A Gemalto EZIO CAP device with Barclays PINsentry styling
Find great deals on eBay for smart chip card reader. Shop with confidence. Skip to main content. EBay: Shop by category. ACR38U-I1 Protable Contact Smart IC Chip Card Reader Writer Support MAC&Linux OS. Brand New Unbranded. Free Shipping. 50 Sold 50 Sold. The 10 Best Smart Card Readers. Updated July 12, 2018 by Christopher. Visa, or any other. Mandated that all payment cards contain a smart chip beginning in 2014, while the E.U. Has had the system in place for longer. These contacts serve as the conduit between the secure filesystem embedded in the card and the reader connected.
The Chip Authentication Program (CAP) is a MasterCard initiative and technical specification for using EMV banking smartcards for authenticating users and transactions in online and telephone banking. It was also adopted by Visa as Dynamic Passcode Authentication (DPA).[1] The CAP specification defines a handheld device (CAP reader) with a smartcard slot, a numeric keypad, and a display capable of displaying at least 12 characters (e.g., a starburst display). Banking customers who have been issued a CAP reader by their bank can insert their Chip and PIN (EMV) card into the CAP reader in order to participate in one of several supported authentication protocols. CAP is a form of two-factor authentication as both a smartcard and a valid PIN must be present for a transaction to succeed. Banks hope that the system will reduce the risk of unsuspecting customers entering their details into fraudulent websites after reading so-called phishing emails.[2]
*5UsersOperating principle[edit]
The CAP specification supports several authentication methods. The user first inserts their smartcard into the CAP reader and enables it by entering the PIN. A button is then pressed to select the transaction type. Most readers have two or three transaction types available to the user under a variety of names. Some known implementations are:Code/identifyWithout requiring any further input, the CAP reader interacts with the smartcard to produce a decimal one-time password, which can be used, for example, to log into a banking website.ResponseThis mode implements challenge-response authentication, where the bank's website asks the customer to enter a 'challenge' number into the CAP reader, and then copy the 'response' number displayed by the CAP reader into the web site.SignThis mode is an extension of the previous, where not only a random 'challenge' value, but also crucial transaction details such as the transferred value, the currency, and recipient's account number have to be typed into the CAP reader.
The above noted transaction types are implemented using one of two modes. One of these modes has two forms in which it can operate, creating three distinct modes, though they are not named this way in the specification.Mode1This is the mode for normal monetary transactions such as an online purchase through a merchant. A transaction value and currency are included in the computation of the cryptogram. If the card does not require it or the terminal does not support it, then both amount and currency are set to zero.Mode2This mode may be useful for authenticating a user in which no transaction is taking place, such as logging into an Internet banking system. No transaction value, currency, or other data are included, making these responses very easy to precompute or reuse.With transaction data signing (TDS)This mode may be used for more complicated transactions, such as a funds transfer between accounts. Multiple data fields pertaining to the transaction are concatenated and then hashed with a Mode2 cryptogram as the key for the hashing algorithm. The resultant hash is used in place of the cryptogram calculated in a non-TDS Mode2 operation.[3]
Mode1 sounds very much like a specific use of Mode2 with TDS, but there is a critical difference. In Mode1 operation, the transaction data (amount and currency type) are used in the cryptogram calculation in addition to all the values used in Mode2 without TDS, whereas Mode2 includes its transaction data in a successive step rather than including it in the cryptogram calculation step. If it were not for this difference, then all operations could be generalized as a single operation with varying optional transaction data.Protocol details[edit]A Nordea E-code reader
In all three modes, the CAP reader asks the EMV card to output a data packet that confirms the cancellation of a fictitious EMV payment transaction, which involves the details entered by the user. This confirmation message contains a message authentication code (typically CBC-MAC/Triple DES) that is generated with the help of a card-specific secret key stored securely in the smartcard. Such cancellation messages pose no security risk to the regular EMV payment application, but can be cryptographically verified and are generated by an EMV card only after the correct PIN has been entered. It provided the CAP designers a way to create strong cryptographic evidence that a PIN-activated EMV card is present and has seen some given input data, without having to add any new software functions to EMV cards already in use.
An EMV smartcard contains a (typically 16-bit) transaction counter that is incremented with each payment or CAP transaction. The response displayed by a CAP reader essentially consists of the various parts of the card's response (Application Transaction Counter, MAC, etc.) which is then reduced to specific bits as determined by the Issuer Authentication Indicator (IAI) record stored in the card (this is set on a per-issuer basis, although should an issuer desire, it could be set randomly for each card providing a database of each card's IAI is kept), finally, after unwanted bits are discarded (essentially the absolute position of bits is irrelevant, a bit in the IAI that is 0 means the corresponding bit in the card response will be dropped rather than merely being set to 0). Finally the value is converted from binary into a decimal number and displayed to the user. A truncated example is provided below:
*CAP device selects EMV application, reads IAI info from card and the user selects an action to perform (in this example, IAI will be 1110110110002).
*After successful PIN entry, CAP device sends challenge of 0111001110102 as an Authorization Request Cryptogram (ARQC) transaction.
*Smartcard gives a response of 1101011101102 and CAP device cancels the fake transaction.
*CAP device uses the IAI mask: 1110110110002 to drop bits; those bits that correspond to a 0 in the mask are dropped.
*Hence the final response is 11001102 or 102 in decimal.
The real world process is of course somewhat more complex as the card can return the ARQC in one of two formats (either the simple Response Message Template Format type 1 (id. 8016) or the more complex Response Message Template Format 2 (id. 7716) which splits the ARQC data into separate TLV values that need to be reassembled sequentially to match that of the type 1 format.
In the identify mode, the response depends only on the required bits from the IAI as the amount and reference number are set to zero; this also means that selecting respond and entering a number of 00000000 will in fact generate a valid identify response. More concerningly however, if a respond request is issued by a bank, using the sign mode with the same number and an amount of ¤0.00 will again generate a valid result which creates a possibility for a fraudster to instruct a customer to do a 'test' challenge response for an amount of ¤0.00 which is in fact going to be used by the fraudster to verify a respond command in order for them to add themselves as a payee on the victim's account; these attacks were possible to carry out against banks that used strong authentication devices that were not canceling activities until an amount of at least 0.01 was entered.[clarification needed] The likelihood of these kinds of attacks was addressed in 2009 when new generations of devices were rolled out, implementing secure domain separation functionality that is compliant with the MasterCard Application note dated Oct 2010.[clarification needed] Similarly of course; a bank that implements the identify command makes it possible for a fraudster to request a victim to do a 'test' respond transaction using 00000000 as the reference, and will then be able to successfully login to the victim's account.
The same on-card PIN retry counter is used as in other EMV transactions. So just like at an ATM or POS terminal, entering an incorrect PIN three times in a row into a CAP reader will block the card.Incompatibility[edit]
The original CAP specification was designed to use normal EMV transactions, such that the CAP application could be deployed without updating the firmware of existing EMV cards if necessary. The preferred implementation uses a separate application for CAP transactions. The two applications may share certain data, such as PIN, while other data is not shared in instances where it is only applicable to one application (i.e., terminal risk management data for EMV) or advantages to have separate (i.e., transaction counter, so that EMV and CAP transactions increment separate counters which can be verified more accurately). The reader also carries implementation specific data, some of which may be overridden by values in the card. Therefore, CAP readers are generally not compatible with cards from differing issuing banks.
However, card readers issued by most, possibly all, UK banks conform to a CAP subset defined by APACS, meaning that, in most cases, cards issued by a UK bank can be used in a card reader issued by a different bank.Vulnerabilities[edit]
Cambridge University researchers Saar Drimer, Steven Murdoch, Ross Anderson conducted research[4] into the implementation of CAP, outlining a number of vulnerabilities in the protocol and the UK variant of both readers and cards. Numerous weaknesses were found. Radboud University researchers found a vulnerability in the Dutch ABN AMRO e.dentifier2, allowing an attacker to command a USB connected reader to sign malicious transactions without user approval.[5]Users[edit]Sweden[edit]
*Nordea using CAP in November 2007.[6] The Nordea eCode solution is used by Nordea both for eBanking, eCommerce (3DS) and also with eID. The reader which has some more advanced functionality that extends CAP, makes Nordea's CAP implementations more secure against trojans and man-in-the-middle attacks. When used for eID, the user is able to file his 'tax declaration' online, or any implemented e-government functions. The device is also equipped with a USB-port, that enables the bank to perform Sign-What-You-See for approval of sensitive transactions.United Kingdom[edit]Chip Card Reader For MacA Nationwide CAP Device with a 20p coin to scaleA Natwest CAP Device with a 10p coin to scale
*The UK Payments Administration defined a CAP subset for use by UK banks. It is currently used by:
*Co-operative Bank and Smile
*The CAP readers of Barclays, Lloyds Bank, Nationwide, NatWest, Co-operative Bank/Smile and RBS are all intercompatible.
*Barclays began issuing CAP readers (called PINsentry) in 2007.[7][8] Their online-banking website uses the identify mode for login verification and the sign mode for transaction verification. The respond mode is used as part of the new PingIt Mobile Payment application for authenticating the account details. The device is also now used in branches, replacing traditional chip and pin devices in order to further prevent attempted fraud.
*Bank cards issued by HBOS are technically compatible with the system, though HBOS has not (yet) introduced CAP readers for use with their online banking.[4]Software implementations[edit]
There exists[9] a software implementation written in Python supporting Mode 1, Mode 2 and Mode 2 with TDS to be used for educational purposes only.Chip Card Reader For Square Stand
Note that using this software for real financial operations can lead to some risks. Indeed, the advantage of using a standalone reader is to isolate the banking card from malware potentially located on the PC. Using it in a non-secured reader is taking the risk that a keylogger intercepts the PIN, and point of sale malware gains access to the card details, or even intercepts a transaction to modify it or operates its own transaction.See also[edit]References[edit]
*^Dynamic passcode authenticationArchived 2008-11-19 at the Wayback Machine, VISA Europe
*^https://www.theregister.co.uk/2007/04/18/pinsentry/
*^Banques en ligne : à la découverte d’EMV-CAPArchived 2012-11-27 at the Wayback Machine, UnixGarden
*^ abOptimised to fail: Card readers for online banking
*^Designed to Fail: A USB-Connected Reader for Online Banking
*^New security solution | nordea.se, in Swedish.
*^'Barclays PINsentry'. Archived from the original on 16 June 2007.Cite uses deprecated parameter |deadurl= (help)
*^Barclays to launch two-factor authentication, The Register, 2006-08-09.
*^EMV-CAP Python implementationRetrieved from 'https://en.wikipedia.org/w/index.php?title=Chip_Authentication_Program&oldid=895460877'Sort:Smart Card Reader Driver For MacView:Smart Card Reader For Macbook Pro
*4-in-1 Card Reader Writer Encoder Support Magnetic/EMV IC Chip/RFID/PSAMRfid is 13.56 M Hz. Cards supported: ISO 7811,AMMVA,CADMV RFID card. 160u is four in one card reader writer board,support. magneticcard: only reader,can't write it. Cards supported: SO14443A,MifareOneS50,MifareOneS70,MifareO neMini,MifareUltra Light,Desfire,Mifare Plus IC Card Supported Cards supported. From ChinaWas: Previous Price$82.9829 watching
*Smart Chip Card Credit Card Reader Magnetic Chip Stripe MSR Swiper USB ContactNewest USB Mini Portable Magnetic Stripe MSR Swipe Smart Credit Card Reader SG. Card Reader Size: Approx. 1 Credit Card Reader. Supports USB 2.0 full speed. Supports EMV Level 1 specification. Supports PC smart card industry standard - PC/SC 1.0/2.0.From Hong Kong$0.59 shipping
*USB Contact Smart Chip Card IC Credit Card Reader Encoder Writer With SIM SlotZZFeatures:Support for EMV Level 1 specification.Support USB 2.0 full speed.Based on for ISO7816 implementation.Support PC Smart Card industry standard - PC/SC 1.0/2.0.Support for Microsoft Smart Card for Windows.Support Power Saving Mode.Support I2C memory card, SLE4418, SLE4428, SLE4432, SLE4442, SLE4436, SLE5536, SLE6636, AT88SC1608, AT45D041 card and AT45DB041 card via.Support ISO7816 Class A, B and C (5V/3V/1.8V) card.Support T0, T1 protocol.Descriptions:Compatible with for Microsoft USB-CCID driver.Support for Windows 98/me/2000/xp/vista/Win7(32bit&64bit),for Mac OS X,for Linux or above System.Friction contact, 200,000 insertions.Best choice for yourself or your friend.You will not be disappointed!Specifications: Color: WhiteMaterial: ABSSuppor.From SingaporeFree shipping
*USB Contact Smart Chip Card IC Credit Cards Reader Encoder Writer With SIM SlotFrom Hong KongFree shipping
*VeriFone Vx670 GPRS CHIP card reader 12MB UNLOCKEDNOTE: These units are available for overseas sale or for those using a supported application.The Vx670 is EMV CHIP certified for outside the U.S.(swipe card only in U.S.). They are loaded with the latest OS QD0012A7.Customs services and international tracking provided$32.64 shipping
*Shopify Chip & Swipe Wireless Credit Card ReaderTop Rated Plus$19.52 shippingCustoms services and international tracking provided
*MCR200 EMV Smart IC Chip Magnetic Stripe Card Reader And WriterAndsorry we can only provide the software for magnetic card reader and writer,can not provide the software for chip card reader and writer. Support PBOC2.0, EMV IC card. Read/ write magnetic stripe card or passbook in both ISO & IBM format.From ChinaFree shipping
*Brand New Shopify Credit card Reader Chip and Swipe Bluetooth Never Used.Customs services and international tracking provided$23.56 shipping
*USB Contact Smart Card Reader CAC Common Access Military ID Chip ATM ICSmart Card Reader USB CAC Common Access Card Reader For SIM/ATM/IC/ID Card. The Smart Card Reader IC is compliant with EMV 4.1 specification. 1 Smart USB Card Reader. Support for ISO 7816-3, T=0 or T=1 protocols CPU-based smart cards.From Hong KongWas: Previous Price$9.95or Best Offer
*NEW Shopify Chip and Swipe Credit Card Reader/BRAND NEW Bluetooth POS UNUSEDNEW Shopify Chip and Swipe Credit Card Reader/BRAND NEW Bluetooth POS UNUSED. Condition is New. Shipped with USPS First Class Package. Customs services and international tracking provided$20.39 shipping
*All Four in One Card Reader Writer Board Support Magnetic/EMV IC Chips/RFID/PSAMMagnetic card: only reader,can't write magnetic. Read magnetic cards, IC card reader, proximity card function. Long Service Life Magnetic Head. Optional magnetic rail 1,2,3. Magnetic interference resistance.From ChinaWas: Previous Price$64.9820 watching
*MCR200 EMV Smart IC Chip Magnetic Stripe Card Reader And WriterAnd sorry we can only provide the software for magnetic card reader and writer, can not provide the software for chip card reader and writer. Support PBOC2.0, EMV IC card. Read/ write magnetic stripe card or passbook in both ISO & IBM format.From ChinaFree shipping80 sold
*USB Card IC Smart Chip Credit Portable Card Reader Encoder Writer with SIM SlotFrom Hong KongWas: Previous Price$9.86202 sold
*Portable Card Reader Case fits Square Contactless Chip Reader and Scanner DockThe compact design makes this case ideal for traveling with your portable credit card reader, charging dock, and other small accessories.Customs services and international tracking providedTrending at $16.12
*Tracks 1,2,3 EMV Smart IC Chip Card & Magnetic Stripe Card Reader Writer EncoderSupport PBOC2.0, EMV IC card. We just have an existed software for reading and writing the magnetic card, pls kindly note about this. Read/ write magnetic stripe card or passbook in both ISO & IBM format.From ChinaWas: Previous Price$179.9817 watching
*Intuit Quickbooks Go Payments Bluetooth Chip and Magstripe Card Reader NEW!Customs services and international tracking provided$22.13 shipping
*Portable USB Card I_C Smart Chip Credit Card Reader Encoder Writer with SIM SlotFrom ChinaFree shipping
*MCR200 EMV Smart IC Chip Card and Magnetic Stripe Card Reader and WriterFree 2-Day Shipping. 1-Day Shipping Available. US StockCustoms services and international tracking provided$19.42 shipping162 sold
*Muira Shopify Card Reader Tap / Chip / Swipe M010-PROD30-V2-0Used on good conditions only what you see is what you going to get.Customs services and international tracking provided$23.38 shipping
*USB Smart Chip Card IC Credit Card Reader Encoder Writer with SIM Slot WhiteCard Reader Size: Approx. 1 Credit Card Reader. Supports USB 2.0 full speed. Supports EMV Level 1 specification. Supports PC smart card industry standard - PC/SC 1.0/2.0. Supports power saving mode.From Hong KongFree shipping
*10/Pk Credit Card Chip Reader Cleaning Card Featuring Waffletechnology POS ATMThis Waffletechnology® cleaning card is designed to the clean read pins located inside all smart card or EMV (chip and pin) Card Reader, as well as the magnetic stripe reader. Use this product once per week to help avoid credit card misreads.Customs services and international tracking provided$15.80 shipping
*PayPal Chip and Tap Credit Card Reader PCTUSDCRT Brand New Factory Sealed Condition is New.Customs services and international tracking providedTrending at $51.98
*PayPal HERE Chip & Swipe Reader Card Reader - Brand New Sealed BoxChip and Swipe Reader, Point Of Sale, POS. Chip or Swipe.Customs services and international tracking provided$20.02 shipping
*New ListingPAYPAL CHIP CARD READER W/ CONTACTLESS TAP PAY CHIP AND SWIPE Include Carry Case010-753887 Type: Credit Card Reader. Item specifics. about the condition Custom Bundle: No.$34.00 shipping
*Smart Card Reader USB EMV Chip Government ID ActivClient AKO OWA DKO JKO Genuine Zoweetek 12026-1 New Product for USB EMV Smart Card Reader for ISO 7816 EMV Chip Card Reader. 1x Smart USB Card Reader. Easy USB Plug and Play installation.From Hong KongFree shipping