twenty years which has provided plenty of time for
criminals to figure out its weaknesses. As it turned out, the predominant issue with magstripe
is the ease with which you can clone the card. After all, the card data is encoded in plain text
on the magnetic stripe.
In the nineteen-eighties, French banks began trials with chip enabled smart cards to their own
specification. The rollout of this scheme dramatically reduced the rates of fraud associated
with payments. Seeing this success, international card brands, Europay, MasterCard and Visa,
started developing their own specifications called the EMV specification. EMV set about to
eradicate the ability to clone the card by implementing additional security measures on the
card itself.
While EMV has reduced fraud, it has not done away with the problem all together; skimmers
have evolved along with card specifications, like a game of cat and mouse. A skimmer is a
device that sits between the card and the genuine payment instrument. Skimmers developed
from reading magstripe data to reading data from the chip. Most often found in ATM’s and
gas stations, modern skimmers read information from the chip and store this information for
later use. Criminals use this to create new cards or to sell this information online. If skimmers
are still effective, how is it possible to clone an EMV chip-based card?

 Cyber R&D Lab Publication                                                          Page 3 of 24
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
It Only Takes a Minute to Clone a Credit Card

3. Background
To understand how this works, take a step back in time and look at the first implementation
of electronic card data. If you look at the back of a credit or debit card, you’ll see the black
stripe known as the magnetic stripe.

                  Figure 1. Photo depicting PVC card with magnetic stripe.
The magnetic stripe contains important information that is also represented on the chip of all
modern cards. This information is used for chip inserted transactions and, if the card has NFC
capability, it is also used for contactless transactions. These are types of transactions as
specified by the EMV standards (EMVCo, n.d.)

   3.1.    Magnetic Data – Making the Invisible, Visible

With the help of magnetic particles, we can see the information stored on a card with the
naked eye. You can try this experiment at home. Use gloves, an old credit card and cover the
working surface as it can be hard to remove ferrofluid, and in no way should it be ingested!
Ferrofluid may be purchase from Amazon.com. Alternatively, iron filings will also work for this
experiment, but do not add water. There are commercially available products, such as Q-View
(Magnetic Developer, n.d.). Ferrofluid works just fine with a few adaptions. Ferrofluid comes
in a liquid form and contains microscopic magnetic particles suspended in a fluid. The particles
are combined with a surfactant to create a smooth liquid. Without a surfactant, the magnetic
particles would separate from the liquid solution.

 Cyber R&D Lab Publication                                                          Page 4 of 24
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
It Only Takes a Minute to Clone a Credit Card

                              Figure 2. Photo depicting ferrofluid.

By itself, ferrofluid may have a high viscosity. If at first you do not see any data appear on the
magstripe, then you can add a drop or two of water to the surface of the card using a pipette,
after the Ferrofluid has been applied. Use a paper towel to blot some of the excess liquid
away from the card. In a few moments tiny bars appear as if by magic!

 Cyber R&D Lab Publication                                                           Page 5 of 24
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
It Only Takes a Minute to Clone a Credit Card

   Figure 3. Photo depicting data encoded on Track 1 and Track 2 of the magnetic stripe.

This experiment makes visible the data stored on the back of a card using magnetic encoding.
You can find magnetic storage in use in a lot of places, most commonly in hard drives.

Magnetic encoding works by translating the data to be stored into binary zeros and ones. The
card writer contains an electromagnet. Changing the direction of the electrical current
changes the polarization of the magnet within the electromagnet. As it passes over the
magnetic stripe of the card, the magnet permanently orientates each section of the magnetic
stripe in either a north facing or south facing direction. Each binary zero or one is represented
by a corresponding north facing or south facing magnet. This is why the magnetic stripe looks
like a series of bars when exposed to the ferrofluid. When the card is swiped through a card
reader or payment device, the signal input changes depending on the direction of the magnet
that is being read. The computer reads this information as a zero or a one. Once complete,
the computer translates all the binary information into corresponding alphanumeric values
at the application level.

When looking at the results of this experiment, there will be up to three tracks of information:
Track 1, Track 2 and Track 3. If only two tracks of information are visible, this is perfectly
acceptable. It is common for bank cards to have Track 1 and Track 2 encoded. Track 3 was
intended to be dynamically updated.

   3.2.    Primary Account Number

The front of the card consists of the Primary Account Number (PAN), a start date (optional),
an expiry date, an issue number (optional), the cardholder name and imagery pertaining to
the issuing bank and the card brand.

 Cyber R&D Lab Publication                                                          Page 6 of 24
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
It Only Takes a Minute to Clone a Credit Card

                       Figure 4. Photo depicting embossed card data.
The PAN consists of three key pieces of information. The Issuer Identification number (IIN),
the account number and a check digit. For Visa and MasterCard products, the PAN is 16 digits
long, but it may be up to 19 digits long. The IIN identifies both the card brand and the bank
that issued the card. The account number identifies the owner of the account. Finally, a single
digit acts as a checksum to verify the validity of the PAN. This is calculated using the Luhn
algorithm, with the preceding PAN digits acting as input.
                                             PAN
                      IIN              Account Number             Check Digit
                 Up to 8 digits           1-10 digits               1 digit
          Figure 5. Data elements that make up the Primary Account Number (PAN).

   3.3.    Magnetic Stripe

On the back of the card, there is an area for the cardholder’s signature; next to it, a Card
Security Code (CSC) and above this the magstripe.

 Cyber R&D Lab Publication                                                         Page 7 of 24
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
It Only Takes a Minute to Clone a Credit Card

                Figure 6. Location of encoded tracks on the magnetic stripe.
The magstripe represents much of the same information that can be found in plain text on
the front and back of the card. All magstripe tracks contain the Primary Account Number
(PAN), the expiry date, a service code and discretionary data. When this information is sent
electronically, it is checked against information known to the issuing bank. The magstripe
contains up to three tracks of encoded information. But as Track 3 is no longer frequently
used by financial institutions, this research will only be describing Track 1 and Track 2.
Track 1 contains the PAN, the cardholder name, the expiration date, a service code,
discretionary data and a checksum. Track 2 is almost the same as Track 1, but lacks the
cardholder name. Track 2 is purely numeric, including the checksum. The space allocated for
discretionary data is shorter, and in both Track 1 and Track 2 this information is proprietary
to the issuer.

 Cyber R&D Lab Publication                                                         Page 8 of 24
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
It Only Takes a Minute to Clone a Credit Card

                                                                      Track 1
                                                                                 Expiration       Service       Discretionary                    LRC
     %         B      PAN          ^         Cardholder Name            ^          Date            Code             Data             ?

                                                                                                                                             Longitudinal
                                                                                                                                             Redundancy
                                                                                                                  Remaining                     Check
   Start   Format 19                   2-26 characters                           4 Digits or     3 Digits or      Balance of        End
  Sentinel Code Digits Separator Title.Firstname/Lastname Separator                  ^               ^            Characters      Sentinel   1 Character
                                                        Total = 79 Alphanumeric Characters

                                                    Figure 7. Data elements that form Track 1.

                                                                      Track 2
                                                        Expiration    Service      Discretionary                       LRC
                               ;       PAN      =         Date         code            data                 ?

                                                                                                                   Longitudinal
                                                                                                                   Redundancy
                                                                                   Remaining                          Check
                             Start    19                4 Digits or 3 Digits or    Balance of            End
                            Sentinel Digits Separator       =            =         Characters          Sentinel      1 digit
                                                           Total = 40 Numeric Characters

                                                    Figure 8. Data elements that form Track 2.

Cyber R&D Lab Publication                                                                                                                         Page 9 of 24
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
It Only Takes a Minute to Clone a Credit Card

   3.4.    Service Code

The first digit of the service code describes the interchange value and supported onboard
technology that can be used for alternative transaction methods. This digit determines if the
card can be used internationally, nationally or via predetermined agreements between
issuers (private). This digit can also be used to describe whether the card possesses alternate
technology to complete the transaction, such as Integrated Circuit Card (ICC). It is now
standard to issue a card with ICC functionality, this option exists as a legacy.
The second digit describes the authorization processing indicator value. This specifies if the
card requires explicit authorization from the issuer in order to complete the transaction. If
this value is set to “0,” then authorization can be made without explicit authorization, if the
transaction passes checks made on the terminal.

The third digit describes allowed services and Cardholder Verification Method (CVM)
requirements. This digit describes whether the card may be used at an ATM, for cash and for
which circumstances the cardholder will be prompted for additional verification via PIN.
                                          Service Code
       Digit                        1st                         2nd                   3rd
    Description      Specifies interchange value and       Authorization      Types of services
                           onboard technology               processing         available to the
                                                          indicator value     card product and
                                                                                CVM options

                     Figure 9. Data elements that form the service code.
A common service code is “201.” This indicates that a card that may be used internationally,
processing may be completed without the issuer and no restrictions exist on the type of goods
or services that the card product can be used for. Refer to ISO/IEC 7813:2006 for further
information on available digits and combinations.

   3.5.    Discretionary Data

Discretionary data is reserved for proprietary use by the card issuer. Despite this, it is known
that discretionary data is used to hold information for cardholder verification, card
authenticity and operational decisions. It contains the Card Security Code (CSC) and can
contain the card start date or the card issue number. The length assigned for the discretionary
data is the remaining number of digits once all other information has been subtracted from
the track.

   3.6.    Card Security Code

There are three generations of Card Security Code (CSC), with each card brand using their
own distinct name. Visa calls the CSC the Card Verification Value (CVV). For MasterCard, this
value is called the Card Verification Code (CVC). This is a unique number used to validate the

 Cyber R&D Lab Publication                                                         Page 10 of 24
It Only Takes a Minute to Clone a Credit Card

card. The CSC is calculated using the PAN, expiration date and service code as input. This
information is put through an algorithm to produce the CSC. The CSC is present in both Track
1 and Track 2 of the magstripe within the discretionary data field. This piece of data is critical
to the transaction process and must be checked at the time of authorization to identify
fraudulent transactions. However, there are no requirements for this data to be checked for
card not present, chip inserted or contactless transactions.
The second-generation CSC is called CVV2 (Visa) and CVC2 (MasterCard). This is the
verification value used in ‘card not present’ transactions. Card not present transactions
include those made online and over the phone. This value can be found on the back of the
card. This value remains the same throughout the lifetime of the card and is used to verify
that the cardholder has the card in their possession.

The third-generation card security codes are values used for chip transactions and contactless
transactions. For chip inserted transactions, these are known as iCVV (Visa) and Chip CVC
(Mastercard). For contactless transactions that support magstripe equivalent modes, these
values are dCVV (Visa) and dCVC (MasterCard).

   3.7.    Threats to Magstripe

Magstripe is extremely vulnerable to cloning. It is synonymous with the server attack; a
restaurant server takes the card away to swipe it and a few moments later brings the card
back for the cardholder to sign the check. During that time, there’s a small window when the
card data can be cloned. This is a type of eavesdropping or man-in-the-middle attack, which
uses a second card reader to read track data from the magstripe at the time of payment. This
information is enough to clone the card.
Likewise, lost and stolen cards are vulnerable to cloning. An attacker can clone an expired
card and modify the expiration date to extend the validity of the card. If the service code has
restrictions, this can be altered as well. Cardholder verification is made via signature, making
it relatively simple to pass as the card owner.

   3.8.    How to Clone a Magstripe Card

The process of cloning the magstripe is a simple one. A card reader and writer can be
purchased from Amazon.com for less than $100. This research uses the MSR605.

 Cyber R&D Lab Publication                                                          Page 11 of 24
It Only Takes a Minute to Clone a Credit Card

            Figure 10. Image depicts sales listing for the MSR605 reader/writer.
The MSR605 is a magnetic card reader and writer that plugs into a computer via USB and
comes with prepackaged software for Windows. All that is required it to set it into “read”
mode and swipe a credit or debit card.

             Figure 11. Image depicts the MSR605 plugged into USB interface.

 Cyber R&D Lab Publication                                                       Page 12 of 24
It Only Takes a Minute to Clone a Credit Card

   Figure 12. Image depicts the MSR605 user interface containing data read from a card.

The reader will show the track data encoded onto the magnetic stripe. Select “Write,” and it
will write the data to a new card.

 Cyber R&D Lab Publication                                                       Page 13 of 24
It Only Takes a Minute to Clone a Credit Card

           Figure 13. Image depicts the MSR605 process for writing data to a card.

   3.9.    Magstripe and EMV Differences

EMV was introduced to tackle the security issues associated with magstripe. EMV is bound to
an Integrated Circuit Card (ICC). By design, the chip allows the card to take on much more
functionality than magstripe. This provides much greater assurance that the cardholder
information belongs to the card. Because the chip can compute mathematical functions, the
transaction can be signed using a cryptogram. By contrast, the magstripe is encoded on the
card and can be read by anyone.
For cardholder verification, EMV has the option to use a PIN, and it is increasingly used in
most countries. If the transaction is made online, then the PIN is transmitted to the issuer’s
Hardware Security Module (HSM) using symmetric cryptography, decrypted and verified for
correctness. If the transaction is made offline the PIN is checked by the card. This has some
weaknesses (Murdoch et. al., 2010) but is considerably stronger than magstripe methods.
There are two options for cardholder verification using magstripe, the first is a signature and
the second is a PIN. The signature is compared to the signature on the back of the physical
card, or a form of ID. In all cases, it is trivial to forge. Where a PIN is used, the transaction
needs to be made online. The PIN is transmitted to the issuer for comparison using symmetric
key cryptography.

 Cyber R&D Lab Publication                                                         Page 14 of 24
It Only Takes a Minute to Clone a Credit Card

   3.10. Shared Commonalities: Magstripe Equivalent Data in EMV
         Transactions

Perhaps surprisingly, Track 1 and Track 2 are also present in EMV transactions. These are
referred to as Track 1 equivalent and Track 2 equivalent. Track 2 equivalent differs, but not
significantly, from its original counterpart; data for card expiration date and the discretionary
data must be unique to the transaction mode and the card security code is dynamic. For
contactless transactions, Track 1 equivalent is not used by Visa card products but is used by
MasterCard.
                                      Track 1 Equivalent – EMV Tag 56
          B           PAN               ^       Expiration      ^        Service        Discretionary
                                                  Date                    Code              Data
       Format       19 Digits       Separator    4 Digits   Separator    3 Digits        Remaining
        Code                                                                             Balance of
                                                                                            Digits
                                       Total = 50 Numeric Characters

                   Figure 14. Data elements that form the Track 1 equivalent.

                                   Track 2 Equivalent – EMV tag 57
                PAN             D     Expiration    Service   Discretionary         F
                                         Date        Code          Data
              19 Digits   Separator    4 Digits     3 Digits    Remaining           Optional
                                                                Balance of          Padding if
                                                                  Digits            Required
                                 Total = 40 Alphanumeric Characters

                   Figure 15. Data elements that form the Track 2 equivalent.

 Cyber R&D Lab Publication                                                                  Page 15 of 24
It Only Takes a Minute to Clone a Credit Card

4. Findings
With such a striking relationship between magstripe and EMV, this research questions
whether it is possible to substitute data from one technology type, EMV, and use it to
authorize an entirely different technology (magstripe). The idea is plausible, as there are many
skimmers and shimmers in circulation that record data from EMV chip inserted transactions.
From experience, it is entirely feasible for a hacker to skim card information during a
contactless EMV transaction. This provides two ways of harvesting card data from EMV
transactions, and one practical application, magstripe.

Opposing this idea: It should not be possible to substitute data from one technology and use
it for another. Based on EMV specifications and the ISO/IEC7811-2 standard, EMV data is
unique for every transaction and unlike magstripe data. EMV transactions ought to have
distinct discretionary data and are reliant on a different card security code. Issuers have the
capability to verify the source of discretionary data and should be doing this to identify and
stop fraud.

   4.1.    Scope

To resolve these questions, this research looked at a total of eleven different credit and debit
cards, made up of a mix of Visa and MasterCard. A total of ten different card issuers; seven
cards issued in the UK, three issued in Europe and one in the US. It should be noted that the
US card along with one of the European issued cards do not have an NFC interface that allows
for contactless transactions. This reduces the amount of data that may be harvested.
          Card                  Issuer                 Brand                Country of issue
            1                      1                    Visa                      UK
            2                      2                 MasterCard                   UK
            3                      3                 MasterCard                   UK
            4                      4                    Visa                      UK
            5                      5                 MasterCard                   EU
            6                      6                    Visa                      US
            7                      7                 MasterCard                   UK
            8                      1                 MasterCard                   UK
            9                      8                    Visa                      EU
           10                      9                    Visa                      EU
           11                     10                 MasterCard                   UK

                  Figure 16. Shows cards within the scope of this research.
The methodology for this research is simple, data is to be read from each of the card’s EMV
interfaces along with the magstripe. This information is compared, and any striking
similarities or differences are noted. Next, the value of the CSC is determined for each
interface. This information is substituted for the CSC in the magstripe tracks. It is only
necessary to change this information, as Track 1 and 2 equivalent data is often the same for

 Cyber R&D Lab Publication                                                         Page 16 of 24
It Only Takes a Minute to Clone a Credit Card

Track 1 and Track 2 on the magstripe. In the wild, an attacker would use the full information
harvested from Track 1 and Track 2 equivalent to build a new card.
To read data from the NFC interface, the Android application “Card Reader Pro” was used.

                Figure 17. Depicts the Card Reader Pro interface on Android.
The SCR3310 USB Smart Card Reader along with Python EMV Utilities library by David
Barkhuizen was used to read data from the chip interface.

 Cyber R&D Lab Publication                                                       Page 17 of 24
It Only Takes a Minute to Clone a Credit Card

                  Figure 18. Depicts the SCR3310 USB Smart Card Reader.

To read the encoded tracks on the cards magstripe, the method used is described in the
section titled “How to Clone a Magstripe Card.” The MSR605 was also used to write data to
magstripe cards. Blank cards were purchased online. These can be purchased at a very low
cost: $20 for one-hundred cards. Transactions were made using Mobile Point of Sales (mPOS)
terminals, either using the fallback method or with a dedicated magstripe interface. Fallback
is a process that occurs when the cards fails to be read by the chip inserted method. This can
be achieved by covering the chip with tape or not fully inserting the card. This should be
repeated several times until the terminal prompts for the card to be swiped.

 Cyber R&D Lab Publication                                                        Page 18 of 24
It Only Takes a Minute to Clone a Credit Card

              Figure 19. Depicts mPOS Terminals used as part of this research.

Example

This is an example of readings taken for a Visa card. It should be noted that some of the
readers remove delimiters and the LRC from the output of the track data readings. The first
readings are from the magstripe.

       Track 1:
       %B4716042088430250^MR.P/GREEN^2108201000000000000000222000000?
       Track 2 :4716042088430250=21082010000002220000?
From this it can be determined that the CVV for the magstripe is “222.” Next, readings from
the chip inserted into the SCR3310 reader.
       Track 1 4716042088430250^21082010001000000000387000000
       Track 2 4716042088430250D21082010000013870000F
We can see that the iCVV value is “387” on both tracks. The additional “1” within the
discretionary data may be used for operational purposes.
       Track 1 4716042088430250D21082010000013870000F

Visa does have Track 1 equivalent for contactless data. Again, the iCVV is “387.” Using this
information, we can construct a new card with the values:

       Track 1:
       %B4716042088430250^MR.P/GREEN^2108201000000000000000387000000?

 Cyber R&D Lab Publication                                                        Page 19 of 24
It Only Takes a Minute to Clone a Credit Card

       Track 2 :4716042088430250=21082010000003870000?

              Figure 20. Image depicts the new card value using the MSR605.

   4.2.    Results

Four of the eleven cards allowed for data to be harvested from EMV interfaces and for this
information to be used to create a counterfeit magstripe card and authorize a swiped
transaction. One of these four cards allowed the transaction to be authorized with random
data inserted into the discretionary data. A further two of the four cards allowed for
transactions to be processed with a single track of information. Out of eleven cards, only two
cards use truly unique Track 2 equivalent data for both interfaces. Of the two cards from the
same issuer, one was vulnerable to this type of attack, and the other was not.
       Card             Issuer            Brand            Country of Issue      Vulnerable
        1                  1               Visa                  UK                  Y
        2                  2            MasterCard               UK                  Y
        3                  3            MasterCard               UK                  N
        4                  4               Visa                  UK                  Y
        5                  5            MasterCard               EU                  N
        6                  6               Visa                  US                  N
        7                  7            MasterCard               UK                  Y
        8                  1            MasterCard               UK                  N
        9                  8               Visa                  EU                  N
        10                 9               Visa                  EU                  N
        11                10            MasterCard               UK                  N

 Cyber R&D Lab Publication                                                        Page 20 of 24
It Only Takes a Minute to Clone a Credit Card

Figure 21. Table of results: cards that are vulnerable to cloning EMV interface data for use
                                     on magstripe cards.

Figure 22. Bank statement depicting an approved transaction made using cloned EMV data.

Cyber R&D Lab Publication                                                        Page 21 of 24
It Only Takes a Minute to Clone a Credit Card

       Figure 23. Photo depicting approved transaction made using cloned EMV data.

   4.3.    Recommendations

When a POS or mPOS is used to make a transaction, a POS entry mode code is sent to the
card issuer along with the transaction. This code indicates which type of transaction was
made. Magstripe transactions have a terminal code of “90.” Whereas chip inserted
transactions have an entry code of “95” or “05.” Contactless transactions have the codes “91”
or “07.” This information can be used by the issuer to determine the transaction type, and if
it is supported. If the card issuer supports the transaction type, then the corresponding card
security code can be checked for validity against the entry mode. Implementing this check
prevents the use of cloned cards from other sources.

 Cyber R&D Lab Publication                                                        Page 22 of 24
It Only Takes a Minute to Clone a Credit Card

5. Conclusion
This research shows how card data from EMV chip and contactless interfaces can be
intercepted and used to create a new magstripe card. This is one of the mechanisms by which
skimmers work. This vulnerability exists for several reasons. First, the commonalities between
magstripe and EMV standards for chip inserted and contactless mean that it’s possible to
determine valid cardholder information from one technology and use it for another. Secondly
magstripe is still a supported payment technology, likely because adoption of chip-based
cards has been slow in some geographic regions around the world. Third, although magstripe
is a deprecated technology in many of the countries tested, cloned data is still effective
because it is possible to cause the terminal and card to fallback to a magstripe swipe
transaction. Finally, card security codes, a critical point of card verification, are not checked
at the time of transaction by all card issuers.

6. References
14:00-17:00. (n.d.). ISO/IEC 7813:2006. ISO. Retrieved April 23, 2020, from
     https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/04/33/43317.
     html
A_Guide_to_EMV_Chip_Technology_v2.0_20141120122132753.pdf. (n.d.). Retrieved April
    24, 2020, from https://www.emvco.com/wp-
    content/uploads/2017/05/A_Guide_to_EMV_Chip_Technology_v2.0_20141120122132
    753.pdf
ALG ID Cards® Premium Blank White PVC Cards with Hi-Co Mag Magnetic Stripe | 760
    Micron CR80 (Credit Card Size)—100 Pack: Amazon.co.uk: Office Products. (n.d.).
    Retrieved April 22, 2020, from
    https://www.amazon.co.uk/gp/product/B07KWXVFQY/ref=ppx_yo_dt_b_search_asin_
    title?ie=UTF8&psc=1
Barisani, A., Laurie, A., Bianco, D., & Franken, Z. (n.d.). Chip & PIN is definitely broken.
     43.
barkhuizen, david. (2020). Davidbarkhuizen/py_emv_utils [Python].
     https://github.com/davidbarkhuizen/py_emv_utils (Original work published 2012)
Computers | Timeline of Computer History | Computer History Museum. (n.d.). Retrieved
    April 24, 2020, from https://www.computerhistory.org/timeline/computers/
Credit Card Reader Pro. (n.d.).
     https://play.google.com/store/apps/details?id=com.github.devnied.emvnfccard.pro
EMVCo. (n.d.). EMVCo. Retrieved April 23, 2020, from https://www.emvco.com/

 Cyber R&D Lab Publication                                                         Page 23 of 24
It Only Takes a Minute to Clone a Credit Card

ISO - ISO/IEC 7811-2:2018—Identification cards—Recording technique—Part 2: Magnetic
     stripe: Low coercivity. (n.d.). Retrieved April 9, 2020, from
     https://www.iso.org/standard/73638.html
Magnetic Developer. (n.d.). Retrieved April 23, 2020, from https://www.q-
    card.com/products/magnetic-developers/magnetic-developers/page.aspx?id=1415
Masters, G., & Turner, P. (2007). Forensic data recovery and examination of magnetic swipe
     card cloning devices. Digital Investigation, 4, 16–22.
     https://doi.org/10.1016/j.diin.2007.06.018
Mitigating Fraud Risk Through Card Data Verification. (n.d.). 5.
Murdoch, S. J., Drimer, S., Anderson, R., & Bond, M. (2010). Chip and PIN is Broken. 2010
    IEEE Symposium on Security and Privacy, 433–446.
Radu, C. (2003). Implementing electronic card payment systems. Artech House.
Souppouris, A. (2013, September 3). Nokia: A visual history. The Verge.
    https://www.theverge.com/2013/9/3/4688932/nokia-smartphone-history-in-pictures

 Cyber R&D Lab Publication                                                       Page 24 of 24
You can also read