The Smart Card Detective: a hand-held EMV interceptor

October 19th, 2010 at 15:21 UTC by Omar Choudary

During my MPhil at the Computer Lab (supervised by Markus Kuhn) I developed a card-sized device, the Smart Card Detective (SCD for short), that can monitor Chip and PIN transactions. The main goal of the SCD was to offer a trusted display to anyone using credit cards, to avoid scams such as tampered terminals that show one amount on their screen but debit the card a different one (see this paper by Saar Drimer and Steven Murdoch). However, the final result is a more general device, which can be used to analyse and modify any part of an EMV (the protocol used by Chip and PIN cards) transaction.

Using the SCD we have successfully shown how the relay attack can be mitigated by showing the real amount on the trusted display. Furthermore, we have tested the No PIN vulnerability (see the paper by Murdoch et al.) with the SCD. A report on this was shown on Canal+ (video now available here).

After the “Chip and PIN is broken” paper was published, some counter-arguments referred to the difficulty of setting up the attack. The SCD can also show that such assumptions are often incorrect.

More details on the SCD are in my MPhil thesis, available here. Just as important, the software is open source and, along with the hardware schematics, can be found on the project’s page. The aim is to make the SCD a useful tool for EMV research, so that other problems can be found and fixed.

Thanks to Saar Drimer, Mike Bond, Steven Murdoch and Sergei Skorobogatov for their help with this project. Thanks also to Frank Stajano and Ross Anderson for their suggestions on the project.
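
The trusted-display idea described in this post, as an added example (not code from the SCD project or the thesis): a device sitting between card and terminal can recover the amount the card is actually asked to authorise from the GENERATE AC command, using the CDOL1 the card supplied earlier in the transaction. The function names and sample bytes are constructed for illustration, and one-byte DOL lengths and tags of at most two bytes are assumed.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed sample, not from a real card: CDOL1 = 9F1A(2) 9F02(6) 5F2A(2) 9F37(4) */
static const uint8_t SAMPLE_CDOL1[] = {0x9F,0x1A,0x02, 0x9F,0x02,0x06, 0x5F,0x2A,0x02, 0x9F,0x37,0x04};
/* Constructed GENERATE AC: 80 AE 80 00 Lc=0E | 0826 | 000000001250 | 0826 | 11223344 | Le */
static const uint8_t SAMPLE_APDU[] = {0x80,0xAE,0x80,0x00,0x0E, 0x08,0x26,
    0x00,0x00,0x00,0x00,0x12,0x50, 0x08,0x26, 0x11,0x22,0x33,0x44, 0x00};

/* Read a 1- or 2-byte EMV tag; returns bytes consumed, 0 on error. */
static size_t read_tag(const uint8_t *p, size_t left, uint32_t *tag) {
    if (left < 1) return 0;
    *tag = p[0];
    if ((p[0] & 0x1F) != 0x1F) return 1;       /* single-byte tag */
    if (left < 2 || (p[1] & 0x80)) return 0;   /* longer tags not handled here */
    *tag = ((uint32_t)p[0] << 8) | p[1];
    return 2;
}

/* Walk a DOL (tag, length pairs); report where `wanted` sits in the command data. 0 = found. */
int dol_find(const uint8_t *dol, size_t n, uint32_t wanted, size_t *off, size_t *len) {
    size_t i = 0, pos = 0;
    while (i < n) {
        uint32_t tag;
        size_t t = read_tag(dol + i, n - i, &tag);
        if (t == 0 || i + t >= n) return -1;   /* truncated or malformed entry */
        if (tag == wanted) { *off = pos; *len = dol[i + t]; return 0; }
        pos += dol[i + t];
        i += t + 1;
    }
    return -1;
}

/* Amount, Authorised (tag 9F02, 6-byte packed BCD) in minor units from GENERATE AC; -1 on error. */
long long generate_ac_amount(const uint8_t *apdu, size_t apdu_len,
                             const uint8_t *cdol1, size_t cdol1_len) {
    size_t off, len;
    long long v = 0;
    if (apdu_len < 5 || apdu[0] != 0x80 || apdu[1] != 0xAE || apdu_len < 5u + apdu[4]) return -1;
    if (dol_find(cdol1, cdol1_len, 0x9F02, &off, &len) != 0 || len != 6 || off + len > apdu[4]) return -1;
    for (size_t i = 0; i < len; i++) {
        uint8_t hi = apdu[5 + off + i] >> 4, lo = apdu[5 + off + i] & 0x0F;
        if (hi > 9 || lo > 9) return -1;       /* not valid BCD */
        v = v * 100 + hi * 10 + lo;
    }
    return v;
}

int main(void) {  /* exit status 0 when the constructed sample decodes to 1250 (i.e. 12.50) */
    return generate_ac_amount(SAMPLE_APDU, sizeof SAMPLE_APDU, SAMPLE_CDOL1, sizeof SAMPLE_CDOL1) != 1250;
}
```

The value returned here is what a trusted display would show for the cardholder to compare against the terminal's screen before entering the PIN.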

Entry filed under: Banking security, Hardware & signals, Protocols, Security engineering

7 comments

  • 1. chip  |  October 30th, 2010 at 22:33 UTC

    Why has Ross Anderson got such a chip and pin on his shoulder?

  • 2. John  |  November 2nd, 2010 at 17:12 UTC

    Maybe because it doesn’t work properly. There isn’t the need for a PIN either. The problem is that the (particularly public e.g. this website) internet, ATMs, and other stuff have evolved whereas security and authentication between electronic devices has not. It (probably) never will evolve enough to be secure. No system is ever 100% secure – Matthew Broderick as David Lightman in War Games 1983.

  • 3. viettel  |  November 21st, 2010 at 18:45 UTC

    thanks !
    After the “Chip and PIN is broken” paper was published some contra arguments referred to the difficulty of setting up the attack. The SCD can also show that such assumptions are many times incorrect.

  • 4. Jan Jooste  |  December 29th, 2010 at 15:24 UTC

    Omar, great work. Congratulations to yourself and Prof Anderson. I pray that your PhD research will be equally valuable.

    Could you and Prof Anderson please help us? We have a squash club here in Heilbron, South Africa and we use magnetic cards to pay for the lights. We (the Squash Club) buy the cards from a company in Johannesburg but they charge an inordinate fee. We would like to recover the used cards and reprogram them for resale to the members.

    Could you advise us where to access readers and programmers? We appreciate that this same equipment is used for fraud and thus we cannot access it – although our intentions are honourable – ie to save the club some money.

    Thank you,

    Jan Jooste

  • 5. SAS  |  January 4th, 2011 at 16:31 UTC

    Am I imagining things or did that ATM at 00.5 in the French doc have a skimmer on it? Adaptation of the headphone socket as a camera for the PIN, with the added card bezel, is very popular at the moment.
    Pin recovery in South Africa, yeh, really!!!

  • 6. Dr. Strangelove  |  January 8th, 2011 at 19:16 UTC

    Awesome work — congratulations and best wishes for your future!

  • 7. Chris Isbell  |  January 10th, 2011 at 17:44 UTC

    Let’s hope that the UK authorities are kinder than the French ones. According to Serge Humpich, he was sent to prison for cracking the old French chip and pin system and obtaining a couple of metro tickets to prove the concept.
