Chipknip Demo

In the Netherlands we use the so-called Chipknip electronic purse card. This is a local name for the system which is internationally known as the Proton purse system. It is typically used for small payments like parking lots, payphones and company restaurants. For instance the Dutch Chipknip has a maximum balance of 500 euro.

Before you can use your card to pay at a point-of-sale terminal, you have to charge it. Charging requires an online connection to the bank. And like with debit payments you have to provide the correct PIN. Once your card is charged, you can use it offline and without PIN to pay. All you have to do is confirm that the amount on the display will be charged to your balance on the card. Because these payments are offline they are much faster than debit payments. In particular the security system for these payments is based upon 'something you have'. The system for charging the cards is the same as for debit cards: 'something you have' and 'something you know'.

After a certain amount of time (typically each day) the sales terminal collects all the payments and asks the banks to transfer the corresponding amount of money. The back office taking care of this is very important. The banks keep track of all payments done with a card. The card also keeps track of the last five transactions it was involved in. Obviously, if a card is involved in a list of transactions of a sales terminal, the banks check their shadow bookkeeping to see if there are irregularities or not. If there are, the card will be blacklisted and becomes worthless.

In some cities in the Netherlands the Chipknip is the only way to pay for your parking lot. Because not everybody has a bank card with Chipknip functionality, one can buy a pre-paid card. The bad thing of these pre-paid cards is that have to pay a fee: you pay for instance 10 euro but the card you get is only charged with 7.5 euro. The good thing is that the card is anonymous. The aforementioned back office knows which card is being used for which transaction. But in case of a pre-paid card this cannot be linked to a person.

Analysis of the Chipknip protocols

By eavesdropping on a Chipknip in action, for example using a device as shown in Fig. 1, one can hope to reverse engineer the protocol used by the Chipknip.

Fig. 1: Interesting device

It turns out that the Chipknip is based on the EN 1546 standard. The Chipknip system is fairly secure. As far as we know, the protocol or cryptography has not been broken, in the sense that the balance on Chipknips can be incremented without corresponding decrements of bank accounts. However, it is possible to let money disappear from the system, or to corrupt the log files on a Chipknip.

These log files are not protected. Anyone with a card reader and some knowledge on the communication protocol can build programs to read the information in these logs. Here you can see a screen shot of a card that has been used until March 2003 but is no longer valid.

Fig. 2: Chipknip transaction log checker

The demo program shown in Fig. 2 is able to read information from an inserted Chipknip card. So what do we see here?

The name of the bank. For GUI reasons we have also mapped this name to the logo of the bank.
The balance of the card. The last transaction in March with this card was to refund the balance to the bank account, so it is 0.00.
The account number and the card id. For privacy reasons we have deleted them from this picture.
The valid through date of March 2003.
A list of transactions. Each transaction consists of the following fields.
- The purse stan. This is the transaction counter on the card.
- The date. Because of the format used, we don't see the exact time but only an indication to an interval which is approximately 11 minutes long.
- The type to indicate a charge action or a payment.
- The card only uses one currency at the time. If this card would have been used before the introduction of the euro, we would have seen a certain transaction where the currency has been changed.
- The transaction amount and the resulting balance. Note that the balance at the top of the screen comes from a different file, which provides a mechanism to check integrity of the logs.
- The SAM and the SAM ID. Don't worry: only the SAM ID is logged on the card. However we have built a database that maps the IDs that we know to a specific terminal. The textual representation is more practical to find patterns in the behavior of the card holder of course.
- The SAM stan is the transaction counter in the terminal. Because this is readable it is easy to keep track of how often a certain terminal is being used. If we compare the transactions 255 and 232, we see that this terminal had 2139 transactions between January 8 and February 12.
- The CRGT stands for cash register general total. And this value gives the card holder the possibility to gain knowledge on the amount of money that has been paid at this terminal. However, the Chipknip designers decided that this amount should not be completely out in the open. Therefore a random value is added, depending on the specific card used. However, since this random value is always the same for a particular card, it is possible to compute the difference between to entries. The 2139 transactions together have increased the balance of the terminal with 3883.63 euro.

Note that our application not only uses a database for mapping the terminal IDs, but also to store the history of the card in order to overcome the problem that there are only five entries on the card itself.

People who worked on this: Engelbert Hubbers, Martijn Oostdijk.