Category Archives: Electronic Payments

MSc thesis: Security of Loyalty Cards Used in Estonia

This thesis identifies the card technologies used in loyalty programs across Estonia. These technologies include magnetic-stripe cards, contactless cards (in the form of MIFARE Classic, MIFARE Ultralight, MIFARE DESFire EV1 and low-frequency RFID cards) and a smart card known as the Estonian electronic identification card (ID card). Each card type implements its own security features to prevent cloning and/or unauthorized access to the content stored on the card. The contents of each card were read, and the way the card is used in the system was analysed. Where possible, a clone of the card was created and tested against the real system to verify whether it passed the authentication procedures.

This is an MSc thesis from the TUT Cyber Security curriculum. The thesis was defended in June 2017.

The thesis analyzed the cloneability of the loyalty cards used in Estonia. While magnetic-stripe cards are known to be trivially cloneable, the study also analyzed a number of contactless cards: MyFitness, Elron, Tallinn Bus Card, ISIC, SEB ISIC, Tartu Bus Card and Rimi Card. Only the Rimi and Elron cards were found to withstand known cloning attacks.


PIN2 code not needed to make payments in Danske Bank

Most internet bank users who log in with an ID-card or Mobile-ID are used to first entering PIN1 and then confirming each payment with PIN2. Danske Bank, however, has solved the matter differently and asks only for PIN1, both for login and for payment confirmation.

Annika Maiste, head of Danske Bank’s e-banking, told that indeed the same PIN code should be used for both login and payment confirmation, and according to the bank, this does not have any effect on security. “In our risk assessment, we have analyzed various attacks and concluded that the use of the digital signing function in Internet Banking may not provide significant additional protection to the user in the case of modern malware,” Maiste said.

She added that the above principle is used for both Mobile-ID and ID-card, and that the company can confirm that, although Danske Internet Bank, unlike other banks, does not ask users for PIN2, it is safe for the users.

Katrin Talihärm, Managing Director of the Banking Association, said that what kind of security code to ask is the responsibility of each service provider and they have not made recommendations to their members about it. She added that both ID-card and Mobile-ID are categorized by their definition as strong authentication tools, when used in an electronic environment in addition to PIN.

If only modern malware is considered in the threat model, then indeed PIN2 does not provide any additional protection. However, there are other attacks where the compromise of one key (the PIN1-protected authentication key) is feasible while the compromise of both keys (authentication and PIN2-protected signing) is not.


Contactless card payment limit rises to 25 EUR

Starting from October 16, all banks that issue contactless payment cards in Estonia will raise the payment limit from 10 to 25 EUR.

“The ten euro limit established in Estonia initially proved that both consumers and merchants are interested in the new payment method and it is also safe, because only the special equipment for which a contract with the bank is necessary is required to pay the payment,” said Meelis Nurk, chairman of the banking union card working group.

15% of the bank cards used in Estonia are contactless cards. By the end of the year, 80% of payment terminals should support contactless payments; by 2020, all terminals must be able to accept pay-as-you-go payments.

In Estonia the contactless payment cards are issued by Swedbank, SEB Pank, LHV Bank, Krediidipank and Nordea Bank.


Use of password cards for online banking will be limited

Modern security requirements will also be applied to online payments, which is why the use of password cards will be restricted. The bill also seeks to align Estonian law with the new European Union Payment Services Directive.

In the future, payment service providers must apply so-called strong authentication requirements when identifying a customer. In Estonia, for example, it means ID-card, mobile-ID, as well as different applications and password calculators. To reduce the security risks associated with payments, the use of existing password cards will be limited because they are easily copied. Limitations also apply to those online payments, where a combination of numbers printed on a bank card is used as the only security feature.

The security measures in question are expected to fully enter into force in the first half of 2019. The exact date depends on when the European Commission will approve the relevant implementing regulation.


Case study on Estonian public transportation RFID/NFC card security

This report discusses the security of NFC/RFID cards. It first describes the most widely used type of card, MIFARE Classic, and then considers a real-life application, namely Estonian public transportation cards. The communication between a real card reader installed in a Tartu bus and a Tallinn public transportation card is eavesdropped and analysed at a high level.

The report has been published for the UT course “Research Seminar in Cryptography (MTAT.07.022)”.


SEB mobile app demands permission to access contact list

SEB’s new mobile banking terms of service, set to take effect on March 1, state that the bank can access contacts data in the client’s phone, including phone numbers, street and email addresses of contacts. If a client does not wish to share their contacts data with the bank, they will not be able to make payments based on mobile numbers using the bank’s application.

Public relations adviser at the Data Protection Inspectorate Maire Iro said that all manner of processing of personal information can only take place with explicit permission from the person or under the conditions and pursuant to the procedure provided by law, and that the client cannot give the bank the right to use phone numbers, street and email addresses or other personal data of third persons.

Allas emphasized that SEB does not process data in the way it is stored in the client’s phone, but treats it anonymously, without the part that would allow it to identify persons.

The usability reason why the bank wants to process the contact list is clear: the bank wants the ability to show in the app which of the contacts have the app installed and can therefore receive a payment. The app cannot provide such a feature without the bank processing the phone numbers of contacts. The current version of the app already asks for technical permission to access the contact list; from March this will also be written explicitly into the terms of service. The wording should be improved, though, since there is a difference between the bank processing the contact information and an application written by the bank processing the data on the user’s device.


Legislation allows to open a bank account remotely

Parliament yesterday adopted, with 88 votes in favor and none against, the amendments to the law that will give residents and e-residents of Estonia the opportunity to open a bank account without visiting a bank office. It will be possible to open a bank account, for example, by interacting with a representative of the bank through a video call. Identification still requires an identity document from the person’s home country, but opening an account becomes much more convenient this way.

Some limits will apply to this mode of authentication. Individual persons will be able to transfer up to EUR 10 000 per month, and legal persons up to EUR 25 000.


Supreme Court declares mediation of Bitcoins subject to anti-money-laundering supervision

Yesterday’s verdict put an end to longstanding doubts about whether trading in the cyber money should be treated as an economic activity requiring a special permit: in a landmark ruling, the Supreme Court declared the mediation of Bitcoins an economic activity subject to anti-money-laundering supervision.

Uku Tampere, Police and Border Guard Board press representative:

For ordinary people buying or selling cryptocurrency in occasional transactions for their own use, the Supreme Court judgement essentially alters nothing. However, when an individual begins to publicly offer a cryptocurrency mediation service, he needs to apply for an activity licence and meet the requirements prescribed by the Money Laundering and Terrorist Financing Prevention Act.


60 percent of Swedbank’s customers use password card for online banking

Nearly 60 percent of Swedbank’s private customers use password cards for online banking. This is in 2016, when much more convenient and safer identification tools, which do not carry the EUR 200 transaction limit, have already been available for several years.

Studying the reasons shows that people are not willing to change their habits. Password cards are familiar to them, they have used them for a long time, they know exactly where the password card is kept and how to use it. They do not need to learn anything new to use it.

Another barrier is the lack of trust in the new authentication tools. People do not trust things that they do not actually get to keep, and they are not willing to go along with the changes quickly. Many assert that the EUR 200 payment limit does not hinder them.


Poorly secured WiFi router abused to send SMS messages to paid numbers

Thanks to a poorly secured WiFi network, cyber-criminals were able in a few days to run up a bill of nearly EUR 1,000 for the dining place BURKS in Tallinn.

The admin account of the EMT WiFi router was accessed and SMS messages were sent out to paid numbers (some Latvian numbers and mobile parking). This was apparently possible because the router connected over mobile Internet and its admin interface allowed sending SMS messages.