
How does EMV encrypt the contactless transaction?

I am trying to figure out what kind of encryption the EMV standardization recommends for transferring payment information via NFC. I browsed through the specification, but I can't find any hint about this topic. I know, though, that the card manufacturers provide some encryption technology on the card itself, which has partly been compromised. Does anyone know if it's encrypted at all (I hope so) and, if so, with which technology?

asked Dec 16 '22 00:12

user1259201


1 Answer

The communication between the card and the contactless reader is not encrypted. You can easily eavesdrop and record the exchanged APDUs; I do it almost daily using a contactless spy (the Fime SmartSpy one).

But recording the dialog is not enough to clone the card. You will get access to some information (e.g. the card number, the track2 equivalent data), but:

  • you will miss information required to create a magnetic stripe card;
  • you won't have the CVV (the number written on the back of the card) required to make online purchases;
  • you also won't be able to "replay" the transaction, because the transaction data includes two unpredictable numbers generated by the terminal and the card, which are unique to each transaction and signed by the card.

The private key/certificate used by the card to sign the transaction is never transmitted during the transaction and cannot be accessed. It is this private key/certificate that is protected and encrypted on the card (I don't know the details of the security mechanisms).

The cards whose security has been compromised are some basic MIFARE cards. These cards are not used for payment applications.

answered Dec 28 '22 11:12

Nicolas Riousset
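
The replay point made in the answer above, as an added example that is not part of the original post: a simplified Python model in which a terminal issues a fresh unpredictable number, the card adds its own and signs both, and a recorded response then fails verification against the next transaction's challenge. The toy RSA key, the message layout and the names `Card`, `terminal_verify` and `demo` are assumptions for illustration, not EMV data formats or key sizes.

```python
import hashlib
import secrets

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: never leaves the "card"


def _digest(terminal_un: bytes, card_un: bytes, amount: int) -> int:
    """Hash of the signed transaction data (assumed layout), reduced mod N."""
    data = terminal_un + card_un + amount.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Card:
    """Holds the private key; only signatures and public data are sent out."""

    def respond(self, terminal_un: bytes, amount: int) -> dict:
        card_un = secrets.token_bytes(4)  # card's own unpredictable number
        sig = pow(_digest(terminal_un, card_un, amount), D, N)
        return {"card_un": card_un, "amount": amount, "sig": sig}


def terminal_verify(terminal_un: bytes, response: dict) -> bool:
    """Verify the signature against the challenge this terminal just issued."""
    expected = _digest(terminal_un, response["card_un"], response["amount"])
    return pow(response["sig"], E, N) == expected


def demo():
    card = Card()
    un1 = secrets.token_bytes(4)              # challenge for transaction 1
    recorded = card.respond(un1, 1250)        # everything an eavesdropper sees
    genuine_ok = terminal_verify(un1, recorded)
    un2 = secrets.token_bytes(4)              # transaction 2: fresh challenge
    while un2 == un1:
        un2 = secrets.token_bytes(4)
    replay_ok = terminal_verify(un2, recorded)  # recorded response presented again
    return genuine_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

The recorded response contains the card number-style public data and a valid signature, yet it only verifies for the challenge it was produced for; producing a signature for the new challenge requires the private exponent, which was never on the wire.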