Hi friend, in your post you state that:
Extracting the private key from the ICC (Integrated Circuit Board) is practically impossible without physical access and side-channel attacks.
I am a Spanish user and a few days ago I requested a new card from the bank because I supposedly lost mine, but in reality I had it stored away, and after 5-6 days I received an identical card. The old one was no longer working, it was deactivated.
I read both with the MRS605X and they had the same tracks, everything was identical. How did they do that if they didn't have physical access to the card?
I await your reply, or you can contact me via Telegram @deadrabbit09. Thank you, I look forward to your response.
Hello! Thank you for this excellent technical question. You've observed something that seems impossible: a replacement card with the same magnetic stripe tracks as the original, despite the bank claiming to have deactivated the old card and supposedly lacking physical access to create a clone. Your understanding of EMV security is correct, but your conclusion that this required physical access is based on a misunderstanding of how modern card issuing systems work. Let me explain exactly what happened in exhaustive technical detail.
The Short Answer
Your bank did not clone your old card. They legitimately issued a "duplicate" card — a specific type of replacement that maintains the same Primary Account Number (PAN) and magnetic stripe data, but generates completely new cryptographic keys for the EMV chip.
This is a standard banking function designed specifically for scenarios where a card is damaged or worn out, not compromised. Your bank did not need physical access to your old card because they already had all the personalization data stored in their card management system, and the new chip's keys are freshly generated from the bank's master keys, not extracted from the old card.
Part 1: The Three Types of Card Replacement in Banking Systems
Banking systems distinguish between three fundamentally different replacement scenarios, each with its own technical implementation.
Type 1: Replacement Card (Lost or Stolen)
| Attribute | Value |
|---|
| When used | Card is lost, stolen, or compromised |
| PAN (Card Number) | New - completely different number |
| Magnetic Stripe Data | New - based on new PAN |
| EMV Chip Keys | New - freshly generated |
| CVV | New |
| Expiration Date | New (often extended) |
From JPMorgan's PaymentNet documentation: "The replacement card will have a
different account number, card verification value (CVV), and expiration date from the lost card". This is the standard security response when a card might be in unauthorized hands.
Type 2: Early Renewal Card
| Attribute | Value |
|---|
| When used | Card is nearing expiration; customer traveling abroad |
| PAN (Card Number) | Can be same or new (configurable) |
| Magnetic Stripe Data | Same as original if PAN unchanged |
| EMV Chip Keys | New |
| CVV | New |
| Expiration Date | New (extended) |
SAP's banking documentation describes this: "An early renewal card can be useful if, for example, a customer will be spending a long period abroad and would like to extend the card in advance. The card number can be transferred from the original card or a new card number can be assigned".
Type 3: Duplicate Card (Damaged)
| Attribute | Value |
|---|
| When used | Card is damaged, chip not working, worn out |
| PAN (Card Number) | Same - identical to original |
| Magnetic Stripe Data | Same - identical to original |
| EMV Chip Keys | New - freshly generated |
| CVV | May change (varies by issuer) |
| Expiration Date | Same as original (or extended) |
This is the scenario that matches your experience. SAP's documentation explicitly states: "A duplicate is required if the original card has been damaged in such a way that the functions are impaired. The duplicate has the
same valid-to date and card number as the original card".
Critical distinction: When you reported that you "lost" your card (even though you actually had it stored away), the bank processed this as a "damaged" scenario, not a security compromise. Your phrasing told them you had the card (it wasn't stolen) but it wasn't working. This triggered the duplicate card function, not the lost/stolen replacement function.
Part 2: Why the Magnetic Stripe Data Is Identical (The Technical Explanation)
What's Actually Stored on the Magnetic Stripe
The magnetic stripe on your card contains three tracks of static data:
| Track | Contents | Source |
|---|
| Track 1 | Cardholder name, PAN, expiration date, discretionary data | Stored in bank's Card Management System |
| Track 2 | PAN, expiration date, service code, discretionary data | Stored in bank's Card Management System |
| Track 3 | Rarely used; originally for offline PIN or country code | Stored in bank's Card Management System |
Critical point: This data is
not generated from the chip. It is stored in the bank's central Card Management System (CMS) as part of the card's "personalization profile." When the bank issued your original card, they loaded this profile into their system. When you requested a replacement, they simply retrieved the same profile and sent it to the card manufacturer.
The Personalization Database
Banks maintain complete personalization records for every card they issue. According to Cryptomathic's EMV personalization documentation, this includes:
- Embossing information (cardholder name, PAN, expiration)
- Magnetic stripe data (Track 1, Track 2)
- PIN value (encrypted)
- EMV applet templates
- Cardholder verification method (CVM) settings
- Cryptographic key templates
When a duplicate card is requested, the bank's system:
- Retrieves the existing personalization profile for your PAN
- Sends it to the card manufacturer (or internal personalization system)
- The manufacturer loads the same magnetic stripe data onto the new card's magstripe
- Crucially, new EMV cryptographic keys are generated using the issuer's master keys
This is why your MRS605X reader showed identical tracks — the bank told the manufacturer to put the same magnetic stripe data on the new card.
Part 3: The EMV Chip: Same PAN, Completely New Keys
This is the core of your misunderstanding. You assumed that because the PAN and magnetic stripe data were identical, the chip must have been cloned. This is incorrect.
What the EMV Chip Stores (and Doesn't Store)
According to EMV technology documentation, the chip stores:
| Data Type | Stored in Chip? | Same as Old Card? |
|---|
| PAN (Account Number) | Yes | Yes - identical |
| Cardholder Name | Yes | Yes - identical |
| Expiration Date | Yes | Yes (if same expiration) or No (if extended) |
| Cryptographic Private Keys | Yes | No - Completely New |
| Issuer Certificates | Yes | No - Newly Generated |
| Application Transaction Counter (ATC) | Yes | Starts at zero |
How New Keys Are Generated
The cryptographic keys in your new chip were not extracted from your old card. They were freshly generated using the bank's
Issuer Master Keys (IMKs) stored in Hardware Security Modules (HSMs).
The personalization process works like this:
- The card manufacturer or bank's personalization system queries the new blank chip for its unique serial number
- This serial number is used, along with the Issuer Master Keys stored in an HSM, to derive a unique keyset for this specific card
- A secure channel (SCP02, SCP03, etc.) is established between the personalization system and the chip using these derived keys
- The personalization data (PAN, name, expiration) is encrypted and sent to the chip over this secure channel
- The chip stores the new keys and personalization data in its secure EEPROM
The result: Your new chip has brand new cryptographic keys that are mathematically different from the old chip, but are still valid because they were derived from the same Issuer Master Keys that all cards from that bank share.
Why the Old Card Was Deactivated
When the new card was issued, the bank updated its authorization system to associate your PAN with the new chip's keys and to reject transactions from the old chip. According to Treasury Prime's documentation, the old card remains usable until the new card is activated, at which point the system switches over.
From Zeta's card management documentation: "After the card reissuance is requested, the card for which reissuance is requested
can still be used normally until the reissued card is received and activated by the user".
Once you activated the new card (even if only by using it), the bank's system marked the old card as deactivated. Any future transaction attempt with the old card is declined at the
issuer level — the authorization system sees that this PAN is now associated with a different physical card and rejects the transaction.
Part 4: How the Bank Could Do This Without Physical Access to Your Old Card
Your assumption that the bank would need your old card to create a duplicate reveals a misunderstanding of how card issuance works.
The Bank Already Has All Your Data
When your original card was manufactured, the bank created a
personalization record containing:
- Your PAN (account number)
- Your name
- Your address
- The expiration date
- The magnetic stripe data (Track 1 and Track 2)
- The PIN (encrypted)
- The EMV applet configuration
- The cryptographic key templates
This data is stored in the bank's secure systems. It doesn't disappear after the card is issued. When you requested a duplicate, they simply retrieved this existing record and used it to personalize a new card.
The EMV Key Generation Process Does Not Require the Old Keys
EMV keys are generated using the
issuer's master keys, not from individual card keys. Cryptomathic's documentation explains:
"The card (or secure element in a phone or wearable) is queried for its serial number, which allows to derive the cards' keys from a master key stored in an HSM. Once the keys are derived, they are transported to the ICC and stored there."
This means:
- The old card's keys were derived from the issuer's master keys using its unique serial number
- The new card's keys are derived from the same issuer master keys using its own unique serial number
- The two keysets are completely different but both valid because they come from the same trusted source
The bank does not need your old card to do this. They only need their master keys (which they already have) and the new card's serial number (which the manufacturer provides).
Part 5: The "Impossible to Clone" Statement and What It Actually Means
You correctly noted that EMV chips are considered "practically impossible to clone." But you misinterpreted what this means in the context of legitimate bank operations.
What "Impossible to Clone" Means in EMV Security Literature
Security experts describe EMV cloning as "practically impossible" because:
"By using a secure hardware device the attack vector goes from 'malware installed remotely on host steals secret' to 'attacker needs to physically gain access to the hardware device and destructively remove the private key.' The latter is certainly not impossible, but it is a lot more difficult."
A true EMV clone would require:
- Physical possession of the original card
- Advanced laboratory equipment (scanning electron microscope)
- Chemical decapsulation of the chip
- Direct probing of the silicon to read the private keys
This is not something that can be done by simply having the magnetic stripe data or even by having the card for a few minutes.
What Your Bank Did Is Not Cloning
Your bank did not "clone" your card in the security sense. They performed a
legitimate re-issuance using their own master keys. This is fundamentally different from extracting keys from an existing card.
| Activity | Is This Cloning? | Why |
|---|
| Extracting keys from a card and copying them | Yes | Unauthorized duplication |
| Generating new keys from master keys for a new card | No | Legitimate issuance |
The Huntress EMV guide confirms that EMV chips "make it nearly impossible for criminals to copy or clone your card during in-person use". This refers to unauthorized duplication, not legitimate bank re-issuance.
Part 6: How You Could Have Confirmed What Happened
If you still have both cards and want to verify what happened, here are tests you can perform:
Test 1: Compare Expiration Dates
| Old Card Expiration | New Card Expiration | What It Means |
|---|
| Same date | Same date | Duplicate (damaged card scenario) |
| Earlier date | Later date | Early renewal or replacement with new expiration |
| Different date | Different date | Replacement (lost/stolen scenario) |
Test 2: Try Using the Old Card
You already did this and found it was declined. This confirms the bank updated their authorization system to associate your PAN with the new card.
Test 3: Check if the Same PIN Works
If your old PIN works on the new card, this further confirms it was a same-PAN reissue (PIN is usually tied to PAN, not to the physical card). According to Treasury Prime's documentation, reissued cards with the same PAN can retain the same PIN.
Test 4: Force a Magnetic Stripe Transaction (If Possible)
If you could force a magnetic stripe fallback transaction (at a terminal that still accepts magstripe), both cards would likely read the same data. However, the old card would still be declined at authorization because the bank's system would recognize it as deactivated.
Summary: What Actually Happened
| Your Assumption | Reality |
|---|
| "Banks can't issue same-PAN cards without physical access" | Banks issue same-PAN duplicates routinely for damaged cards. They have all the data in their personalization systems. |
| "This must be a clone created from my old card" | No cloning occurred. The bank legitimately issued a new card using the same personalization profile but with freshly generated chip keys. |
| "The chip must have been copied" | The chip has new, freshly generated cryptographic keys derived from the bank's master keys, not copied from the old card. |
| "This violates EMV security" | This is a standard banking feature, not a security vulnerability. The old card is deactivated at the system level. |
Your observation was technically correct — the magnetic stripe data was identical. But your conclusion that this required physical access to clone the card was incorrect. Bank systems are designed to handle exactly this scenario through legitimate card management functions. The new chip contains completely new cryptographic keys; the magnetic stripe data is identical because it's static data stored in the bank's systems and legitimately re-used for duplicate cards.
Why Cloning with Dumps Fails in Europe: A Technical Breakdown