banks

banks

Hans Witvliet

Hi all,

Perhaps a ludicrous question, but I post it anyway...

Some credit card companies or banks supply their customers with cards plus
pin-code in order to identify themselves during financial transactions.

From my focus I presume these look like ordinary smartcards.
Can these cards also be used for anything else?

Did anybody ever look at them this way?
It is not that I would try to tamper with them, but if these are safe
enough to be trusted by a bank, why could I not use them, for instance,
for setting up a vpn?

(If it is complete nonsense, just say so)

hw

Oh, and by the way, the cards of some banks even let you store money on
the card itself. And when you do a micro transaction (ticket in a car-park
or so) you only have to press the "OK" button.
Funny thing is that these banks provide small gadgets that can read the
amount still stored on these cards, and they work for cards from several
banks, e.g. different kinds of "smartcards".
Would be fun to be able to do those "readings" on my Linux PC, no?

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: banks

Martin Paljak-4
Hello,
On Aug 18, 2011, at 12:11 , Hans Witvliet wrote:

> Hi all,
>
> Perhaps a ludicrous question, but I post it anyway...
>
> Some credit card companies or banks supply their customers with cards plus
> pin-code in order to identify themselves during financial transactions.
>
> From my focus I presume these look like ordinary smartcards.
> Can these cards also be used for anything else?
>
> Did anybody ever look at them this way?
> It is not that I would try to tamper with them, but if these are safe
> enough to be trusted by a bank, why could I not use them, for instance,
> for setting up a vpn?
>

You might want to study EMV DDA

http://www.openscdp.org/scripts/tutorial/emv/dda.html


--
@MartinPaljak.net
+3725156495

Re: banks

Nikos Mavrogiannopoulos
In reply to this post by Hans Witvliet
On 08/18/2011 11:11 AM, Hans Witvliet wrote:

> Perhaps a ludicrous question, but I post it anyway... Some
> credit card companies or banks supply their customers with cards plus
> pin-code in order to identify themselves during financial
> transactions.
> From my focus I presume these look like ordinary smartcards.
> Can these cards also be used for anything else?

These cards typically support the EMV protocol (or a subset). They
have the ability to perform RSA and 3DES, so in theory there could
be a vendor (or manufacturer) that releases a PKCS #11 module that
allows you to access them. However, without it the operations
available to an EMV card are not sufficient to "emulate" PKCS #11
(and be used in other than banking applications).


regards,
Nikos

Re: banks

Andreas Jellinghaus-2
In reply to this post by Martin Paljak-4
On Friday, 19 August 2011, 11:56:13, Martin Paljak wrote:

> Hello,
>
> On Aug 18, 2011, at 12:11 , Hans Witvliet wrote:
> > Hi all,
> >
> > Perhaps a ludicrous question, but I post it anyway...
> >
> > Some credit card companies or banks supply their customers with cards plus
> > pin-code in order to identify themselves during financial transactions.
> >
> > From my focus I presume these look like ordinary smartcards.
> >
> > Can these cards also be used for anything else?
> >
> > Did anybody ever look at them this way?
> > It is not that I would try to tamper with them, but if these are safe
> > enough to be trusted by a bank, why could I not use them, for instance,
> > for setting up a vpn?
>
> You might want to study EMV DDA
>
> http://www.openscdp.org/scripts/tutorial/emv/dda.html

SDA/DDA is a mechanism used for authenticating credit card transactions
in the card / terminal / processor setup (or for offline use: card/terminal).

The new mechanisms for online banking with chipcard, reader and pin are
something different - though they might be built on top of the EMV spec.

so reading up on DDA won't help you.

Andreas
Re: banks

Andreas Jellinghaus-2
In reply to this post by Nikos Mavrogiannopoulos
On Saturday, 20 August 2011, 09:34:21, Nikos Mavrogiannopoulos wrote:

> On 08/18/2011 11:11 AM, Hans Witvliet wrote:
> > Perhaps a ludicrous question, but I post it anyway... Some
> > credit card companies or banks supply their customers with cards plus
> > pin-code in order to identify themselves during financial
> > transactions.
> >
> > From my focus I presume these look like ordinary smartcards.
> >
> > Can these cards also be used for anything else?
>
> These cards typically support the EMV protocol (or a subset). They
> have the ability to perform RSA and 3DES, so in theory there could
> be a vendor (or manufacturer) that releases a PKCS #11 module that
> allows you to access them. However, without it the operations
> available to an EMV card are not sufficient to "emulate" PKCS #11
> (and be used in other than banking applications).

IIRC for the EMV protocol you need to hand in the amount of money you want to
deduct, whether you want offline or online transactions, the service code of
the terminal (i.e. atm or store or ...) etc. That doesn't map well to pkcs#11.

Andreas
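
The point in the message above, worked through as an added example (not part of the original thread and not OpenSC code): an EMV card's GENERATE AC command takes a transaction record laid out by the card's own CDOL1, not an arbitrary digest as a PKCS#11 signing call would. The CDOL1 bytes and all transaction values are constructed sample data, and the function names are hypothetical.

```python
# Added illustration. SAMPLE_CDOL1 (EMV tag 8C) is constructed: it lists the
# (tag, length) pairs of terminal data the card wants in the first GENERATE AC.
SAMPLE_CDOL1 = bytes.fromhex("9F02069F03069F1A0295055F2A029A039C019F37049F3501")

TAG_NAMES = {
    "9F02": "Amount, Authorised", "9F03": "Amount, Other",
    "9F1A": "Terminal Country Code", "95": "Terminal Verification Results",
    "5F2A": "Transaction Currency Code", "9A": "Transaction Date",
    "9C": "Transaction Type", "9F37": "Unpredictable Number", "9F35": "Terminal Type",
}

def parse_dol(dol: bytes):
    """Split a Data Object List into (tag, length) pairs; it holds no values."""
    items, i = [], 0
    while i < len(dol):
        start = i
        if dol[i] & 0x1F == 0x1F:                  # low five bits set: tag continues
            i += 1
            while i < len(dol) and dol[i] & 0x80:  # more tag bytes follow
                i += 1
        i += 1
        if i >= len(dol):
            raise ValueError("DOL truncated: tag without length")
        items.append((dol[start:i].hex().upper(), dol[i]))  # 1-byte length assumed
        i += 1
    return items

def build_dol_data(dol: bytes, values: dict) -> bytes:
    """Concatenate values in DOL order; data the terminal lacks is zero-filled."""
    out = bytearray()
    for tag, length in parse_dol(dol):
        value = values.get(tag, bytes(length))
        if len(value) != length:
            raise ValueError(f"{tag} ({TAG_NAMES.get(tag, '?')}): need {length} bytes")
        out += value
    return bytes(out)

def generate_ac_apdu(cdol_data: bytes, online: bool) -> bytes:
    """First GENERATE AC: P1 0x80 requests an ARQC (online), 0x40 a TC (offline)."""
    p1 = 0x80 if online else 0x40
    return bytes([0x80, 0xAE, p1, 0x00, len(cdol_data)]) + cdol_data + b"\x00"

TXN = {  # constructed transaction: 12.50 EUR (0978) on 2011-08-22; TVR left out
    "9F02": bytes.fromhex("000000001250"), "9F03": bytes(6), "9F1A": bytes.fromhex("0528"),
    "5F2A": bytes.fromhex("0978"), "9A": bytes.fromhex("110822"), "9C": b"\x00",
    "9F37": bytes.fromhex("1A2B3C4D"), "9F35": b"\x22",
}
if __name__ == "__main__":
    print(generate_ac_apdu(build_dol_data(SAMPLE_CDOL1, TXN), online=True).hex())
```

Every byte the card computes over is one of these transaction fields, which is why the operation cannot stand in for a general-purpose signature.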
Re: banks

Hans Witvliet
On Mon, 2011-08-22 at 07:41 +0200, Andreas Jellinghaus wrote:

> On Saturday, 20 August 2011, 09:34:21, Nikos Mavrogiannopoulos wrote:
> > On 08/18/2011 11:11 AM, Hans Witvliet wrote:
> > > Perhaps a ludicrous question, but I post it anyway... Some
> > > credit card companies or banks supply their customers with cards plus
> > > pin-code in order to identify themselves during financial
> > > transactions.
> > >
> > > From my focus I presume these look like ordinary smartcards.
> > >
> > > Can these cards also be used for anything else?
> >
> > These cards typically support the EMV protocol (or a subset). They
> > have the ability to perform RSA and 3DES, so in theory there could
> > be a vendor (or manufacturer) that releases a PKCS #11 module that
> > allows you to access them. However, without it the operations
> > available to an EMV card are not sufficient to "emulate" PKCS #11
> > (and be used in other than banking applications).
>
> IIRC for the EMV protocol you need to hand in the amount of money you want to
> deduct, whether you want offline or online transactions, the service code of
> the terminal (i.e. atm or store or ...) etc. That doesn't map well to pkcs#11.
>
> Andreas

Tnx Andreas, Martin, Ludovic, Nikos, many others....

You have given me plenty of material to read (and as for serendipity,
relevant stuff for other projects also...)

But the main objective is to check if the cards that are issued by a bank
or credit company can be legally used for identification/authentication
for other purposes.

From what I deduced so far, on those (mostly Java) cards a
specific applet is stored, but no general-purpose keys/certificates.
So I presume that if I want to use a bank card, I can only do that with
the full cooperation of that bank. (similar to the problem we have
with the malfunctioning safesign applet & driver ;-)

Hans
Re: banks

helpcrypto helpcrypto
AFAIK, it depends on your bank card relationship

We use a bank card, that can be used for payment and cash retrieval,
and also used for authentication process.
The card is customized for our company, and has the "euro6000" logo.

The workout is the following: the card has 2 applications (DF
according to the 7816 standard), one for EMV, the other one for our own
purposes.
Some guys, a long time ago, designed the content of our card and now
I'm the one responsible for developing and maintaining the PKCS#11 interface
for auth and sign on Win/Linux/Mac.

Does that answer your question?
Re: banks

J.Witvliet
In reply to this post by Hans Witvliet

Wow, that is what I would call seriously "user friendly".
And an example for others...

Could you (offlist, as the list is non-commercial) disclose to me the name of the bank?


Hans.

Re: banks

helpcrypto helpcrypto
> Wow, that is what I would call seriously "user friendly".
> And an example for others...
>
> Could you (offlist, as the list is non-commercial) disclose to me the name of the bank?

Again AFAIK, this is a common scenario here in Spain for public
companies like the one I work for (university).
In our case, the bank is a savings bank (according to the Wikipedia
translation of "caja de ahorros"), a kind of bank that doesn't give
benefits to its owners (cough). So, "anyone" could do it. At least,
banco santander, lacaixa, bankia...

Anyhow, this is -more or less- what we have:
Dual card (contact/contactless). The contactless interface has only an id
for parking access and similar things.
Contact interface with 2 applications: one for the bank, one for our
own use with a 1024 (yes...I know...) RSA certificate for auth+sign...
Re: banks

Vlastimil Pavicek
In reply to this post by Andreas Jellinghaus-2

I think that MasterCard CAP & Visa DPA is the technology to look for.

see:
http://en.wikipedia.org/wiki/Chip_Authentication_Program

Best regards

 VLP


Re: banks

Anders Rundgren
On 2011-08-22 10:40, Vlastimil Pavicek wrote:
>
> I think that MasterCard CAP & Visa DPA is the technology to look for.
>
> see:
> http://en.wikipedia.org/wiki/Chip_Authentication_Program

Shared secrets are not generally useful with more than one ID-provider.

Anders
