In addition to the requirements of the EU directive, the Danish data retention law also requires retention of the source+destination IP address, port number and timestamp of every 500th internet packet (called “session logging” in Denmark). This is usually done at the boundary of the ISP’s network where they exchange traffic with other autonomous systems, so it doesn’t really help with NAT.

However, the evaluation report from the Danish government mentions that one ISP has implemented logging of IP addresses, source ports and customer identities in their NAT gateway. The ISP in question uses NAT for mobile internet customers (smartphones and mobile broadband). From my understanding of the Danish data retention law, this extra logging is not formally required by the law, but something that the ISP has done voluntarily, presumably because they were aware of the limitations that NAT would cause.

The description in the report is somewhat confusing (suggesting that the author of that section hasn’t fully understood the problem), but by reading between the lines, it’s pretty clear that they are talking about NAT. I have also discussed the evaluation report with a former employee of the ISP, and he has confirmed the logging of source ports at the NAT gateway.

Now comes the interesting part..

According to the report, this NAT gateway logging has been of very limited use to the Danish police. The ISP can only identify the customer if the police can provide the IP address and source port together with an accurate timestamp. In many cases, the police has not been able to obtain the source port from server log files. Typically, web server logs only contain the IP address of incoming connections, not the source port.

Another (related) issue is the accuracy of the timestamps. Some NAT sessions, e.g. for webserver requests, can be very short.

Jesper Lund
IT-Pol Denmark

From what I gather, what is needed to replay the transaction is the following:
ARQC (a DES wrapper of: transaction counter, card details and the MAC)
MAC (a des wrapper of 4-byte TVR data, UN, amount, currency and time/date stamp)
This leaves us with a DES message of 16bit number, the symmetrical key-encrypted IAD, and the DES encrypted MAC.

If we can predict the UN, then we can retrieve the MAC. What is the significance of this, when we cannot access the IAD, or can the IAD encrypted block simply be sent to the acquirer, who will check it as if it came from a real card? The only unique piece of data, it seems to me, within an EMV transaction will be the internal transaction counter within the card and the timestamp. In theory, every other piece of information can be identical. Why, then, is predicting the UN the key to replaying a transaction?

please refrain from making sweeping comments about an entire nation of which you do not live in

I’m sorry guys but I think you are not looking at the issue in the way others do, or more importantly with respect to the actual context of the comment.

The comment was very clearly made with respect to “data regulation” which is part of legislation about personal information and thus privacy.

To put it crudely US legislation on personal data can be sumed up as “He who collects it owns it” and with Federal agents using over reaching legislation to make not fully complying with online companies T&C’s with respect to personal information such as a persons name a criminal offence with substantial maximum jail time and fine, you have to ask why?

I for one don’t think the US legislature and federal LEAs give any respect to personal privacy despite the various rights US citizens supposadly have through the constitution and the various amendments frequently quoted. I think they actually view privacy as at best a hinderance, and those trying to maintain it as being guilty of the equivalent of a criminal / subversive / terrorist act. Which the recent “off the table” and similar comments by the Mayor of New York has made abundantly clear.

Now I’m perfectly willing to belive that some US citizens are concerned about privacy but obviously not enough to make the legislature change it’s mind away from the views of “Corparate America” et al.

Now I do not know if it’s a simple numbers game of not enough concerned citizens giving voice or whether it is one of Corporate America buying up politicians in various ways but the simple fact is the impression given off by the US legislature, Federal authorities and judiciary is “We don’t belive people in the US or the rest of the world should have privacy in any way shape or form”.

So from my perspective and that of many others I know the view is that America is rapidly becoming a survalence state bordering on being a police state.

Further you also lastly need to consider that the US only consists of a little over 300million citizens whilst the EU is more than double that. There are India and China with higher populations but have you looked at their ideas of legislation on privacy?