Brazil? Ah, I get it...
I was as alarmed as I am sure all of you were to read a story in Computing telling how EMV cards could be cloned with malware. Now, as you might imagine, were this to be true it would be a matter of the highest priority in the world of card issuers. If EMV cards could be cloned (spoiler alert: they can’t) then the whole world of payment cards would collapse. Since my I spend some of my time in that world, yet hadn’t heard anything about this catastrophic turn of events, I was naturally curious as to the accuracy of the report. Delving further into the “news” story, I found the interesting qualification that the fake cards work "on virtually any Brazilian POS system”.
Brazilian POS systems? What? Ah, wait… Now I know that they are talking about. Sadly, this yonks old hack won’t work in most places any more. But it does work in a few remaining places, and Brazil is one of them. Why? Well because Latin America, an early adopter of EMV, is still heavily reliant on "static data authentication chips", which allow the criminals exploiting them to create usable new chip cards with the data that they can extract.
Thus problem isn’t that “EMV cards” can be cloned. They can’t. The problem is the use of Static Data Authentication (SDA) in EMV. We all knew about this many years ago. In fact, although lots of people knew about this, at the time we thought it would have been irresponsible to blog about it, so I put it to one side until stimulated by an enquiry from Brazil, I finally wrote about it back in 2014, explaining in detail what the problem was, how it was fixed and why it was no longer a worry.
So, no need to panic. Having put your mind at rest (unless you are a Brazilian card issuer, in which case my colleagues at Consult Hyperion stand ready to answer your call) I cannot resist re-telling the story that explains what the “malware” does…
Many years ago, when my colleague at Consult Hyperion were testing SDA cards in the UK, we used to make our own EMV cards. To do this, we essentially we took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a chip on it but otherwise completely blank. Since our white plastic do-it-yourself EMV cards could not generate the correct cryptogram (because you can’t get the necessary key out of the chip on the real card, which is why you can’t make clones of EMV cards), we just set the cryptogram value to be “SDA ANTICS” or whatever (in hex). This is what the criminals referred to in the story are doing. Now, if the card issuer is checking the cryptograms properly, they will spot the invalid cryptogram and reject the transaction. But if they are not checking the cryptograms, then the transaction will go through.
You might call these cards pseudo-clones. They act like clones in that they work correctly in the terminals, but they are not real clones because they don’t have the right keys inside them. Naturally, if you make one of these pseudo-clones, you don’t want to be bothered with PIN management so you make it into what is called a “yes card” - instead of programming the chip to check that the correct PIN is entered, you programme it to respond “yes” to whatever PIN is entered.
We used these pseudo-clone cards in a number of shops in Guildford as part of our testing processes to make sure that issuers were checking the cryptograms properly. Not once did any of the Guildford shopkeepers bat an eyelid about us putting these strange blank white cards into their terminals. But I heard a different story from a Brazilian contact. He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this he made a white plastic pseudo-clone card and went into a shop to try it out.
When he put the completely white card into the terminal, the Brazilian shopkeeper stopped him and asked him what he was doing and what this completely blank white card was, clearly suspecting some misbehaviour.
The guy, thinking quickly, told him that it was one of the new Apple credit cards!
“Cool” said the shopkeeper, “How can I get one?”.