Improving Test Conformance of Smart Cards versus EMV-Specification by Using on the Fly Temporal Property Verification
Electronic payment transactions using smart card are based on the Europay Mastercard Visa (EMV) specifications. This standard appeared in 1995 in order to ensure security and global interoperability between EMV-compliant smart cards and EMV-compliant payment terminals throughout the world. Another purpose of EMV specifications is to permit a secure control of offline credit card transaction approvals. This paper will expose a way to improve verification and validation of the payment application stored in the chip of the smart card based on temporal property verification. In fact, each issuer (e.g., MasterCard) defines its own EMV-compliant specification, allowing different implementation cases and possible errors and we discuss about a method to detect anomalies to avoid smart card vulnerabilities. The properties will be designed in conformance with EMV-specification but our goal is not to formally prove them. We consider implementations through a black-box testing approach, therefore we cannot prove the properties as we don’t have access to the source code. However, we can observe the command/response exchanges and detect, on the fly, when an expected property is violated.
KeywordsPayment EMV Smart Card Evaluation Temporal Property
Unable to display preview. Download preview PDF.
- 1.EMV Integrated Circuit Card Specifications for Payment Systems, version 4.3 EMVco (2011)Google Scholar
- 2.M/Chip 4 Card Application Specifications for Credit and Debit, MasterCard International (2002)Google Scholar
- 3.Lancia, J.: Un framework de fuzzing pour cartes a puce: application aux protocoles EMV (2011)Google Scholar
- 4.Vernois, S., Alimi, V.: WinSCard Tools: a software for the development and security analysis of transactions with smartcards (2010)Google Scholar
- 5.ISO/IEC 7816, International Organization for Standardization and the International Electrotechnical CommissionGoogle Scholar
- 6.Philippaerts, P., Mhlberg, J.T., Penninckx, W., Smans, J., Jacobs, B., Piessens, F.: Software Verification with Verifast: industrial Case Studies (2013)Google Scholar
- 7.Distefano, D., Parkinson, M.J.: Jstar: Towards Practical Verification for Java (2009)Google Scholar
- 8.Foster, H.D., Krolnik, A.C., Lacey, D.J.: Assertion-Based Design (2010)Google Scholar
- 9.Source code of WSCT, https://github.com/wsct
- 10.Vibert, B., Alimi, V., Vernois, S.: Analyse de la sécurité de transactions à puce avec le framework WinSCard Tools (2012)Google Scholar