Tuesday, September 26, 2006

On Debit Cards

What follows is a technical spiel on debit cards. Not financial networks, not mag stripe technology, not encryption, not ATMs. The cards themselves. Even more specifically, the data on them. Keep in mind there are many standards out there, many different networks. A file dealing with them all would be massive. This is the tale of a Maestro/Cirrus debit card...

This is a brain dump. I've produced it in a couple of hours. There may be a handful of errors and probably plenty of omissions. I certainly haven't edited it carefully. This file is for the curious among you. Don't use it for bad stuff. You will get caught. You will end up with a guilty conscience. You will... Whatever. It isn't up to me to threaten you. This is for the curious, and if you're looking for a fraud how-to, you'll be disappointed. Read and learn.

There are a few security tips you might be interested in throughout. There is certainly plenty of interesting information (at least, I think so). Read on, enjoy, and discuss. PLEASE DISCUSS. I will try to answer your questions, and you might be able to answer mine. Or correct me. Or add to this... Whatever.

Oh, yeah. I should give you this spiel.

PLEASE don't re-publish this. Let me hang onto control of it. I shall always do my best to keep it online. Keep yourself a private copy if you wish, but much of the value here will be the discussion afterwards (if people read it, and bother). I shall attempt to make corrections where necessary, and answer questions. If you are reading this anywhere other than http://kuurnaal.blogspot.com then you should go there to read it.

I do maintain COPYRIGHT over all my work. You may not re-publish it, earn an income from it, or create derivative works from it (or anything else) without my express, in-writing permission. I don't do this to restrict the information; if I wanted to do that, I wouldn't have published it in the first place. I do this to maintain the integrity of the information and keep it up to date. IANAL; this is not all-encompassing. If you're not sure, ask me first. You may exercise all the usual fair-use rights; critique, quote (brief) excerpts, make fun of, and link to this as you wish. Please link to it. Get the information out there; that's your job here. Maintaining the information, publishing, informing, answering questions... that's my job. You do yours, and I'll do mine. Okay? Here you go then.


I've been hunting around the 'net looking for information on mag stripe formats, as commonly used in debit cards. I work in the debit card industry, and so have access to a fair amount of industry-specific information on actual data formats. What I was after, however, was information on reading and encoding hardware for some specific projects I've been working on. While I was poking around, I noticed there was a substantial amount of curiosity regarding the information actually stored on debit cards, and rather a dearth of information. So, here goes.

This information is specific information I have access to regarding the data we put on our cards. However, these cards are Maestro/Cirrus compliant cards, and so this information should apply to a broad range of cards which access the international M/C (most ATMs and EFTPOS terminals worldwide) network.

Just briefly: M/C is Maestro/Cirrus. M/C is a brand (and compliance program, and financial network) owned and operated by MasterCard (MC, without the slash).

Now, the important stuff is on Track 2 (ISO format magnetic stripe cards have 3 tracks). The data consists of a start sentinel (';' character), followed by a (usually 16-digit) card number, followed by an equals sign ('='), followed by a chunk of numeric data, followed by an end sentinel ('?'). Thus, if you swiped your M/C card (look on your bank card for the Maestro and/or Cirrus logos) through a track 2 card reader, you should see data like this:

BBBBBBCCCCCCCCCN is your card number. The six-digit BBBBBB is referred to as the 'BIN'. This is a routing number which allows the M/C network to get the transaction to the Issuing Bank for processing. The nine digits marked 'C' are your actual card number, and the final digit 'N' is the check digit (calculated from the rest of the card number).

Let's look at the BIN for a minute. This can tell you a surprising amount of information about the card. The first digit is a loose 'Industry Code'. It isn't enforced, but is more a guideline which MC follows when issuing BINs to FIs (Financial Institutions).
0 - Reserved / For future assignment
1 - Airlines
2 - Airlines and future assignment
3 - Travel and entertainment
4/5 - Banking and Financial
6 - Merchandising and banking
7 - Petroleum
8 - Telecommunications and future assignment
9 - For assignment by national standards bodies (9 followed by 3-digit country code from ISO 3166)

I believe this list is used for assigning BINs in general, outside of the M/C network, so you will probably find that it applies to a wide range of cards you have.

There are a few 2-digit reservations as well. Of interest:
59 - National only. Numbers beginning with 59 are for local routing on a national system, and will not be routed internationally. If your card starts with this, you cannot use it overseas.

Okay, now for the card number itself. Up to 12 digits, in some rare cases where an issuer has a less-than-6-digit BIN, but generally up to 10 digits. The last digit of these 10 is the check digit. This is calculated using the Luhn formula:
1. Double the value of every second digit, starting with the right-most digit (of the number without its check digit), followed by the 3rd-right-most, and so on. You will get some double-digit values.
2. Take each digit from these doubled values and add them up (if an original digit was, for example, 7, you will get a doubled value of 14, so 1+4). Add to this the sum of the unaffected original digits (the ones you didn't double).
3. Subtract this total from the next highest number ending in 0 to get the check digit (if your total was 66, subtract 66 from 70). If the total ended in 0, your check digit is 0.

So what about that big chunk of data labelled 'X'? That's where it gets interesting.

The first four digits are your expiry date, in 'YYMM' format.

The next digit is the Interchange Designator. A value of 1 indicates availability to International Interchange. A value of 5 indicates availability only in the country of issue, although this may be overridden in some cases. A value of 7 indicates availability for private interchange only (again, with some exceptions) and a value of 9 indicates that the card is a test card only.

Following this is a 2-digit Service Code (this service code is nationally controlled, so the following information may not be accurate for all countries).

The first digit indicates the Authorisation Processing available. This is interesting, because it indicates whether offline transactions are allowed. A value of 0 indicates normal processing (merchant-dependent), while a value of 2 indicates that authorisation must be through the card issuer (no off-line transactions, in theory, although many transaction acquirers ignore this restriction in practice). A value of 4 indicates that off-line transactions may only occur in special circumstances.

A brief note: by 'off-line', I mean that the transaction is not approved on-the-spot by the card issuer. The merchant, the transaction acquirer (the bank who provides the merchant facility), or someone else in between approves the transaction, usually only for low amounts, and the transaction will be routed to the card issuer later.

The second digit of the service code can place certain restrictions on the card. I have listed the available values below.
0 - No restrictions, PIN required
1 - No restrictions
2 - Goods and services only
3 - ATM only, PIN required
4 - Cash only
5 - Goods and services only, PIN required
6 - No restrictions, prompt for PIN if PIN terminal available
7 - Goods and services only, prompt for PIN if PIN terminal available

The remainder of the card data (up to the end sentinel, '?') relates to the PIN number, and this is where things get complicated. If you've been struggling up to this point, stop. Take a break. Read it again. Try to find a card reader and swipe some of your cards through it, and check to see whether it varies anywhere. It might, as there are a lot of different standards out there, lots of different financial networks. Digest. Percolate. Come back later.

Refreshed? Good.

There are a number of schemes for storing the actual PIN data on a card. The one I'm describing here is the VISA PVV (PIN Verification Value) scheme. There are others.

After the service code is the PVKI. The PVK Indicator. The PIN Verification Key Indicator. The Personal Identification Number Verification Key Indicator.

See? I told you to take a break.

This is a number between 0 and 6. The PVK (PIN Verification Key) is an encryption key which your card issuer keeps VERY secret (or at least SHOULD keep very secret). However, because they DON'T always keep them secret enough, they rotate them, and cancel the old ones. When they issue a card, they use one of their current keys, and this number lets them keep track of which one they used for this card.

Then we get four digits. Four measly little digits. You're a privacy nut with a 12-digit PIN? Doesn't matter. Four digits. This number is your PVV, or PIN Verification Value. Yes, another compound acronym.

So, what I foresee is absolute stackloads of comments a la:
1. Plz xplane how do I get the PIN from this number, I lost my PIN and my baby daughter cant get mlik coz I lost my PIN.
2. I am diplomat from forin govment with acess to big bank acount. Is overbil on govment acount. If you being trustworthy businesman can help with changing PIN (make new PVV?) is can give you comission. We are being legal and this is ok in my cuntry. Plz respond asap.

These things are just not feasible. Don't ask. Even if I knew how to, I wouldn't be letting on. It would be the ultimate 0-day... I could make cards to access any bank account I wanted. Heh. Keep dreaming, you little wannabe crims.

So, let's take a good look at the components used to generate the PVV.
1. PIN. If the PIN the user enters at a terminal matches the PIN used to generate the PVV, the PIN check is valid.
2. The rightmost 12 digits of the card number, excluding the check digit. The astute reader will note that this includes PART OF the BIN.
3. The PVK being used to generate this PVV.

These three values are run through a one-way encryption scheme to generate the PVV. The PIN must obviously be a part of it. The PVK is there to ensure security of a card issuer's card base (otherwise anyone could generate this PVV, and thus make a card to access any account in the system). The reason the card number is used is a little more interesting, and not so obvious.

Historically, the card number wasn't used. The PVV (or historical equivalent) was based off a key, and the PIN. The problem? People copied the PVV from THEIR CARD (to which they knew the PIN) over the top of SOMEONE ELSE'S card. Presto. A card which links up to somebody else's account, using your PIN. Game over.

This was a major problem in England and the US in the early days of debit cards.

Okay, so what can we do with this PVV? Pretty much bugger all. The PVK introduces plenty of entropy into the scheme, so don't bother taking your card along to an ATM, changing the PIN a few times, and comparing your PIN and resulting PVV. You won't find a pattern. The card number prevents the above-mentioned exploit. Recovering the key (a double-length DES key) is computationally too intensive for anybody who has to ask about it (I don't care HOW big your botnet is); don't ask. Please.

Okay, I can see the cogs turning. What you do, then, is rotate the PVV on the card, trying all possible PVVs until you match a PIN. Sure, genius. Sit there in front of an ATM with a card reader re-encoding the card until the PIN you're trying works. Except that the account you're trying to access will be blocked after 3 incorrect PIN attempts. So no, this doesn't help you either. Next step? Well, you know how to generate the Luhn check value on card numbers. Pick a fixed PVV, pick a PIN (or two) to try, walk through the valid card numbers in a system until you get a match. Wrong again. Unless you're ATM hopping like crazy, the cops will turn up and arrest you AND your card encoder.

The long and short of debit card fraud is: Don't. Don't bother. Don't risk it. 'Cause it Don't Work. If all you were after is a fraud how-to, thanks for coming. I'm glad I wasted your time. This file is about the search for knowledge.

Speaking of knowledge, here's an interesting little tid-bit about this whole scheme. Your PIN is probably NOT the only one which can access your card. There is not a 1-1 mapping between these 4-digit PVVs and the (usually) 4-digit PIN used to generate it. It's quite possible that there are several PINs which would generate the same PVV. Any of these PINs can be used to access the account. This is not just a theoretical possibility; I have had the opportunity to test it on a live card, and seen two different PINs access the same card account.

Further from that, if you have selected a PIN longer than 4 digits, you may not have made it any harder for somebody to guess your PIN. Why? Because there's a pretty damn good chance that there is a 4-digit PIN which would generate the same PVV as your 12-digit one. There are a good number of PVVs which could not be generated by any 4-digit PIN (10000 possible PVVs, 10000 possible 4-digit PINs, more than one PIN for most PVVs, so roughly half the possible PVVs have no matching 4-digit PIN). However, when you select a longer PIN, there's a good chance you'll get a PVV which can be reached from a 4-digit PIN anyway. That said, there's also a pretty decent chance that you'll need a 5-digit PIN to reach it, and a virtually non-existent chance you'll need a 6-digit PIN. So there's no point having more than 5 digits from a PIN-guessing point of view.
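An added illustration of two points above (why the card number goes into the PVV, and why several PINs share one PVV). It is not code from this article and it is not the VISA PVV algorithm: HMAC-SHA256 with a constructed key stands in for the issuer's one-way scheme, the names toy_pvv, unreachable_pvvs and copied_pvv_acceptance are hypothetical, and every card number is constructed. If the scheme behaves like a random function, about 37% (1/e) of the 10000 PVVs have no 4-digit PIN behind them and almost none lack a 5-digit one.

```python
import hashlib
import hmac

# Constructed stand-in for the issuer's secret PVK; not a real key format.
DEMO_PVK = b"constructed-demo-pvk"


def toy_pvv(pin: str, pan12: str, pvk: bytes = DEMO_PVK, bind_pan: bool = True) -> str:
    """Keyed one-way function squeezed into 4 decimal digits.

    HMAC-SHA256 is an assumption standing in for the real scheme; only the
    shape matters here: secret key + PIN (+ card number) -> 4 digits.
    """
    message = (pan12 + "|" + pin) if bind_pan else pin
    digest = hmac.new(pvk, message.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest, 'big') % 10000:04d}"


def unreachable_pvvs(pan12: str, pin_length: int) -> int:
    """Count 4-digit PVVs that no PIN of the given length produces for this card."""
    reached = {toy_pvv(f"{n:0{pin_length}d}", pan12) for n in range(10 ** pin_length)}
    return 10000 - len(reached)


def copied_pvv_acceptance(pin: str, own_pan12: str, other_pans: list, bind_pan: bool) -> int:
    """Historic flaw: a PVV taken from one card is placed on other cards.

    Returns on how many of the other cards the original PIN would verify.
    """
    copied = toy_pvv(pin, own_pan12, bind_pan=bind_pan)
    return sum(toy_pvv(pin, pan, bind_pan=bind_pan) == copied for pan in other_pans)


if __name__ == "__main__":
    own = "000000000001"                            # constructed card number digits
    others = [f"{n:012d}" for n in range(2, 202)]   # 200 constructed card numbers
    print("PVVs with no 4-digit PIN:", unreachable_pvvs(own, 4))
    print("PVVs with no 5-digit PIN:", unreachable_pvvs(own, 5))
    print("verifies, card number not bound:", copied_pvv_acceptance("1234", own, others, False))
    print("verifies, card number bound:    ", copied_pvv_acceptance("1234", own, others, True))
```

With the card number left out, the copied value verifies on all 200 cards; with it bound in, a match is only the 1-in-10000 coincidence.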

Of course, if somebody is looking over your shoulder, it's gonna be harder for them to see and remember 12 digits than 4, so there is some real benefit. Given my above point about how hard it is to mess with PVVs and PINs, you're almost infinitely more likely to be a victim of some variation of shoulder-surfing than a sophisticated PIN-PVV-Encryption attack, so by all means, go for the longer PIN.

Okay, that just about wraps up the card data. Card number, expiry, interchange, service code, PVKI, PVV. Not that complicated after all, is it?
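The whole layout walked through above, as an added example (not code from the original article): a parser for a track 2 string in this format that applies the three Luhn steps and decodes each field with the tables listed earlier. The sample card number and track data in the test are constructed, and the function names, the 12 to 19 digit card number range and the fixed 6-digit BIN split are assumptions.

```python
import re

# Lookup tables transcribed from the lists in this article.
INDUSTRY = {"0": "Reserved / future assignment", "1": "Airlines",
            "2": "Airlines and future assignment", "3": "Travel and entertainment",
            "4": "Banking and financial", "5": "Banking and financial",
            "6": "Merchandising and banking", "7": "Petroleum",
            "8": "Telecommunications and future assignment",
            "9": "National standards bodies"}
INTERCHANGE = {"1": "international", "5": "country of issue only",
               "7": "private interchange only", "9": "test card"}
AUTHORISATION = {"0": "normal processing", "2": "issuer authorisation only",
                 "4": "off-line only in special circumstances"}
RESTRICTIONS = {"0": "no restrictions, PIN required", "1": "no restrictions",
                "2": "goods and services only", "3": "ATM only, PIN required",
                "4": "cash only", "5": "goods and services only, PIN required",
                "6": "no restrictions, prompt for PIN if PIN terminal available",
                "7": "goods and services only, prompt for PIN if PIN terminal available"}

# ';' card number '=' YYMM, interchange designator, 2-digit service code, PVKI, PVV '?'
# The 12-19 digit range is an assumption; the article says "usually 16".
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d)(\d)(\d)(\d)(\d{4})\?")


def luhn_check_digit(body: str) -> int:
    """Check digit for a card number given WITHOUT its final digit."""
    total = 0
    for position, char in enumerate(reversed(body)):
        digit = int(char)
        if position % 2 == 0:                   # right-most, 3rd-right-most, ...
            digit *= 2
            total += digit // 10 + digit % 10   # e.g. 14 -> 1 + 4
        else:
            total += digit
    return (10 - total % 10) % 10               # distance to next number ending in 0


def parse_track2(raw: str) -> dict:
    """Decode one track 2 string; raises ValueError if the layout does not match."""
    match = TRACK2.fullmatch(raw.strip())
    if match is None:
        raise ValueError("not a track 2 string in the layout described here")
    pan, yy, mm, interchange, auth, restrict, pvki, pvv = match.groups()
    if not 1 <= int(mm) <= 12:
        raise ValueError("expiry month out of range")
    return {
        "bin": pan[:6],                          # assumes the usual 6-digit BIN
        "industry": INDUSTRY[pan[0]],
        "national_only": pan.startswith("59"),   # the '59' reservation
        "check_digit_ok": luhn_check_digit(pan[:-1]) == int(pan[-1]),
        "expiry": (yy, mm),
        "interchange": INTERCHANGE.get(interchange, "unknown"),
        "authorisation": AUTHORISATION.get(auth, "unknown"),
        "restrictions": RESTRICTIONS.get(restrict, "unknown"),
        "pvki": int(pvki),
        "pvki_in_range": int(pvki) <= 6,         # article: a number between 0 and 6
        "pvv": pvv,
    }
```

Raw track 2 contents count as sensitive authentication data under PCI DSS, so a decoder like this belongs in memory only and the input string should never be written to logs.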

Now, if this whole PVK-PVV thing is so secure, why do we keep hearing about debit card fraud? Should I be concerned? Is my cash better off under my pillow?

Well, there's plenty of info out there about this already, and it doesn't need rehashing. If you take the above to be mostly correct, though, you might think I'm some kinda experty-type and want my opinion anyway. If you don't, stop reading. If you do, here it is, in short (well, short-ish, maybe). I'll be sticking to card-based stuff; there are plenty of other threats to your electronic cash I won't go into here.

I'll repeat that. DON'T bitch and moan that I left out phishing attacks and 419 scams. I don't care. I'm sticking to card-based attacks, and if you're dumb enough to give out your card number and PIN to some random email guy (or even to your bank; they don't need your PIN for ANYTHING), that's an IQ attack, not a card attack. Plus, this is my file. I write about whatever I want to.

Types of attacks against YOUR debit card:
1. PVK of your FI (remember, Financial Institution) is leaked, somebody generates a valid PVV.
2. Somebody gets hold of your track 2 data and shoulder-surfs your PIN.
3. Somebody snoops on the data sent out by the EFT terminal/ATM and manages to get both the PIN you entered and your track 2 data.
4. An employee of your card issuer has access to enough parts of the system to create a working card.
5. Some guy holds a knife to your throat and makes you pull cash out of your account using your debit card.

Attack 1. Quite possible, happens all the time to smaller card issuers. They don't have the right security policies in place to safeguard their PVKs properly. It even happens to huge banks from time to time, through policy deficiencies or concerted attacks. There is absolutely nothing you can do to protect yourself from this, but the likelihood that YOUR card issuer is affected will be low. Your card uses one of the 7 available PVKIs, but this doesn't help, because the bank won't be checking that. However, there are absolutely loads of cards in your issuer's system, so even if your issuer is affected, you probably shan't luck out and have YOUR account compromised.

Attack 2. This happens all the time. Most minor breaches are of this sort. Watch out for funny-looking attachments on the card slot of an ATM. Cover the PIN pad VERY well as you enter your PIN. Look out for anything camera-looking which points at the PIN pad (the ATM security camera should be interested in your face, not your fingers). There is a variant to this; there exists a device which will allow you to put your card into the ATM, but will prevent the ATM from ejecting your card. The thief watches you complete your transaction, notes your PIN, and then waits for you to walk away in disgust, thinking the ATM has swallowed your card. He then removes the device, hopes the ATM decides to eject your card now (and hasn't just given up and swallowed it for good), and drains your account. IF AN ATM EVER SWALLOWS YOUR CARD, CALL YOUR CARD ISSUER IMMEDIATELY AND HAVE THE CARD CANCELLED. Do not pass go, do not collect $200, do NOT go have lunch. Cancel the card while you're standing in front of the ATM. Use your mobile, use a payphone, whatever. Your next best option is to stand there for a couple of minutes looking unobtrusive and make sure nobody comes up to collect your hard-earned dosh.

Attack 3. Also worryingly common. Most at risk are franchised chains, because they have a big infrastructure with many stores and a complicated network, but individual franchisees don't have the funds to deal with security properly. They have cheap, under-scrutinised systems passing your transaction at the counter through to a back-end server. This server collates the transactions and passes them through to head office, who has a great bulk-processing deal to get cheap transactions, which you wouldn't get if the bank ran each of your terminals at each site. Sadly, and all too often, PINs are passed in the clear, easily related to the track 2 data of that transaction. Log files are kept on low-security servers. Somebody, somewhere, sees all this data, and helps themselves. What can you do? Keep an eye on your bank balance, and keep your fingers crossed.

Attack 4. I find myself close to this scenario myself. Hey, somebody has to run the servers which run the encryption which runs the debit card platform, and if that guy's too good, he works out how to generate cards for himself, as well as for the customers. Then again, if he's not good enough, he misses a security issue and some other bad guy does it anyway. Sure, PINs and physical cards are meant to be separated, so they arrive separately, through separate systems. Who makes sure they're really separate? How good are your bank's policies? Again, watch your balance. Not much you can do.

Attack 5. Mundane, low-tech, but also, depending on where you live, the greatest risk you face with accessing your money with a card. Doesn't really belong here, but hey. I'm the author, you're my reader. Siddown, Shuddup, and listen. Don't use your card in a poorly-lit back alley late at night when there are three dodgy-looking fellas leaning next to a nearby dumpster (skip, whatever you want to call them) adjusting their weapons-belts. Look for good, well-lit, not-too-quiet ATMs. Have a good look around BEFORE you walk up to it (not after you've wandered up to it and the bad guy knows you have a card you expect to pull cash off). Don't stand there like a dumb-ass, carefully counting your bills, and not paying any attention to your surroundings. Be alert. The world needs more lerts.

Attack 6. Yeah, I know. I said there were 5. Actually, there are plenty more, including all sorts of variants of the above, and I think this one's worth mentioning. Fake ATMs. Yes, ladies and gentlemen, that ATM you stick your card in might not be owned by a bank. It could be owned by the Bad Guys (tm). There have been scams, sometimes involving hundreds of ATMs, in which the ATM has been busy recording PIN and track 2 data. Often the ATM will function for quite some time, without any signs of bad behaviour. You'll walk up, enter your PIN, get your cash. Suddenly, after the ATM has been out there for quite some time, its owner will take all the data they've collected, write it to blank cards, and start walking up to ATMs all over the place and withdrawing money. The ATM is abandoned (the fraud WILL be traced back to the machine), but he's covered the cost of the ATM with his first dozen or so cards, and he probably got hundreds of accounts per machine. What can you do? This leads me nicely into my GENERAL ATM CAUTION.

You know those dodgy little ATMs in the back of convenience stores? The ones which you don't insert your card into at all, but just swipe it through a reader? Don't use them. They aren't bank-owned. They are owned by companies which place all these ATMs out there, have all the transactions sent back to head office, and sell the transactions to banks. They provided a service to the card issuer's customer, so the card issuer pays them a fee. Why should you use them?

Answer me this. Why does the company do this? To provide a service to cardholders? Nope. To make money. To make the most money, they want nice cheap machines, so they get a good ROI. They want cheap links back to head office. They want cheap servers to do the collating, and send the transactions to the banks. Keeping costs down also keeps security down. In addition to being open to attack 6, the dodgy ATM (which is MUCH less likely from a real bank ATM, like the ones on the walls at branches, or the proper bank-branded ones in shopping centres / malls / whatever), you also open yourself up to attack 3. How good are the security policies of the company which placed the ATM? Are these cheap ATMs up to the same standard as the ones the banks shell out for? If the banks are after a profit, just like everyone else, why do they use the more expensive ATMs if the cheap ones are good enough?

There you go. Use your debit card; it's a cool technology, and makes life easier. Plus, you now know a whole bunch more about it. You know its strengths and weaknesses, and what attacks it may suffer. I hope you've found this file interesting and informative.

Yours Curiously,


