The new generation of EMV skimming device

I’ll start by explaining at a high level how an EMV transaction is processed. The reason I explain this is so you know how we can extract the data. I am simplifying it so that I don’t lose everyone with technical details, for those of you who would like to go more technical, let me know and if enough people ask for it I’ll write something.

Overview of a transaction
The transaction starts after the user of the POS has entered the amount and gives the POS to the cardholder that inserts his card into it. The sequence goes as follows:

Power up
The POS will power the chip card (Important because we will use this power for our device, no battery needed)

Answer To Reset – ATR
The Card responds with ATR which is a number telling the POS what kind of card has been inserted

AID
As you may know, each POS supports predefine cards that some of you refer to as BIN. In MSR transactions the BIN was used to know where to forward the transaction, with EMV each card supports one or more “applications” or software. Each of these applications has an Application ID or AID, if you look at an EMV receipt you will see which AID on the card was used to process the transaction something like “A0000000041010” which is the Mastercard AID. So POS looks at AID available on the cards and selects the one that is compatible.

Application Records
The POS will then read records of data associated with the AID selected, the data contain in these records contain (but are not limited to) the Cardholder verification methods (CVM or EMV tag 8E) this tells the POS what method of cardholder verification should be used.

Some other data read is the Track 2 equivalent data (EMV Tag 57) this represents half of what we are extracting.

Pin Validation

I am skipping some steps in transactions that are irrelevant to explaining the device.
On most POS devices the PIN is verified by the card itself, on ATMs and unattended devices (kiosk, gas pump) the PIN is Verified online.

IMPORTANT: the device only works on standard POS.

So at this point, the POS will issue a Verify command to the card with the PIN, (the second and last part of the information that we extract), the card will respond and continue the transaction if the PIN is valid.The rest of the transaction is irrelevant to us, we have all that we need.

How it works
The device is built on a flexible PCB of 100 µm thickness, it is inserted for the first time in the

POS with your card on a regular transaction. When you remove your card the PCB will stay in place

because of an adhesive. So from now on whenever you insert a card in the POS our circuit is between the card and

the reader, this means that all communication between POS and card are going thru it.

We just listen to the communication for the TAG 57 (track 2) and pin validation (PIN) and keep those values.

Since we had to keep the circuit VERY small we can only store 75 to 90 combinations of track/PIN. To extract

the data, we also use Bluetooth with an Android app. You just have to be in Bluetooth range when a card is inserted in the POS (because of power) to receive all the data and go back whenever you need more…