Many years of improvements in the payment systems, but one thing still constant, MSD(Magnetic Stripe Data) transactions. During Troopers 2018 conference, we presented a new tool: the NFCopy project which basically can copy a Visa NFC(Near Field Communication) transaction to replay it later implementing Visa MSD protocol.
The concept of MSD comes from Magnetic Stripe Information.
That information is located behind in the magnetic band. It is also called mag-stripe info which basically is constant data that never changes.
- What is a MSD transaction?
MSD refers to the idea of making a NFC transaction with magnetic stripe data. Why is that bad? The NFC protocol was designed to have secure elements in the middle of the transaction that should change in every payment(Cryptogram, Application Transaction Counter,…). Those elements validate in different ways that only the authorized user can make that transaction.
For example, if point of sales systems continue accepting MSD transactions, malicious users could implement mobile devices to emulate magnetic stripe data and perpetuate fraudulent transactions without arousing suspicion.
More than four years ago, someone was able to implement MSD for Android: https://github.com/dimalinux/SwipeYours. I implemented the same ideology to emulate a contactless transaction with the Acr122u NFC reader using the RFIDIOt library from Adam Laurie.
The code only contains the feature to replay a constant value, so researchers could have the opportunity to emulate prepared cards for educational purposes. I did not add the reading part to avoid fraudulent transactions.
Particularly, I also used a Lipo battery 3.7V 500 mAh with a ZERO-LiPo Booster to increase that 3.7 volts to 5 volts.