I'm doing a grad-school software engineering project and I'm looking for the protocol that governs communications between ATMs and bank networks.
I've been googling for quite a while now, and though I'm finding all sorts of interesting information about ATMs, I'm surprised to find that there seems to be no industry standard for high-level communications.
I'm not talking about 3DES or low-level transmission protocols, but something along the lines of an Interface Control Document; something that governs the sequence of events for various transactions: verify credentials, withdrawal, check balance, etc.
Any ideas? Does anything like this even exist?
I can't believe that after all this time the banks and ATM manufacturers are still just making this up as they go.
A shorter question: if I wanted to go into the ATM software manufacturing business, where would I start looking for standards?
Well, there are lots of interbank networks. I would guess that each of them communicate differently. The stickers on the ATM (Cirrus, STAR, Pulse, etc...) identify which network the machine participates in. I do believe, though, that the "structure" of the message is dictated by an ISO standard. Cirrus is a Mastercard owned network and PLUS is a Visa owned network... I'd scour their sites to see if they publish any API details.
Edit, by request:
Have a look at the following ISOs 15022, 20022, 9362 and 4217 -- http://en.wikipedia.org/wiki/Category:Financial_routing_standards
ISO 8583 is dominant.
Also, take a look at EMV.
The ATM to bank link can be proprietary or standard. It is only upstream where inter-organisation wire level interoperability is needed, that standards become always necessary.
ISO 15022 definitely doesn't cover ATM to bank. So far, it covers further upstream. And is now superseded by ISO 20022 - "originally named ISO 15022 2nd edition".
ISO 20022 covers the total scope of financial services, and acts as a super forum for ISO financial services protocols.
There are two basic protocols, ISO8563 and IFX (a financial XML subset) but many banks us protocols supplied by the vendor, because these include Device driver protocols that drive the ATM 'States', There is also a reporting protocol where the ATM reports its cash and usage statii.
Related
I'm going to write a Java Card applet to convert my card into an EMV compliant card.
1- The question is how can I do that?
As far as I know, there are four EMV specifications known as EMV Books which contain principles of EMV cards (Chip characteristics, file structure and also the list of APDU commands). Do I need any other specifications to implement my applet or these are all I need? If there are some other specifications which I need, are they freely available or they are proprietary?
2- Do EMV cards have an specific Applet AID?
EFT-Lab provided a good list of applet AIDs. As you see below, there are a lot of AIDs which belong to Visa International (as vendors) that all are "EMV" types. Why does Visa International have a lot of different AIDs for its EMV applets? What's the difference between these applets?
3- Is there any open source EMV applet? Is there any Java Card that has an EMV applet/package by default?
4- Is there any specific difference between contact and contactless EMV cards? (I mean in the file-structure or in the APDU commands)
1- The question is how can I do that?
Yes. Implement the specifications. If there are any other requirements (and surely there will be) then they should be referenced in the specs.
2- Do EMV cards have an specific Applet AID?
Because they offer specific functionality? You may even have multiple applications on the same card. Note that it is possible to select applications using a partial AID (see how the Debit & Credit card partially match). The VISA specific cards are likely used internally only, e.g. when servicing cash machines.
3- Is there any open source EMV applet? Is there any Java Card that has an EMV applet/package by default?
Not likely. It would be rather unusable because it would require EMVCo security evaluation to be accepted. So you need some kind of payment structure to pay for certification and audits. No open source initiative is likely to pony up the cash up front.
Often these kind of implementations require techniques to avoid vulnerabilities that need to remain secret; smart cards do not offer perfect security after all. That's perpendicular to open sourcing an implementation. So if there is anything out there it must be created out of academic interest (e.g. for testing the security of the protocol, proof of concept etc.).
4- Is there any specific difference between contact and contactless EMV cards? (I mean in the file-structure or in the APDU commands)
Generally it is more about which parts of the applet are available or not. The fact that most applets can be used in dual mode probably speaks for itself otherwise.
This paper seems to have a good introduction to the possible differences.
Is there any open source EMV applet? Is there any Java Card that has
an EMV applet/package by default?
Was working on a similar project and found this github repo. According to the owner:
This is a fully working EMV applet for javacard 2.2.1.
I am trying to develop a custom cryptographically secure protocol for authenticating through an RFID smart card, all I can find over the internet are generic info on how write static Tags into the card.
For my project I need for the reader to send a Challenge nonce to the card (fixed length random bytes), then the card should send back the challenge encrypted with the hard-coded key (for example with AES CBC) or an hash HMAC.
The problem is: how can I program the card to do such behavior? I can write the code to do so, but how to "flash" it to the card. Also the code for the reader is not a problem (I want to use an Arduino with a reader module).
And then has a passive chip enough power to do this kind of calculations or is better to use an active one, considering that the distance would be few centimeters, such as behind a door?
A passive tag can't do this. Those just hold serial numbers that they spit out back.
You need some smarter card. You have basically two choices:
1) Choose a general-purpose card that fit your needs
The authentication scheme you describe is very widely used, and implemented by virtually all general-purpose smart cards, whether with contact or contactless (RF) interfaces (or both). If you go this way, you don't need to program the card with your own code, you just need to get the specs and initialize the card with the key value you want by sending the appropriate commands. And actually, with these cards, there are often generic tools available to initialize them. Easy.
Mifare (by NXP), for example is very widely used, easily available, and cards are cheap (drawback: it is certainly not the most secure cards ever made). You could use Mifare Classic - with proprietary NXP security protocol - specs here (be careful, the reader must be compatible) or Mifare UltraLight C, with open 3DES crypto - specs here. There are other variants, as well (e.g. Mifare Plus, which uses AES). Just don't go for the simple Mifare Ultralight, which doesn't provide authentication means. You'll see that for all these type of cards, there is a builtin authentication scheme that can functionally fulfill your needs (it is actually a mutual authentication, so it does more that what you require, but it's fine).
FeliCa (made by Sony), ACOS3 (made by ACS - specs here) are other possibilities, although I'm less familiar with it.
2) Get programmable cards
There are some, but it is not very easy to find for contactless and they are very expensive. You can lookup:
BasicCard (ZeitControl), which exist with dual interface. Those cards are programmable in Basic, and there are some kits available (but I'm not familiar with it either).
JavaCard (any manufacturer), which is a standard, but those are hard to find for small volumes. A few online shops seem to have some, though. These cards are programmable in Java (actually a subset of Java). There are tools available for the development phase (from Oracle, or even as Eclipse Plugins, for example). Then, for loading your custom applet in the smart card, you need to get familiar with GlobalPlatform, which is another (publicy available) standard, describing the way applications are managed in a smart card. This would be too broad to describe in detail here, though. You can find resources on the internet, but this road is definitely the most difficult.
Note, that NFC just describes the communication method and tells nothing about the intelligence available on other side.
More intelligence is needed (the command you seem to look for is called EXTERNAL AUTHENTICATE in ISO 7816-4), but does not help for your range problem, since the weaker the field, the less power is available. The idea of having communication through the door will only work for doors which are so weak, that a high-tech electronic protection won't improve overall security. The maximum distance achievable with standard field strength (heart pacemakers and similar devices limit that one) with nothing more than air between suffices typically for something like 10 centimeters. So for me it seems that your reader has to be on the outside and needs to be mechanically hardened against tampering itself.
(What would help, is a "card" with its own power source, so the field is only required for communication. As far as I know, this is mostly provided by a sort of external sleeve.)
What dim fails to mention is the product group of so-called native cards, which are typically only programmable with significant manufacturer support (non-disclosure agreement, probably fee involved), but luckily contain functionality for most use cases already, in your case the commands Get Challenge and External Authenticate.
I have a couple of questions concerning BLE beacons:
1) Are beacons based on nRF51822 chip the best solution? Or are there any other chips better than nRF51822? I want to take up BLE beacon development and struggling to find the right hardware for these needs. As a novice developer I want the beacon to be as cheap as possible in order not to waste money in case of a failure.
2) Is it possible to buy pure Eddystone beacon (not iBeacon)? The reason for choosing Eddystone is that Eddystone is capable of broadcasting URLs that are essential for me.
The second question stems from my failed attempts to find a pure Eddystone beacon on Chinese electronics sites like alibaba.com or aliexpress.com where the only firmware available is iBeacon. But iBeacon is not an option because it can't broadcast URL the way Eddystone does.
Apart from the above questions It would be great if someone wrote a quick guide for taking up BLE development with Eddystone and covered basic topics like: chip to use, beacon model, best website to buy beacons at, etc.
Thanks in advance,
Pavel
1) I've worked with Estimote beacons and Chinese beacons from Amazon and in my opinion, they do not differ in terms of accuracy too much. Especially for prototyping, I'd buy cheaper ones to test if your use case can be satisfied with BLE beacons. If it is too inaccurate with Chinese beacons, chances are that it won't work with more expensive ones either.
2) Why do you need the URL broadcast? If the app is going to use the url, it would have to be connected to the internet. Therefore, you can just query the beacon's IDs to a web service to get back an URL and use that. Personally, I think this is a better approach as you can configure the web service from anywhere to change the url for beacons where as if you want to change the URL of the Eddystone, you have to go to the beacon to configure it.
The nRF51822 is a common implementation, is flexible, well understood and can be very inexpensive. Be aware though that development costs, add on circuitry for power and/or peripherals, and packaging can easily eclipse the Bluetooth chip when you get to production cost savings.
If you want to buy an off the shelf beacon, most models supporting Eddystone also support iBeacon, simply because supporting both adds no additional hardware cost. Newer Radius Networks and Estimote beacons all support both. And, yes, cheaper generic Chinese suppliers often have bulk manufactured inventory from before Eddystone existed at only support iBeacon.
I've a question,
If exist some extra component on a electronic circuit, Is it a security thread? for example in a VGA card, If exist a component except its standard component on it, Is it a security threat?
Is there any paper about this? I've searched the web, but up to now, couldn't find a proper paper.
Thanks
There has been some new coverage of examples of something similar being done with routers, such as this article from the guardian:
The NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers. The agency then implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on.
(...)
Eventually, the implanted device connects back to the NSA.
(...)
It is quite possible that Chinese firms are implanting surveillance mechanisms in their network devices. But the US is certainly doing the same.
There's a little more (and also some blury images purported to be of NSA operatives in action) in this techradar article.
These deal with bigger components though - as in whole routers getting tampered with - not just a small circuit or card, so this may not be exactly what you are looking for(?). Still it gives an indication of not just what is possible, but also of some of the motivations that exist; it's a pretty brazen act for the NSA (or anyone else) to intercept and tamper with hardware in this way, yet it does happen.
What is the difference between SIP and H.323, I mean what are the salient features between them?
To start with ,
SIP is text based while H.323 is binary.
SIP is by IETF while H.323 by ITU.
SIP is basically request-response based like HTTP, while H.323 is not like that(is based on session).
What were the motivating factors which led to SIP's development?
How is one advantageous from other?
Both are relatively the same on the technical side - there are differences, but you can use both to run a VoIP service.
They both started at about the same time to develop, with H.323 gaining more traction in the beginning and SIP taking center stage in the past several years.
The main advantages of H.323 is the level of interoperability it provides in existing video conferencing equipment - something that can't be matched by SIP today (yet), and the fact that it holds most of the deployments of video conferencing in enterprises.
The main advantages of SIP is a larger ecosystem and dominance in voice calls and PBX systems. And the fact that it is viewed as the future of VoIP (at least to some extent).
I also wrote about it in the past in my company's blog: http://blog.radvision.com/voipsurvivor/2011/03/24/ask-an-expert-which-protocol-do-you-prefer-sip-or-h323/
H323 is familiar to telecommunications people. It reuses many concepts, terms and protocols from ISDN.
SIP is familiar to internet people. It's a lot like HTTP, re-uses all the response codes and standards like URI-s, uses the DNS well, etc.