TALLINN UNIVERSITY OF TECHNOLOGY
School of Information Technologies

Danielle Melissa Morgan 156334IVCM

SECURITY OF LOYALTY CARDS USED IN ESTONIA

Master's thesis

Supervisor: Rain Ottis, PhD
Co-Supervisor: Arnis Paršovs, MSc

Tallinn 2017

TALLINN UNIVERSITY OF TECHNOLOGY
School of Information Technologies

Danielle Melissa Morgan 156334IVCM

SECURITY OF LOYALTY CARDS USED IN ESTONIA
(Estonian title: EESTIS KASUTATAVATE KLIENDIKAARTIDE TURVALISUS)

Master's thesis

Supervisor: Rain Ottis, PhD
Co-Supervisor: Arnis Paršovs, MSc

Tallinn 2017

Author's declaration of originality

I hereby certify that I am the sole author of this thesis. All the used materials, references to the literature and the work of others have been referred to. This thesis has not been presented for examination anywhere else.

Author: Danielle Melissa Morgan
18.05.2017

Abstract

This thesis identifies the card technologies used in loyalty programs across Estonia. These technologies include magnetic-stripe cards, contactless cards (in the form of MIFARE Classic, MIFARE Ultralight, MIFARE DESFire EV1 and low frequency RFID cards) and a smart card known as the Estonian electronic identification card (ID card). Each card type implements its own security features to prevent cloning and/or unauthorized access to the content stored on the card. The contents of each card were read, and the way the card is used in the system was analysed. Where possible, a clone of the card was created and tested against the real system to verify that it passed the authentication procedures. In the case of the Estonian ID card, a clone of the card was created to log the protocol queries sent by merchant terminals to the card. The study finds that, due to the lack of security mechanisms in the technology used, in the majority of cases the loyalty cards provide limited or no protection against card cloning attacks, which makes the loyalty schemes vulnerable to fraud.
Keywords: RFID, NFC, EstEID, Estonian ID card, card technology, loyalty card

This thesis is written in English and is 76 pages long, including 5 chapters, 41 figures and 22 tables.

Abstract (in Estonian)

Security of Loyalty Cards Used in Estonia (Eestis Kasutatavate Kliendikaartide Turvalisus)

The aim of this Master's thesis is to study the various technologies used in the loyalty cards of Estonian companies. The technologies studied cover the following card types: magnetic-stripe cards, NFC MIFARE Classic, Ultralight and DESFire type cards, low-frequency RFID cards and the Estonian electronic identity card (ID card). Each card has its own security elements that should prevent copying of the card and/or unauthorised access to the data stored on it. In the course of the work, the information stored on the cards was read and the ways in which that information is used in the bonus system were analysed. Of the cards that allow cloning, a copy was made and tested against the real systems to verify whether the clones pass the authentication procedure successfully. For the Estonian ID card, a clone was created that logs the protocol queries sent by the service provider's terminal. As a result of the thesis it was found that, due to deficient security mechanisms, most loyalty cards are not sufficiently protected against cloning attacks, which means that loyalty bonus programs are vulnerable to fraud.

Keywords: RFID, NFC, EstEID, Estonian ID card, card technology, loyalty card

The thesis is written in English and contains 76 pages of text, 5 chapters, 41 figures and 22 tables.
List of abbreviations and terms

3DES – Triple Data Encryption Standard
APDU – Application Protocol Data Unit
ATR – Answer to Reset
CBC – Cipher-Block Chaining
DoS – Denial-of-service
EEPROM – Electrically Erasable Programmable Read-Only Memory
ID – Identification
IEC – International Electrotechnical Commission
ISIC – International Student Identity Card
ISO – International Organization for Standardization
NDEF – NFC Data Exchange Format
NFC – Near Field Communication
PAN – Primary Account Number
QR – Quick Response
RFID – Radio Frequency Identification
RSA – Rivest-Shamir-Adleman cryptosystem
SHA-1 – Secure Hash Algorithm 1
TTU – Tallinn University of Technology
UID – Unique Identifier
UT – University of Tartu

Table of Contents

1 Introduction ..... 14
2 Magnetic-Stripe Cards ..... 16
2.1 Methodology ..... 18
2.2 Results ..... 20
2.2.1 ABC Card ..... 20
2.2.2 Aitäh Card ..... 23
2.2.3 Club One Card ..... 24
2.2.4 Hesburger Card ..... 28
2.2.5 ISIC Card ..... 30
2.2.6 Koduekstra Card ..... 31
2.2.7 Partner Card ..... 33
2.2.8 PINS Card ..... 35
2.2.9 Rimi Card ..... 37
2.2.10 Säästu Card ..... 39
2.3 Summary ..... 41
3 Contactless Cards ..... 42
3.1 Contactless Technology ..... 42
3.2 Contactless Tools ..... 43
3.3 Low Frequency (LF) Cards ..... 45
3.3.1 Methodology ..... 46
3.3.2 Results ..... 46
3.4 MIFARE DESFire EV1 ..... 47
3.4.1 Methodology ..... 48
3.4.2 Results ..... 49
3.5 MIFARE Classic 1K ..... 51
3.5.1 Methodology ..... 56
3.5.2 Results ..... 56
3.6 MIFARE Ultralight C ..... 67
3.6.1 Methodology ..... 70
3.6.2 Results ..... 71
3.7 Summary ..... 75
4 Estonian Identity Card (EstEID) ..... 76
4.1 Methodology ..... 77
4.1.1 Design of Fake ID card ..... 78
4.2 Results ..... 81
4.2.1 Forum Cinemas ..... 81
4.2.2 Olerex ..... 83
4.2.3 Pilverprint ..... 84
4.2.4 Prisma ..... 85
4.2.5 TTU Library ..... 86
4.3 Summary ..... 86
5 Summary and Conclusions ..... 88
References ..... 90
Appendix 1 – Communication between TTU gym reader and ISIC card ..... 92
Appendix 2 – Receipts of purchases using loyalty cards ..... 94
Appendix 3 – Memory dumps of NFC cards ..... 98

List of Figures

Figure 1. Location