We have a web application and would like its users to enter PIN numbers for their debit cards in the web-based UI. However, we must be able to perform DUKPT key management and TDES encryption on the PIN number, and we are beginning to think that DUKPT will force us to use an actual, manufactured "PIN Entry Device", like a swipe card reading device.
This seems to be the case because the key management scheme requires the device to have a list of 'Future Keys' and/or a 'KSN'/'Key Serial Number'.
Does anyone know for certain if this DUKPT requirement will mean that we must enter PIN numbers via the PED all the time? If so, that will likely kill our hopes to have users enter them into a web page.
Thank you!
I want to understand how and where I can perform an EMV Transaction online PIN Verification.
Suppose I have a few POS terminals and also a Visa Cybersource account. I'm able to perform an EMV Transaction on the terminal; however, most EMV Transactions request that we perform an Online PIN verification. I'm able to extract the basic details needed to charge the card, for example data, trackData, PINBLOCK, KSN and some TLV Data.
I can't find resources to perform an Online PIN Verification if the EMV Transaction requests it, especially on the VISA Cybersource developer page; in fact, I don't know where to perform the verification or how it works.
A brief lesson and directed resources will be appreciated.
A few things you need to understand to verify PIN, and in most cases this is very much the standard, but can't help unless you share more details.
PIN Block is formed from Card number and PIN, and mostly by ANSI PIN Block format 0
The received PIN block is Triple DES encrypted by the sender's key called AWK (acquirer working key)
You need to have the corresponding key IWK (issuer working key).
Send card number, PIN Block, IWK, PIN Block format, PIN Verification Key, PIN verification Key index to HSM
HSM will respond with whether PIN is successful or no.
I've been playing around with the A6 Gprs chip from Ai thinker.
So I was able to send a SMS:
AT+CMGF=1
AT+CMGS=0031612345678
Is it (technically) possible to change (spoof) the sender phone number?
Or can I do it with other chips, like SIM900?
AT commands A6 chip
Typically the phone number is not stored in the SIM card. You have an IMSI inside the SIM card, and this IMSI is bound to your phone number and an authentication key named Ki in the network operator's databases.
When you want to use the operator's services, your device (the chip, the handset, etc.) sends the SIM card's IMSI to the network operator. The network operator searches its database for that IMSI to see if that IMSI is valid or not. If it finds that IMSI inside the database, then it generates a random number, encrypts it with the corresponding Ki (that is stored in the database) and returns that encrypted data to your SIM card. As your SIM card is aware of its Ki, it can decrypt the random number and return it.
Finally, if the network operator receives the correct random number from the SIM card, you are authenticated to the network. After that, when you call someone or send a message, the network operator concatenates the phone number inside the database with your messages and sends them to the other side.
So, no you can't!
If you want to spoof phone numbers yourself, you need to set up a PBX solution like Asterisk, and you need service with a VOIP carrier that allows you to self assign the outbound CNUM data. Those with a legitimate need to do this (corporate PBX admins for example) already know how to accomplish this trivial task. Many others who wish to spoof are up to no good, so I am not going to lay out the details beyond what I have already said. The simplest (perhaps only?) way to spoof cell phone numbers is to run your call through your PBX and back out. I do this all the time to protect my personal cell phone number - however, the number I am sending is simply my home phone number for my VOIP line. No dirty tricks here. If you have a legitimate business need talk to the business sales department at your carrier.
Being somewhat of a newbie I was wondering if there is a way to hard-code something on a peripheral that would only allow a single unique central/master to connect.....?
i.e. / eg
I have the ‘simple chat’ Arduino app on a RedBearLab Blend-Micro (which is for all intents and purposes the same as an Arduino Uno with a BLE shield) and I only want one single / unique phone to BE ABLE TO connect with it and therefore work with it.
My understanding is that the GAP handles security features during a BLE connection.
Therefore, is there some way to ‘code’ the peripheral device in / below one of the following includes:
spi.h ?
boards.h ?
EEPROM.h ?
RBL_nRF8001.h (or similar) ?
Other?
Didn't quite get an answer from Restricting the BLE peripheral device to connect to only one Master
OR
Am I stuck with EVERYTHING connecting but coding the peripheral in some other way in a GATT profile (I think) to ONLY do something with a predefined unique central/master (how/where to code?).
Many thanks for thoughts in advance
Being somewhat of a newbie I was wondering if there is a way to hard-code something on a peripheral that would only allow a single unique central/master to connect.....?
There's the "Advertising Filter Policy" as specified in the Bluetooth Core V4.0 specification. It's a byte in the Advertising Parameters as specified in Section 7.8.5 LE Set Advertising Parameters Command.
For example the value 0x02 reads Allow Scan Request from Any, Allow Connect Request from White List Only.
Then there's section 7.8.16 LE Add Device To White List Command.
That said, if your device conforms to the Bluetooth 4.0 specification, it should support these HCI commands. However, there might be functions that simplify these procedures, wrapping those HCI commands for easier use. Check the documentation of your device for such methods.
Good Luck!
I was asked to answer this question via email. It's been almost a year since I quit working on BLE. So I only answer this question based on my memories.
Basically #dominik has it right.
If the device is freshly new, it should advertise normally (without setting the whitelist only bit), then any central device could connect and bond. Once it is bonded, you should save this bonded flag and the bonded master's bd_addr to EEPROM. If the next time the master is lost, you will advertise with that white-list-only flag set. If a new central tries to connect, you could verify if its address is the same as your master.
I don't have the BLE spec at hand and I kind of forgot a lot about BLE already. Probably the spec says somewhere that if a central sees a peripheral device is broadcasting with white-list-only flag set, it wouldn't try to connect if it doesn't recognize that peripheral device. This saves both some effort.
But a master could always initiate a connection to your peripheral device regardless of the white-list-only flag. So checking if the connecting central device's address is the same as your previously bonded master is the last resort.
[Update]
I used CSR1010 chips. I remembered that the BLE stack actually allows me to insert a list of bd_addr to the white-list data structure maintained by the stack. Then, with the white-list-only flag set, the lower-level stack layer will help you filter devices that are not in that white-list without your knowing.
However, you can always filter bd_addrs from your application code.
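The two HCI commands named in the first answer and the application-level address check from the second, as an added example that is not from either answer: it builds the raw command packets with the 0x02 filter policy and compares a connecting central against the stored master. The H4 UART framing byte, the advertising interval and the sample address are assumptions; a given stack may wrap these commands in its own API.

```python
# Added example: HCI packets for connect-from-white-list-only advertising.
# H4 framing, interval and the address used with it are assumptions.
import struct

OGF_LE_CONTROLLER = 0x08
OCF_LE_SET_ADVERTISING_PARAMETERS = 0x0006   # Core spec section 7.8.5
OCF_LE_ADD_DEVICE_TO_WHITE_LIST = 0x0011     # Core spec section 7.8.16
POLICY_SCAN_ANY_CONNECT_WHITE_LIST = 0x02    # value quoted in the answer

def _hci_command(ocf: int, params: bytes) -> bytes:
    opcode = (OGF_LE_CONTROLLER << 10) | ocf
    # 0x01 = H4 "command" indicator, then opcode (little-endian) and length
    return struct.pack("<BHB", 0x01, opcode, len(params)) + params

def _addr(bd_addr: str) -> bytes:
    raw = bytes.fromhex(bd_addr.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("bd_addr must be 6 bytes")
    return raw[::-1]   # HCI carries addresses least significant byte first

def add_device_to_white_list(bd_addr: str, addr_type: int = 0x00) -> bytes:
    return _hci_command(OCF_LE_ADD_DEVICE_TO_WHITE_LIST,
                        bytes([addr_type]) + _addr(bd_addr))

def set_advertising_parameters(filter_policy: int, interval: int = 0x0800) -> bytes:
    params = struct.pack(
        "<HHBBB6sBB",
        interval, interval,   # min/max advertising interval (0.625 ms units)
        0x00,                 # ADV_IND: connectable undirected
        0x00,                 # own address type: public
        0x00, bytes(6),       # direct address type/address, unused for ADV_IND
        0x07,                 # advertise on channels 37, 38 and 39
        filter_policy)
    return _hci_command(OCF_LE_SET_ADVERTISING_PARAMETERS, params)

def commands_after_bonding(bonded_addr: str) -> list:
    """Sent before advertising is re-enabled, once the master's address is stored."""
    return [add_device_to_white_list(bonded_addr),
            set_advertising_parameters(POLICY_SCAN_ANY_CONNECT_WHITE_LIST)]

def is_bonded_master(peer_addr: str, bonded_addr: str) -> bool:
    """Application-level check of the connecting central (the 'last resort')."""
    return _addr(peer_addr) == _addr(bonded_addr)
```

Centrals that use resolvable private addresses change their address over time, so a stored address matches only if the stack resolves it with the bonded identity key first.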
I would like to use a GSM modem to make a voice call to a phone number, play a recorded message, wait for a digit to be pressed and then disconnect the call. The system needs to know if the line was busy, if the user answered and which digit was pressed by user (if any). It should drop the line if nothing is pressed in 30 seconds. If user presses the digit before the question is completed then the voice should stop (user doesn't have to wait). Also, it would be nice if system could handle invalid digits (play "invalid digit" message, play original message and wait for input). Multiple calls in parallel would be nice, but I guess this is not possible?
I have found this article which explains low-level interface quite nicely. However, this question is more pragmatic - which libraries and which GSM modem would you recommend? OS is Linux, modem can be either RS232 or USB. I would prefer Python, but C(++) is ok too.
BTW: this is not telemarketing, it is a notification system. Not that it matters... ;)
EDIT: I learned this system is known by keyword "IVR" (added for future searchers).
A modem is generally used for data transmission but it sounds like you are actually transmitting voice, albeit prerecorded voice, and tones.
Although you can achieve this with the extra voice capability of a voice modem as you have identified, it might actually be easier to use a GSM to VoIP gateway, unless you actually need the modems data capability for some reason.
You could connect the VoIP to GSM gateway to a low cost or free open source PABX (such as Asterisk) and use this to build your particular application.
Some gateways even support multiple SIMs so you can target the SIM which gives the lowest call rate for the number you are calling - for example if you know that the number you want to call is on a particular operator, then that operator may offer free 'on network' calls between its SIMs. This might be an advantage if you are expecting to make a large number of calls.
If you do a web search for 'VoIP GSM gateways' you will find some examples.
The following link provides an overview also:
http://www.voip-info.org/wiki/view/VOIP+GSM+Gateways
I am no expert in this field but it is something of a personal project that I have wanted to dive into.
Here is what I think will be the best way to do this.
1. Get yourself a VOIP GSM Gateway like this: VOIP+GSM+Gateways
2. Link into an existing PABX system or download a free one like Asterisk
Then you will need to follow the instructions of the PABX development to create your dial plans and routing. I don't know if there are any already out there but I'm sure you will find many examples of the bits and pieces you need.
I have read this somewhere:
Most mobile operators encrypt all mobile communication data, including SMS messages. In GSM, messages are encrypted using A5/1, but even when encrypted, the data held by SMS is readable for the operator. Mobile phone operators have the ability to filter and modify short messages during delivery. Also, it is possible that the operator might not filter messages on purpose but might use equipment that cannot handle encrypted messages.
I want to know: is it true?
Can someone explain how this filtering is done? And is there any solution to avoid such loss of messages on the network?
A5/1 is being used on the radio link between mobile and base station controller (BSC, the network entity that manages the radio resources). The radio link transports a couple of higher level protocols, among them MAP which is used to transport SMS.
The BSC is relaying SMS over MAP into the core network. The protocol stack between BSC and core network is not encrypted, and neither is the communication inside the core network. This was deemed not needed at the time GSM was designed; the links are supposed to be the mobile operator's very own property and territory and are therefore assumed to be secure.
The core network typically delivers SMS to an SMSC (short message service center) which is responsible for routing messages to recipients.
A network operator can read SMS in clear text in various places, e.g.
With a protocol analyzer, tapping links between network nodes
On the SMSC, in message queues (databases...) or even log files
On an MSC when tracing MAP messages
Message filtering and modification may happen on the SMSC, depending on the network operator needs.