another example of the Credit Card industry's deceptive advertising targeting children
cartoon of the month

Monday, June 20, 2005

Slashdot: Smart Card Hacking

Who says smart cards can't be hacked? Apparently all you need is a 50$ oscilloscope. ;-) rol..

Smart-Card Hacking?
Hardware Hacking
Posted by Cliff on Saturday June 18, @11:45AM
from the what-exactly-do-they-put-on-these-things dept.
W3bbo asks: "With the ever-increasing information being stored on so-called 'Smart-Cards', including credit cards with the chips, how do we know what data is read by stores when you hand over your plastic? Seaching for 'smart-card hacking' just turns up satelite TV piracy websites and virtually nothing for (sort-of) legitimate investigation to our cards. So what methods are available to hack smart-card chips and see what information about us our banks store on our cards?"
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
it's called carding... (Score:4, Informative)
by (410908) on Saturday June 18, @11:56AM (#12851204)
( | Last Journal: Saturday October 30, @06:54PM)
so have a few searches on this term []

Also there is an open source project devoted to reading cards and chips, don't remember the name right now...

Was on slashdot, so have a check 8)
[ Reply to This ]

Re:it's called carding... (Score:5, Informative)
by Mattcelt (454751) on Saturday June 18, @12:56PM (#12851533)
One of the original smart card hacks was done by Ben Jun, Paul Kocher, and Joshua Jaffe, the guys at Cryptography Research [], using a technique called "Differential Power Analysis" which they did with a $50 HP oscilliscope to extract the private key stored on a smart card. You can find the white paper here. []
[ Reply to This | Parent ]
o Re:it's called carding... by pbhj (Score:2) Saturday June 18, @08:32PM
o 1 reply beneath your current threshold.

Kind of Esoteric, But... (Score:5, Informative)
by fuzzybunny (112938) on Saturday June 18, @11:56AM (#12851205)
( | Last Journal: Friday December 12, @08:21AM)
The best way to learn is to latch onto someone who really knows their stuff (which is what I did on a previous project.) If you don't have that luxury, start looking at vendor pages (Schlumberger, ActivCard, Siemens, Utimaco, Gemplus, etc.) and chipset manufacturers (Infineon, Sagem or Giesecke & Devrient for example.)

Depending on how far down you want to dig (do you want to learn about applications? Circuit design? Interfaces? Security issues?) you should probably browse around related manufacturers' pages and related newsgroups. A good example would be looking at PKCS#11-related docs, Entrust implementation docs, the Javacard specifications, how Javacards differ from other implementations, docs on "Open Platform", types of card readers (class 1 through class 4, what is "middleware", how hardware key storage works, etc.)

A lot of card-related documentation and information is strongly vendor-specific, poorly documented and, to be honest, largely irrelevant for someone who wants to learn about it in a not-too-hardcore manner.

If you're professionally seriously interested, I recommend talking to one of the serious pros, such as Jerome Ajdenbaum [] who really know their stuff. For starters, though, a quick google search on "smart card" +documentation turned up a number of good results, including from Microsoft [] (whose card interface for many manufacturers and variants is surprisingly well-written), ,a href=" nce/docs/">Java card docs from Sun, and the Open Card [] platform.
[ Reply to This ]

* Re:Kind of Esoteric, But... by Cthefuture (Score:3) Saturday June 18, @12:26PM
Re:Kind of Esoteric, But... (Score:5, Informative)
by swillden (191260) * on Saturday June 18, @01:05PM (#12851572)

Along with PKCS#11 and Javacard, you should be looking at all the ISO 7816 specifications for technical information.

The ISO 7816 specs are generally not free. You buy them from your national standards body, which in the US is ANSI. It'll cost around $150-$200 to buy the whole set from ANSI.

However, much of the content of the 7816 documents is replicated in the EMV specifications. EMV stands for Europay Mastercard Visa and is a consortium for establishing smart card banking standards, so if you're interested in looking at your bank card chip, that's the more relevant set of documents anyway. You can find all of the EMV documents on-line, free, at the EMVCo web site []. You may still have to acquire some of the 7816 specs (parts 3 and 4 are probably the most important), but the EMV docs contain most of what you need. Word of warning: be prepared to plow through a lot of material. Smart card technology has acquired a lot of complexity through 30 years of incremental enhancements.
[ Reply to This | Parent ]
+ Re:Kind of Esoteric, But... by aminorex (Score:2) Sunday June 19, @02:20AM
o Re:Kind of Esoteric, But... by fuzzybunny (Score:3) Saturday June 18, @01:10PM
o Re:Kind of Esoteric, But... by AdamInParadise (Score:2) Saturday June 18, @04:31PM

Who else finds it funny... (Score:2, Funny)
by Toby_Tyke (797359) on Saturday June 18, @12:21PM (#12851347)
(Last Journal: Monday May 02, @02:43AM)
That the story below this one is "Security Breach Exposes 40M Credit Cards" ?

[ Reply to This ]

No "sort-of" about it... (Score:2)
by Saeed al-Sahaf (665390) on Saturday June 18, @12:59PM (#12851547)
...and virtually nothing for (sort-of) legitimate investigation to our cards...

I think it's important to understand that there is no "sort-of" about it. We have every right to know what information is contained on the cards that we use. Why wouldn't we? What can there possibly be there that is none of our business?
[ Reply to This ]

* Re:No "sort-of" about it... by tengwar (Score:2) Saturday June 18, @03:47PM
o 1 reply beneath your current threshold.
* Re:No "sort-of" about it... by vettemph (Score:1) Saturday June 18, @03:52PM

Maybe this is too obvious... (Score:1)
by WonderSnatch (835677) on Saturday June 18, @01:34PM (#12851739)
Have you tried calling your card company?

[ Reply to This ]

Card security attacks (Score:4, Informative)
by brejc8 (223089) * on Saturday June 18, @01:46PM (#12851787)
( | Last Journal: Sunday November 16, @07:21PM)
These break down to a few different kinds:
Information leaking e.g. power analysis: observe the power consumption of a divide to determine what operations it is executing and what data it is working on. Usually these will only tell you the number of bits which are on in a particular stage. I found the ARM 6 gave a very clear signature of the result of the adder and could determine the number of on bits down to the nearest 2.
Error introduction e.g. clock glitch attack: This is an asynchronous engineers favorite. Basically a method of inserting errors into the processor in a deterministic method. Say the processor stage calculating a compare operation is the worst case path, the attack inserts an early clock forcing the comparison to be incorrectly made. Place this in the "are the checksums correct" code. Usually though these are a little more difficult than that.
Brute force with limited tries e.g. Flash charge pump: So to crack your card it only takes as many attempts as there are pin code combinations. To stop people from just trying out the 10,000 or so combinations the card remembers how many tries you had. Before it writes something to the flash it needs to drive up a charge pump. This is visible using power analysis and at this point you cut the power and try again.

More interestingly why are these not investigated? Well because there is no money for it. The async community has been offering better methods but the companies who make the only get a tiny profit are not inclined to make them any better.
[ Reply to This ]

h1kari did some smart card work: (Score:1)
by undef24 (159451) on Saturday June 18, @02:19PM (#12851940) .ppt []
[ Reply to This ]

Circuit Cellar (Score:1)
by AndroidCat (229562) on Saturday June 18, @05:14PM (#12852787)
Circuit Cellar magazine [] has articles on smart cards, RFID, etc, now and then.
[ Reply to This ]

MUSCLE project (Score:3, Informative)
by sgifford (9982) on Saturday June 18, @07:48PM (#12853469)
Information from the MUSCLE smartcard-on-Linux project be useful: []

[ Reply to This ]

Frighteningly enough (Score:2)
by Dachannien (617929) on Sunday June 19, @04:58AM (#12855287)
There may be a potential DMCA violation involved with doing this, especially if credit card company-issued smart cards contain proprietary copyrighted information on them. In any case, the threat of a lawsuit (whether it's valid or not) may be enough to silence any efforts to figure out what sorts of personally identifiable info is stored on these cards.

[ Reply to This ]

Re:Legitimate Investigation? (Score:3, Insightful)
by FidelCatsro (861135) on Saturday June 18, @12:45PM (#12851470)
(Last Journal: Wednesday June 15, @03:08AM)
1:) finding out what personal data is stored on your card
2:) hacker(traditional meaning) mentality ,Some of us just can shake the urge to explore discover and create.
3:) setting up your own credit card reader to go into bussiness as a manufacturer


Post a Comment

<< Home