
Decoding Contactless (Card) Payments

Speech transcript
Imagine you're in general at the checkout at the supermarket, and instead of taking out the cash you take something like a card to pay, you place it just on the top of the terminal, it makes a beep and you've paid. What near-field communication is doing there, and in particular what happens at the protocol level, the answers are given by Simon. Simon is a co-founder of the company payworks and specialized in point-of-sale payment gateway technologies. Simon studied informatics in Munich and in Los Angeles, so let's welcome now Simon with his talk on decoding contactless card payments.

Welcome everybody, thanks for joining tonight. Tonight I want to talk about contactless card payments and how we go from tapping a card to, in the end, just having your smartphone. Full disclosure: I'm not talking about exposing new security risks or anything of that form tonight, so I'm not going to the lowest level of the protocol, which is below the level of what I'm doing tonight, but I want to focus on the status quo: how is a contactless card transaction basically working, how do we do Android Pay, how do we do Apple Pay, what is involved there, and why is it not possible to actually take a card and load it onto your smartphone, and what actually prevents you from doing that. To give you some context where this is coming from: I work at payworks, we run a payment gateway and develop tools for making transactions easier for developers to integrate, and over there I'm responsible for integrating new terminals and connecting to banks, and I want to take a look at contactless and give you some insights on what I learned while we were working on that. So let's get started with this. Probably everybody
here in the room has heard about contactless payments and has used it, maybe, maybe not. In my opinion, in Germany the adoption rate for contactless transactions is relatively slow. First of all you get a new card from your bank or your credit card company, and even if you have that, you still need a terminal which can actually handle contactless transactions, and if you then finally do a contactless transaction, the cashier is looking at you, because that's not how it worked before, and then in the end you get your goods, but there are always some surprises waiting for you. What we're looking at tonight is, first of all, what makes a contactless transaction, from the blueprint, what stages we go through, and then we need to discuss ways of converting your smartphone into something for simulating a contactless card. In addition to that I want to talk about making payments more secure at the point of sale or on an e-commerce site in general, where we talk about tokenization, and then we have all the information that we need to actually look into Android Pay and Apple Pay, and in the end I just want to give a quick outlook on how I could envision the next steps when it comes to contactless transactions and transactions at the point of sale in general. So looking at contactless
transactions: this is a relatively new technology and you might think, well, somebody came up with something new and that was the state of the art, but if you look at the underlying protocol you see that this just brings you the transactions, so the protocols and the workflows that are used for contactless come from the ones used for contact (chip) transactions. Basically you take what you have and put NFC on it, and that's it. And because I'm not going into too much detail when it comes to contactless, I'm not going to the lowest level, looking at the specs, looking at the protocols and what actually makes a transaction work in the end, what data elements are involved, but for us
it's important to first have a look at what is actually involved in a normal transaction, and this is not only true for a contactless transaction; a contact transaction using a chip card is using the same entities. So on the one hand you have yourself as a shopper, as somebody who wants to buy something, and you have a credit card, and this credit card is given to you by a bank, by your bank, and because this bank issues you the card, this bank is called an issuer. And then on the other side you have a merchant who owns a store and he wants to accept credit card payments, so he needs a terminal, but just the terminal doesn't give him anything, he needs to have a merchant account with a separate bank where in the end the money is basically put onto, and this is called an acquiring bank or acquirer. So now we have two sides and they by themselves look fine, but in some way we need to bring those two together, and what we use is a network, and in our case we use payment networks, and this would be for example the Visa network, the MasterCard network, the American Express network, the networks that are available, and they connect to the acquirers and the issuers so that in the end the payment can be transacted basically between all parties. Now that we know who is involved in a transaction, let's have a look at the different
phases or steps we go through during a transaction. Before you can actually make a transaction you need your card, so this is the card issuing step, and the merchant needs his terminal, so this is the terminal provisioning where he gets the terminal configured, gets the correct configurations loaded there, and then sets up and configures what kinds of cards should be accepted. And then we are at the point where you want to make a transaction, and there we basically go through three distinct phases: we have the phase where you attach your card to the terminal, then a phase where the terminal is doing some internal stuff, evaluating the data it actually received, and most likely after that it will go into a phase where it basically goes online, uses the network, talks to the issuer of your card to check if you have funds on your account and if this transaction is genuine and should actually be approved. After that we have a separate phase which is not that important for us, which is the transaction settlement; this in the end makes sure that the money moves from one account to the other, and we're going to focus on the three highlighted here. So
imagine you go into a store and want to pay with your card. The first thing is that on the terminal the amount is basically shown, and you as a shopper go there and tap your card on the terminal. So the terminal in this phase basically sees: OK, I have a contactless card in my proximity and I have a basic idea of what kind of card this is, is it a Visa card, is it a MasterCard, is it a JCB card, you name it, and the first thing before I continue with the transaction is that it activates a special kernel. What a kernel is is the implementation of a payment workflow that is specified by the schemes, so these are the mandated workflows for how the card and the terminal interact as part of a contactless transaction, for Visa, for MasterCard for example. All this was easier during a contact transaction because there was only one kernel; now we have seven kernels and each payment scheme has its own. After the correct kernel has been loaded and activated, the kernel drives the transaction between the card and the terminal, and the next phase is the data exchange phase, where the terminal asks the card for some data to be given out in order to complete the transaction. What this normally includes is first of all the account data, that's the credit card number and expiry date, information like that, which is crucial for routing the transaction to the correct bank and making the transaction work in the end; then you get from the card the signature on some specific data elements that the card generates, which allows the terminal to check if the card is an actual payment card; and the card also generates a cryptogram, and that's in the end a cryptographic hash which allows the issuer to verify that the transaction is genuine and that this is in fact a recent transaction and not a replay, for example. All of this data exchange just happens between the card and the terminal at this point. After that you can remove your card, and that's also one of the big differences already:
if you would do a contact transaction with the chip, the chip card needs to be in the terminal until the end of the transaction, and here this is done; you cannot remove it, and you don't accidentally walk away with it and forget about it. So these are some usability features also. The next
phase we're looking at is then what's happening on the terminal. At this point the terminal is doing something: first of all it checks if this card should be accepted at this location. It could be that the card should only be used domestically in a country, but it's not the country of the merchant; it could be that this card is an ATM card and shouldn't be used at a retail location, for example. Those things are basically checked first. In the second step the terminal is verifying the authenticity of the data it receives from the card, and for that there is a public key infrastructure in place: at the top there is a root CA from the payment schemes, below that we have an issuer CA from the actual issuer of the card, and then we have certificates which are put on the card itself. The terminal, as it is reading the data, got this kind of signed data, and using the public key infrastructure the terminal can actually check if the signature that was created by the private key on the card was created by an entity which at some point was signed by the root CA. And then as a last step there is the phase of cardholder verification. You probably all know this: you go to a supermarket, pay for a couple of things and in the end you're asked for a signature or a PIN. With a contactless transaction, if you are below a certain limit you're not asked for anything, but nevertheless you're going through this phase. And most
likely, especially with contactless transactions, at the end the terminal decides: well, I should go on and check if this card actually has the funds that I want to get from it, and then the terminal starts a chain of transactions, of hops: the terminal sends the data, including the account data and this cryptogram, to the actual acquiring bank; from there the acquirer sends it to the global payment network, and based on the first digits of your credit card the payment network knows what the actual issuer is, because every issuer has been assigned a specific number range; and then in the end the issuer receives this kind of data, sees the cryptogram, and basically is able to verify that this is a genuine transaction made with the card that it says it is, checks if the funds are available and then hopefully approves the transaction in the end. Then this OK goes from the issuer back to the terminal, it shows approved, and in the end you get your goods and can leave. So that's basically looking
at a whole transaction. Looking at it as an entity, let's talk about what kind of data is exchanged, because I think it's interesting to see what is actually sent from the credit card, and again there are other talks which have some more detailed information on that. What you basically get is account information: you get the primary account number, the credit card number basically; you get your Track 2 equivalent data, and that's basically a data element which mimics the data that would normally be on the magstripe, if you still have one, and there are networks which only route those kinds of information and not the whole transaction data, meant for backward compatibility and legacy reasons; this is still present, and then you have the expiry date. Then you have verification information, so what kind of verification should be supported; the card can make some recommendations, the terminal has some information on what it actually supports: does it have a PIN pad, doesn't it have a PIN pad, should signature be accepted, information like that. Then we have the authentication data, and there you basically get the reference to the root CA public key from the card schemes, and you get the public key of the card itself and the resulting signed data to check on the terminal if the transaction is valid. And then you have the authorization data, which is, aside from the card information, the amount and currency, which is crucial, I mean in the end you want to get a specific amount during the transaction, and then you add the date and time and the cryptogram, which allows the issuer to verify that the transaction is genuine. That's the basic information that's used during a transaction. The protocol that is used for the communication between the card and the terminal is ISO 7816, and that's basically what's known from talking between any card reader and a chip card, and the
payload is BER-TLV encoded, and that's a format which allows you to add more or less data as part of your communication. If we talk about the communication between the terminal and the acquirer, or the entities behind that, you have mostly a variant of ISO 8583, especially with the acquirers, because the banking networks use it, and it's a bitmap-based format which has some very particular bitmap combinations, and it's a pain to deal with if you want to send a valid message there. So, comparing NFC to ICC: why should I use it, what's the benefit, why would you go for it? Normally you have a lot faster transaction times; there are timing limits on how fast the card and the terminal need to interact in this first data exchange phase, and you can also remove the card already after this phase, and this is normally completed within a second. But you also get some benefits when it comes to verification methods and limits, so they introduced, or rather rediscovered, something which is called "no CVM", so this means you don't have to provide a signature or a PIN, and they introduced limits under which you don't have to provide a PIN, and in the end this was probably added to incentivize you as a shopper to use contactless transactions. But then again we also have legacy, and this means that NFC transactions run in two operating modes: the EMV mode, which is basically upgrading the ICC transaction to contactless, and then we have magstripe mode, for those networks, back then in the US but also in other countries around the world, which can only route magstripe information, not EMV or ICC information, and this relies heavily on just using the Track 2 equivalent data. So
now we have seen how a contactless transaction is made, what steps we go through, what is required as part of the data elements for you to make a transaction, but I want to talk about how we can actually make a smartphone simulate or emulate such a card, and not everybody should be able to just say, well, I want to have my card on my phone and that's it. There are two distinctive ways on how you can do this. The first one is basically using something which is called a secure element, which is an enclave for cryptographic and sensitive information, which once it receives this kind of information no longer gives it out; it's a microcontroller if you like, and your normal chip card is basically a secure element, but nowadays we also have phones which include this. So
again looking at the parties: if you talk about secure elements and basically providing this information required for making transactions to a secure element, what do we need there? On the one hand we need the smartphone, in this case we are talking predominantly about a smartphone which has this kind of secure element and which at some point receives the information and data required for emulating a card, and then we have something which is called a trusted service manager. This has existed for a long time, and this is also an entity which normally provisions your actual card, and it holds the cryptographic keys to actually modify data within those enclaves, and this entity is also then linked to your smartphone and has the power to actually load information in there. In the past I have also seen secure elements as part of the SIM cards, but there for example the trusted service manager was the mobile operator, so yet another player in there, and this never really took off. So we have our next try with the smartphone and some entity which is a trusted service manager, and there's not just one service manager, there are a lot of them, and the one provisioning your smartphone is the one that otherwise provisions smart cards, your traditional credit cards. But those are the two roles which play a major role when it comes to making a secure element able to make contactless transactions. So looking at when
do we actually get the data into the secure element: I mean, you want to make a transaction with the secure element you have, so we have to do it before you can make the transaction, but most likely you already have a card, so this happens right before your first transaction; after that you can make as many transactions as you like. And looking at how
this whole thing works out in the end: you as a user normally enter your credit card number on your smartphone, you scan it, you enter it manually, something like that, and then your smartphone, or your app, talks to the trusted service manager: hey, I want to provision this kind of card. The trusted service manager only has a connection to your issuing bank or a group of issuing banks, and then there are checks: well, I want this card on my secure element or on this specific phone, can I do this? And normally the first thing the issuer is doing is talking to you as the holder of your card on a second channel, an SMS, an e-mail, whatever: hey, someone is asking to provision your card to a smartphone, is it actually you and do you approve this? In the end, as long as you don't do anything nothing is happening, so you actually have to confirm this, and then the issuer gets active again and provides to the trusted service manager the information, the cryptographic keys, that need to be embedded into the secure element, and from there it goes back to the smartphone, and from there on your smartphone is actually able to just mimic an actual smart card and drive a transaction at a contactless terminal, at a credit card terminal. But well, I mean, in the end I
talked about cloning and emulating; that's not really true, as we saw. What we do, we rather provision an additional card that is added to the secure element, and this means that the issuer has means to distinguish between: hey, are we doing a transaction with the actual card, or are we doing a transaction with the phone which has been loaded with the information on how to make a card? Also, now we have a smartphone in place and we don't have a dumb card, we have something which has logic in there, and it also has biometric sensors, other means of verifying that there's actually the right person using the phone, and what this basically changed or added was an additional verification method which is called consumer device CVM or on-device verification. Those of you who have used Apple Pay maybe in the past: this is when you press your home button with your finger and authorize the transaction by this, and this is basically the verification on the device that the right person uses the smartphone for making the transaction. When we talk about the data that is loaded onto the secure element, this is basically the same as if you would get a chip card or any card that was actually handed out by your bank, but most importantly it always includes the symmetric and asymmetric keys that are needed for generating the signed data and the cryptogram, and this is what makes the transaction be at the same security level as if you would use a traditional card, to the level where you use your smartphone for a transaction and it uses the same verification methods on the terminal level and also on the bank level to see that this transaction is actually genuine. This is one way to do it,
but not everybody has a phone which has a secure element which is trusted by all the issuers, and this is why we have another way of making a smartphone able to act as a card, and this is called host card emulation, and what we have there is
basically a smartphone, could be any smartphone; you need to have NFC capabilities in there, but other than that we don't have many requirements, and then you have your traditional payment network or the issuer which is behind that. What's happening here is that your smartphone no longer receives those general and permanent cryptographic keys, but it only gets limited-use keys, or one-time keys, a codebook that can be used for a couple of transactions from the network, but it cannot be used for repeated transactions.
Same as with a secure element, you want to make a transaction with the information that was provided, so this host card emulation provisioning also needs to happen before actually making the transaction, but in addition to that, in contrast to the secure element, you only get information that you can use a couple of times, so you need to have a constant network connection in order to make repeated transactions. And if you look at basically how
this looks in the end: you enter your credit card information on your smartphone, you scan it, whatever, and this directly goes to the payment networks, so there is no trusted service manager there, and then, depending on the solution you're using, either the payment networks themselves generate those one-time keys that can be used for making a transaction, or this is again forwarded to the issuer, the one who gave you your card, and they are then generating those limited keys, and they are then basically sent back to your phone, but the data that you receive isn't stored in a secure element, it's stored within your application data.
So comparing those two methods, HCE versus secure element provisioning: one of the benefits of HCE is that you don't need a totally secure environment, but if you have it you can still use it, so you can also put your one-time keys into a secure element, for example. Normally with HCE you only get limited-use cryptographic keys which are stored within the app and which need to be renewed every now and then, and this is also then the catch: well, what happens if your smartphone doesn't have any reception and you want to make a couple of transactions? After you've used your limited number of keys to basically generate the cryptograms for the transactions, you're out of keys, so at least every once in a while you need to have network connectivity to refresh the number of keys that you have available. And you can also see that HCE is receiving a big push from the industry, so actually the payment schemes, the payment networks themselves, provide SDKs for developers to add this into their applications, which abstract away the need for communication and give predefined interfaces that you can use for making the transaction. This basically is, if you look at it from their side: every transaction that is made through one of the networks makes them some money, so they want to basically bring more people onto that, and they don't have an influence on a secure element, they cannot modify it, but they can bring app developers to use HCE for their transactions. Well, now we know how we
can get data on a terminal, sorry, on a credit card, sorry, on a smartphone, and now we have this data on there and it can simulate an actual card, but well, in the end I don't want my credit card data lying around in some kind of application written by some app developer, or maybe not even by a bank, I mean we have seen what this would result in. So there's another thing that was recently introduced, which is called tokenization, and what this does is basically replace your credit card number with a token equivalent; this has the same form, the same length, again for legacy reasons probably, and this can be used interchangeably with your actual credit card number, and this is something that can then be stored within your phone. Well, new features,
new players: we now have a token service provider, that's a service which stores mappings between tokens and the actual card number and provides interfaces to add new ones and to convert from one to the other, and then you have a token requester, which requests new tokens from the service provider or asks it to translate from one to the other. Luckily this happens in the same phase
as if you would do HCE or secure element provisioning, so you also want to basically convert your credit card number to a token before you actually make transactions,
and what this looks like is that you have your phone which knows about the credit card that you want to use; this thing goes to the token requester, which for example could be Apple, could be Google, and what they do, they add some information about who you are, maybe your credit history with iTunes or something, or the app, and they then talk to the token service provider and provide them with the card number and this information on how they know you, and they then talk to the payment networks, and from there it goes into the issuer, and the issuer can say, well OK, this account exists, it's valid and it's OK to add it as a token basically, and then this OK goes back to the token service provider, and it basically stores the card number, generates a token and gives it back through the requester to your phone, and then you have a phone which knows about a token; it can discard the card number and uses the token now for every transaction.
Well, why would you want to use tokenization? Well, it provides security benefits, so the account number is no longer used outside of the payment networks, and the other benefit is that you can limit the scope of those kinds of tokens: you can say, well, this token was requested by Apple, so this is only valid for point-of-sale transactions using NFC; all other kinds of transactions are not possible because it's not intended to be used like that. And the other benefit is that the tokens can be revoked individually, so for example if you have two devices and you load your same credit card on both devices, they will receive a different token on each device, and that means if one device is compromised you can basically cancel this token but the other ones are still working, and your actual credit card number isn't compromised because it's not stored there. Think of it as app-specific passwords, which are used to effectively authorize something that you give one entity and which you can remove at any time without affecting the others. And the other benefit is that you can use the token not only for point-of-sale payments, you can also for example use it in an e-commerce context, on Amazon for example. All right, so we know about
how we can make a phone act as a card, we know how we can make this more secure, and now we can look at Apple Pay and Android Pay because they use exactly those kinds of information. To make it short: Apple Pay
uses the secure element on the iPhone that you have, and in addition applies tokenization, and as a result you get Apple Pay. And if you look at Android Pay, this is rather similar, but they don't have a secure element, they have a fragmented market, they cannot make any assumptions, and this is why they are basically betting on host card emulation, and in addition to that they are also applying tokenization, and in the end this is Android Pay. If you now look at a transaction,
what kind of workflows are happening there, what kind of data is exchanged: let's assume we already basically went through the initial stage of presenting the card to the terminal; actually we got rid of the card, so we present the phone to the terminal, it reads the data, and only in this online phase where we actually go to the issuer, instead of having your credit card number you now have the token, and in addition to that you have the cryptogram that was generated exactly for this transaction, for example by the secure element. This traditionally goes into the acquirer and then to the payment network, and I want to stress that this is happening inside the payment network: the payment network sees, well OK, this is a token, it's not a card number, so first I have to ask the token service provider, hey, can you convert this back to a card number for me, and so the token goes to the token service provider and you get returned the actual card number. But this happens within the credit card networks, where more or less every piece of information that's flowing around is visible in plain text anyway, and from there on the payment network knows, OK, this is a Visa transaction and this card belongs to, for example, my bank, and then this data is given to this bank, and the bank then does all the checking: checking the card, in this case it's a smartphone, and the other parameters for the transaction, and then gives its OK back. That's basically what makes up a transaction when using HCE or a secure element, in particular Apple Pay or Android Pay, and in this scenario Google or Apple would play no role in this process as soon as the data elements are provisioned; they are more or less out of the transactions and they also then no longer see the actual card data. So
now we've seen, OK, Apple Pay and Android Pay and what this adds in terms of security. What's happening after that? Well, first of all, especially in Germany I won't actually be able to use that, so I envy my friends in the US who use it on a daily basis; I'm sitting here and I cannot use it. But if you look around there are other things happening, and there's
something which is called issuer-based HCE, and the idea is that, well, we don't really need a token manager in the workflow; I can actually now give out tokens to my customers with my own app, and I can also give them the keys that are necessary for that, because I'm the one who defined them and was issuing them in the first place. So this is a chance for those issuers to give out cards just by provisioning the card to your actual phone without sending you a physical card, and this is just one of a number of payment methods, and traditional banks are slow to adapt to new technologies, and then there are players which basically came in, and for example especially in the Southeast Asia region we have new ways of making a transaction which remove the card and the terminal altogether, and then we end up with Alipay or WeChat Pay, which use a QR code on the phone and an application on the phone of the merchant to make a transaction. And the thing about legacy: on the one hand, those big networks enable you to actually use your cards in Germany, in Spain, in Mexico, in the US, in Iceland, and this will not change overnight; there are too many parties involved and everyone has their own agenda, so probably in the next years we will see other methods, but we will always see credit card terminals, credit cards and smartphones and the plastic cards. To finish with a personal touch: I work in this area and it's a very slowly progressing area and it uses a lot of legacy code, but in the end this is the best place for you to actually improve something and to find new areas where you want to improve, and this is actually how I got into this, and with that I want to thank everybody. Thank you.
and right we got enough time for questions please line up at the microphones if you're interested in anything you ask something to c mon do we have an internet question currently not it's so all the microphone number 3 degrees that that's all those things as the most right you mentioned that the token requester at some data like credit history something when they wanted to know can critique briefly explain why this is necessary what this information is used for and well in the end this information was protected from somebody you talk about the pay that uses a combination Apple has a history of if you actually um recent user of this card if you have used it for a long time how credible you our and this is just used for making sure that a 2nd card is issued to the the right person and in the end this is the most likely error for Apple Pay for example that somebody's using your and had a 2nd 1 to his full and not to your phone and and and those kind of information that is just making sure that the right person actually use or requesting a 2nd card on the phone is kind of fingerprint it's kind of a what I would say fingerprint because it's not uh um um reused at a later point it's just that point and and the collection of the off you put a view of the current moment of what you have been done and how authentic this request seems to be alright for those who are leaving these alluded to the lower down your voice and the noise which do have going on here so microphone number 1 please those was you any difference the cost of uh for you was secure mental just post complementation so the maximum among all what happens in case of fault all what happens if the network form useful to me so this depends on the city provider of the H a C solution and in general they among the same level 1 but I'm the 1 who gives out this 1 times the could could limit and to a certain amount of being on the outer limit how many 1 using only get at at a certain point so 5 or 10 is normal and and 
yeah you're right if your phone is loaded and somebody else gets access to those as they can be used for actually imposing on obtaining poster and then making a transaction time but this is limited to like the ones that you receive this is you y you limit the number of the number of tokens that you get for h c because they are not protected as if you would be using a secure element then the bank play play me you all users so it is an interesting part and I don't know about any case so and I don't know I'm this property is a case-by-case analysis but let's move on to microphone number 6 the sum of the in case of multiple parts of the reason why this range uh is uh collision detection and constant evolution to all of general law and so nothing happens and so yeah this is detected from the army guys who basically invented the conduct aspects are set well OK the detector collision we say well just present 1 card so all you get on an such indicating to you as the 1 was running parts OK please just like 1 part that it probably to make it easier to differentiate which contradict should be used and not adding new the new selection interface to busy pull on the transaction yes but consistently labeled and you can you can that this will not work or a microphone number 2 please hi um so uh if you go back to the US this year element provisioning stepped in and get a really nice to see that on the screen separate look yeah and
so the the bottom 2 lines is that that's basically people in the this secret keys right and so what's on the issue to the arms to the class of service manager and then to the demand is basically what a standardized lot if you want which holds a lot of private capital piece for the asymmetric and symmetric encryption is that those are accredited grows well kind yes so they are encrypted by some or between the issuer and the service provider and then from there to the to the phone so come it's not like you just apply the lesser or something but it's actually they have shared the switch encrypt this on both sides so it's only the service provider can do this year and you only the writer has the knowledge about how all of these economies can have reason and the keys fractured training data in the dead so and who is there so in in case of Apple pain of this is at the and in any other case it was I don't know what any other solution which is you secure element to make our a conductance transaction work and and well in the AC case we don't have this entity but it could be for example if you talk about a traditional of part and then this could be for example but you might open the door the creators of the or the there are many factors off the actual cards that you get sent by the by the bank and then the keys of those secure elements are the 1st 5 years so there's not 1 provider with every key but committee there are a couple of entities which sent and have their own access their carts basically it so what we're interested only in the general to the next question in this is a dialog from sorry it's a little too much with an question please just about after the agent wants to know whether are token steady-going Levis or they have updated and would that be an advantage to changing them and and so the that the 1 time he said are but I so very we talking about that opens and so the token once it's busy provisions they anomaly static and until you basically say what I wanna add 
another cart in the same cart you would probably get a different token but in general it's Stacy static and yes there would be benefit in Chinese regularly just removing some fingerprinting options there are some but i s as things if the the major benefit of actually having this kind of of option is on that you can hide your extra credit card number and this I think most of the primary focus on them yeah microphone number 4 please you were talking about payment networks like MasterCard and we say the same technology used for contactless payment cards known as a hero places completed and it's a similar mean that your cat has its own kernel which should be running on the terminal and you don't have this this global payment at work if you will but you have like a local German network from which is connected to different service providers and about the handling overall this is more or less similar In microphone number 5 please I I I I I hurt or I often hear that risk management is 1 of the most important things for credit card institutes are pretty important thing the any experience in this or do you know if there really is so much money stolen from the cat institutes or during the transaction a minus against a differentiator I mean there are and credit card are you sure other companies who have been doing this long time especially in Europe they are very keen on checking the data as part of the risk management and when you me was introduced in the yes there were instances where the bank introduced you me but they didn't take any data so you could just send inference action they would be approved I'm so yes so this happens from time to time um but if the correct checking is implemented then from this is a very hard OK let's get back to microphone number 3 hello I think you forgot to mention the of the you can play with the phone or near Bay was the phone because some banks are also the changing of the guard that near field communication sticker that you can just put on 
the back of the film and it works even when you don't have the signaling that the easiest way was this works and and yes you're right this is also 1 of the options that you can use In this case unit don't doesn't necessarily need a phone you can stick this to anything and and true this is like a key fob or something that you carry on with you and this also works this has been tried in Germany for example and the network operators and the mobile and so on have tried this book it didn't reach critical mass and amateur golf and then they bird it I guess this is now the next try of of getting to the masses my country in linear that's released by the bank and then you can play with well is just not additive them to the detection credit card as but in number 1 in microphone please OK so it will get my 1 of the last so can't couple of years ago and for the 1st time that I could pay contactless I had to
pay with the contact attention the cards is there a technical reason for that but I don't know I think this is just checking that everything is OK and that the account is still available from some otherwise you could for example use uses card for the law of undergoes limits and without needing any pain or anything else I think is just the 1st is check them but there's no technical reason for it and microphone number 6 please and then using host Continuation Holdings Limited use keys get updated the ferry prior court order interaction of Saturn automatically so this normally happens behind the scenes so you as a user of the smartphone don't see this some this happens basically as synchronously in the background of and whenever the Fonsie's well what the applications use well I'm running out of keys and it refreshes that's got a microphone to please uh I a height and could you elaborate a bit on why the banks are pushing uh more for host cards angulation then S C I understand why Google uses who's got emulation but the banks are pretty powerful and entity and good basically put their weight behind forcing manufacturers user sees why don't you and solved from what I understand yes they couldn't put more force than that but in the end you also need manufacturers who 1 supported and if you're looking for example at at and wanted there might be 1 manufacturer who and to seek relevant to their phone but well 1st of all you need to basically be able to cater the from markets and Saladin markets and so media Germany don't help me if Chinese makers adding this to his smartphone and I'm also not so sure how a how how much I would trust this implementation so secure element is basically and has a sink abilities of a card and so we need to a trusted entity in there and this is I think whether the 1 the surest BCD focus more on host condemnation because they're the connection influences they don't have any external requirements of us some some manufacture adding some stuff there 
and for example with them but they just need a reason handset with thing and what for plus some and then they want to go next alright and any questions from the internet the note that and let's go on to microphone number 4 please so thank you for the great talk I wonder if there are any alive it changes of when that this thing you will work closely with the mobile by arrived like secure element and was recommendation cool is liable for the for all its in this case is because there are no new players for example of the trusted service providers which basically owns the security of the cryptic use all of the latest card but overall this doesn't anything the same as if you would use your credit card and yes there's somebody with you can put data in your secure element but those types of entities have been existing in the past the ones who pretty provisioned you all actual physical cart and and they undergo the same some certification or I don't know what how we would call this like the same requirements in order to become 1 of the it comes to securing your data and so in the end and the same liability is there and and as long as you use you know the and you are protected by it except for if you use a pen or something what do whatever the banks come up with Indian down but the general idea for using the liabilities with the with the the bank 2nd skull question is there such a thing as an offline no contact is payments and the there is how widespread technically yes you can use it and but this and really shifts the liability and some because then you are ignoring the result of the transaction and the just trying to accept that some but yes the differences between saying well I wanna use that I wanna work in in a strictly off environment and some I have often approved transactions and which could also happen but no I days but I think in almost all countries that I have been working with some there's this this floor limit which indicates a timer when should they go online 
for transactions and this is 0 so anomaly every transaction is authorized online but i and microphone number 5 please I think there's some simulator I'm on hold us in verification work and and how is it different different from that so chip can so when looking at a chip transactions you know only have 3 ways of verifying it tends to can basically check this offline so just between the time and the card and then you have 2 ways of encrypting it or doing it text so this is how the Tamil communicate with a card and actually ones that appear to be verified and then there's a 2nd a 3rd option which is online pin where the pin magentization crib that on the term and then together with the authorization sent to the bank and the bank checks at the pin is actually valid and when we talk about off of conductance transactions that only a 3rd option is actually available so if you use a pin for conic this action is always goes to the to the shore fought for checking and because there is no court anymore for refined the pain of and microphone number 3 please my question would be about the pain Germany banks in Germany seem to be reluctant to accepted and implemented 1 reason seems to be that they have to give up of the the share of the the the transaction in detail that transaction fee that would is the like this would be so how does the how does it know about the transaction in which data is sent to to apple when I pay with uh with the phone so I don't want them to be involved to confusion yes in an Indian year aren't some well in order to basically be able to use at the pay on your phone your our needs to participate in this charade some of provisioning cart and this also then means that they enter an agreement that a percentage of every transaction is busy paid out to at the and and this happens basically independently of making the transaction so the the shores are aggregating preceded the transactions and then busy providing ample with information of how much they get 
there is no direct feedback as of of as part of every transaction flapper that women a prediction about this and this means that you get that so this is like a trusting a contractual agreement between the issue and the and that book the microphone number 1 please I also variable transaction privacy and is this any different of offender at they do they get a need for of the transaction data and so this is kind of similar and also there I In general at the gluon doesn't get any transaction data and they have access to the same elements that you has as part of a transaction and but after you apply that to tokenization you ought to just half Europe replaced the account number and in the they could do more and to be honest I don't know what it was and what they had to store and what is basic east and transferred as part of transaction but I would assume that this is similar to whatever does because this a highly sensitive topic and if there's any wrongdoing there then this would create a rich shits they were given time there is 1 more question left is looks like please microphone for those great talk but I've seen you missed some saying OK back and maybe I missed it but you never mentioned number 26 with his QR-code paying well I would say that's pretty similar to the pattern payment methods which pretty come up and and this is a way where you no longer need a card actually you just adjust my form to display a QR code and this is then scanned at the their catches system and on this basically includes information of of making the transaction here and yes to right this is a valid way of doing this is to for example in Germany and that's um I want to focus on actually making like a cloning or making part payments with which is smartphone those with um as a replacement for a for nomocratic parts of the focus on that yeah it's thank you OK thank you very much c mon um apologies again for the small delay thanks a lot how was to was that
what this is and the and the thank you people it that if the the at

Metadata

Formal metadata

Title: Decoding Contactless (Card) Payments
Subtitle: An Exploration of NFC Transactions and Explanation How Apple Pay and Android Pay Work
Series title: 34th Chaos Communication Congress
Author: Eumes, Simon
License: CC Attribution 4.0 International:
You may use, modify and reproduce, distribute and make publicly available the work or its content for any legal purpose, in unmodified or modified form, provided that you name the author/rights holder in the manner specified by them.
DOI: 10.5446/34826
Publisher: Chaos Computer Club e.V.
Year of publication: 2017
Language: English

Content metadata

Subject area: Computer science
Abstract: This talk will dive into the techniques and protocols that drive contactless card payments at the Point of Sale. We will explore how Apple Pay works on a technical level and why you are able to 'clone' your credit card onto your phone. Building upon previous C3 talks on the topics of EMV and ICC payments, we will learn about different NFC payment options, why legacy will never die and how the individual card brands have specified their payment workflows.
Keywords: Security
