The document summarizes the findings of an analysis of the implementation of chip-based debit cards in Indonesia that comply with the National Standard Indonesian Chip Card Specification (NSICCS).
The analysis found that: (1) data stored on the chip cards was not encrypted and could be easily read, (2) one bank's cards had similar data in the chip and magnetic stripe, and (3) modifying the data to be written to magnetic stripes allowed most test cash withdrawals at off-network ATMs and point-of-sale terminals to go through successfully.
The document suggests that as long as magnetic stripes continue to be used alongside chip cards, NSICCS card users remain at risk of card skimming.
The achilles heel of GPN Card implementation
1. The Achilles Heel of GPN Card Implementation
B. Noviansyah / @tintinnya
Presented at IDSecConf 2020
12--13 December 2020
2. What This Presentation Is About
➢ Share my observations of Gerbang Pembayaran Nasional (GPN) cards, focusing on an implementation flaw of chip-based ATM/debit cards carrying the NSICCS (National Standard Indonesian Chip Card Specification) applet, which is derived from the EMV standard
➢ I will not share the full details, since the impact is still major, affecting millions of users. But the trend is decreasing near the migration deadline
➢ Suggest what card issuers should do about this finding to protect users from similar threats
➢ Suggest what we as customers should do about this finding to protect our own money and accounts
GPN Logo from www.bi.go.id
3. Hello, I am TinTin
Been there, done that
★ Java EE programmer since 2002
○ Tab person
○ K&R with 1TBS
★ Internal pentester
★ Information security policy maker
★ Enterprise security architect
★ Digital forensics
○ Host-based forensics: image acquisition with dcfldd, DumpIt, Tableau
○ Cloud-based forensics: image acquisition with gsutil
○ Image analysis with TSK, Autopsy
★ Blockchain enthusiast
○ Solidity on private Ethereum on Ubuntu
★ Information security advisor for payment systems and FinTech
Formal and Professional Education, and Certifications
★ Teknik Informatika, Institut Teknologi Bandung
○ Distributed Systems (Sistem Terdistribusi)
★ Heinz College, Carnegie Mellon University
○ Master of Science in Information Security Policy and Management
○ Cyber Forensics and Incident Response (CyFIR) track
○ Chief Information Security Officer (CISO) Executive Education Certificate
★ Certifications:
○ EC-Council’s CEH v4.1
○ EXIN’s ITIL Foundation v2
○ SGS’ ISO 20000 LA
4. Why Did I Choose This Topic?
★ Payment systems are closer to us than we think.
★ One of the instruments in payment systems is the card-based payment instrument.
★ Migration from magstripe to chip is part of the security controls. But how secure is a chip-based payment card?
★ To see the magnitude of the impact once chip-based cards are implemented and distributed to the public
5. Card-based Payment System Instrument in Blueprint
Blueprint Sistem Pembayaran Indonesia 2025, 28 November 2019
6. One of the Problems with Payment Cards
https://nasional.tempo.co/read/680461/sepertiga-kasus-skimming-di-dunia-terjadi-di-indonesia/full&view=ok
https://www.beritasatu.com/faisal-maliki-baskoro/ekonomi/269376/bank-indonesia-jumlah-fraud-terus-menurun
“In the last 3 years, there were 5,500 skimming cases in the world, and 1,549 cases happened in Indonesia.”
~Brigjen Victor E. Simanjuntak, Director of Economic and Special Crime, Criminal Investigation Agency of the Indonesian Police Force, July 2nd, 2015~
“Indonesia is still in the lowest position for banking crime rates since 2012 compared to other Southeast Asian countries. From 2014 until February 2015, card-based fraud was only 0.0008% of the total transaction amount.”
~Eni V. Panggabean, Head of the Payment System Policy and Supervision Department, Bank Indonesia, April 28th, 2015~
In 2010, the fraud amount was IDR 55 billion
In 2015, the fraud amount was IDR 33 billion
What about now in 2020?
7. Understanding the Impact: Card Growth
Source: Bank Indonesia’s Payment System Statistics
https://www.bi.go.id/id/statistik/sistem-pembayaran/apmk/contents/jumlah%20apmk%20beredar.aspx
8. Understanding the Impact: Amount and Volume (ATM/D Cards)
Source: Bank Indonesia’s Payment System Statistics
https://www.bi.go.id/id/statistik/sistem-pembayaran/apmk/contents/transaksi.aspx
9. Understanding the Impact: Amount and Volume (Credit Cards)
Source: Bank Indonesia’s Payment System Statistics
https://www.bi.go.id/id/statistik/sistem-pembayaran/apmk/contents/transaksi.aspx
10. Understanding the Impact: Infrastructure
Source: Bank Indonesia’s Payment System Statistics
https://www.bi.go.id/id/statistik/sistem-pembayaran/apmk/contents/infrastrukturapmk.aspx
11. Understanding the Impact: Bank Indonesia’s Licensees
116 financial institutions in total
75 ATM/D card issuers
23 debit card acquirers
26 credit card issuers
17 credit card acquirers
34 ATM card issuers
12. Understanding the Impact: TL;DR
Infrastructure:
ATMs: ~105 thousand
EDCs: ~1.4 million
Merchants: ~906 thousand
Cards:
ATM/D cards: ~200 million
Credit cards: ~18 million
ATM cards: ~10 million
ATM/D transactions:
Total transactions: 565 million
Total amount: ~IDR 580 trillion
CC transactions:
Total transactions: 22 million
Total amount: ~IDR 18 trillion
Rolling out a security enhancement or migration at this scale is like moving an elephant
13. Focus of This Presentation
★ Card Present (CP) transactions, both with magstripe and chip
★ Linkage between NSICCS and EMV
★ Contact-based cards (ISO 7816)
★ ATM/debit cards only
★ Interaction between chip and terminal
14. Not the Focus of This Presentation
★ Card Not Present (CNP) transactions, such as online transactions
★ EMV on credit cards
★ Contactless cards (ISO 14443)
★ Communication between terminal and host
15. How Do Cards Interact With the Bank’s Back-end?
...and skimmers are sitting there in the card slot, reading and copying the data from the magstripe, or tampering with the EDC and storing the data in a malicious chip inside the EDC.
16. What Makes Skimmers Win Your Money?
Your card + your PIN: pinhole camera and/or overlaid PIN pad
https://www.boredpanda.com/how-to-spot-atm-scam/
Your card data and your PIN are sold on an online forum. The buyer can write the data onto a different magstripe card and use the PIN to withdraw your money.
19. Banks Urge Customers To Migrate Their Magstripe Cards
https://www.bbc.com/indonesia/indonesia-43486801
https://finance.detik.com/bursa-dan-valas/d-3874531/gratis-migrasi-kartu-atm-jadi-pakai-chip
https://www.liputan6.com/bisnis/read/3939518/biar-aman-dirut-bca-minta-nasabah-segera-migrasi-ke-teknologi-chip
https://finance.detik.com/bursa-dan-valas/d-3874329/kartu-atm-belum-pakai-chip-ini-risikonya
https://www.liputan6.com/bisnis/read/3502530/bri-imbau-nasabahnya-segera-migrasi-kartu-atm-ke-teknologi-chip
Bank Indonesia circulated Letter Nr. 17/52/DKSP dated Dec 30th, 2015 and set the deadline for 100% migration from magstripe cards to chip-based cards on Jan 1st, 2022
20. ...but Banks Are Still Allowed to Issue Magstripe Cards.
Surat Edaran No.17/52/DKSP Tanggal 30 Desember 2015: Implementasi Standar Nasional Teknologi Chip dan Penggunaan Personal Identification Number Online 6 (Enam) Digit untuk Kartu ATM dan/atau Kartu Debet yang Diterbitkan di Indonesia (Circular Letter No. 17/52/DKSP of 30 December 2015: Implementation of the National Chip Technology Standard and Use of 6 (Six) Digit Online Personal Identification Numbers for ATM and/or Debit Cards Issued in Indonesia)
Only for accounts with a maximum balance of IDR 5 million, with proper risk management by the issuing bank
21. Luckily, The Cards Could Not Be Used Overseas, Right?
https://finance.detik.com/moneter/d-4143357/baru-terbit-gpn-tidak-bisa-dipakai-di-luar-negeri
https://www.republika.co.id/berita/ekonomi/keuangan/18/07/30/pcogzj370-kartu-berlogo-gpn-belum-bisa-dipakai-di-luar-negeri
https://www.liputan6.com/bisnis/read/3587012/alasan-kartu-debet-gpn-belum-bisa-dipakai-di-luar-negeri
GPN cards are optimized for domestic transactions. Customers can ask for Visa/MasterCard cards for overseas transaction purposes
https://ekonomi.kompas.com/read/2018/04/16/193000726/seperti-jcb-dan-unionpay-bisakah-gpn-dipakai-untuk-transaksi-di-luar-negeri-?page=all
22. Problem Statement
★ Is a GPN card with the NSICCS applet able to protect us as customers from counterfeit cards created by international skimmer syndicates and used to perform unauthorized transactions (e.g. withdrawals)?
23. The (Zero-knowledge) Observations
Bank Indonesia has set the National Standard Indonesian Chip Card Specification (NSICCS) as the country’s technology benchmark for ATMs and debit cards of all card providers across the country.
All cards should be 100% migrated by 1 January 2022 at the latest.
Which EMV version is adopted by NSICCS for GPN?
https://www.thejakartapost.com/news/2017/06/22/bank-indonesia-sets-chip-technology-standard-for-atms-debit-cards.html
24. The NSICCS Observations through the EMV 4.1 Books
APDU: TLV (Tag Length Value)
No NSICCS book, just EMV 4.1 Books 1--3
25. What Do You Need To Read the Card
1. Hardware:
a. Smartcard reader and magstripe reader/writer
2. Software:
a. Python libraries to communicate with the USB smartcard reader
b. DLL and x86 application for read/write
26. Reading the Card: PSE (Payment System Environment)
MasterCards from Bank B have the NSICCS applet as priority #1 over the DEBIT MASTERCARD applet
27. Reading the Card: Enumerating Available AIDs
GPN cards have a Visa applet, except the GPN card from Bank A
Visa cards and MasterCards have the NSICCS applet
If a GPN card has a Visa applet, does that mean the card can be processed by a non-NSICCS terminal (leaving aside that the Visa principal would not find a route for the BIN)? This is a false positive, since the old GlobalPlatform AIDs “borrowed” 5 bytes from Visa’s AID.
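As an added illustration of slides 24, 26 and 27 (not code from the presentation): a minimal EMV BER-TLV parser, the encoding defined in EMV 4.1 Book 3, run over a constructed PSE directory record so the applications can be listed by priority the way the deck reads the NSICCS applet as priority #1. The record bytes are constructed; only the Mastercard Debit AID is the public one, the NSICCS AID is a placeholder.

```python
def encode_tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one BER-TLV object; short-form length only (value < 128 bytes)."""
    assert len(value) < 0x80
    return tag + bytes([len(value)]) + value

def parse_tlv(data: bytes) -> list:
    """Return [(tag_hex, value)]; for constructed tags value is a nested list."""
    items, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):            # inter-object padding allowed by EMV
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:               # multi-byte tag: continue while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                      # long-form length: 0x8N then N length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        items.append((tag, parse_tlv(value) if first & 0x20 else value))
    return items

def directory_entries(record: bytes) -> list:
    """List (priority, AID, label) from a PSE record: tag 70 holding 61 entries."""
    entries = []
    for tag, children in parse_tlv(record):
        for etag, fields in (children if tag == "70" else []):
            if etag == "61":
                d = dict(fields)
                prio = d.get("87", b"\x00")[0] & 0x0F   # low nibble: 1 = highest priority
                entries.append((prio, d["4F"].hex().upper(), d["50"].decode("ascii")))
    return sorted(entries)

# Constructed sample record (not captured from a card). The Mastercard Debit AID is
# public; the NSICCS AID is a placeholder because the deck does not give it.
MC_ENTRY = encode_tlv(b"\x61", encode_tlv(b"\x4F", bytes.fromhex("A0000000041010"))
                      + encode_tlv(b"\x50", b"DEBIT MASTERCARD") + encode_tlv(b"\x87", b"\x02"))
NS_ENTRY = encode_tlv(b"\x61", encode_tlv(b"\x4F", bytes.fromhex("A0000000000001"))
                      + encode_tlv(b"\x50", b"NSICCS") + encode_tlv(b"\x87", b"\x01"))
SAMPLE_RECORD = encode_tlv(b"\x70", MC_ENTRY + NS_ENTRY)
```

Nothing in the structure is encrypted: every tag, length and value is readable as soon as the record is returned, which is the point slide 29 goes on to make.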
28. Findings: Card Properties
⭕ = n/a, 🛑 = not supported, * = using AID enumeration, not PSE
Some cards only support SDA, not DDA. SDA (Static Data Authentication) is less secure than DDA (Dynamic Data Authentication).
29. Findings: EMV Tags Can Be Easily Read. No Encryption Scrambles or Protects Them
An EMV chip-based card does not protect the data inside the card from being copied.
Instead, the EMV chip card serves as a mini computer that performs the APPLICATION CRYPTOGRAM calculation to generate dynamic data, which is sent along with the transaction information to the ISSUER HOST. This authentication process is what makes an EMV card more secure than a magstripe card.
30. Findings: One Bank Has EMV Tags Similar to Its Magstripe Data(!)
This finding was exploited by copying the data from the EMV tags to the magstripe, with certain modifications. The results were surprising.
31. Developed Test Cases and Results
1. Test cases:
a. Modify data from the EMV tags and write it to the magstripe, with 4 scenarios of cash withdrawal
b. On-Us ATM EMV, On-Us ATM Magstripe, On-Us EDC
c. Off-Us ATM EMV, Off-Us ATM Magstripe, Off-Us EDC
d. The 4 scenarios were tested on 6 types of terminals. Not all tested banks have these terminal types
2. Results:
a. Most cash withdrawal test cases were successfully executed on the Off-Us terminals
b. Data from the magstripe basically discourages the EDC from reading it, hence some tags need to be replaced
i. Some banks do not check the integrity of the data in the back end. They simply rely on the logic in the terminal (ATM/EDC)
ii. Some banks only rely on the EDC to prevent the card from being used, based on certain tags
iii. Some banks only rely on the EDC to prevent the card from being used, based on BIN. The EDC still has a FALLBACK mechanism to accept magstripe instead of chip
32. Findings: Recap
1. Data in the EMV chip is not encrypted, and can be read in under 1 s
2. One bank’s GPN card has similar data between EMV and magstripe
3. Most cash withdrawal use cases using a copied card were successfully executed on Off-Us terminals
4. Data from the magstripe basically discourages the EDC from reading it, hence some tags need to be replaced
a. Some banks do not check the integrity of the data in the back end
b. Some banks only rely on the EDC to block the data, based on certain parts of it
c. Some banks only rely on the EDC to block the data, based on BIN
5. GPN cards still have a VISA/MasterCard applet
6. VISA/MasterCard cards still have the GPN applet
7. The above modifications still require a valid PIN.
33. Answering the Problem Statement
★ As long as magstripe still co-exists with the EMV chip, there is still a chance for GPN card users to become victims of card shimming and/or card skimming. This also applies to VISA/Mastercard.
★ This is not a final conclusion, since only 6 issuer banks were tested. There are 75 licensees, and 6 are not enough to represent them.
36. Banks: Increase Your Visibility
Check your back end. Data integrity verification is a must.
Do not simply rely on the data saying “PIN and card are valid” without supporting auxiliary data, e.g. CCTV, patterns of customer movement
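An added example, not from the presentation, of the back-end data-integrity check that slides 31 and 36 call for: the issuer compares the service code presented in the track data against its own card file and flags plain magstripe or off-us fallback use of a chip-capable card, instead of trusting the terminal’s logic. The request schema, card file and entry-mode vocabulary are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class AuthRequest:
    """One authorization request as the issuer host sees it (constructed schema)."""
    pan: str
    entry_mode: str           # "chip", "magstripe" or "fallback"; vocabulary is assumed
    on_us: bool               # True when the terminal belongs to the issuer
    service_code: str         # 3-digit service code presented in the track 2 data

# Issuer's own card file (constructed). Per ISO/IEC 7813 a service code whose first
# digit is 2 or 6 means an IC is present and should be used where the terminal can.
CARD_FILE = {
    "6011000000000001": "201",   # chip-capable card
    "6011000000000002": "101",   # magstripe-only card
}

def chip_present(service_code: str) -> bool:
    return service_code[:1] in ("2", "6")

def review(req: AuthRequest) -> tuple:
    """Return (decision, reasons); PIN and cryptogram checks are assumed to run elsewhere."""
    issued = CARD_FILE.get(req.pan)
    if issued is None:
        return "decline", ["unknown PAN"]
    # Track data is under the presenter's control, so compare it with the issuer's own
    # record rather than relying on whatever the terminal accepted.
    if req.service_code != issued:
        return "decline", ["presented service code differs from issuer record"]
    reasons = []
    if chip_present(issued) and req.entry_mode == "magstripe":
        reasons.append("chip card presented as plain magstripe")
    if chip_present(issued) and req.entry_mode == "fallback" and not req.on_us:
        reasons.append("chip-to-magstripe fallback at off-us terminal")
    return ("review" if reasons else "approve"), reasons

def decisions(requests) -> list:
    return [review(r)[0] for r in requests]

# Constructed traffic: a genuine chip transaction, a copied stripe carrying altered
# track data, an off-us fallback on a chip card, and a legitimate magstripe-only card.
SAMPLE_TRAFFIC = [
    AuthRequest("6011000000000001", "chip", True, "201"),
    AuthRequest("6011000000000001", "magstripe", False, "101"),
    AuthRequest("6011000000000001", "fallback", False, "201"),
    AuthRequest("6011000000000002", "magstripe", False, "101"),
]
```

The "review" outcome is where the auxiliary data the slide mentions (CCTV, customer movement patterns) would be consulted before a final decision.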
37. Standard Body and Central Bank: Increase the Security Level of the Standard
Evaluate and enhance the standard. Attacks on SDA cards are already available on the Internet.
Enforce comprehensive risk management for the GPN card implementation, including risk assessment of both chip and magstripe