1. Analyzing VISA payment flow
2. Transit and Offline Data Authentication
3. About domestic cards
DESC | AID | Comments |
---|---|---|
VISA | A0000000031010 | |
MASTERCARD | A0000000041010 | |
KOREACREDIT | D4100000011010 | BC Card? |
KOREACREDIT | D4100000012010 | LOCAL(V) |
KOREA(?) | D4100000013010 | LOCAL(M) |
 | D4100000014010 | Appears on EMV QR |
Domestic AIDs can be found on domestic-only cards, while cobranded cards only show the corresponding global AID.
Example: KB Domestic-only card
6F | File Control Information (FCI) Template
84 | Dedicated File (DF) Name
[7] D4 10 00 00 01 20 10
A5 | File Control Information (FCI) Proprietary Template
50 | Application Label : "KOREACREDIT"
87 | Application Priority Indicator : 01
5F2D | Language Preference : "koen"
9F11 | Issuer Code Table Index : 01
9F12 | Application Preferred Name : "KMC_CHECK"
BF0C | File Control Information (FCI) Issuer Discretionary Data
9F6E | Third Party Data
Country: Korea, Republic of
Unique Identifier: Proprietary Data not used
Device Type: 00 - Card
Proprietary Data: Not used
4. Miscellaneous Information
1) Student ID
Seoul National University’s Student ID is in AID D410000005494401.
== Authentication Flow ==
1. SELECT
-> 00 A4 04 00 08 D4 10 00 00 05 49 44 01
<- [61 2E]
2. GET RESPONSE
-> 00 C0 00 00 2E
<- [90 00] 6F 2C 84 08 D4 10 00 00 05 49 44 01 A5 20 50 14 53 54 55 44 45 4E 54 20 49 44 20 20 20 20 20 20 20 20 20 20 BF 0C 07 01 00 00 00 00 00 00
6F |
84 | "D410000005494401"
A5 |
50 | "STUDENTID"
BF0C | "01000000000000"
3. GET CHALLENGE
-> 00 84 00 00 10
<- [90 00] [ 16 byte RAND ]
4. CREATE SESSION
-> 90 8A 00 81 14 [ 16 byte RAND ] [ 4 byte MAC ]
<- [90 00]
5. EXTERNAL AUTH
-> 00 82 00 82 04 [ 4 byte MAC ]
<- [90 00]
6. READ RECORD
-> 00 B2 01 0C C8
<- [90 00] ...
01 |
02 | UNIV CODE (SNU:"0345")
03 | TYPE ("1")
04 | ID NUMBER
05 | ISSUE NO
06 | NAME (EUC-KR)
07 | ID NUMBER
08 | 000000000000000000000000000000000000000000000000
09 | PADDING
The crypto algorithm is likely to be SEED.
As suspected, reading personal information requires a SAM and key. I don’t have access to a SAM, so I can’t extract information from a random ID card.
But since they don’t do mutual authentication, I can possibly emulate any student ID if I know the correct card issue number. I made a PoC app to emulate any card as HCE, and I confirmed that it works on almost all readers.
Although some readers may use a pre-registered MIFARE UID for identification.
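The FCI returned by GET RESPONSE in step 2 can be checked byte for byte with a small BER-TLV decoder. The Python below is an added example, not the author's code; `parse_tlv`, `find` and `summarize` are names chosen here, and the input is the response data shown in step 2.

```python
FCI = bytes.fromhex(  # response data copied from step 2, status word removed
    "6F 2C 84 08 D4 10 00 00 05 49 44 01 A5 20 50 14 "
    "53 54 55 44 45 4E 54 20 49 44 20 20 20 20 20 20 20 20 20 20 "
    "BF 0C 07 01 00 00 00 00 00 00")

def parse_tlv(data: bytes) -> list:
    """Decode BER-TLV into [(tag_hex, value)]; value is bytes or a nested list."""
    out, i = [], 0
    while i < len(data):
        first, start, i = data[i], i, i + 1
        if first & 0x1F == 0x1F:               # multi-byte tag such as BF0C
            while i < len(data) and data[i] & 0x80:
                i += 1                         # continuation bytes have bit 8 set
            i += 1                             # final tag byte
        tag = data[start:i].hex().upper()
        if i >= len(data):
            raise ValueError(f"tag {tag}: missing length")
        length, i = data[i], i + 1
        if length & 0x80:                      # long form: next n bytes hold length
            n = length & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError(f"tag {tag}: bad length field")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError(f"tag {tag}: value overruns buffer")
        value, i = data[i:i + length], i + length
        if first & 0x20:                       # constructed: try to descend
            try:
                value = parse_tlv(value)
            except ValueError:
                pass                           # proprietary content, keep raw bytes
        out.append((tag, value))
    return out

def find(tree: list, tag: str):                # depth-first lookup of one tag
    for t, v in tree:
        if t == tag:
            return v
        if isinstance(v, list) and (hit := find(v, tag)) is not None:
            return hit
    return None

def summarize(fci: bytes) -> dict:
    tree = parse_tlv(fci)
    return {"aid": find(tree, "84").hex().upper(),
            "label": find(tree, "50").decode("ascii").rstrip(),
            "discretionary": find(tree, "BF0C")}

print(summarize(FCI))
```

The 46-byte length matches the `61 2E` status word from SELECT. Tag 50 carries ten trailing space bytes as padding, and the BF0C contents on this card do not parse as nested TLV, so the decoder keeps them as raw bytes.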
2) payOn
payOn is a domestic contactless protocol that’s only used on credit-based fare systems and a few merchants.
It uses MIFARE Classic 1K, which was compromised a long time ago, so it’s considered unsafe.
I managed to crack the full memory in about 3 mins, and I “confirmed” it works just fine as a real card.
== payOn Memory structure? ==
Log: [YY MM DD HH MM SS] FFFF [MERCHANT CODE?] [AMOUNT IN WON] [CTR] [PADDING?] [CKSUM]