Posts Tagged ‘bank’

A puzzle solved. [en]

Wednesday, July 4th, 2012
Vasco Digipass 810


Do you remember when I opened my bank calculator? Besides replacing dead batteries, I wanted to see what made it tick and eventually replace it with an ordinary smartcard reader and some code running on a computer.

It turns out that other people had the same idea, but they beat me to it by putting more time and energy into that project, and ended up producing something usable.

It’s just a Python script to talk to the card. The usage is very straightforward, here are some examples:

To authenticate with the M1 key and the 23543696 challenge, type the following command:

$ ./EMV-CAP -m 1 23543696
***************************************************************************
Using this software for real financial operations can lead to some risks.
Indeed advantage of using a standalone reader is is to isolate your banking
card from big bad malwares.
Using it in a non-secured reader is taking risk that a keylogger intercepts
your PIN, a malware accesses to your card informations, or even intercepts
your transaction to modify it or operates its own transactions.
***************************************************************************
Are you sure you want to continue?
If so, type 'YES', or anything else to quit:YES
Enter PIN (enter to abort) :
Response: 45108749
$

To sign a transaction the same way as with the M2 key, with the challenges 09356196 and 345, use the following command:

$ ./EMV-CAP -m 2 09356196 345
***************************************************************************
Using this software for real financial operations can lead to some risks.
Indeed advantage of using a standalone reader is is to isolate your banking
card from big bad malwares.
Using it in a non-secured reader is taking risk that a keylogger intercepts
your PIN, a malware accesses to your card informations, or even intercepts
your transaction to modify it or operates its own transactions.
***************************************************************************
Are you sure you want to continue?
If so, type 'YES', or anything else to quit:YES
Enter PIN (enter to abort) :
Response: 45201783
$

Thank you Jean-Pierre Szicora and Philippe Teuwen, nice work !! 🙂

Bank transfer: structured communication [fr]

Sunday, June 5th, 2011

Here is a small piece of script that generates a valid structured communication for a bank transfer in Belgium. The advantage of this system is that the bank will not execute the transfer if a mistake is made while copying the digits.

# Generate the 'Communication' field for the bank transfer
# Format: +++DDD/DDDD/DDDSS+++
# DDDDDDDDDD: Any number you like.
# SS: Above number mod 97. Set to 97 if zero.
# Banks love obsolete^Wproven technologies. :-)
mkcomm ()
{
    # In case of collision, the function can take a salt as an optional parameter.
    # The salt must consist of digits only, since it becomes part of the number.
    COMMSTR="$1$RANDOM$RANDOM$RANDOM$RANDOM$RANDOM"
    COMMSTR="${COMMSTR:0:10}" # Trim string length to 10
    COMM_MODULO=$(expr "$COMMSTR" % 97) # Get remainder
    case $COMM_MODULO in # Padding and/or correction
        "0") COMM_MODULO="97" ;;
        [1-9]) COMM_MODULO="0$COMM_MODULO" ;;
    esac
    #echo "$COMMSTR$COMM_MODULO" #Debug
    echo "+++${COMMSTR:0:3}/${COMMSTR:3:4}/${COMMSTR:7:3}$COMM_MODULO+++" # Chop into blocks
}

If your bank lets you download your account statements in .csv format (possible at Dexia and Argenta), you simply search for the structured communication string to find the trace of the payment.
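The receiving side of the same check, as an added example that is not part of the original post: it parses the `+++DDD/DDDD/DDDSS+++` layout and recomputes the mod 97 value, which is how a mistyped digit gets caught. The function name `checkcomm` and the sample values are assumptions made for this illustration.

```shell
# Added example: verify a structured communication of the form +++DDD/DDDD/DDDSS+++.
# checkcomm is a hypothetical helper name; the sample values below are constructed.
checkcomm ()
{
    # Accept only the exact layout, then keep the 12 digits without separators.
    cc_digits=$(printf '%s\n' "$1" |
        sed -n 's|^+++\([0-9]\{3\}\)/\([0-9]\{4\}\)/\([0-9]\{5\}\)+++$|\1\2\3|p')
    if [ -z "$cc_digits" ]; then
        echo "malformed"
        return 2
    fi
    cc_base=${cc_digits%??}            # first 10 digits: the free number
    cc_check=${cc_digits#??????????}   # last 2 digits: the check value
    # Strip leading zeros so shell arithmetic does not parse the number as octal.
    cc_base=$(printf '%s' "$cc_base" | sed 's/^0*//')
    cc_expected=$(( ${cc_base:-0} % 97 ))
    # A remainder of zero is written as 97, as in mkcomm.
    if [ "$cc_expected" -eq 0 ]; then
        cc_expected=97
    fi
    cc_expected=$(printf '%02d' "$cc_expected")
    if [ "$cc_check" = "$cc_expected" ]; then
        echo "valid"
        return 0
    fi
    echo "invalid (expected $cc_expected, got $cc_check)"
    return 1
}

# Constructed samples: a correct value, one mistyped digit, the zero-remainder
# case, and a value with a missing digit.
for sample in '+++123/4567/89002+++' '+++123/4567/89102+++' \
              '+++000/0000/09797+++' '+++123/4567/8900+++'; do
    printf '%s -> %s\n' "$sample" "$(checkcomm "$sample")"
done
```

The check value detects copying errors only; it involves no secret, so a valid structured communication says nothing about who created it.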

Opening the Vasco Digipass 810 [en]

Thursday, February 24th, 2011
Vasco Digipass 810


Many Belgian and European banks provide their customers with a device that looks like a small calculator. This device, coupled with your bank card, is used to secure and authenticate transactions when using internet banking.

Since that device is fairly standard, there is nothing stopping you from using the reader from bank A with your card from bank Z and vice versa, because the crypto processing is happening on the chip of your card.

Knowing that the heavy crypto work is delegated to the bank card, it is safe to assume that the device is quite dumb: a keypad to feed data to the card, a screen to display the results and a micro-controller to do some simple housekeeping tasks, like update the screen, poll the keypad, clock the card and send/receive data.

I have no proof of what’s described above, but since mine had dead batteries after five years of use, it has become a prime candidate for exploration, so let’s open the case !! 🙂

Ugh !!

Digipass cracked open

Opened !!

It was a tough nut to crack !!

There are no screws and no clips holding it closed: the two halves of the case are welded together !! This is another prime example of planned obsolescence and wasteful engineering. There is no way to open it cleanly; you need to break it apart as carefully as possible to get access to the main PCB and the batteries. Your ability to close the box afterward will fully depend on how you open it in the first place.

The batteries are nothing exotic: just two CR-2032 button cells. They are wired in series on the PCB, because many smartcards require a 5V power supply to work properly.

Circuit board detail

All test pads are clearly labelled !

When you observe the PCB, there are a lot of interesting test points, all properly labeled. A hacker’s dream. 🙂

Fried !!

Unfortunately, while groping at it with a multimeter set to continuity tester, I fried the microcontroller. Apparently, that kind of invasive measurement was enough to kill it.

I wanted to check the continuity between the SDATA test pad and the DATA line on the card connector, and between the SCLK pad and the CLOCK line of the card connector. There was no continuity between those points, and the purpose of the J2 pad is still a mystery. An optional EEPROM maybe ?

I received a new reader to continue with my day-to-day banking operations, but I still want to see the data flowing between the card and the reader. My mistake is just a setback: I will change strategy and try to (ab)use the reader as-is, without opening the case. 🙂

More to come later. In the meantime, here is the manufacturer’s information.