A US TV station has demonstrated how easy it is to lift credit card details from proximity-payment cards, though in the process showing just how pointless the activity is. The video does a nice job of demonstrating just how close you have to be to read a card, which are induction-powered so have very limited range; you needn't …
NFC Scanning is pointless?
Surely if an NFC card can be used to make payments then a payment can be sucked out of it by the bloke next to you in the tube... They said Chip&Pin couldn't be hacked only to be proven wrong.
Obvious methods are:
1) Copy details from as many cards as possible and process them en-masse through a broken/modified NFC till, small amount x many transactions = big number.
2) Duplicate cards and sell them 'in the pub' - punter beware but seller long since gone.
Sounds like tech best avoided!
Also will anyone notice?
There was something in the press recently about a gang that raised a lot of money by making very small (maybe < $0.50?) transactions to various credit cards. Most people didn't bother to contest the charge because it's too much hassle, hence they got away with it for a long time.
Now imagine that your credit card bill lists every transaction you make for a bus ticket or newspaper, at several transactions for a few pence every day. Probably very few people would even spot what you have done, let alone complain...
The details read from the card are there TO BE READ. It's actually part of the design! :) So someone being able to read them is nothing particularly amazing.
When you perform a transaction, the card generates a cryptogram using secret keys on the card that only the card issuer knows and the card never reveals. This cryptogram changes each time based on things like amounts, but also transaction counters.
An online transaction sends the cryptogram to the issuer for checking (basically, they perform the same calculation and compare the results). Without the correct keys, the cryptogram will not verify and the transaction is declined.
An offline transaction is where the cryptogram is sent later, in a batch with others. By the time this happens, the goods/service will have been provided and someone will have pocketed the profit.
Most transactions in the US are online transactions, so are well protected against making up fake cards.
Something else to note is that contactless cards can have 2 or 3 account numbers on them. Contact for Chip + PIN (printed on the front), mag stripe (possibly same as contact) and contactless (different from the others). If a contactless account number is read from the card, but submitted via a webpage (e.g. mail order), then it'll be declined. This stops people using the contactless account number for card not present transactions.
So the real risk is for offline transactions. However, in a dispute, it's very easy to check the cryptogram and see that it wasn't correct - so the card holder shouldn't need to prove they didn't perform the transaction.
>>"Now imagine that your credit card bill lists every transaction you make for a bus ticket or newspaper, at several transactions for a few pence every day."
On the other hand, if there were online readers reporting transactions quickly, the trail could provide a record of where you are or have recently been, allow odd transactions to get rapidly flagged up, and maybe even get warnings/temporary blocks sent out, and so could make cloned details rapidly useless.
"This cryptogram changes each time based on things like amounts, but also transaction counters."
And how is this unpowered chip going to know any of that? The only thing it could do would be a challenge / response using a secret key.
RFID and NFC power the chip by inducing current, like a transformer.
Horses for courses
Potentially handy for American diplomats at the UN then?
and the benefits over cash are?
I keep asking this question but no-one seems to have an answer;-
If I use the nearest of near field comms;- contact through putting coins in the shopkeep's hand then I do not need to be concerned about skimming in my pocket. Problem solved by keeping it simple, stupid.
No one seems to have done a cost benefit analysis on NFC or why I need it.
benefits over cash
1. Visa makes no money at all when you use cash. When you use NFC, they can charge a handling fee...
2. Someone has to count all that cash and take it to the bank before someone else turns up with a cucumber in a carrier bag and asks for it instead.
3. The coins keep wearing holes in the pockets of my jeans.
4. Someone might use fake cash, and the shopkeeper will be out of pocket. NFC could never be used fraudulently.
Of course cards with contacts solve all these problems too!
Advantages over cash
There are quite a few cards giving you 1% cash back on all your transactions here in the US; if you pay in full each month this is free money. I have no reason to carry cash with me - if I lose the card I have zero liability, while cash it is gone forever. In addition, there is a lot less bulk and weight to carry around compared to cash, and it is accepted everywhere.
Chase sent me a replacement card with RFID built-in and cash back; for now it is stored in a full metal jacket as I keep on using my old cards, with no RFID stuff built into them.
Reading the number and expiration date with off-the-shelf equipment makes the job easier for crooks; they need less work to figure out the rest. Now you need to worry if the guy who just walked with you for the past 30 minutes is following you home to get a name and an address to go with the CC number he just got in the bus or if he is just a new guy living in the area....
1) if very few people have more than spare change in their pockets, criminals have less incentive to rob people.
2) no trips to ATMs/banks to refill cash supply
3) sales tax gets paid 100% of the time (no under the table deals)
4) Receipt trail (a card number can be used to look up a lost receipt, no such luck for cash), so I can always get proof of warranty later if I lose a receipt, and return things without one too.
5) I pay the same price either way, but I get points using the card, extended warranties, theft protection, and I can stop payment if I think I got screwed or they refuse a product return.
6) lost card != lost money (especially most that have fraud/theft protections on plastic too)
7) Merchant can't be given counterfeit money (and even fraudulent transactions are guaranteed to be paid to him if Visa approved it).
8) No "crap, I don't have enough cash on me" moments that waste time and turn into no-sale with customers (and also no "sorry you made that pizza, but I only have $5, so, throw it out I guess." moments either)
9) Merchant can't get robbed for as big a loss since less cash is on hand.
10) less time counting down the till, and less mistakes too.
11) harder for cashiers to pocket a transaction instead of ringing it through. (charge customer cash, cancel transaction at last second, pocket money, no longer possible).
12) costs the same, roughly, as processing a check, but is more secure and comes with guarantees for the merchant.
I can easily go on.
No card necessary
The only practical advantage NFC can have over existing chip 'n' pin readers is that the 'card' need not actually be a card. It could be a mobile phone. Japan already uses mobiles for this purpose, and you can link it in to your mobile billing to keep it topped up. It is quite neat and handy, you're never short of loose change.
Of course, that does nothing to prevent skimming. However the phone could act as a management app for the NFC payments. You could get a listing of all transactions anytime anywhere, so you might be able to rapidly spot dodgy transactions. Also the phone could turn off the NFC part whilst, for example, your phone keypad is locked. That would do a pretty good job of preventing skimming. I think that some (if not all) of these possibilities are already on Japanese mobiles.
Personally speaking I agree with yourself - cash is straightforward and the worst that can happen is losing it. I don't see why a card needs to be NFC. We're quite good at putting cards in slots at the moment, so why does that aspect of their use need to change? The only true benefit of NFC is that something other than a card, like a mobile, can do the job instead.
Paying the same price
"I pay the same price either way"
Not in Australia you (increasingly) don't. The big stores all charge a flat rate still but down here, service stations and smaller retailers are increasingly charging a 1-2% credit card transaction fee.
Amex users are hit the hardest.
Do you trust Mastercard or Visa?
"1) if very few people have more than spare change in their pockets, criminals have less incentive to rob people."
And more incentive to point a gun at you and direct you to the nearest ATM.
There's some advantages to plastic, but you'll never replace the instantness and convenience of cash. Plus the government can't stop you spending it, the US government in particular can't decide that you are unfriendly to their interests and bar your account (yay wikileaks), and you don't have every single transaction on a record.
Frankly I'd rather retain that level of control.
the benefit is,,,
it is a step towards the obsolescence of cash.
No cash = no cash-in-hand = more tax for the greedy bastard government.
Further distance too?
I seem to remember demonstrations of reading contactless cards from a greater distance by using a much higher powered reader that could energise the card from further away?
All you need to do is transmit enough welly at the thing, which is trivial, and have a very sensitive receiver (which is harder, but where money is concerned, do-able).
It seems to me though that the problem is the same old one. The card gives up the magic number that is the 16 digit account number, and that same number can make unlimited transactions! Why is it that the rest of the world has moved on to one-time transaction codes and salted hashes / public-private keys, but the people who "look after" our money for us are still doing it the stone-aged way?
There are several countries where you don't need a CVV to do credit card transactions. Lift the details and sell them onto foreign gangs.
selling credit card numbers
Nowadays even in batches of 1000 cards, a credit card will go for 2$ USD. An identity (DOB, name, surname, address, phone number), will instead go for 50$ USD. With an identity you can apply for many cards... with a stolen card you get a few free transactions, if any.
not just countries
Amazon don't require it either!
NFC has obvious security issues
NFC strikes me as a solution in search of a problem. Yes it has benefits and in some cases such as tagging on & off of public transport perhaps NFC is justifiable. I don't think it is particularly handy for purchases either to the store or to the customer. If users are randomly challenged for a PIN, the system is going to be more of a pain in the arse than always being challenged.
People who say "it doesn't matter", or "thieves can't do anything with the data" don't get it. The point is that someone walking past me is able to obtain information without physically removing it from my person. By the time I check my card next there might be dozens of small payments on my card. Depending on what information leaks over NFC they may also be able to clone my card, or find out my name & details or other personal info. Perhaps stores and / or casinos could also create chokepoints where people must pass NFC readers which skim numbers (and RFIDs embedded in clothing etc.) to aid with tracking of particular people.
Let's hope the NFC code changes with each challenge and there is no obvious association between the NFC value and the card's name & number. At least that way, perhaps there is no way to clone a device or track someone or replay a code to simulate a transaction.
People are naive
"People who say "it doesn't matter", or "thieves can't do anything with the data" don't get it."
Didn’t Jeremy Clarkson challenge anyone to try and do something with his bank account number and then regret the challenge? Why obscure the card details on receipts if the information is so innocuous?
Yes, he did... Someone set up a Direct Debit with his account number/sort code (AFAIK not available from the NFC application on the chip). He called up the bank, the money was refunded through the Direct Debit Guarantee. End of story.
"Didn’t Jeremy Clarkson challenge anyone to try and do something with his bank account number and then regret the challenge? "
Someone did. IIRC They put him down for a standing order to a charity. He didn't think preventing identity theft was that difficult.
Doesn't think that now though.
Very true, but this is more because the current system is inherently insecure, built before proper technological security maturity. If you can build an inherently secure system, then the need for "security through obscurity" - the current setup - is not needed. In that world, while I would certainly prefer my details remain private wherever possible, I would also be assured that their being public is not going to be harmful to me.
The real danger would be someone setting up a skimmer near an NFC payment contact point and collecting all the transactions. But people do that now with ATMs and magstripes so it's not really a new threat - it's just much easier to build a discreet skimmer for NFC than magstripes.
Electronic Track2 communications ...
The main way in which sniffed 'NFC communications' from a credit card would be used would be to burn the data onto a good old-fashioned magstripe card. Then, just use the 'backward compatibility' features left around by the issuing community to commit good, old-style fraud. No need to worry about PIN or security code because of the good old excuse of "looks like the chip's broken"
Worrying ... especially the complacency of the payPass/SecureWave pushers.
The account number for contactless interface is different to the magstripe account number. Presenting the contactless account number to a magstripe reader would cause the transaction to be declined.
Which is why I don't trust 'em
I either request a card from the bank without a chip in it, or if the bank / cc company refuses, then the application of a dull implement to the chip gives a satisfying crack of silicon and no more NFC from me.
The technology gets used for years in Japan and there's no problem, comes to the west and it's immediately exploited by criminals. Says a lot about East and West.
Nah, they have Asian crooks also...
I wonder... I suspect they have equally ingenious and malicious crims out there. If we feel we have more of it here, I suspect it's either due to us being careless, our implementations being poor or - most likely - we're being more worried about it because it's new and unknown.
But I reckon they have their fair share of crime out there but they manage it... much the same way we do with our current tech. The question is, would this change make it better or worse and, if worse, is the added convenience an acceptable tradeoff for it?
You seriously actually believe there are no criminal problems with this tech in Japan?
My god, you have NO idea!!!
Easy to fix
So simply design the card to only become active if a pressure sensitive area is active. Ie someone is holding it?
Need an address for online ?
I don't think so chummy.
contactless payments why!
I am quite happy with pushing a card into a swipe machine and pushing in some numbers, I'd be even more happy if I can opt for a one time password the likes of which RSA provide.
However I really really don't see the need to make this activity, wireless. Other than reducing wear and tear on the cards which WE PAY FOR ANYWAY VIA CHARGES.
So contact-less payment monkey bothers, please turn your effort into what I want, not what you want.
cash, debit card, my problem
credit card, bank's problem
put a faraday cage around debit card*, only use credit card - let bank sort out fraud problems
*adapt a conductive film bag, like wot your memory stick came in, or do a deal with wallet manufacturer to create faraday section (while you're at it, make a passport holder too) share royalties with me...
Err... CVV and Address Not Required
I've seen online shops that require neither CVV nor any AVS matches. So it's far from worthless - especially when the details are put on a card and used in America - where card security is so lax it's unbelievable. As merchants over here in Europe we get hassled constantly about PCI DSS and surcharges if they think a transaction went through without being PCI DSS compliant - yet in the good old US of A from what I've seen hardly any merchant is even 1% towards being PCI DSS - In some places you don't even have to sign for your transaction let alone use chip 'n' pin.
Re: CVV and Address not required
Indeed. I just did a lot of online holiday shopping last night, and several merchants did not ask for CVV. (The article incorrectly has "CCV", by the way - someone should fix that.) I think all the sites I used wanted either CVV or correct billing address, but I couldn't swear to it.
In any case, one comment claimed the NFC account number is different from the embossed / magstripe account number. If that's true, then the danger of NFC sniffing is NFC cloning. That's at least good enough for petty crime, and reason enough in my book to kill this pointless feature.
And no, I don't want to pay for things with my phone, either. I can see how that might be useful for some, but let's have it be an option that's off by default. That's how my phone treats Bluetooth, and it's the right approach. People who can't figure out how to turn it on probably shouldn't be using it anyway.
If you've got the card number and expiry, just put the details on a regular magstripe card and use that. The US doesn't have chip and PIN so nearly all credit card purchases still only need a signature. Some shops are smart and ask for photo ID, but most don't.
yeah... card security is crazy weak out in the US
I got out to the US and it is ridiculous how poor the card security here is. I got a debit card a year ago and use it every day for transactions. I sign for almost everything (you can usually use a PIN but it's never mandatory). However, I've still not signed my card, which means not one of the thousands of transactions I have done has ever checked my identity. I could nab anyone's card and empty it in the shops before the victim could report it...
Online here you don't typically use the CVV, but usually need an address. Not sure if that's a hard rule though.
Don't they make wallets
...that prevent this?
For some reason I thought I had run across something like that - maybe even a DiY way to put RF shielding in your own wallet.
If this isn't a problem
And you're not worried about it, then post your credit card number and expiry date...
Don't want to?
No didn't think so...
@Advantages over cash
It's not 1% free cash, it's 1% extra charged to the merchant who in turn has to increase his prices by at least 1%. The reality is you're paying more than you get back and forfeiting some of your freedom of choice and privacy in the process.
Even though track2 can be seen, it is still more secure than mag-stripe...
OK, for NFC cards, there are cards which work like current EMV cards in that they generate and transmit data as if the card is being read from a chip reader - For these, authentication is through ARQC/ARPC (uses dynamic data for each transaction therefore is extremely difficult to clone) with or without iCVV/CVC3.
The other NFC transmit "track2 equivalent data" as if the card has been read from a mag-stripe - But it's not done in the same way. Every time the card is used, whilst the PAN and expiry date will be the same, other bits of data within the track2 information will be different for every transaction - The card verification digits within the track2 are generated dynamically because a component of the algorithm now includes a transaction counter, which is incremented for each new transaction. The issuing bank keeps a track of the transaction counter, so you can't use it again, and it would take a long time to crack the keys used in the algorithm to generate the card verification digits.
So whilst you may be able to capture details from an NFC transaction, it's not going to matter because:-
(a) You can't use the same track2 details again for a second transaction
(b) You don't know the encryption keys used to generate the card verification digits for the next counter.
(c) even if you did, you have to hope that the real cardholder hasn't used their card again in the meantime...
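Added example, not part of the original thread: a minimal issuer-side model of the counter-based check the comment above describes, and of the cryptogram verification described earlier in the thread. The HMAC-SHA256 construction, the `Card` and `Issuer` classes, the key and the test PAN are all constructed stand-ins; real cards use scheme-specific algorithms that the page does not give.

```python
import hashlib
import hmac


def cryptogram(key: bytes, pan: str, counter: int, amount: int) -> str:
    """Stand-in calculation: HMAC-SHA256 over the transaction, cut to 3 digits.
    Assumption for illustration only; not the card schemes' real algorithm."""
    msg = f"{pan}|{counter}|{amount}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


class Card:
    """Holds the secret key and a transaction counter that only moves forward."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.counter = pan, key, 0

    def tap(self, amount: int) -> dict:
        self.counter += 1
        return {"pan": self.pan, "counter": self.counter, "amount": amount,
                "cvc": cryptogram(self._key, self.pan, self.counter, amount)}


class Issuer:
    """Repeats the card's calculation and remembers the highest counter seen."""

    def __init__(self):
        self._keys, self._highest = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._highest[pan] = key, 0

    def authorize(self, txn: dict) -> str:
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE unknown card"
        expected = cryptogram(key, txn["pan"], txn["counter"], txn["amount"])
        if not hmac.compare_digest(expected, txn["cvc"]):
            return "DECLINE bad cryptogram"
        if txn["counter"] <= self._highest[txn["pan"]]:
            return "DECLINE counter already used"
        self._highest[txn["pan"]] = txn["counter"]  # state changes only on approval
        return "APPROVE"


def run_demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    pan = "4000000000000002"                                  # constructed PAN
    issuer, card = Issuer(), Card(pan, key)
    issuer.enroll(pan, key)
    results = {}

    first = card.tap(250)
    results["genuine"] = issuer.authorize(first)
    results["replay"] = issuer.authorize(dict(first))          # point (a)

    skimmed = card.tap(100)   # read from the card but not yet submitted
    later = card.tap(499)     # cardholder pays somewhere else meanwhile
    results["cardholder_later"] = issuer.authorize(later)
    results["skimmed_after_use"] = issuer.authorize(skimmed)   # point (c)

    # Point (b): without the key, the digits for the next counter are a guess.
    # To keep the demo deterministic, pick a value known to differ from the real one.
    nxt = card.counter + 1
    wrong = f"{(int(cryptogram(key, pan, nxt, 100)) + 1) % 1000:03d}"
    results["guessed"] = issuer.authorize(
        {"pan": pan, "counter": nxt, "amount": 100, "cvc": wrong})
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:18} {outcome}")
```

The check only works when the issuer sees the transaction before the goods change hands, which is why the thread singles out offline transactions as the remaining risk.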
"...tube travellers might be concerned about the one pressed against them..."
There's a flap for that:
My coat's the one with the copper microwire skein lining...
Tinfoil wallet sir?
Random PIN requests = security FAIL
If they're random for small amounts, then why wouldn't criminals take that chance? If each time they charge $1 to a card there's a 1 in 4 (for the sake of argument) chance of needing the PIN then you've just made $3. Every time you're prompted for a PIN, just cancel the transaction. I'm guessing that the banks/credit card companies won't even notice since they likely only flag failed PIN entries, not transaction voiding (this may be incorrect, I honestly don't know).
Name this "business" cleverly ("[name of city] Convenience Shops" seems like a good choice) and walk around all day with a netbook, an NFC reader, and a WAN connection bumping into people. Even if they check their statements I doubt a tiny charge from something like that would raise an eyebrow.
But the requirement for a PIN entry comes from the chip, once you've been asked to verify by PIN, you've got to verify by PIN to auth the next transaction.
>>"Name this "business" cleverly ("[name of city] Convenience Shops" seems like a good choice) and walk around all day with a netbook, an NFC reader, and a WAN connection bumping into people."
If you're suggesting someone setting up a fake business to take the proceeds, doesn't that fail if there's a time-lag before a business (or at least, a newish business) can draw money they deposited from transactions?
Even a couple of days would likely be long enough for multiple people to spot and report a dodgy transaction, and for the receiving account to be frozen.
So don't retry the same card
So if you get a PIN request, you don't retry the same card. Walk around sniffing NFC details. Collect lots of accounts. Make small transactions. Don't use an account after you get a PIN prompt against it; don't use an account that's older than X hours.
Sure, it's not the crime of the century - just contactless pocket-picking. It's still a reason not to stick this pointless feature into credit and debit cards.
Not worth the effort
Stolen card numbers are available so cheaply online, in plentiful quantities, that it's hard to imagine anyone going to the trouble of stealing them this way. Besides, most of the people who fret about this sort of thing will happily let a waiter walk off with their card, or read the number out loud into a telephone.