HackCert
Intermediate 11 min read May 25, 2026

EMV Cloning Explained: The Cyber Risks of Smart Card Exploitation

Delve into the technical mechanics of EMV cloning, exploring how cybercriminals attempt to bypass smart card security and clone chip-enabled credit cards.

Omar Faruq Hossain
Security Researcher
Overview

For decades, the standard for credit and debit card transactions was the magnetic stripe. This technology was inherently insecure; the data stored on the stripe (the Primary Account Number, expiration date, and name) was static and easily read by anyone with a cheap card skimmer. Once skimmed, criminals could trivially encode that stolen data onto a blank card, creating a perfect clone for fraudulent purchases.

To combat this massive epidemic of counterfeit card fraud, the payment industry developed the EMV (Europay, Mastercard, and Visa) standard, commonly known as "chip cards" or "smart cards." Unlike the passive magnetic stripe, an EMV chip is an active, secure microcontroller embedded directly into the plastic. It performs dynamic cryptographic calculations during every transaction, theoretically making the card impossible to clone. However, as with all cybersecurity defenses, attackers continuously probe for weaknesses. While true "cloning" of an EMV chip is fundamentally different and vastly more difficult than skimming a magnetic stripe, sophisticated attacks against the EMV ecosystem do exist. This article explores the intermediate technical concepts of EMV security and how cybercriminals attempt to bypass it.

How EMV Technology Secures Transactions

To understand the attacks, one must first understand the defense. The core security feature of an EMV transaction is the generation of dynamic data.

The Cryptogram (ARQC)

When an EMV card is inserted into a Point-of-Sale (POS) terminal, the terminal does not simply read static data. Instead, it initiates a complex "handshake" and risk management process with the chip.

Crucially, the terminal requests an Authorization Request Cryptogram (ARQC) from the card. The card generates this ARQC using:

  1. Transaction Data: Details like the purchase amount, currency, and date.
  2. A Unique Cryptographic Key: A symmetric key securely stored deep within the chip's tamper-resistant memory (which the POS terminal never sees).
  3. An Unpredictable Number (UN): A random number generated by the terminal to prevent replay attacks.

Because the ARQC is generated using unique transaction details and a secret key, it is entirely dynamic. An ARQC valid for a $10 coffee purchase today cannot be reused for a $1000 electronics purchase tomorrow. When the bank receives the transaction request, it uses its copy of the secret key to independently calculate the ARQC. If the bank's calculation matches the card's ARQC, the bank knows mathematically that the genuine card was present at the terminal.
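As an added illustration (not code from the article), here is a simplified model of the ARQC exchange described above: HMAC-SHA256 stands in for the card's session-key MAC, and the card key, amounts and date are constructed placeholders. It shows why a cryptogram bound to one amount and one Unpredictable Number is useless for any other transaction.

```python
import hmac
import hashlib
import secrets

# Constructed placeholder key; a real issuer key never appears outside the chip and the HSM.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def cryptogram_input(amount_cents: int, currency: str, date: str, un: bytes) -> bytes:
    """Serialise the transaction fields the card authenticates.
    Real EMV cards MAC the CDOL1 data (amount, currency, date, terminal UN, ...)
    with a key derived from the card master key; this layout is a simplification."""
    return b"|".join([amount_cents.to_bytes(6, "big"), currency.encode("ascii"),
                      date.encode("ascii"), un])


def card_generate_arqc(amount_cents: int, currency: str, date: str, un: bytes,
                       key: bytes = CARD_KEY) -> bytes:
    # Computed inside the chip; the key itself never leaves tamper-resistant memory.
    msg = cryptogram_input(amount_cents, currency, date, un)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def issuer_verify_arqc(arqc: bytes, amount_cents: int, currency: str, date: str,
                       un: bytes, key: bytes = CARD_KEY) -> bool:
    # The issuer recomputes with its own copy of the key and compares in constant time.
    expected = card_generate_arqc(amount_cents, currency, date, un, key)
    return hmac.compare_digest(arqc, expected)


def demo() -> dict:
    un = secrets.token_bytes(4)                         # terminal-generated Unpredictable Number
    arqc = card_generate_arqc(1000, "USD", "260525", un)  # $10.00 coffee today
    return {
        "genuine": issuer_verify_arqc(arqc, 1000, "USD", "260525", un),
        # Same cryptogram presented for a $1000.00 purchase: rejected.
        "amount_changed": issuer_verify_arqc(arqc, 100000, "USD", "260525", un),
        # Same cryptogram presented under a fresh UN on another day: rejected.
        "un_changed": issuer_verify_arqc(arqc, 1000, "USD", "260526", secrets.token_bytes(4)),
    }
```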

The Myth and Reality of "EMV Cloning"

Because the secret cryptographic key cannot be extracted from the tamper-resistant chip, true cloning of an EMV card—creating an exact duplicate chip that functions identically to the original—is currently considered practically impossible in the wild.

However, "EMV Cloning" is often used as a colloquial umbrella term for a variety of sophisticated attacks designed to bypass or downgrade EMV security, effectively achieving the same fraudulent result as cloning.

1. Shimming (The Man-in-the-Middle Attack)

While skimming reads the magnetic stripe, "shimming" intercepts the communication between the EMV chip and the POS terminal.

A shimmer is an incredibly thin, flexible circuit board inserted directly into the chip slot of a card reader (like an ATM or gas pump). When a victim inserts their EMV card, the card contacts the shimmer, and the shimmer contacts the terminal.

The shimmer acts as a passive eavesdropper. While it cannot extract the card's secret cryptographic key, it can intercept the static data the card transmits to the terminal during the initial handshake (such as the PAN and expiration date).

The Exploit: Attackers use this intercepted static data not to create a fake chip card (which wouldn't work without the secret key), but to create a fake magnetic stripe card. If a merchant's POS terminal is misconfigured and allows "fallback" transactions (where the terminal accepts a magnetic swipe because it falsely believes the chip reader is broken), the attacker can use the cloned magnetic stripe to commit fraud. This highlights that EMV security relies on the entire ecosystem enforcing chip transactions.

2. The Pre-Play Attack (Cloning the Cryptogram)

This is a highly sophisticated attack that exploits vulnerabilities in the random number generation process of poorly designed POS terminals or ATMs.

As mentioned earlier, the card uses an Unpredictable Number (UN) generated by the terminal to create the ARQC. If an attacker discovers that a specific ATM generates predictable numbers (e.g., sequentially instead of randomly), they can execute a Pre-Play attack.

The attacker briefly gains access to the victim's card (perhaps via a modified skimmer). They use a device to query the card multiple times, providing it with the predictable numbers they know the target ATM will generate in the near future. The card dutifully generates a valid ARQC for each of these predictable numbers.

The attacker records these ARQCs and programs them onto a counterfeit smart card (a JavaCard). When the attacker goes to the target ATM, the counterfeit card doesn't calculate the ARQC; it simply replays the pre-recorded ARQC that perfectly matches the ATM's predictable number, successfully authorizing a fraudulent withdrawal.

3. Relay Attacks (Extending the Transaction Range)

Relay attacks do not involve cloning data; they involve cloning the physical presence of the card. This attack is particularly relevant to contactless EMV (Tap-to-Pay).

In a relay attack, two criminals work in tandem.

  • Attacker A (The "Mole"): Stands close to a victim in a crowded area holding a concealed NFC reader near the victim's pocket or purse.
  • Attacker B (The "Spender"): Is located at a high-end retail store with a counterfeit card emulator connected to Attacker A via the internet.

Attacker B taps their emulator to the store's POS terminal. The terminal initiates the EMV handshake. The emulator transmits this request over the internet to Attacker A's reader. Attacker A's reader wirelessly queries the victim's genuine card in their pocket. The genuine card generates the valid ARQC, which is relayed back to Attacker B's emulator and presented to the POS terminal. The transaction is approved because the genuine card was involved, even though it was miles away.

Best Practices & Mitigation Strategies

Securing the EMV ecosystem requires constant vigilance from financial institutions, payment processors, and merchants.

For Financial Institutions and Processors

  • Enforce Strict Randomness: Banks and ATM manufacturers must ensure that the Unpredictable Numbers (UN) generated by terminals are cryptographically secure and genuinely random, completely neutralizing Pre-Play attacks.
  • Eliminate Fallback Transactions: The most effective defense against shimming is aggressively declining "fallback" transactions. If a card is known to be an EMV chip card, the issuer should reject the transaction if it is processed via the magnetic stripe, forcing the merchant to use the more secure chip reader.
  • Implement Distance Bounding: To mitigate relay attacks on contactless cards, the industry is developing "distance bounding" protocols. These protocols measure the precise time it takes for the card to respond to a query (down to the nanosecond). If the response takes too long (because it traveled over a network in a relay attack), the transaction is declined.
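The Pre-Play attack above and the "Enforce Strict Randomness" mitigation share one defensive check. As an added example, not from the article, here is an issuer-side audit over a constructed terminal authorisation log that flags the predictable Unpredictable Number patterns Pre-Play depends on (repeated values and fixed-stride counters), plus an online check that declines a UN a terminal has already reported. The log layout and terminal IDs are assumptions.

```python
from collections import defaultdict

# Constructed sample authorisation records: terminal_id,un_hex (not real data).
SAMPLE_LOG = """\
ATM-01,9f3a72c1
ATM-01,0b44e9d2
ATM-01,7c1d03aa
ATM-02,00001001
ATM-02,00001002
ATM-02,00001003
ATM-02,00001004
ATM-03,1a2b3c4d
ATM-03,1a2b3c4d
ATM-03,5e6f7a8b
"""


def parse_log(text: str) -> dict:
    """Group the reported UNs by terminal, preserving transaction order."""
    per_terminal = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            terminal, un_hex = line.split(",")
            per_terminal[terminal].append(int(un_hex, 16))
    return per_terminal


def audit_terminal(uns: list) -> list:
    """Findings for one terminal's UN sequence; an empty list means nothing suspicious."""
    findings = []
    if len(uns) != len(set(uns)):
        findings.append("repeated UN")  # a pre-recorded ARQC would verify again
    if len(uns) >= 3 and len({b - a for a, b in zip(uns, uns[1:])}) == 1:
        findings.append("constant stride (counter, not random)")  # future UNs are guessable
    return findings


def audit_log(text: str) -> dict:
    """Map each terminal with findings to its list of findings."""
    result = {}
    for terminal, uns in parse_log(text).items():
        findings = audit_terminal(uns)
        if findings:
            result[terminal] = findings
    return result


def issuer_un_check(seen: set, terminal: str, un: int) -> bool:
    """Online issuer check: decline if this terminal already reported this UN."""
    if (terminal, un) in seen:
        return False
    seen.add((terminal, un))
    return True
```

Such an audit complements, rather than replaces, fixing the terminal's random number generator: the issuer can only see UNs after the fact, while the terminal must generate them correctly up front.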

For Merchants and Consumers

  • Terminal Inspection: Merchants must frequently inspect their POS terminals and ATMs for signs of tampering, particularly the incredibly thin shimming devices that can be inserted into the chip slot.
  • RFID Blocking Sleeves: While the risk of long-distance relay attacks is relatively low in practice, consumers can protect their contactless cards from unauthorized scanning in crowded areas by keeping them in RFID-blocking wallets or sleeves.

Key Takeaways

The introduction of the EMV standard was a monumental leap forward in payment security, effectively neutralizing the mass cloning enabled by magnetic stripes. The cryptographic foundation of the smart card is robust and currently remains unbroken. However, the attacks described above—shimming, pre-play, and relay attacks—demonstrate that cybercriminals will always seek to exploit the weakest links in a complex system. These weak links are often found in misconfigured POS terminals, predictable random number generators, or the physical distance limitations of contactless communication. As the payment ecosystem continues to evolve, maintaining security requires moving beyond just the chip on the card to securing the entire transaction environment, ensuring that the dynamic security provided by EMV cannot be bypassed or downgraded.

Ready to test your knowledge? Take the EMV Cloning MCQ Quiz on HackCert today!
