It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem - Cyber R&D Lab Publication
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
It Only Takes a Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem Prepared by Leigh-Anne Galloway Head of Commercial Research Cyber R&D Lab Publication July 7th 2020 https://www.cyberdlab.com
It Only Takes a Minute to Clone a Credit Card
Contents
1. Summary of Findings ....................................................................................................................... 3
2. Introduction .................................................................................................................................... 3
3. Background ..................................................................................................................................... 4
3.1. Magnetic Data – Making the Invisible, Visible ........................................................................ 4
3.2. Primary Account Number ....................................................................................................... 6
3.3. Magnetic Stripe ....................................................................................................................... 7
3.4. Service Code .......................................................................................................................... 10
3.5. Discretionary Data ................................................................................................................ 10
3.6. Card Security Code ................................................................................................................ 10
3.7. Threats to Magstripe............................................................................................................. 11
3.8. How to Clone a Magstripe Card ............................................................................................ 11
3.9. Magstripe and EMV Differences ........................................................................................... 14
3.10. Shared Commonalities: Magstripe Equivalent Data in EMV Transactions ....................... 15
4. Findings ......................................................................................................................................... 16
4.1. Scope ..................................................................................................................................... 16
Example ......................................................................................................................................... 19
4.2. Results ................................................................................................................................... 20
4.3. Recommendations ................................................................................................................ 22
5. Conclusion ..................................................................................................................................... 23
6. References..................................................................................................................................... 23
Cyber R&D Lab Publication Page 2 of 24
It Only Takes a Minute to Clone a Credit Card 1. Summary of Findings This research shows how card data from EMV chip and contactless interfaces can be intercepted and used to create a new magstripe card, which can be used successfully to make payments. This is possible because of commonalities between magstripe, a fifty-year-old technology, and EMV standards for chip inserted and contactless transactions. 2. Introduction It has been fifty years since the introduction of magstripe. In the time that has passed, technology has changed beyond recognition; the personal computer was invented and made affordable to the masses. In the early two-thousands, Nokia became synonymous with the cell phone, selling one hundred and twenty-five million units of the classic Nokia 3310. During the same period, we saw the rise of the iPod, followed by the tablet, smart watches and, more recently, IoT devices. By comparison, payment technology has been marching to the sound of its own drum. Until the nineteen-nineties, transactions were made in two ways: by taking a carbon copy of the card’s embossed information or by swiping the magstripe. By the nineteen-nineties, magstripe had been in circulation for over twenty years which has provided plenty of time for criminals to figure out its weaknesses. As it turned out, the predominant issue with magstripe is the ease with which you can clone the card. After all, the card data is encoded in plain text on the magnetic stripe. In the nineteen-eighties, French banks began trials with chip enabled smart cards to their own specification. The rollout of this scheme dramatically reduced the rates of fraud associated with payments. Seeing this success, international card brands, Europay, MasterCard and Visa, started developing their own specifications called the EMV specification. EMV set about to eradicate the ability to clone the card by implementing additional security measures on the card itself. While EMV has reduced fraud, it has not done away with the problem all together; skimmers have evolved along with card specifications, like a game of cat and mouse. A skimmer is a device that sits between the card and the genuine payment instrument. Skimmers developed from reading magstripe data to reading data from the chip. Most often found in ATM’s and gas stations, modern skimmers read information from the chip and store this information for later use. Criminals use this to create new cards or to sell this information online. If skimmers are still effective, how is it possible to clone an EMV chip-based card? Cyber R&D Lab Publication Page 3 of 24
It Only Takes a Minute to Clone a Credit Card
3. Background
To understand how this works, take a step back in time and look at the first implementation
of electronic card data. If you look at the back of a credit or debit card, you’ll see the black
stripe known as the magnetic stripe.
Figure 1. Photo depicting PVC card with magnetic stripe.
The magnetic stripe contains important information that is also represented on the chip of all
modern cards. This information is used for chip inserted transactions and, if the card has NFC
capability, it is also used for contactless transactions. These are types of transactions as
specified by the EMV standards (EMVCo, n.d.)
3.1. Magnetic Data – Making the Invisible, Visible
With the help of magnetic particles, we can see the information stored on a card with the
naked eye. You can try this experiment at home. Use gloves, an old credit card and cover the
working surface as it can be hard to remove ferrofluid, and in no way should it be ingested!
Ferrofluid may be purchase from Amazon.com. Alternatively, iron filings will also work for this
experiment, but do not add water. There are commercially available products, such as Q-View
(Magnetic Developer, n.d.). Ferrofluid works just fine with a few adaptions. Ferrofluid comes
in a liquid form and contains microscopic magnetic particles suspended in a fluid. The particles
are combined with a surfactant to create a smooth liquid. Without a surfactant, the magnetic
particles would separate from the liquid solution.
Cyber R&D Lab Publication Page 4 of 24
It Only Takes a Minute to Clone a Credit Card
Figure 2. Photo depicting ferrofluid.
By itself, ferrofluid may have a high viscosity. If at first you do not see any data appear on the
magstripe, then you can add a drop or two of water to the surface of the card using a pipette,
after the Ferrofluid has been applied. Use a paper towel to blot some of the excess liquid
away from the card. In a few moments tiny bars appear as if by magic!
Cyber R&D Lab Publication Page 5 of 24
It Only Takes a Minute to Clone a Credit Card Figure 3. Photo depicting data encoded on Track 1 and Track 2 of the magnetic stripe. This experiment makes visible the data stored on the back of a card using magnetic encoding. You can find magnetic storage in use in a lot of places, most commonly in hard drives. Magnetic encoding works by translating the data to be stored into binary zeros and ones. The card writer contains an electromagnet. Changing the direction of the electrical current changes the polarization of the magnet within the electromagnet. As it passes over the magnetic stripe of the card, the magnet permanently orientates each section of the magnetic stripe in either a north facing or south facing direction. Each binary zero or one is represented by a corresponding north facing or south facing magnet. This is why the magnetic stripe looks like a series of bars when exposed to the ferrofluid. When the card is swiped through a card reader or payment device, the signal input changes depending on the direction of the magnet that is being read. The computer reads this information as a zero or a one. Once complete, the computer translates all the binary information into corresponding alphanumeric values at the application level. When looking at the results of this experiment, there will be up to three tracks of information: Track 1, Track 2 and Track 3. If only two tracks of information are visible, this is perfectly acceptable. It is common for bank cards to have Track 1 and Track 2 encoded. Track 3 was intended to be dynamically updated. 3.2. Primary Account Number The front of the card consists of the Primary Account Number (PAN), a start date (optional), an expiry date, an issue number (optional), the cardholder name and imagery pertaining to the issuing bank and the card brand. Cyber R&D Lab Publication Page 6 of 24
It Only Takes a Minute to Clone a Credit Card
Figure 4. Photo depicting embossed card data.
The PAN consists of three key pieces of information. The Issuer Identification number (IIN),
the account number and a check digit. For Visa and MasterCard products, the PAN is 16 digits
long, but it may be up to 19 digits long. The IIN identifies both the card brand and the bank
that issued the card. The account number identifies the owner of the account. Finally, a single
digit acts as a checksum to verify the validity of the PAN. This is calculated using the Luhn
algorithm, with the preceding PAN digits acting as input.
PAN
IIN Account Number Check Digit
Up to 8 digits 1-10 digits 1 digit
Figure 5. Data elements that make up the Primary Account Number (PAN).
3.3. Magnetic Stripe
On the back of the card, there is an area for the cardholder’s signature; next to it, a Card
Security Code (CSC) and above this the magstripe.
Cyber R&D Lab Publication Page 7 of 24
It Only Takes a Minute to Clone a Credit Card
Figure 6. Location of encoded tracks on the magnetic stripe.
The magstripe represents much of the same information that can be found in plain text on
the front and back of the card. All magstripe tracks contain the Primary Account Number
(PAN), the expiry date, a service code and discretionary data. When this information is sent
electronically, it is checked against information known to the issuing bank. The magstripe
contains up to three tracks of encoded information. But as Track 3 is no longer frequently
used by financial institutions, this research will only be describing Track 1 and Track 2.
Track 1 contains the PAN, the cardholder name, the expiration date, a service code,
discretionary data and a checksum. Track 2 is almost the same as Track 1, but lacks the
cardholder name. Track 2 is purely numeric, including the checksum. The space allocated for
discretionary data is shorter, and in both Track 1 and Track 2 this information is proprietary
to the issuer.
Cyber R&D Lab Publication Page 8 of 24
It Only Takes a Minute to Clone a Credit Card
Track 1
Expiration Service Discretionary LRC
% B PAN ^ Cardholder Name ^ Date Code Data ?
Longitudinal
Redundancy
Remaining Check
Start Format 19 2-26 characters 4 Digits or 3 Digits or Balance of End
Sentinel Code Digits Separator Title.Firstname/Lastname Separator ^ ^ Characters Sentinel 1 Character
Total = 79 Alphanumeric Characters
Figure 7. Data elements that form Track 1.
Track 2
Expiration Service Discretionary LRC
; PAN = Date code data ?
Longitudinal
Redundancy
Remaining Check
Start 19 4 Digits or 3 Digits or Balance of End
Sentinel Digits Separator = = Characters Sentinel 1 digit
Total = 40 Numeric Characters
Figure 8. Data elements that form Track 2.
Cyber R&D Lab Publication Page 9 of 24
It Only Takes a Minute to Clone a Credit Card
3.4. Service Code
The first digit of the service code describes the interchange value and supported onboard
technology that can be used for alternative transaction methods. This digit determines if the
card can be used internationally, nationally or via predetermined agreements between
issuers (private). This digit can also be used to describe whether the card possesses alternate
technology to complete the transaction, such as Integrated Circuit Card (ICC). It is now
standard to issue a card with ICC functionality, this option exists as a legacy.
The second digit describes the authorization processing indicator value. This specifies if the
card requires explicit authorization from the issuer in order to complete the transaction. If
this value is set to “0,” then authorization can be made without explicit authorization, if the
transaction passes checks made on the terminal.
The third digit describes allowed services and Cardholder Verification Method (CVM)
requirements. This digit describes whether the card may be used at an ATM, for cash and for
which circumstances the cardholder will be prompted for additional verification via PIN.
Service Code
Digit 1st 2nd 3rd
Description Specifies interchange value and Authorization Types of services
onboard technology processing available to the
indicator value card product and
CVM options
Figure 9. Data elements that form the service code.
A common service code is “201.” This indicates that a card that may be used internationally,
processing may be completed without the issuer and no restrictions exist on the type of goods
or services that the card product can be used for. Refer to ISO/IEC 7813:2006 for further
information on available digits and combinations.
3.5. Discretionary Data
Discretionary data is reserved for proprietary use by the card issuer. Despite this, it is known
that discretionary data is used to hold information for cardholder verification, card
authenticity and operational decisions. It contains the Card Security Code (CSC) and can
contain the card start date or the card issue number. The length assigned for the discretionary
data is the remaining number of digits once all other information has been subtracted from
the track.
3.6. Card Security Code
There are three generations of Card Security Code (CSC), with each card brand using their
own distinct name. Visa calls the CSC the Card Verification Value (CVV). For MasterCard, this
value is called the Card Verification Code (CVC). This is a unique number used to validate the
Cyber R&D Lab Publication Page 10 of 24It Only Takes a Minute to Clone a Credit Card card. The CSC is calculated using the PAN, expiration date and service code as input. This information is put through an algorithm to produce the CSC. The CSC is present in both Track 1 and Track 2 of the magstripe within the discretionary data field. This piece of data is critical to the transaction process and must be checked at the time of authorization to identify fraudulent transactions. However, there are no requirements for this data to be checked for card not present, chip inserted or contactless transactions. The second-generation CSC is called CVV2 (Visa) and CVC2 (MasterCard). This is the verification value used in ‘card not present’ transactions. Card not present transactions include those made online and over the phone. This value can be found on the back of the card. This value remains the same throughout the lifetime of the card and is used to verify that the cardholder has the card in their possession. The third-generation card security codes are values used for chip transactions and contactless transactions. For chip inserted transactions, these are known as iCVV (Visa) and Chip CVC (Mastercard). For contactless transactions that support magstripe equivalent modes, these values are dCVV (Visa) and dCVC (MasterCard). 3.7. Threats to Magstripe Magstripe is extremely vulnerable to cloning. It is synonymous with the server attack; a restaurant server takes the card away to swipe it and a few moments later brings the card back for the cardholder to sign the check. During that time, there’s a small window when the card data can be cloned. This is a type of eavesdropping or man-in-the-middle attack, which uses a second card reader to read track data from the magstripe at the time of payment. This information is enough to clone the card. Likewise, lost and stolen cards are vulnerable to cloning. An attacker can clone an expired card and modify the expiration date to extend the validity of the card. If the service code has restrictions, this can be altered as well. Cardholder verification is made via signature, making it relatively simple to pass as the card owner. 3.8. How to Clone a Magstripe Card The process of cloning the magstripe is a simple one. A card reader and writer can be purchased from Amazon.com for less than $100. This research uses the MSR605. Cyber R&D Lab Publication Page 11 of 24
It Only Takes a Minute to Clone a Credit Card
Figure 10. Image depicts sales listing for the MSR605 reader/writer.
The MSR605 is a magnetic card reader and writer that plugs into a computer via USB and
comes with prepackaged software for Windows. All that is required it to set it into “read”
mode and swipe a credit or debit card.
Figure 11. Image depicts the MSR605 plugged into USB interface.
Cyber R&D Lab Publication Page 12 of 24It Only Takes a Minute to Clone a Credit Card Figure 12. Image depicts the MSR605 user interface containing data read from a card. The reader will show the track data encoded onto the magnetic stripe. Select “Write,” and it will write the data to a new card. Cyber R&D Lab Publication Page 13 of 24
It Only Takes a Minute to Clone a Credit Card
Figure 13. Image depicts the MSR605 process for writing data to a card.
3.9. Magstripe and EMV Differences
EMV was introduced to tackle the security issues associated with magstripe. EMV is bound to
an Integrated Circuit Card (ICC). By design, the chip allows the card to take on much more
functionality than magstripe. This provides much greater assurance that the cardholder
information belongs to the card. Because the chip can compute mathematical functions, the
transaction can be signed using a cryptogram. By contrast, the magstripe is encoded on the
card and can be read by anyone.
For cardholder verification, EMV has the option to use a PIN, and it is increasingly used in
most countries. If the transaction is made online, then the PIN is transmitted to the issuer’s
Hardware Security Module (HSM) using symmetric cryptography, decrypted and verified for
correctness. If the transaction is made offline the PIN is checked by the card. This has some
weaknesses (Murdoch et. al., 2010) but is considerably stronger than magstripe methods.
There are two options for cardholder verification using magstripe, the first is a signature and
the second is a PIN. The signature is compared to the signature on the back of the physical
card, or a form of ID. In all cases, it is trivial to forge. Where a PIN is used, the transaction
needs to be made online. The PIN is transmitted to the issuer for comparison using symmetric
key cryptography.
Cyber R&D Lab Publication Page 14 of 24It Only Takes a Minute to Clone a Credit Card
3.10. Shared Commonalities: Magstripe Equivalent Data in EMV
Transactions
Perhaps surprisingly, Track 1 and Track 2 are also present in EMV transactions. These are
referred to as Track 1 equivalent and Track 2 equivalent. Track 2 equivalent differs, but not
significantly, from its original counterpart; data for card expiration date and the discretionary
data must be unique to the transaction mode and the card security code is dynamic. For
contactless transactions, Track 1 equivalent is not used by Visa card products but is used by
MasterCard.
Track 1 Equivalent – EMV Tag 56
B PAN ^ Expiration ^ Service Discretionary
Date Code Data
Format 19 Digits Separator 4 Digits Separator 3 Digits Remaining
Code Balance of
Digits
Total = 50 Numeric Characters
Figure 14. Data elements that form the Track 1 equivalent.
Track 2 Equivalent – EMV tag 57
PAN D Expiration Service Discretionary F
Date Code Data
19 Digits Separator 4 Digits 3 Digits Remaining Optional
Balance of Padding if
Digits Required
Total = 40 Alphanumeric Characters
Figure 15. Data elements that form the Track 2 equivalent.
Cyber R&D Lab Publication Page 15 of 24It Only Takes a Minute to Clone a Credit Card
4. Findings
With such a striking relationship between magstripe and EMV, this research questions
whether it is possible to substitute data from one technology type, EMV, and use it to
authorize an entirely different technology (magstripe). The idea is plausible, as there are many
skimmers and shimmers in circulation that record data from EMV chip inserted transactions.
From experience, it is entirely feasible for a hacker to skim card information during a
contactless EMV transaction. This provides two ways of harvesting card data from EMV
transactions, and one practical application, magstripe.
Opposing this idea: It should not be possible to substitute data from one technology and use
it for another. Based on EMV specifications and the ISO/IEC7811-2 standard, EMV data is
unique for every transaction and unlike magstripe data. EMV transactions ought to have
distinct discretionary data and are reliant on a different card security code. Issuers have the
capability to verify the source of discretionary data and should be doing this to identify and
stop fraud.
4.1. Scope
To resolve these questions, this research looked at a total of eleven different credit and debit
cards, made up of a mix of Visa and MasterCard. A total of ten different card issuers; seven
cards issued in the UK, three issued in Europe and one in the US. It should be noted that the
US card along with one of the European issued cards do not have an NFC interface that allows
for contactless transactions. This reduces the amount of data that may be harvested.
Card Issuer Brand Country of issue
1 1 Visa UK
2 2 MasterCard UK
3 3 MasterCard UK
4 4 Visa UK
5 5 MasterCard EU
6 6 Visa US
7 7 MasterCard UK
8 1 MasterCard UK
9 8 Visa EU
10 9 Visa EU
11 10 MasterCard UK
Figure 16. Shows cards within the scope of this research.
The methodology for this research is simple, data is to be read from each of the card’s EMV
interfaces along with the magstripe. This information is compared, and any striking
similarities or differences are noted. Next, the value of the CSC is determined for each
interface. This information is substituted for the CSC in the magstripe tracks. It is only
necessary to change this information, as Track 1 and 2 equivalent data is often the same for
Cyber R&D Lab Publication Page 16 of 24It Only Takes a Minute to Clone a Credit Card
Track 1 and Track 2 on the magstripe. In the wild, an attacker would use the full information
harvested from Track 1 and Track 2 equivalent to build a new card.
To read data from the NFC interface, the Android application “Card Reader Pro” was used.
Figure 17. Depicts the Card Reader Pro interface on Android.
The SCR3310 USB Smart Card Reader along with Python EMV Utilities library by David
Barkhuizen was used to read data from the chip interface.
Cyber R&D Lab Publication Page 17 of 24It Only Takes a Minute to Clone a Credit Card
Figure 18. Depicts the SCR3310 USB Smart Card Reader.
To read the encoded tracks on the cards magstripe, the method used is described in the
section titled “How to Clone a Magstripe Card.” The MSR605 was also used to write data to
magstripe cards. Blank cards were purchased online. These can be purchased at a very low
cost: $20 for one-hundred cards. Transactions were made using Mobile Point of Sales (mPOS)
terminals, either using the fallback method or with a dedicated magstripe interface. Fallback
is a process that occurs when the cards fails to be read by the chip inserted method. This can
be achieved by covering the chip with tape or not fully inserting the card. This should be
repeated several times until the terminal prompts for the card to be swiped.
Cyber R&D Lab Publication Page 18 of 24It Only Takes a Minute to Clone a Credit Card
Figure 19. Depicts mPOS Terminals used as part of this research.
Example
This is an example of readings taken for a Visa card. It should be noted that some of the
readers remove delimiters and the LRC from the output of the track data readings. The first
readings are from the magstripe.
Track 1:
%B4716042088430250^MR.P/GREEN^2108201000000000000000222000000?
Track 2 :4716042088430250=21082010000002220000?
From this it can be determined that the CVV for the magstripe is “222.” Next, readings from
the chip inserted into the SCR3310 reader.
Track 1 4716042088430250^21082010001000000000387000000
Track 2 4716042088430250D21082010000013870000F
We can see that the iCVV value is “387” on both tracks. The additional “1” within the
discretionary data may be used for operational purposes.
Track 1 4716042088430250D21082010000013870000F
Visa does have Track 1 equivalent for contactless data. Again, the iCVV is “387.” Using this
information, we can construct a new card with the values:
Track 1:
%B4716042088430250^MR.P/GREEN^2108201000000000000000387000000?
Cyber R&D Lab Publication Page 19 of 24It Only Takes a Minute to Clone a Credit Card
Track 2 :4716042088430250=21082010000003870000?
Figure 20. Image depicts the new card value using the MSR605.
4.2. Results
Four of the eleven cards allowed for data to be harvested from EMV interfaces and for this
information to be used to create a counterfeit magstripe card and authorize a swiped
transaction. One of these four cards allowed the transaction to be authorized with random
data inserted into the discretionary data. A further two of the four cards allowed for
transactions to be processed with a single track of information. Out of eleven cards, only two
cards use truly unique Track 2 equivalent data for both interfaces. Of the two cards from the
same issuer, one was vulnerable to this type of attack, and the other was not.
Card Issuer Brand Country of Issue Vulnerable
1 1 Visa UK Y
2 2 MasterCard UK Y
3 3 MasterCard UK N
4 4 Visa UK Y
5 5 MasterCard EU N
6 6 Visa US N
7 7 MasterCard UK Y
8 1 MasterCard UK N
9 8 Visa EU N
10 9 Visa EU N
11 10 MasterCard UK N
Cyber R&D Lab Publication Page 20 of 24It Only Takes a Minute to Clone a Credit Card
Figure 21. Table of results: cards that are vulnerable to cloning EMV interface data for use
on magstripe cards.
Figure 22. Bank statement depicting an approved transaction made using cloned EMV data.
Cyber R&D Lab Publication Page 21 of 24It Only Takes a Minute to Clone a Credit Card
Figure 23. Photo depicting approved transaction made using cloned EMV data.
4.3. Recommendations
When a POS or mPOS is used to make a transaction, a POS entry mode code is sent to the
card issuer along with the transaction. This code indicates which type of transaction was
made. Magstripe transactions have a terminal code of “90.” Whereas chip inserted
transactions have an entry code of “95” or “05.” Contactless transactions have the codes “91”
or “07.” This information can be used by the issuer to determine the transaction type, and if
it is supported. If the card issuer supports the transaction type, then the corresponding card
security code can be checked for validity against the entry mode. Implementing this check
prevents the use of cloned cards from other sources.
Cyber R&D Lab Publication Page 22 of 24It Only Takes a Minute to Clone a Credit Card
5. Conclusion
This research shows how card data from EMV chip and contactless interfaces can be
intercepted and used to create a new magstripe card. This is one of the mechanisms by which
skimmers work. This vulnerability exists for several reasons. First, the commonalities between
magstripe and EMV standards for chip inserted and contactless mean that it’s possible to
determine valid cardholder information from one technology and use it for another. Secondly
magstripe is still a supported payment technology, likely because adoption of chip-based
cards has been slow in some geographic regions around the world. Third, although magstripe
is a deprecated technology in many of the countries tested, cloned data is still effective
because it is possible to cause the terminal and card to fallback to a magstripe swipe
transaction. Finally, card security codes, a critical point of card verification, are not checked
at the time of transaction by all card issuers.
6. References
14:00-17:00. (n.d.). ISO/IEC 7813:2006. ISO. Retrieved April 23, 2020, from
https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/04/33/43317.
html
A_Guide_to_EMV_Chip_Technology_v2.0_20141120122132753.pdf. (n.d.). Retrieved April
24, 2020, from https://www.emvco.com/wp-
content/uploads/2017/05/A_Guide_to_EMV_Chip_Technology_v2.0_20141120122132
753.pdf
ALG ID Cards® Premium Blank White PVC Cards with Hi-Co Mag Magnetic Stripe | 760
Micron CR80 (Credit Card Size)—100 Pack: Amazon.co.uk: Office Products. (n.d.).
Retrieved April 22, 2020, from
https://www.amazon.co.uk/gp/product/B07KWXVFQY/ref=ppx_yo_dt_b_search_asin_
title?ie=UTF8&psc=1
Barisani, A., Laurie, A., Bianco, D., & Franken, Z. (n.d.). Chip & PIN is definitely broken.
43.
barkhuizen, david. (2020). Davidbarkhuizen/py_emv_utils [Python].
https://github.com/davidbarkhuizen/py_emv_utils (Original work published 2012)
Computers | Timeline of Computer History | Computer History Museum. (n.d.). Retrieved
April 24, 2020, from https://www.computerhistory.org/timeline/computers/
Credit Card Reader Pro. (n.d.).
https://play.google.com/store/apps/details?id=com.github.devnied.emvnfccard.pro
EMVCo. (n.d.). EMVCo. Retrieved April 23, 2020, from https://www.emvco.com/
Cyber R&D Lab Publication Page 23 of 24It Only Takes a Minute to Clone a Credit Card
ISO - ISO/IEC 7811-2:2018—Identification cards—Recording technique—Part 2: Magnetic
stripe: Low coercivity. (n.d.). Retrieved April 9, 2020, from
https://www.iso.org/standard/73638.html
Magnetic Developer. (n.d.). Retrieved April 23, 2020, from https://www.q-
card.com/products/magnetic-developers/magnetic-developers/page.aspx?id=1415
Masters, G., & Turner, P. (2007). Forensic data recovery and examination of magnetic swipe
card cloning devices. Digital Investigation, 4, 16–22.
https://doi.org/10.1016/j.diin.2007.06.018
Mitigating Fraud Risk Through Card Data Verification. (n.d.). 5.
Murdoch, S. J., Drimer, S., Anderson, R., & Bond, M. (2010). Chip and PIN is Broken. 2010
IEEE Symposium on Security and Privacy, 433–446.
Radu, C. (2003). Implementing electronic card payment systems. Artech House.
Souppouris, A. (2013, September 3). Nokia: A visual history. The Verge.
https://www.theverge.com/2013/9/3/4688932/nokia-smartphone-history-in-pictures
Cyber R&D Lab Publication Page 24 of 24You can also read
