3

Lets consider that someone skimmed the magnetic stripe of a credit/debit card which also has an emv chip.

Can this info be translated and stored into an emv chip?

And if this is possible, it is supposed that the information on the emv chips is encrypted. Right?

Nikos Tsirakakis
  • 31
  • 1
  • 2
  • @SteffenUllrich This post is too old. I have searched and i have seen that there is an app that converts the magnetic stripe info(track 2) into EMV. – Nikos Tsirakakis Nov 25 '18 at 18:15
  • I very much doubt that. Please provide proof. And regarding too old - EMV did not change between the post and now and the information on the magnetic stripe neither. – Steffen Ullrich Nov 25 '18 at 18:23
  • @SteffenUllrich https://krebsonsecurity.com/2015/04/revolution-crimeware-emv-replay-attacks/ – Nikos Tsirakakis Nov 25 '18 at 23:18
  • This article is not about cloning EMV from magnetic stripe. It is about replaying captured data with some information replaced from the magnetic stripe - and it only worked since the card handling was not properly implemented by the bank. No EMV chips were cloned or otherwise created in this process. – Steffen Ullrich Nov 26 '18 at 05:22

1 Answers1

1

EMV chips can be cloned, but not with only the information present on the mag stripe. EMVs function as a challenge-response system, meaning an EMV authorization is transactionary between the ATM/POS and the card based on a secret stored on the EMV. There are three stages in this process:

  1. Card Authentication - here the card authenticates itself to the ATM/POS
  2. Cardholder Verification - here the cardholder authenticates via PIN or signature (the card is not involved in this step)
  3. Transaction Authorization - where the transaction itself is done

Stages one and three present problems to our would-be skimmer. From the outset, the card has to authenticate itself to the machine. It does this by transmitting an RSA signature back to the machine over selected records.This signature is not going to be on the mag stripe. Once that's done, the transaction needs to be authorized. The ATM/POS sends the card the parameters to the transaction (amount, currency, date, etc.) to the card, which the card then returns signed with the secret, along with an ATC (a ticker that counts the transaction number) and an IAD (information specific to the card issuer). The ATM/POS sends this along to the bank for a green light for the transaction. By design, the secret isn't going to be stored on the stripe, and it would be impossible to store the ATC since that changes with each transaction.

Again, you could do a preplay attack on the chip, or you could take the chip apart and look at it under an electron microscope, but the magnetic stripe isn't going to be enough to mint new chips.

Khang T
  • 36
  • 3