Cryptogram Replay

Payment cryptogram (ARQC) is the core component of chip/EMV security features. Main security features that were introduced along with chip/EMV are:

- cardholder authentication (PIN)

- card authentication (preliminary offline data authentication on the payment terminal)

- transaction authorization.

Transaction authorization is a process when the card requests a set of fields (they have names like PDOL, CDOL1, CDOL2 depending on the card brand, payment process step, etc) and sign these fields along with other essential fields stored on the card itself, such as Transaction Counter (ATC) using 3DES. On the issuer's side, the correctness of the signed transaction will be checked on the Hardware Security Module (HSM). This is proof of the integrity of the transaction - if any essential fields such as amount or currency will be tampered by attackers, the cryptographic checksum will fail, and the transaction will be rejected.

However, as long as hackers know all cryptogram input (amount, currency, date, etc.), they can precalculate the cryptogram in advance and use it without having an actual card. The ATC (Application Transaction Counter) field was implemented to mitigate this risk. Each new transaction will have higher ATC than previous, and the issuer should not allow transactions with ATC out of order. In this case, if someone will prerecord transaction cryptograms, there will be a very limited window when these cryptograms can be used - until the victim itself will use the card next time. But as some point because of false rejections of genuine transactions due to some offline delays, this check became redundant for many banks, and official EMVCo statement is that "declining transactions based on the ATC being out of sequence could result in unnecessary declined".

Links: