EMV Online PIN Verification for POS Terminals - payment-processing

I want to understand how and where I can perform an EMV transaction online PIN verification.
Suppose I have a few POS terminals and also a Visa Cybersource account. I am able to perform an EMV transaction on the terminal; however, most EMV transactions request that we perform an online PIN verification. I'm able to extract the basic details needed to charge the card, for example data, trackData, PINBLOCK, KSN and some TLV data.
I can't find resources to perform an online PIN verification if the EMV transaction requests it, especially on the Visa Cybersource developer page; in fact I don't know where to perform the verification or how it works.
Brief lessons and directed resources will be appreciated.

A few things you need to understand to verify a PIN, and in most cases this is very much the standard, but I can't help unless you share more details.
PIN Block is formed from Card number and PIN, and mostly by ANSI PIN Block format 0.
The received PIN block is Triple DES encrypted by the sender's key called AWK (acquirer working key).
You need to have the corresponding key IWK (issuer working key).
Send card number, PIN Block, IWK, PIN Block format, PIN Verification Key, PIN Verification Key index to HSM.
HSM will respond with whether PIN is successful or not.

Related

BLE: HM10 indicate no read property when characteristic has read property

I am attempting to use HM10 as central to read data from a sensor. The HM10 has been flashed with the latest firmware V710 to use the self learn functionality.
Here is the list of messages I am sending and receiving from the HM10
First I configure the HM10 as central and turn on some notifications. Then I connect to the MAC address of the sensor. I use the AT+FINDSERVICES? command to get the list of services, then find all the characteristics in the range of that UUID. The characteristic I am interested in is 0021.
But here is when the problems start. If I try to read that characteristic I get OK+DATA-ER, which the datasheet says means the characteristic does not have a read property. Same thing with notify.
But from the AT+CHAR command we can see handle 0021 has both read and notify. I have also tried reading from the 001E handle and I get the same error. I am able to read data like the device name from another handle, so I am able to get some data off the sensor.
I am wondering if the OK+DATA-ER response can mean something else? Or if the characteristic handle isn't correct somehow. If that were the case, how would I find the correct handle?
I have tried connecting to the sensor on my iPhone using the LightBlue app and I am able to both read and subscribe to the notification. I have also tried cloning the sensor as a virtual device on LightBlue and I am able to read and subscribe from the HM10 to the phone. So the issue seems to be between the HM10 and the sensor specifically and not with either device individually.
I figured it out. Turned out to be a security issue. The sensor would allow connection but no data would be accessible unless the connection was encrypted.
The BLE sensor required pairing when it first connects to a phone and does not subsequently, so I missed that fact when I was trying to connect to it via the HM-10.
I don't believe the HM-10 supports pairing connection. I tried setting AT+TYPE to other than 0 but it would no longer connect to the sensor. I would get OK+CO11A but it wouldn't finish connecting.
I switched to an ESP32 board and used
BLEDevice::setEncryptionLevel(ESP_BLE_SEC_ENCRYPT);
This allowed me to read and subscribe to the characteristic.

Can I receive and send voice through a GSM?

I am using an Arduino Uno with SIM800L. I am trying to send voice in any way while a voice call is active, and how do I receive voice too?
I have searched a lot but found nothing, even though I have a reference which contains most of the AT commands that are applicable to my SIM800L. For example, when I make a voice call with my phone and the SIM800L, how do I receive the voice data from the GSM when I talk through my phone?
The GSM I have is SIM800L version 2; note that version 2 is different from version 1. However, it turned out that there are no AT commands to send voice while a voice call is active; you must use another pin, not the AT commands directly. SIM800L has only 7 pins, which is low. This is a picture of it: https://i.imgur.com/yxS3Apy.jpg
It does not have any pins for receiving and sending voice specialized for a voice call. So, you can answer a call and dial a number, but you can't hear or speak. So, all I can do is use another GSM that has the capability of receiving and sending voice.
However, if you would like to know if a GSM has the voice capability or not, you should find these pins or ones similar to them:
MCN (Microphone Negative)
MCP (Microphone Positive)
SPKN (Speaker Negative)
SPKP (Speaker Positive)
Search for SIM800C, which has these pins. You can also connect a basic speaker with an amplifier directly with the SPKN and SPKP, the amplifier is optional, but the sound will be too weak.

AT command set phonenumber A6

I've been playing around with the A6 GPRS chip from Ai thinker.
So I was able to send a SMS:
AT+CMGF=1
AT+CMGS=0031612345678
Is it (technically) possible to change (spoof) the sender phone number?
Or can I do it with other chips, like SIM900?
Typically the phone number is not stored in the SIM card. You have an IMSI inside the SIM card, and this IMSI is bound to your phone number and an authentication key named Ki in the network operator's databases.
When you want to use the operator's services, your device (the chip, the handset, etc.) sends the SIM card's IMSI to the network operator. The network operator searches its database for that IMSI to see if that IMSI is valid or not. If it finds that IMSI inside the database, then it generates a random number, encrypts it with the corresponding Ki (that is stored in the database) and returns that encrypted data to your SIM card. As your SIM card is aware of its Ki, it can decrypt the random number and return it.
Finally, if the network operator receives the correct random number from the SIM card, you are authenticated to the network. After that, when you call someone or send a message, the network operator concatenates the phone number inside the database with your messages and sends them to the other side.
So, no you can't!
If you want to spoof phone numbers yourself, you need to set up a PBX solution like Asterisk, and you need service with a VOIP carrier that allows you to self-assign the outbound CNUM data. Those with a legitimate need to do this (corporate PBX admins for example) already know how to accomplish this trivial task. Many others who wish to spoof are up to no good, so I am not going to lay out the details beyond what I have already said. The simplest (perhaps only?) way to spoof cell phone numbers is to run your call through your PBX and back out. I do this all the time to protect my personal cell phone number - however, the number I am sending is simply my home phone number for my VOIP line. No dirty tricks here. If you have a legitimate business need, talk to the business sales department at your carrier.

Sending All Voice Recordings to Analog Telephony Voice Logger

I want to send the voice of all extensions and conference bridge participants of Asterisk to an analog telephone cable which is connected to a voice logger (recorder system). How can it be done? I think this is possible by connecting the analog phone cable to an ATA device (Linksys PAP2) and sending the stream to that ATA extension. But the challenge is that the voice logger is not an automatic answering machine.
First I have to tell you that the idea is really strange. Asterisk can record all calls, and record storage will cost much less than any analog device storage.
If you still insist you need to send it to analog, you need a multiple-line analog device (every call record will require a different wire).
Also you need an FXS DAHDI card and/or a SIP FXS adapter to connect your recorder.
You can organize recording by using ChanSpy and/or ConfBridge as a "ghost" call to all your calls, with the other side dialling your FXS recording bank.
The complexity of such a dialplan will be above average and require significant effort and Asterisk knowledge. You can read these links to get the idea.
http://www.voip-info.org/wiki/view/Asterisk+n-way+call+HOWTO
http://www.voip-info.org/wiki/view/Asterisk+cmd+ChanSpy
http://www.voip-info.org/wiki/view/Asterisk+auto-dial+out
Another option you have is to record with Asterisk and play the recorded files one by one to your analog recorder, or just use a regular computer to play back the files to the recorder.

Is performing DUKPT encryption without a Pin Entry Device possible?

We have a web application and would like its users to enter PIN numbers for their debit cards in the web-based UI. However, we must be able to perform DUKPT key management and TDES encryption on the PIN number, and we are beginning to think that DUKPT will force us to use an actual, manufactured "PIN Entry Device", like a swipe card reading device.
This seems to be the case because the key management scheme requires the device to have a list of 'Future Keys' and/or a 'KSN'/'Key Serial Number'.
Does anyone know for certain if this DUKPT requirement will mean that we must enter PIN numbers via the PED all the time? If so, that will likely kill our hopes to have users enter them into a web page.
Thank you!
