Share My Creation Vicino - Your wallet in my pocket

the attached is a simplistic demonstration of contactless (NFC) credit card recognition. it works for me (i have 2 credit cards). i have no idea whether it can communicate with your card. i would be interested in knowing whether it does and what you see (personal data obfuscated, of course). the enormity of the emv documentation and the number of credit card id's and api's boggle the mind. the whole system is designed not to be trivially hacked. but for anyone wanting to know if it's possible to "see" a contactless credit card with b4a, it is. exactly what all you can see is controlled by what each card issuer wants you to see.

update: thanks to feedback from jaguilar, new version attached.

also note, the thing can read regular NFC tags (text, http links and maybe others). i borrowed from an earlier project to include credit cards.

edit 15.01.22 new version (3) attached. shows the dialog between card and "terminal". some comments after #7

edit 5.2.22 new version(6) attached. "working hard to read your card"

 

[josejad]

i have no idea whether it can communicate with your card

It works with my credit card and with my spanish id.

With my ex-gym card, it shows an error:
"Error ocurred: An error has occured in sub: main_activity_resume (ava line: 658) java.lang.RuntimeException: Object should first be initialized (JavaObject) Continue?"

 

[drgottjr]

excellent! thanks. can i ask what type of credit card it was (mastercard, eurocard, visa, etc?) did you see your account number? as for the gym card, could be a private card returning null when i try to talk to it. careless error, severe punishment in store for me, but thanks for the feedback.

updated version attached to post #1. i ran it with my card. no problem, so i didn't seem to mess up by "fixing" the error. i don't have an unrecognized card to test the error with, so i can only ask you to download the update and try again with your gym card. you should just get a message this time. thanks again.

 

[josejad]

Hey drgottjr:

It's a mastercard (debit). It doesn't show the account number, just the "label: mastercard", and with the new version a new toast: "Is maybe a credit card nearby?"

as for the gym card, could be a private card

Yes, it's private. I get the same error with the new version

 

[drgottjr]

thanks for your time and effort. i also found there's a crash if you move the device away from the card in mid-read. i need to find a private card in somebody's trash for testing. i'd like to see if wrapping the whole thing in a try/catch block would be helpful. then i'd have to have a giant try/catch block, given the various types of errors that can occur. thanks again.

 

[Xfood]

congratulations on your app, it works. I tried to read my postapay, and it reads me only the VISA sought, and no other info, I think it is the card that alone this information.

 

[drgottjr]

thanks for testing. more data is on the card (some data is kept only available on bank server). the card will talk to a terminal that has been programmed to read certain cards. there is a dialog between terminal and card. the card has a program. it is activated when "electricity" from the terminal (or device) comes near. it is possible to capture some information without being a terminal, but it is not easy. before continuing with the project, i wanted to see if it could be used in different countries, not just mine. thanks again.

 

[drgottjr]

GO BACK TO THE FIRST POST FOR LATEST VERSION (06.02.2022)

attached is latest version (3). it shows the dialog that takes place between a contactless smartcard (at least a bank card) and the terminal processing the transaction.
being a terminal is not easy (or cheap). the card expects certain information from the terminal or it clams up. technically, i can answer most of the questions, but i would have to build a number of data tables containing country codes, currency codes, numerous terminal capabilities, etc. not to mention the hundreds of tags and codes associated with the dialog. i know enough to know when the card doesn't want to talk anymore. and i've captured enough of the dialog to be able to present a good idea of what goes on. in addition, some of the data is kept on bank servers which the terminal would connect with to compete the transaction. that data isn't on the card anyway.

 

[josejad]

attached is latest version

Hi drgottjr, it seems you’ve attached the wrong file

 

[drgottjr]

Hi drgottjr, it seems you’ve attached the wrong file

let's try that again. tks.

 

[rabbitBUSH]

the card expects certain information from the terminal or it clams up.

At what point - if at all - would a card become inactive because it 'thinks' that it is being hacked? Just a question because if one is testing on your behalf - it could mean a dead card result.

Maybe the card's software isn't that intelligent?

 

[drgottjr]

very good. no more testing for you; i forbid it. yes, it was all part of my master plan to
render everyone's contactless credit cards unusable. but you were not fooled.
you may now run my country, mr president!

 

[josejad]

Hi:

Now it works with the gym card

 

[drgottjr]

"works" is being kind, thanks. too bad it won't connect. at least it didn't crash like before.

in the dialog, as short as it is in this case, when the card is awakened by the signal from the device, it broadcasts which nfc technology it uses. the device tells us which technologies the device can support. in this case, the device can handle all 3 technologies the card has. the device would look for a shared type and go from there.

connecting is a different story. since the card is private, any terminal reading that card has to have been programmed to send the appropriate handshake. with bank cards like mastercard, that handshake is well known, so i can connect with them.

the part i am missing is the one last exchange where the card will issue a result code for a given transaction. (there are a number of different transaction type; a certified pos terminal would have to know them.)

to obtain that result, i have to answer the questions the card asks correctly. there are hundreds (if not thousands) of possibilities. it's all done at the bit level, so every byte can have 256 different possible answers. on my visa card, the expected answers fill 33 bytes! and every card type expects different answers. to be a certified pos terminal, you have to know what they are. even if i eventually guess the correct answer for my visa card, the correct answer for your bank card could be different. some of the questions are easy,eg, the amount of the transaction. some are very difficult and would only be know by the card issuer when it sells and certifies software for some company that wants to sell pos terminals.

 

[josejad]

at least it didn't crash like before

Hehe, that's what I wanted to say

 

[Zeev Goldstein]

attached is latest version (3). it shows the dialog that takes place between a contactless smartcard (at least a bank card) and the terminal processing the transaction.
being a terminal is not easy (or cheap). the card expects certain information from the terminal or it clams up. technically, i can answer most of the questions, but i would have to build a number of data tables containing country codes, currency codes, numerous terminal capabilities, etc. not to mention the hundreds of tags and codes associated with the dialog. i know enough to know when the card doesn't want to talk anymore. and i've captured enough of the dialog to be able to present a good idea of what goes on. in addition, some of the data is kept on bank servers which the terminal would connect with to compete the transaction. that data isn't on the card anyway.

hi
as i am struggling with NFC and i see you've got it to work for you
i was wondering if i may approach and ask for your assistance (happy to py)

i need a sample code or library that i can use to read track2 from credit card and the tags
for more detailed info can we be in direct contact?

thanks

 

[drgottjr]

the quote you took from a post of mine says it all, i'm afraid.

there is no guarantee that a contactless smartcard will provide track 2 data to any entity other
than a certified reader. and wanting "the tags" is a very strange wish, at least on its face.
i don't understand what it means.

i don't think you're not going to find what you're looking for here. i am the only one here who has
taken the time to look into contactless smarcards (specifically, bank cards), and i am telling you
it will be difficult to base a commercial application on unreliable communications. and i definitely
don't want to be contacted every time a particular card won't reveal its track 2 data, and somebody
is pressuring you because "that code" you bought "doesn't work". i spent too many years on both
sides of that situation.

i could get into a long explanation, but i'll keep it short:
1) i think you are bogged down trying to code without understanding the flow (between card and reader).
this has nothing to do with code. it's found in EMV's documentation. not here.
2) you would probably have better luck integrating a certfied commercial stripe or chip reader into your
application. while you wouldn't (necessarily) be able to transact business with the card, you would
probably be able to read the stripe or chip reliably. i think some people here have coded for contact
reading. i haven't looked as my interest was in contactless reading.

let me modify my statement about not finding what you are looking for here:
there is plenty of open source code out there for contactless reading. whether the authors guarantee track
2 reading for all cards, i cannot say. such code should be wrappable. once wrapped, it could be integrated into a
b4a project, but you would still have to understand how to use it. your call for programmers should be directed
to someone to wrap (one or more of) those projects. there are several people here who can do that. i can write
libraries, but i've never taken the time to understand using the tools necessary for wrapping.

 

[f0raster0]

i am the only one here....it will be difficult to base a commercial application

I said it too..

time ago I did a project using B4A using RFID (including read a card visa..) but when the lib was updated my project stopped working.. then I leaved it
then I really think it's a matter of the current library (still I think for a commercial product will be difficult to use it). Using the current NCF library included in B4X I only can read the card ID of a my visa.

 

[drgottjr]

@f0raster0, sorry. what i meant was i am the only one now. i don't use a library, and i can read a lot more than the card id. if you wanted to restart your project, there is no reason not to then you can help the other member if you wish. i believe we are both telling him the same things: he needs to do some work, and the result will not be reliable without keys and software from companies that issue the smart cards. that is why i do not want to get involved and why i stopped responding to the other thread. you seemed to be responding to him, so i was happy with that. he addressed a message to me in this thread; so i responded. i hope we're clear.

 

[f0raster0]

if you wanted to restart your project, there is no reason not to then you can help the other member if you wish.

I used a HID iclass reader and a microcontroller to do the job - looking back I think it was a good idea, probably it's still running ahah