MacGyver's Return - An EMV Chip Cloning Case


An EMV chip cloning case

Frank Boldewin (@r3c0nst)


How the story started… (short version)

- In August 2015 I received an encrypted call from an investigative reporter of a German IT magazine.
- Reporter: „I got an offer for software from a guy in the carder scene that is supposed to be able to clone credit card data onto an EMV chip. But I can't get it to work. Interested in taking a look at the case?”
- Me: „Uh, yeah! Sounds interesting. Send me the software and I'll analyze it for you.”

MacGyver's return - An EMV Chip cloning case - Frank Boldewin (@r3c0nst)– Area 41 security conference Zurich/CH 2
Quick websearch revealed first answers…

Digging deeper into carder boards and other black markets revealed more answers…

Prices, available Tools, working BINLists…

Hunting on VirusTotal revealed that tools for cloning credit card data onto EMV chips are as plentiful as sand on the seashore.

So what hardware is needed to clone a credit card?

- JCOP21-36 Java-based smart cards
- OMNIKEY 3121 card writer

Price: around 20 Euros

Counterfeit credit cards - professional style (photos: card printer, cloned card)

The analysis target: SDA EMV Chip Writer

- Script Type: 4 supported card types
- Delete: purge all Java smart card applications on the EMV chip
- Format: prepare the chip
- Save Track: write all necessary data to the chip
- Name + Track2 number fields, e.g. from cc dumpz

Status after deleting, formatting and saving track data to the EMV chip

Findings so far….

- The first steps are the deletion and formatting of the chip
- After filling the name and track2 fields we can save the data to the chip
- A hidden directory called C:\Windowr is created, containing the following files:
  - Several GPShell files (needed to communicate with the chip)
  - APDU.DLL, which is in fact a text file containing GPShell commands to send APDUs to the chip
  - MacGyver.cap, a Javacard applet that needs to be reverse engineered to find out what exactly it does

Network communication when trying to write to the chip

After selecting the „Save Track to JCOP chip“ feature, the tool secretly tries to send the Track2 data to a server on the internet. If this fails, the tool crashes. That is why the reporter could not get it working!
- Patching the assembly code made it work.

Reversing the code…

Password to extract the PE resource „DRV“, which contains the APDUs, GPSHELL binaries and commands for communication with the Java smart card

Understanding the terminal <-> EMV chip communication via Application Protocol Data Units (APDU)

Command APDU:

    | HEADER          | BODY        |
    | CLA INS P1 P2   | Lc DATA Le  |

Response APDU:

    | BODY  | STATUS WORD |
    | DATA  | SW1 SW2     |

CLA: Class byte, defines the command class, e.g. whether secure messaging is used or not
INS: Instruction byte, indicates the instruction code
P1-P2: Parameter bytes of the instruction code
Lc: Number of bytes in the data field
Data: Field with data
Le: Max. number of bytes expected in the data field of the next response APDU
SW: Status word of the applet; the applet reports results and exceptions to the reader via SWs
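To make the layout above concrete, here is a small parser for short-form command and response APDUs, written in Python as an added example (it is not code from the talk or from any of the tools discussed). It builds the SELECT-by-AID command for the PSE name 1PAY.SYS.DDF01 that appears later in this deck, parses it back into its fields, and decodes the status word of a response. The response bytes and the status-word table are constructed from the ISO 7816-4 common values, not captured from a card.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Status words a reader should recognise (ISO 7816-4 / EMV common values).
STATUS_WORDS = {
    0x9000: "OK",
    0x6A82: "file or application not found",
    0x6982: "security status not satisfied",
    0x6D00: "instruction not supported",
}


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None  # None: no response data expected


def parse_command_apdu(raw: bytes) -> CommandAPDU:
    """Split a short-form command APDU into header and body fields.

    The four ISO 7816-4 cases are told apart purely by the body length,
    which is also why a bogus Lc is detectable before anything is sent."""
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                   # case 1: header only
        return CommandAPDU(cla, ins, p1, p2)
    if len(body) == 1:                             # case 2: Le only (00 means 256)
        return CommandAPDU(cla, ins, p1, p2, le=body[0] or 256)
    lc = body[0]
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("Lc announces more data bytes than are present")
    tail = body[1 + lc:]
    if not tail:                                   # case 3: Lc + data
        return CommandAPDU(cla, ins, p1, p2, data)
    if len(tail) == 1:                             # case 4: Lc + data + Le
        return CommandAPDU(cla, ins, p1, p2, data, tail[0] or 256)
    raise ValueError("unexpected bytes after Le")


def parse_response_apdu(raw: bytes) -> Tuple[bytes, int]:
    """Return (data, status word); SW1 SW2 are always the last two bytes."""
    if len(raw) < 2:
        raise ValueError("response APDU needs at least SW1 SW2")
    return raw[:-2], int.from_bytes(raw[-2:], "big")


def describe_sw(sw: int) -> str:
    return STATUS_WORDS.get(sw, f"unknown status word {sw:04X}")


def build_select_by_aid(aid: bytes) -> bytes:
    """SELECT by name: CLA 00, INS A4, P1 04, P2 00, Lc, AID, Le 00 (ask for the FCI)."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


if __name__ == "__main__":
    cmd = build_select_by_aid(b"1PAY.SYS.DDF01")
    print(cmd.hex(), parse_command_apdu(cmd))
    # Constructed response: an empty FCI template (6F 00) followed by SW 9000.
    data, sw = parse_response_apdu(bytes.fromhex("6f00") + bytes.fromhex("9000"))
    print(data.hex(), describe_sw(sw))
```

The hex the builder produces for the PSE (00a404000e315041592e5359532e444446303100) matches the AID bytes the GPShell script in this deck later deletes, so the two views of the same object can be checked against each other.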

Understanding the EMV filesystem

MF: Master file, contains the ICC serial number, access control keys, the card's general PIN etc.
ADF: Application definition file, data container referenced with an AID, encompasses one or more AEFs
AEF: Application elementary file, linear variable file containing information of a card application
DDF: Directory definition file, encompasses a group of related ADFs
SFI: Short file identifier, AEFs are referenced by SFIs, can be 1-30
PSE: Payment system environment, special DDF for grouping payment applications

EMV cryptography – Authentication standards 1/2

- SDA - Static Data Authentication
  - Terminal creates a hash of important data on the card
  - Reads the digital signature from the card, which contains the hash of the same data signed by the issuer, and compares these hashes
  - If the signature is valid, the data on the card has not been tampered with
- DDA - Dynamic Data Authentication
  - Terminal creates a random number and sends it to the card
  - Card uses its private key to sign the random number and sends it back
  - Terminal can check the signature using the card's public key to make sure the card holds the right private key
- CDA - Combined Data Authentication
  - Combines DDA card authentication with the transaction approval decision

EMV cryptography – Authentication standards 2/2

- ARQC - Authorization Request Cryptogram
  - An ARQC is a digital signature on the financial transaction
  - Assures that the message originates from the source it claims to be from and that the contents of the message have not been altered
  - ARQC generation:
    - Card + session key derivation
    - Preparation of payment data
    - Encryption / hashing gives the ARQC
  - The ARQC can only be decrypted by the owner of the secret key (usually the bank)
- Online/Offline transaction decisions
  - The terminal decides whether the transaction is done online or offline, depending on the terminal's configuration and the amount of money being processed
  - The online/offline decision must be confirmed by the card (reject or accept)
  - The card cannot request an offline payment if the terminal requires an online payment

SDA EMV Chip Writer features under the hood 1/3
GPSHELL commands to delete the default VISA PSE

    mode_211
    enable_trace
    establish_context
    card_connect
    select -AID a000000003000000                  <- VISA card manager
    open_sc -scp 2 -scpimpl 0x15 -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f   <- secure channel key
    get_status -element 20
    delete -AID 315041592e5359532e4444463031      <- PSE (1PAY.SYS.DDF01)
    card_disconnect
    release_context

SDA EMV Chip Writer features under the hood 2/3
GPSHELL commands to install MacGyver.cap as counterfeit VISA PSE

    mode_211
    enable_trace
    establish_context
    card_connect
    select -AID a000000003000000
    open_sc -scp 2 -scpimpl 0x15 -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
    install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4
    card_disconnect
    release_context

SDA EMV Chip Writer features under the hood 3/3
GPSHELL commands to generate a VISA card

Some annotated fields within the APDU data being sent to the Java smart card, generating a VISA SDA card

Smart Card Shell script to dump the full content of the cloned VISA card data

Dumped data of the cloned VISA card

Preferred language order:
1. PT = Portuguese
2. EN = English
3. ES = Espanol
4. IT = Italian

Also annotated in the dump: Primary Account Number (PAN)

Java Smartcard structure

Layers, top to bottom: Applet 1 / Applet 2, Class Library, Java Framework, Java Card VM, OS + native functions

- Applets: Java applications with a unique Application Identifier (AID) for each app. Example usage: healthcare, credit cards, access control etc.
- Class Library: API class library that supports the applets and assists with filesystem and security services.
- Java Framework: API to support inter-app communication, loading services for applets and assisting I/O. Takes care of the ISO 7816 chip card standard.
- Java Card VM: Because of limited resources only a small Java VM with a reduced instruction set. The bytecode sometimes differs from Java bytecode.
- OS + native functions: Deal with I/O, memory access, app loading services and cryptography.

Reverse engineering MacGyver.cap 1/3

The main .CAP file can easily be unzipped. The underlying .CAP files contain class, directory, descriptor infos etc.

Reverse engineering MacGyver.cap 2/3

- The most important file is Method.cap, containing the Java smart card bytecode
- To decompile the bytecode to human-readable Java code, 3 steps are needed:
  1. Generating JASMIN (JVM assembler) code from the Java smart card bytecode (small Python script)
  2. Generating a class file from the assembly code using JASMIN
  3. Decompiling the class file with the JVM bytecode decompiler CFR

Parsecap.py generates the JASMIN code

Reverse engineering MacGyver.cap 3/3

The decompiled MacGyver.cap including some annotations

This code is responsible for accepting every entered PIN as correct, aka a YES-Card application.

POS Terminal PIN Check of a cloned card

- The POS terminal asks the card application (MacGyver.cap) whether PIN authentication was correct or not. MacGyver.cap accepts every PIN and tells the terminal it was correct in any case.
- ATMs use online verification to check the PIN, so MacGyver.cap is useless there.

Attack Sequence of cloned card

Exchange between the POS terminal and the cloned card:
1. Select application
2. Send fake SDA data
3. POS sets TAC code C8000000 to request an online authentication
4. Card selects SDA mode
5. Request a PIN check
6. MacGyver.cap sends „PIN OK“ in any case
7. ARQC request
8. Send fake ARQC

Lessons learned…

- The attack does not work as long as the ARQC and the transaction counter are verified properly online. Banks that implement the EMV standard incorrectly are vulnerable.
- Fraud detection may help if used credit card numbers or vulnerable BINs are verified against blacklisted cards.
- Known vulnerable Bank Identification Numbers (BINs) have been identified in India, Brazil, Mexico, Korea, Japan, several Arabian countries and some banks in the USA.
- SDA is still being used by several card providers, as the price difference between an SDA and a DDA card is in the range of $0.50 - $1.00.
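The first lesson, as an added example that is not part of the talk: a simulated issuer host that verifies the ARQC and the Application Transaction Counter (ATC) online, which is exactly the check the fake ARQC in step 8 of the attack sequence cannot pass. The session-key derivation and the cryptogram use HMAC-SHA256 as a deliberately simplified stand-in for the 3DES/AES schemes of the EMV specifications; the PAN, card master key and transaction fields are constructed placeholders. What matters is the decision logic: a cryptogram not produced with the card's master key is rejected, and so is a genuine cryptogram replayed with an ATC that did not move forward.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Simplified stand-in for EMV session-key derivation: bind the key to this ATC."""
    return hmac.new(master_key, b"ATC" + atc.to_bytes(2, "big"), hashlib.sha256).digest()


def encode_transaction(amount_cents: int, currency: str,
                       unpredictable_number: bytes, atc: int) -> bytes:
    """Data the cryptogram covers (a real terminal feeds the CDOL1 fields here)."""
    return b"|".join([str(amount_cents).encode(), currency.encode(),
                      unpredictable_number.hex().encode(), str(atc).encode()])


def compute_arqc(master_key: bytes, atc: int, tx: bytes) -> bytes:
    """What a genuine card does: MAC the transaction with the ATC-bound session key.
    Truncated to 8 bytes like a real cryptogram."""
    return hmac.new(derive_session_key(master_key, atc), tx, hashlib.sha256).digest()[:8]


class IssuerHost:
    """Issuer-side online authorization: knows every card's master key and last ATC."""

    def __init__(self) -> None:
        self._master_keys: Dict[str, bytes] = {}
        self._last_atc: Dict[str, int] = {}

    def issue(self, pan: str, master_key: bytes) -> None:
        self._master_keys[pan] = master_key
        self._last_atc[pan] = 0

    def authorize(self, pan: str, atc: int, tx: bytes, arqc: bytes) -> Tuple[bool, str]:
        master_key = self._master_keys.get(pan)
        if master_key is None:
            return False, "unknown PAN"
        # A clone that copied static data also copied a stale counter value;
        # an ATC that does not increase is a replay or a cloned counter.
        if atc <= self._last_atc[pan]:
            return False, "ATC not increasing (replay or cloned counter)"
        expected = compute_arqc(master_key, atc, tx)
        if not hmac.compare_digest(expected, arqc):
            return False, "ARQC mismatch (cryptogram not produced with card key)"
        self._last_atc[pan] = atc
        return True, "approved"


# Constructed test data: placeholder PAN and card master key, not real values.
TEST_PAN = "TEST-PAN-0001"
TEST_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    host = IssuerHost()
    host.issue(TEST_PAN, TEST_MASTER_KEY)
    # 1. Genuine card, fresh ATC: accepted.
    tx1 = encode_transaction(1999, "EUR", bytes.fromhex("deadbeef"), 7)
    genuine = host.authorize(TEST_PAN, 7, tx1, compute_arqc(TEST_MASTER_KEY, 7, tx1))
    # 2. Same cryptogram replayed with the same ATC: rejected on the counter.
    replay = host.authorize(TEST_PAN, 7, tx1, compute_arqc(TEST_MASTER_KEY, 7, tx1))
    # 3. Clone without the master key sends an arbitrary 8-byte "ARQC": rejected.
    tx2 = encode_transaction(500, "EUR", bytes.fromhex("01020304"), 8)
    fake = host.authorize(TEST_PAN, 8, tx2, bytes(8))
    return genuine, replay, fake


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The two rejection branches are independent on purpose: the counter check catches a card whose static data was copied together with an old ATC, and the MAC check catches any card that never held the issuer's key, so an issuer that skips either one leaves a gap the slide describes.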

BINList service to identify vulnerable banks derived from cloned cards

The SDA EMV Chip Writer tool used previously sniffed SDA information from a valid Caixa Bank card in Brazil to clone cards. Only some fields like the Track2 data are adjusted by the tool.

The End!

Thanx to my friend and co-researcher of this case Tillmann Werner!
