Friday, August 19, 2011

Bank PICC Features

Bank smartcards typically function according to the Europay, MasterCard, and Visa (EMV) standard, which describes the interaction between a smart card and a terminal. Protocols most people have heard of, such as PayPass or ExpressPay, build on the EMV standard. The EMV standard was originally designed with ISO/IEC 7816 smart cards in mind, but has since also been applied on top of ISO/IEC 14443 contactless (NFC) smart cards.

The core of the EMV protocol is based on the transmission of Application Protocol Data Units (APDUs). The PCD (Proximity Coupling Device, i.e. the terminal) pushes a Command APDU to the PICC (Proximity Integrated Circuit Card), which computes the response and pushes a Response APDU back to the PCD. Most of the APDUs sent between the two are transmitted in plaintext. Cryptographic security is only employed in the authorization phases of a transaction.
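As an added example (not code from the original post), the following decoder splits the two APDU shapes described above: a short-form Command APDU into its CLA/INS/P1/P2 header, data field and Le, and a Response APDU into its data field and status word. The SELECT command and the 2PAY.SYS.DDF01 PPSE name follow ISO/IEC 7816-4 and EMV contactless; the response bytes are constructed for illustration and are not a real card's reply.

```python
"""Decode ISO/IEC 7816-4 APDUs of the kind an EMV PCD and PICC exchange."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]  # None when no response data is expected


def parse_command(raw: bytes) -> CommandAPDU:
    """Parse a short-form Command APDU (cases 1-4 of ISO/IEC 7816-4)."""
    if len(raw) < 4:
        raise ValueError("header needs CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                      # case 1: header only
        return CommandAPDU(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                # case 2: Le only (0x00 means 256)
        return CommandAPDU(cla, ins, p1, p2, b"", body[0] or 256)
    lc = body[0]
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("Lc does not match the data length")
    rest = body[1 + lc:]
    if not rest:                      # case 3: Lc + data
        return CommandAPDU(cla, ins, p1, p2, data, None)
    if len(rest) == 1:                # case 4: Lc + data + Le
        return CommandAPDU(cla, ins, p1, p2, data, rest[0] or 256)
    raise ValueError("trailing bytes after Le")


def parse_response(raw: bytes) -> Tuple[bytes, int]:
    """Split a Response APDU into its data field and the 16-bit status word."""
    if len(raw) < 2:
        raise ValueError("response needs SW1 SW2")
    return raw[:-2], int.from_bytes(raw[-2:], "big")


# SELECT by DF name for the contactless PPSE: CLA=00 INS=A4 P1=04 P2=00,
# Lc=0x0E, the 14-byte name, and Le=00 (up to 256 bytes expected back).
SELECT_PPSE = b"\x00\xA4\x04\x00\x0E" + b"2PAY.SYS.DDF01" + b"\x00"

# Constructed response: a minimal FCI template followed by SW 90 00 (success).
SAMPLE_RESPONSE = b"\x6F\x04\x84\x02\x12\x34" + b"\x90\x00"
```

Running `parse_command(SELECT_PPSE)` shows why the post calls this traffic plaintext: the application name and every header byte are readable directly from the frame without any key.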

In many implementations there exist safeguards to deactivate the PICC in the event of a brute-force attack on the authentication system. This same sort of safeguard even exists on the Secure Element in the PN65N chip for the Nexus S. Because of this, it is impractical to attempt any sort of brute-force attack with the aim of key recovery. To do so with any success would require a very large number of credit cards. Even if this were achieved, Point of Sale terminals are capable of blacklisting certain keys and downloading new ones from Issuers.

This makes bank PICCs difficult to crack, but they remain susceptible to relay attacks and to information leakage when interacting with a spoofed terminal. While we were unable to complete the relay attack implementation because of complications with card emulation on the Nexus S, I did manage to successfully spoof a terminal and retrieve private information from a card. Newer implementations of bank PICCs are keeping a tighter lid on private information, so in the future they may be practically susceptible only to relay attacks.
