EMV chip AQRC generate

[Windos95]

Hello. I think many thought on the topic of ARQC and chip cloning in general. Today I will try to speculate on this topic.
The creators of the EMV system are clearly not fools and have made the task of replacing the storage medium as complicated as possible. When we worked with a magnetic strip everything is pretty simple. The original media is not protected from data compromise in any way, since it does not have cryptographic protection and the data is static. With the advent of the chip and the EMV system, everything became more complicated. Now the card has its own role in conducting a transaction, that is, the opinion of all three parties is now taken into account during the transaction: POS terminal, card, bank issuer The card can interact with the terminal giving it answers to all its questions.
Dialogue example:
* a person enters a pincode on the terminal and presses the green button *
Terminal - Card, is the entered pin correct?
* the card checks the pin with the contents of the encrypted pin-container on the chip *
Card - Yes, right.
So, there are 2 types of chips: SDA and DDA.
SDA chips are very similar to a magnetic stripe since they have static certificates of authenticity of cards based on card data (PAN, exp. Date, etc.)
DDA in turn possess greater cryptographic powers. They have the ability to calculate the ARQC cryptogram.
ARQC - a cryptogram confirming the authenticity of the card. You ask: "Why is ARQC a guarantor of bank card authenticity?"
Everything is very simple: at the factory where the card is made, MDK (Master Derivation Key) is recorded in the chip in the encrypted applet, which is also stored on the issuer's bank server. This key should NOT be pulled out or read from a genuine chip. Therefore, only a genuine chip can have the original MDK of the issuing bank.
When making a transaction, the card calculates ARQC based on MDK + parameters from the POS terminal (date, time, transaction amount, etc.), after which the ARQC with data from the POS terminal is sent to the server of the issuing bank, which also in turn calculates AQRC based on MDK key and data from the POS terminal. In the end, the issuer bank compares its ARQC cryptogram with the cryptogram sent by the POS terminal and issues the ARPC (response cryptogram, allow or reject the transaction).
RESULT: you can get ARQC using these methods:
This POS + genuine MDK card (not suitable, since it does not make sense)
POS terminal emulator + genuine MDK card (suitable only where to download the POS terminal emulator on a PC and so that it can interact with the real card?)
And after that we sew the ARQC received by us from a genuine card with the original MDK into the memory of the JCOP card; after trying to ask the ARQC card at the POS terminal, the card will issue as a response the cryptograms prepared by us from ARQC, since Our JCOP card does not have an MDK key and cannot independently calculate the ARQC.
Question for connoisseurs: Can the CVV to TRACK 2 equivalent change on a chip?

[anhlong]

let's first define terminology. ARQC is what the card calculates - only if issuer authentication is required.
*this is THAT, when the card, based on its settings or according to the instructions and choice of terminal / ATM, taken on the basis of the settings of the terminal-
asks for approval to approve / reject to the bank the card of which she is. if the terminal and the card decide to conduct a transaction differently,
*and it is possible, no ARQC is used during the transaction. ARQC is implemented through symmetric encryption keys.
who knows only the card and the bank that issued the card (issuer). asymmetric encryption when using mapped
when personalizing, the private key is not used when calculating ARQC. will be used during an ARQC transaction or not: is decided
both by card and terminal. if the issuer bank has set up the card so that it requires ARQC for certain terminal characteristics
(online authorization), it will be ARQC, even if the terminal proves to be noncontradicting to conduct a transaction without ARQC. if the bank owns
the terminal set up the terminal so that it required ARQC for certain transactions, then the transaction will either be implemented through ARQC
*either will be rejected. ARQC is online. if the operation is offline - ARQC is not needed
The ARQC is transmitted to the terminal; the terminal sends the ARQC to the bank to the acquirer that issued the terminal. the acquirer bank is packing ARQC in the iso8583 messaging standard
and sends to the network of the payment system - which sends a message to the bank to the issuer. which handles ARQC
and decides to approve or reject the transaction. and a solution seasoned as needed with additional instructions (what data on the card should be rewritten by the terminal)
sends back the same way. through the payment system. to the acquirer's bank that sends the data to the terminal - which sends it to the card. The answer is called ARPC.

[anhlong]

The principle of operation of the DDA is as follows
(simplified and omitting many details):
1) the terminal sends a unpredictable number to the card, along with some other data for signing
2) the card signs the data transmitted to it from the terminal and transfers the signature of this data in response to the terminal
3) the terminal decrypts the encrypted data received from the card
4) the terminal verifies the data transmitted in advance of the card with the data obtained from the signed and decrypted data
5) if the unpredictable number transmitted by the terminal to the card differs from the unpredictable number in the decrypted data received from the card, the transaction is canceled
a) each terinil generates its own unique unpredictable number.
b) a unpredictable number is a number that generates terminal
c) the card signs unpredictable number and transfers the signature to the terminal for verification.
d) new operation = new unpredictable number
e) new terminal = new unpredictable number
f) a new transaction initialization involves generating a new unpredictable number.
g) the unpredictable number generated by the terminal has value in the very transaction for which it is generated
due to the fact that DDA uses the private key of the card:
the bank issuer (simplified and omitting many details) creates 2 pairs of keys:
1) public key card + private card key
2) bank's public key + bank's private key
public key of the card and public key of the bank
become known to the terminal during the execution of the transaction.
bank's private key and private card key never become known to the terminal
3) the payment system (visa, mastercard ...) has its own, public key + private key
a) - the public key of the system (visa, mastercard ...) is entered into the terminal by the bank acquirer
b) - before issuing its cards, the issuer bank - sends its public bank key to the payment system
b1) the payment system signs with the private key the public key of the issuing bank and sends the received certificate back to it
с) the bank issuer signs by his with the private key the public key of the card and receives the certificate of the public key of the card
the bank’s public key certificate and the card’s public key certificate are recorded on the card upon personalization
through a mathematical connection between private keys and public keys, as well as through a mathematical connection between certificates - the authenticity of the card are verified, when used, in the terminal
terminal receives signed data and can check :
card issued by a bank that is certified by the payment system
having established that the public key of the card can be trusted
the terminal uses this public key to decrypt the encrypted data and compare the unpredictable number from this data with the unpredictable number that the terminal transmitted to the card half a second ago back

[moneymitch23]

......................

[anhlong]

Track 2 Equivalent Data is made to ensure that with minimal changes on the servers of banks and processing, to receive and process chip cards.
*Track 2 Equivalent Data introduced*in order for banks and processings to change settings on their servers less
The old configured infrastructure for accepting bank cards should change dramatically when chip cards are introduced
it is difficult and expensive to change old infrastructure all over the world simultaneously
*Track 2 Equivalent Data is designed to make the transition to chip technology smooth and painless
All the existing infrastructure for accepting bank cards was created for the magnetic strip.
When introducing EMV, it is very difficult to change everything at once and around the world.
for EMV and only for EMV - Track 2 Equivalent Data is not needed
Track 2 Equivalent Data is made so that banks and processors can accept chip cards using the old infrastructure designed for magnetic stripe cards.
In 2008-2009, visa and mastercard introduced the rules under which Track 2 Equivalent Data should differ from the same data on the magnetic strip
when implementing the EMV standard in a country or world in which a bank card on a magnetic strip has never existed - no one would invent this very Track 2 Equivalent Data
Initially, payment systems created Track 2 Equivalent Data with a full copy of data on a magnetic strip.
carders began to use this
In 2008-2009, the instructions of payment systems were issued - that the data in Track 2 Equivalent Data and on the magnetic strip of the same card were different
data exchange between banks involves the use of standard data fields
data exchange between banks when using bank cards lies in the accepted rules, formats, sizes of transmitted messages
in order to transfer data when using the new technology EMV - all formats, sizes, rules, messaging - need to be redone
reworking historically established protocols is difficult and expensive.
Track 2 Equivalent Data is designed to use old messaging channels. to use the old configured infrastructure for sending / receiving, processing, messages
differences Track 2 Equivalent Data from Track 2 located on the magnetic strip in the value of CVV
cvv located in Track 2 Equivalent Data when paying by a contact card when using the old infrastructure has its own name
cvv included in Track 2 Equivalent Data when paying with a contactless card, using the old infrastructure has its own name
payment systems do not prescribe the dynamic value of cvv in Track 2 Equivalent Data when using the contact interface
The dynamic cvv value in Track 2 Equivalent Data is used when using a contactless interface. contactless card !!
Track 2 Equivalent Data stored on a chip card, while using contact payment, is different from Track 2 on a magnetic strip. from 2008-2009. if the bank follows the instructions of the payment systems and not a imbecile.
If payment occurs in a contactless manner, there are two options:
1) Track 2 Equivalent Data is not needed at all. everything works like a stripped-down (for service speed) version of EMV
2) the card forms Track 2 Equivalent Data in which cvv is formed based on ATC and Unpredictable Number
often reasoning is based on very very general knowledge. with such reasoning it is impossible to plan anything. still in order to plan fraud, you need to know what is:
CVV / CVC
CVV2 / CVC2
dCVV / CVC3
iCVV / chipCVC
It should also be remembered that if someone tells stories convincing that fraud is possible, even in a place where this is impossible,
the simplest answer that can explain the existing state of affairs is that some banks can poorly process data on their server.
this is the exception rather than the rule.
if checking some data on authorizing a request for an operation on a bank server is done carelessly, then fraud is possible even where it is difficult to imagine.
if I pay in a store for goods worth $ 1000 only $ 100 and the cashier at the checkout mistakenly assumes that I gave him $ 1000 and allows me to buy goods for $ 950 and give a change for $ 50
The cost of such information (that I bought it and it is true) is very small. it will be very difficult to repeat. the cashier will be fired and another cashier will be more careful to count the money
Issuations of a similar nature, present on the forum and breeding thanks to a scoundrels, pursue only the goal of selling air in the end. super emv program or magic emv skimmer
for the implementation of fraud in 2019 there are no clear ready-made recommendations, possible in 2000-2005. clear universal algorithm can not exist at the moment.
need to study and explore every single bank. fraud is possible due to improper implementation of the standards adopted by the payment systems in banks.
It is much more important to increase your personal level of knowledge than to look for any proof of fraud.
due to the fact that without the accompanying knowledge to do something with the information received about the fraude, except to be deceived, when buying air, will not work.

[Greench]

О сколько написали. Я только из России, и английского не знаю ). Результат то какой? Может кто нибудь мне сделать удаленно одну штучку, на тест, или выложить подробную инструкцию , понятную для новичка? Зачем столько пустых слов?

[v3dro1d]

Quote:

Originally Posted by vadim-123

Может кто нибудь мне сделать удаленно одну штучку, на тест

ну а денюжки то у тебя есть тестировщик? вдруг сломаешь или потеряешь?

[anhlong]

необходимый результат мне видится в повышении компетентности присутствующих на форуме, в сфере чиповых карт. для генерации и осмысления различных идей и поиска монетизации.
ожидать готовых четких указаний как делать деньги - по меньшей мере наивно, по большей- глупо.
вряд ли кто-то знающий как делать деньги и делающий эти деньги- будет писать в подробностях как он это делает и учить остальных делать тоже самое.
а писать о том что ты ни делаешь сам- а где то слышал или подглядел - таких много и без меня. я стараюсь этим не увлекаться. потому что получаются сплетни. сам ни делаешь, сам недопонимаешь - а другим об этом пишешь.
остаётся общаться о технических моментах, которые при должном разборе можно использовать для размышлений о фроде.
есть другой подход- ничего не понимать- и пытаться найти волшебную схему - если у использующих этот подход людей бывают свободные деньги они их часто вкладывают в разные авантюры, понадеясь на авторитетные мнения "авторитетных" пользователей
людям - для которых важнее всего - найти мембера от чьих слов можно отталкиваться в будущем, при этом не исследуя ничего , что за этими словами стоит, а просто принимая как данность эти слова, ибо человек хороший и надежный - таким людям мне нечего предложить. уж извините. ну всем не угодишь. как ни старайся.
хотелось бы приносить пользу людям с похожим образом мыслей, а все кто думает кардинально иначе- ну не звери же мы. уживёмся. форум ни тесный.
форум также можно переводить прямо в браузере или поставить плагин который при выделении текста открывает новую вкладку в translate.google
будто я это по английски всё писал. я все написал по русски - перевел и вставил. )

[tonialcoponi]

smartcard whats your point exactly ?
do you have any solution for emv ?
you break the chip tech ?
a lot of people wait for the big news and maybe you know something that not everybody know

[anhlong]

I'm interested in EMV
I know no more than can be found on the Internet
I have my own idea.
i have solution me.
bit i dont have solution fo to others.(
due to the fact i dont have solution fo to others I cannot give advice on what to do to others.
I can only communicate for the sake of knowledge of the device EMV
Everyone has the right to use this knowledge further independently.
For example, I attach the screen, which was at hand.
he can clarify my point of view.
point is to study