EMV Cards Vulnerabilities Detection Using ANN
HAJJI TARIK
Faculty of Engineering Sciences (FSI),
Private University of Fez (UPF)
Fez, Morocco
hajji@upf.ac.ma
Abstract— the Artificial Neural Network (ANN) was exploited
in several research works as a mechanism of clustering,
diagnostic, detection and classification. This is what our proposal
is aimed at. Indeed, we had used the neural network to evaluate
the integrity of an EMV (Europay MasterCard and Visa) Card by
detecting the vulnerabilities. First of all, we had used the state
transition diagram presenting the interaction between a terminal
and an EMV card to generate the authorized interactions and
unauthorized ones (considered as vulnerabilities). Then, we had
exploited these data to implement a neural network with the
ability to evaluate the EMV specifications by distinguishing
between the vulnerabilities and normal cases of interaction. In this
paper, we will discuss in detail the mentioned steps.
Keywords— Card; Neural Network; Security; Vulnera-bility
I. INTRODUCTION
Following the massive bank data thefts that have affected
large distributors, many are pushing for the adoption of smart
payment cards. But for some experts, fraud do not disappear
completely. EMV also called ”Chip-and-PIN” is widespread in
the world, it is in fact used as a payment system for bank cards.
The information securely stored on an integrated circuit of the
card and the customer’s PIN, allow payment terminals to
authenticate each credit card. However, EMV specifications
still raise security issues, and vulnerabilities affecting these
cards have already been exploited in the real word.
Two modes of possible attacks against the system:
”Preplay” and ”No PIN” attack [2]. In the ”Preplay” attack [1],
the card inserted in the payment terminal can be charged for a
transaction carried out with fraudulent cardused in another
terminal somewhere in the world. In the second type of attack
”No PIN” [2], the criminal uses stolen card connected to
mobile terminal in which there is an another card doctored.
This coupling allows to bypass the PIN verification step at the
point of sale and validate fraudulent transactions. The objective
of our work is to ensure that no security step has been skipped,
including cardholder PIN verification step. To do this, we
propose in this paper, our methodology for verifying the EMV
transaction between a terminal and an EMV card using neural
networks.
The paper is organized as follows: the second section
presents the related work including PIN bypass attack on EMV
cards, vulnerability tests generation and neural networks for
javaCard.
978-1-4673-7689-1/16/$31.00 ©2016 IEEE
Noura Ouerdi
Lab. MATSI, ENSAO
Mohammed First University
Oujda, Morocco
noura@gmail.com
In the third section, we give an overview of EMV card. The
fourth section highlights our new methodology of
vulnerabilities detection for an EMV card based on neural
network. The fifth section details neural network
implementation in three stages: Data normalization, learning
and validation. We end with a conclusion.
II. RELATED WORKS
A. Attack on EMV cards: PIN bypass
The principle of the attack is based on an intruder between
the payment terminal and the stolen card. The intruder has a
FPGA computer that modifies negotiation between the
terminal and the card: on one side, the terminal submits the
PIN inserted by the thief to the FPGA, that always responds
OK, on the other side, FPGA chip lets to believe the stolen
card that the terminal does not know the PIN and requests for
the current customer signature.
This attack is based on several vulnerabilities, including:
• The fact that EMV tested by the Cambridge team [2]
accept transactions without PIN: Is it the case of chips
issued by banks?
• The negotiations between the terminal and the chip are
not encrypted;
• During the online authorization, the bank has no way of
knowing the nature of the authentication (PIN or
signature).
What is really impressive is that the attack works even with
an online authorization (when the terminal calls the bank). This
is not a crypto attack like YES-card attack [1] where the pirate
is programming his own chip with both a random account
number and certificate. Here, the nature of the transaction is
perfectly valid: the card being used is stolen, but it is real. It’s
just the PIN control which is bypassed.
B. Vulnerability Tests generation for EMV Card
There are several types of vulnerability tests, weare inter-
ested here to the tests that can be run on an EMV card. We
quote: Tests based on models MBT and fuzzing tests. Testing
of security applications using MBT techniques seems an
interesting approach to test for security vulnerabilities [8]. As
previous part of this work [4], we have already proposed a
methodology for generating vulnerability tests for an EMV
card. This methodology is based on Model Based Testing
approach.
In the first part of our past work [5], we generated the
abstract test cases based on a SysML model [7]. Indeed, we
used the SysML language to model an EMV transaction
between an EMV card and terminal. We generated thereafter
the formal model EventB that we used to generate the abstract
test cases. For this, we used the VTG tool [6]. As a second part
of this work, we have transformed abstract test cases into
concrete tests [4]. These tests represented vulnerability tests
executable on an EMV card. Concerning Fuzzing tests, they
are considered as popular technique to test for security
vulnerabilities [8]. The results obtained by fuzzing on a smart
card show that for security vulnerabilities, testing by fuzzing
techniques are not really effective, but they remain
complementary to conventional testing techniques [9].
C. Neural Networks
The neural networks are an artificial approach for address-
ing learning and reasoning problems. Thanks to their parallel
processing of information and their inspired mechanisms of
nerve cells (neurons), they infer properties that can solve
complex problems.
Therefore, the neural networks are now used for all kinds of
applications in various fields. In this context, a new detection
approach for fault attacks based on neural networks was
proposed for Java Card [10]. For this, a Java class has been
developed, and then a neural network was established to
differentiate the paths followed by the program during its
execution by the smart card. For the test, the neural network
has been built in an open source virtual machine and uses
learning and test set.
D. Learning and test sets
For both tasks, it is desired that the neural network gives
the right outputs for a set of examples, called test set. For this,
a set of examples, on which the network will train and learn, is
used. This set is called the training set. The examples of the test
set do not belong to the training set. The test set is much
greater than the learning one.
The operational set consists of all real examples encoun-
tered during the end use of neural network. With this method
based on the distinction between training set and test set, the
neural network must be capable of generalization.
III. APPLICATION DOMAIN: EMV CARD
A. EMV Standard
Since 1995, EMV is the international standard of security
of payment cards (smart cards). It takes its name from its
founding organizations: Europay, MasterCard and Visa
International.
One of the initial objectives of the EMV standard was to
allow the deployment of ”multiapplication” cards, otherwise
many applications can be on a single card, for example:
• An application to debit the current account;
• An application ”credit” to debit the associated credit
reserves distinct of the current account;
• An electronic purse.
The transition to EMV Standard payment cards has the
following two advantages:
• Security improving(fraud reducing) ;
• More precise control for ”offline” credit card transac-
tions(without bank authorization request).
The standard ISO/IEC 7816-3 [15] defines the protocol
dialog between the smart card and the terminal. Under this
standard, the data is exchanged according to the APDU
protocol. This means that the terminal sends a command to the
chip, that processes it and returns a response.
B. EMV Transaction
EMV transaction is performed according to the following
steps [3]:
• Selecting the EMV application;
• Application processing initialization;
• Reading records;
• Card Authentication;
• Cardholder identification (PIN code, signature, ...);
• Terminal Risk management terminal;
Risk analysis and terminal action (Payment accepted
offline, declined offline, Authorization Required);
First analysis of the card risk; Online Authorization
Application (if appropriate); Second analysis of the card risk;
Running the transmitter final script (updated card set-tings,
Card locked, ...).
IV. OUR NEW METHODOLOGY OF
VULNERABILITIES DETECTION IN AN EMV CARD
A. Elaboration of the state transition diagram
In this research, our main target is to detect vulnerabilities
of an EMV card using neural networks. For this, we propose a
methodology based on a state transition diagram which models
an EMV transaction between a terminal and an EMV card. We
used the model that we have develop previously as part of the
work [4]. Except that we simplified here this model by
omitting loops. The objective is to ensure relevance of neural
networks. The new model is presented by the The figure 1.
In figure 1, the transitions represent the APDU commands
sent from the terminal to the EMV card, while the states of
diagrams show the different states of the Terminal-Card system
after execution of the associated command APDU.
As a brief explanation of this diagram, an EMV transaction
begins With the sending of SELECT APPLICATION
command in order to select the appropriate application by its
AID (Application IDentifier). The state of Terminal-Card to attacks. In other part, the objective of our system is to detect
system will become ”Application selected”. whether the entry is a valid path or an attack.

Fig. 1. Our state diagram Fig. 2. The associated graph

Then, the terminal sends the second command GET

PROCESSING OPTIONS (GPO transition) to initiate the TABLE I. GAC TRANSITIONS AND THEIR MEANING
selected application. The terminal reads the data stored on the
GAC Transition Meaning
card as records, using the command APDU READ RECORD.
The fourth step is the card authentication. There are two types GAC1_AAC_ARQC_AAC The first call of GENERATE
of card authentication: static authentication (SDA transition) AC command with parameter
and dynamic one (presented by INTERNAL AUTH and GET TC, AAC or ARQC
CHALLENGE transition). Then, the EMV transaction cryptogram. It returns AAC
proceeds to CardHolder authentication via the VERIFY cryptogram
command. Finally, the transitions starting with GAC represent
the APDU commands GENERATE AC which constitutes the GAC1_ARQC_ARQC The first call of GENERATE
heart of the transaction through the cryptograms transmission. AC APDU command with
These last transitions are explained in the table I [4]. ARQC cryptogram
parameter. It returns ARQC
B. Elaboration of the Graph for neural network cryptogram.
To use neural network, we should have a graph with integer GAC1_TC_TC The first call of GENERTE
vertices. Therefore, we propose the following cor-respondence AC APDU command. TC
between the states of our state diagram and vertices of the new cryptogram as argument and
graph (Fig. 2). TC as return value.
GAC2_TC_TC The second call of
V. NEURAL NETWORK IMPLEMENTATION GENERATE AC APDU
An ANN is composed of three types of layers; input, command. TC cryptogram as
hidden and output ones. Each layer contains one or multiple argument and TC as return
elements corresponding to neurons. The value generated by a value.
neuron and which is calculated by taking into account the CAC2_AAC_TC_AAC The second call of
parameter synaptic weight, aliments the neuron belonging to GENERATE AC APDU
the next layer [11]. command. It takes as
Concerning the patterns used to aliment the input layer, we parameter AAC or TC
deduce the possible paths from the graph. These paths are cryptogram and returns AAC
considered as the normal patterns. We consider that any path cryptogram.
which is different from the normal patterns is an attempted
attack. Then, we deduce the abnormal patterns corresponding
 Consequently, we have a single output neuron that takes: 0
if it is a normal case 1 if it is an abnormal case meaning an
attack The strengths of the neural network reside in learning,
objects identification and a better interpretation. This has been
a good reason for employing it to detect intrusions and attacks
A. Data normalization
As mentioned above, the vertices of the graph are affected
to the network’s inputs. Even if the vertices values are
numerical, it is necessary to adapt them to the format of the
network input which is between -1 and 1. By using the Alyuda
Neurointelligence [16], this step (named also the
preprocessing) is realized automatically by thetool.
B. Learning
Learning is the mechanism by which the synaptic weights
are adapted and modified in order to obtain network outputs
which match the desired ones. In order to train the network, a
part of patterns are used in this step. And other patterns are
employed to test the learning rate.
C. Validation
During this phase, the synaptic weights are fixed and the
network must be alimented by new patterns (different from the
patterns employed in the training phase). By taking into
account the synaptic weights, the network calculates the output
which must be as close as possible to the target.
D. Obtained results
As mentioned above, the patterns which have been em-
ployed to aliment the network are generated from the graph.
The paths shown in the figure 3 are considered as normal
patterns.
Fig. 3. Valid patterns
[12][13][14][10] and also to detect vulnerabilities which is
the aim of this work. So, it is necessary to take first three steps:
data normalization, learning (called also training) and
validation.
Consequently, any path which is different of all these
patterns is considered as an attempted attack. We have
generated 236 abnormal patterns. And as an example, we
present some invalid paths by the figure 4. The invalid
passages are highlighted with red color.
Fig. 4. Invalid patterns
A part of these patterns is employed during the first step
which is the network training, and a second part is used to
validate the network ability.
According to the obtained results, we conclude that the
network is able to detect all of the abnormal patterns without
any false positive.
This means, the network detects 100% of the vulnerabilities
and does not confuse them with the normal patterns.
VI. CONCLUSION
Nowadays, smart cards offer great computing power and
they embed advanced hardware security mechanisms. How-
ever, this potential security offered by the hardware platform
can be defeated by implementation vulnerabilities at the
application level [9]. Since we process EMV cards dedicated to
the payment, communication between the terminal and the card
must be secure.
To verify that embedded applications on an EMV card are
safe and functional, we proposed a new methodology based on
neural networks. This methodology takes, as starting point, the
state transition dia gram which models an EMV transaction
between a terminal and an EMV card. Then we adapted this
model in order to have an operable graph with neural networks.
Indeed, we proceeded to the trans-formation of different
states of the state transition diagram into integer elements.
These elements represent the vertices of the graph on which
our neural network will be based. This later involves three
essential steps: data normalization, learning and validation
step. To feed the input layer of our neural network, we used
extracted paths from the graph as valid patterns. Otherwise, all
paths that are differents from these valid patterns are
considered as invalid patterns. After validation step, we
obtained valuable results, the network was able to detect all of
abnormal patterns. This proves the effectiveness of using
neural networks in the context of the vulnerability detection of
an EMV card. As future work, our goal will be focused on
comparing our methodology with other vulnerabilities
detection method-ologies, and studying the effectiveness of
each method in order to extract the best technique adaptable to
vulnerability detection for EMV cards.
REFERENCES
[1] M. Bond and O. Choudary, S. J. Murdoch, S. Skorobogatov, R.
Anderson,Chip and Skim: cloning EMV cards with the pre-play attack,
IEEE Symposium on Security and Privacy, San Jose, CA, 1821 May
2014.
[2] S. -J. Murdoch and S. Drimer, R. Anderson and M. Bond, Chip and PIN
is Broken, IEEE Symposium on Security and Privacy, 2010.
[3] EMV. Book 1-2-3-4 Application independent ICC to Terminal
Interface requirements, 4.3 edition, November 2011.
[4] N. Ouerdi and M. Azizi, M. Ziane, A. Azizi, J.-L. Lanet A. Savary,
Security Vulnerabilities Tests Generation from SysML and Event-B
Models for EMV Cards, International Journal of Security and Its
Applications Vol.8, No.1 (2014), pp.373-388
http://dx.doi.org/10.14257/ijsia.2014.8.1.35
[5] N. Ouerdi and M. Azizi, M. Ziane, A. Azizi, J.-L. Lanet, A. Savary, EMV
Card: Generation of Test Cases based on SysML Models, 2013
International Conference on Electronic Engineering and Computer
Science. IERI Procedia 4 ( 2013 ), pp 133 138
[6] A. Savary and M. Frappier, J.L. Lanet, Automatic Generation of
Vulnerability Tests for the Java Card Byte Code verifier, Network
and Information Systems Security (SAR-SSI) conference, 2011.
DOI:10.1109/SARSSI. 2011.5931379. may 2011.
[7] N. Ouerdi and M. Ziane,A. Azizi,M. Azizi, Abstract tests based on
SysML models for EMV Card, Security Days (JNS3), 2013 National.
26-27 April 2013. IEEE. DOI : 10.1109/JNS3.2013.6595461. Pages 1
6.
[8] M. Felderer and B. Agreiter, P. Zech,R. Breu, A classification for
model-based security testing, Advances in System Testing and
Validation Lifecycle (VALID 2011), 2011, pp. 109114.
[9] J. Lancia, Un framework de fuzzing pour cartes puce: ap-plication
aux protocoles EMV, Symposium sur la Scurit des Technologies de
lInformation et des Communications (SSTIC), 2011.
[10] I. ElFarissi and M. Azizi, J.-L. Lanet, M. Moussaoui, Evalu-ation of
Detection System of Fault Attacks based on Neural Network into a
Java Virtual Machine. INTERNATIONAL JOURNAL OF COMPUTERS
AND TECHNOLOGY. Vol 10, No 3. Pages 1275- 1380
[11] J.P. Rennard, Neural networks, Vuibert, ISBN 2711748308, First
Edition, 2006.
[12] R.Beghdad, Critical study of neural networks in detecting intrusions,
Computers and security 27, p 168-175, 2008.
[13] I.ElFarissi and M.Azizi, J-L.Lanet, M.Moussaoui, Neural Network VS.
Bayesian Network to Detect Java Card Mutants, AASRI Procedia 4, p
132-137, 2013.
[14] I.ElFarissi and M.Azizi, M.Moussaoui, Detection of smart-card
attacks using neural networks,International Conference on
Multimedia Computing and Systems (ICMCS), p 949-954, 2012.
[15] ISO/IEC, ISO/IEC 7816: Identification cards Integrated circuit cards,
(2005).
[16] http://www.alyuda.com/neuralnetworks- software.htm, Alyuda
Research, LLC, 2001-2015.