
Banks vs the Smart Card Detective

Danny | 28.12.2010 12:48 | Other Press | Technology

Banks are trying to censor a Master of Philosophy thesis from Cambridge University student Omar Choudary, showing how to avoid scams. The banks claim this is a security threat in itself. The university are intent on keeping his work on their website, and it remains on Choudary's, but the banks have a history of successfully covering up and ignoring security flaws to protect their reputations. I think it is useful for as many people and sites as possible to download and republish this information while it is still available.

I haven't verified any of the thesis; that will take quite some time, and I don't want to spell out implications that aren't obvious. I think publishing it here is justified solely from the fact the university are trying to protect it and the banks are trying to censor it. Maybe you know someone technical enough to find it very useful, or maybe you didn't even know you were at risk of being shown one price for a transaction when a different price was charged.

Banks attempt to censor student thesis

Banks attempt to suppress maths student's exposé of chip and pin

The Smart Card Detective (SCD)

The SCD is a card-size device that can intercept, monitor and modify the data of an EMV transaction (EMV is the protocol used in Europe for smartcard payments). This device and the associated software are the result of my MPhil project. The main goal of the SCD was to offer a trusted display for anyone using credit cards, to avoid scams such as tampered terminals which show an amount on their screen but debit the card another (usually larger) amount.

However, the final result is a more general and open EMV framework that can basically do anything a card or a terminal might do. That is, the SCD can act as either a card or a terminal (or even a CAP device), and it can relay, monitor and modify a transaction between a card and a terminal.

We have successfully tested the SCD with many CAP readers and terminals. Among the applications implemented, I mention: confirmation of the requested amount before authorising a transaction, logging of transaction data, PIN modification. We have also been able to test the No PIN vulnerability using the SCD. There is also a French reportage on this.

The hardware consists of an ATMEL AT90USB1287 microcontroller, with several features: 3 power supplies (USB, DC, battery), ISP, USB and JTAG connectors, 2 ISO-7816 (smartcard) interfaces. Most of the software (targeted for the AVR architecture) is written in C with some small parts in assembler.

All the details about the SCD can be found in my MPhil thesis.

I give free access to all the software and hardware files for personal and research purposes (files below). For any commercial purposes please contact me. I also mention that the code used to implement the No PIN vulnerability is NOT available, although I provide all the functionality for any EMV transaction. My aim is to make the SCD an open framework for research on EMV. I will be updating the software as necessary and even the hardware can be modified, so any comments are more than welcome. Please give it a try and send me some feedback. If you need help in building the hardware get in touch with me.

News (20/12/2010): the new version (2.2) of the software includes the code for a terminal application. The SCD can now be used as a terminal.

Support for T=1 protocol is under development.

DISCLAIMER: I am not responsible for any damage or prejudice caused by using the software or hardware provided in these pages. Please use the information provided at your own risk.
All the files below are provided under the GNU GPL license.

Hardware files
SCD schematic v2.0 [SCD_PCB_v2.sch]
SCD library for Eagle [SCR.lbr]
SCD gerber files v2.0 []
ISO7816 ID-1 probe schematic [ICC.sch]
ISO7816 ID-1 probe gerber files []
Farnell basket for SCD components [scd_farnell_basket.csv]

Software files
source code v2.2 (includes terminal application) [scd_avr_v2_2.tgz]
source code v2.0 [scd_avr_v2_0.tgz]

Doxygen API for v2.2 [ ]
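The SCD text above describes its original purpose as a trusted display: confirming the amount the terminal really asks the card to authorise, rather than the amount the terminal chooses to show on its screen. The following is an added example written for this repost, not code from the SCD sources or from Choudary's thesis, showing the decoding step such a device has to perform. In EMV the data field of the GENERATE AC command is not tagged; it is the concatenation of the values listed in the card's CDOL1 (tag 8C), so the device parses CDOL1 to learn where Amount, Authorised (tag 9F02, six bytes of packed BCD in minor units) and the Transaction Currency Code (tag 5F2A) sit, then decodes them for the cardholder. The CDOL1 and command bytes are constructed sample data, not a captured transaction, and the function names are this example's own.

```c
/* Added illustration for this repost: decode the amount a terminal asks the
 * card to authorise, as a trusted display would show it.  Not SCD code.
 * SAMPLE_CDOL1 and SAMPLE_GENAC_DATA below are constructed bytes, not a
 * real captured transaction. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TAG_AMOUNT_AUTHORISED 0x9F02u   /* n12 BCD, minor units */
#define TAG_CURRENCY_CODE     0x5F2Au   /* n3 BCD, ISO 4217 numeric */

/* Constructed CDOL1: 9F02 06  9F03 06  9F1A 02  95 05  5F2A 02  9A 03  9C 01  9F37 04 */
const uint8_t SAMPLE_CDOL1[] = {
    0x9F,0x02,0x06, 0x9F,0x03,0x06, 0x9F,0x1A,0x02, 0x95,0x05,
    0x5F,0x2A,0x02, 0x9A,0x03,     0x9C,0x01,      0x9F,0x37,0x04
};

/* Constructed GENERATE AC data laid out exactly as SAMPLE_CDOL1 demands. */
const uint8_t SAMPLE_GENAC_DATA[] = {
    0x00,0x00,0x00,0x01,0x50,0x00,  /* 9F02 Amount, Authorised = 150.00      */
    0x00,0x00,0x00,0x00,0x00,0x00,  /* 9F03 Amount, Other (cashback) = 0      */
    0x08,0x26,                      /* 9F1A Terminal Country Code            */
    0x00,0x00,0x00,0x00,0x00,       /* 95   Terminal Verification Results    */
    0x08,0x26,                      /* 5F2A Transaction Currency Code = 826  */
    0x10,0x12,0x20,                 /* 9A   Transaction Date (YYMMDD)        */
    0x00,                           /* 9C   Transaction Type (purchase)      */
    0xDE,0xAD,0xBE,0xEF             /* 9F37 Unpredictable Number             */
};

/* Read one BER tag from a Data Object List (EMV uses 1- or 2-byte tags:
 * a second byte follows when the low five bits of the first are all set).
 * Returns 0 if the list is truncated. */
static unsigned read_tag(const uint8_t *dol, size_t len, size_t *pos)
{
    if (*pos >= len) return 0;
    unsigned tag = dol[(*pos)++];
    if ((tag & 0x1F) == 0x1F) {
        if (*pos >= len) return 0;
        tag = (tag << 8) | dol[(*pos)++];
    }
    return tag;
}

/* Walk the DOL, summing field lengths, to find want_tag's value inside the
 * untagged command data.  NULL if absent or if the data is shorter than the
 * DOL requires (a display must refuse rather than guess in that case). */
static const uint8_t *dol_find(const uint8_t *dol, size_t dol_len,
                               const uint8_t *data, size_t data_len,
                               unsigned want_tag, size_t *out_len)
{
    size_t p = 0, off = 0;
    while (p < dol_len) {
        unsigned tag = read_tag(dol, dol_len, &p);
        if (tag == 0 || p >= dol_len) return NULL;   /* no length byte */
        size_t vlen = dol[p++];
        if (off + vlen > data_len) return NULL;      /* truncated data   */
        if (tag == want_tag) { *out_len = vlen; return data + off; }
        off += vlen;
    }
    return NULL;
}

/* Packed BCD to integer; -1 if any nibble is not a decimal digit. */
static long long bcd_to_int(const uint8_t *v, size_t len)
{
    long long acc = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned hi = v[i] >> 4, lo = v[i] & 0x0F;
        if (hi > 9 || lo > 9) return -1;
        acc = acc * 100 + hi * 10 + lo;
    }
    return acc;
}

/* Amount, Authorised in minor units (e.g. pence), or -1 when undecodable. */
long long amount_from_generate_ac(const uint8_t *dol, size_t dol_len,
                                  const uint8_t *data, size_t data_len)
{
    size_t n;
    const uint8_t *v = dol_find(dol, dol_len, data, data_len,
                                TAG_AMOUNT_AUTHORISED, &n);
    return (v && n == 6) ? bcd_to_int(v, n) : -1;
}

/* Transaction Currency Code as a number (826 = GBP), or -1. */
long long currency_from_generate_ac(const uint8_t *dol, size_t dol_len,
                                    const uint8_t *data, size_t data_len)
{
    size_t n;
    const uint8_t *v = dol_find(dol, dol_len, data, data_len,
                                TAG_CURRENCY_CODE, &n);
    return (v && n == 2) ? bcd_to_int(v, n) : -1;
}

int main(void)
{
    long long minor = amount_from_generate_ac(SAMPLE_CDOL1, sizeof SAMPLE_CDOL1,
                                              SAMPLE_GENAC_DATA, sizeof SAMPLE_GENAC_DATA);
    long long cur = currency_from_generate_ac(SAMPLE_CDOL1, sizeof SAMPLE_CDOL1,
                                              SAMPLE_GENAC_DATA, sizeof SAMPLE_GENAC_DATA);
    if (minor < 0 || cur < 0) {
        puts("Cannot decode requested amount; do not authorise.");
        return 1;
    }
    /* This is the figure the cardholder should compare with the terminal's screen. */
    printf("Terminal requests %lld.%02lld (currency %03lld). Confirm?\n",
           minor / 100, minor % 100, cur);
    return 0;
}
```

The point of splitting by CDOL1 rather than scanning for the bytes `9F 02` is that the command data carries no tags at all; only the card's own CDOL1 says where the amount lives, which is why a display in the card slot can decode it reliably while the terminal's screen can say anything.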
