The acid test
Bill,
Would you be happy to pop up your credit card details on here - card holder's name, number and expiry date? It would certainly act as a powerful demonstration as to how there isn't a problem here.
Another North American TV network has discovered credit card numbers can be read using a phone, and whipped itself into a media frenzy due to its failure to understand how NFC works. This time it's Canadian outfit CBC News, last time it was Memphis-based News Channel 3, but the facts remain the same: an NFC-equipped card will …
Yes you are protected, but I rarely go over my credit card statement with a fine tooth comb. I use it for everything so there are typically more than 50 transactions and I only ever check the high value ones. This means that it would be possible for somebody to remove small amounts without my notice.
I guess all those news items about databases being hacked for CC details or shopping tills and ATMs being infected with malware are simply scare stories designed to keep you awake at night. Who would have thought that criminal gangs would waste their money obtaining and trading these worthless numbers.
Firstly, your laziness in checking for fraud on your card statement is rather immaterial. The fact is that credit card numbers are not secret and people who rely on them being so are misguided. The problem of database insecurity and ATMs being infected is that they do contain the secrets required to make the transactions by virtue of them making the transactions in the first place, hence the data being worth something. I am not saying the system is ideal but the point is that you have to have the private data (PIN or CVV or authentication secret etc) to actually make the transaction which is not transmitted by NFC.
> credit card numbers are not secret
Actually they (kind of) are. This is why receipts only have the last few digits of the card printed on them and not the full number.
There are any number of ways the credit card number can be used to obtain cash/goods/services. You may or may not detect it, but it will be a real pain to chase down a refund just because somebody got too close to you on the tube.
http://www.kjrh.com/dpp/news/local_news/investigations/thieves-caught-turning-stolen-credit-card-numbers-into-quick-cash
http://www.bet.com/news/music/2012/07/13/guerilla-black-arrested-for-buying-stolen-credit-card-numbers.html
Neither of the above involved any PIN or CVV number.
ISTR that the reason that Amazon don't tend to ask for the CVC is because the rules say that they must use the CVC instantly, and may not store it on their systems. Amazon only charge the card when they ship, and therefore cannot use the CVC on the order.
What I don't know is where other sellers stand on the consumer credit act, which AFAIK does not allow them to charge credit for something until you have it (but e.g. booking a holiday is not the same because you have actually paid for the booking, not the actual going).
I suppose that sites that store your credit card to re-use later (e.g. iTunes) must obviously use the numbers sans CVC for the later transactions.
Many US merchants don't ask for CVC. Some will accept payment from the 16-digit PAN and expiry alone. These are usually fly-by-night porn outfits, and they pay for the "privilege" with high merchant fees, but the business is commercially worthwhile to them, it's the banks that pay for card fraud, not the card clearing companies, so who cares...
In any case, there's nothing new here. I have a device on my phone which uses electromagnetic radiation to acquire a copy of the details printed on any credit card. It's called a camera.
Put your mass-transit ticket card, or your building's door-access card, in front of it - or another NFC-enabled credit or debit card, for that matter. The remote NFC snooper that everyone's so afraid of (despite it never having been demonstrated to work in a real-life setting) will trigger both cards and be unable to read from either.
Just because an attack is "high-tech" doesn't mean it's worthwhile for an attacker to pursue. There are easier and cheaper ways of acquiring card numbers than trying to radio them out of peoples' wallets. A few quid in the hand of a dishonest waiter in a busy tourist bar is much better return on investment.
"Put your mass-transit ticket card, or your building's door-access card, in front of it - or another NFC-enabled credit or debit card, for that matter.. The remote NFC snooper that everyone's so afraid of .. . will trigger both cards and be unable to read from either."
Not so.
I have three such cards in a badge wallet, for access to three different sites. Some of the badge readers can happily find the right card when I wave the wallet at them, others require me to extract the card concerned. It seems to depend on the sophistication of the card reader.
OK - so now there's a 3 digit number between you and the attacker. They'll never guess that...
Just to spell this out. Pick a CVC. Capture 1000 card details. Try each of them with the same CVC. You aren't scanning through the CVCs on the same card, so fraud detection, which is card oriented, won't notice you trying. Your odds of getting a card are pretty good. Presumably you can actually try several CVCs for each card without the issuer noticing, so you can improve your yield.
There must be loads of sites that handle 10s of 1000s of cards a day. It's those sites that NFC is aimed at.
"Another North American TV network has discovered credit card numbers can be read using a phone, and whipped itself into a media frenzy due to its failure to understand how NFC works"
Or
"Another story on The Reg has reported credit card numbers can be read using a phone, and the commentators have whipped themselves into a frenzy due to their failure to understand how NFC works"
No, if Apple releases a phone with NFC, they'll probably do something different to improve the security and/or make it more convenient. Like replacing typing in a PIN with a thumbprint on the home button (not that fingerprints are particularly secure, as the Mythbusters and many others have demonstrated). Apple haters will wail and moan about Apple not following standards, ignoring that there are multiple competing NFC pay by bonk standards, as well as complain that Apple is trying to lock in its users and make jokes about Apple charging 30% for all NFC transactions. Now I'm sure there will be some Apple fanboys who claim however Apple does NFC is superior to the Android implementations and give Apple credit for it if NFC takes off after Apple supported it, but what do you expect from fanboys? Certainly not logic.
I still maintain NFC is a solution looking for a problem, and "pay by bonk" offers nothing over bonking a card, or swiping a card for that matter. The "not having to carry a wallet" is silly, unless you think that you'll be able to use your phone as a driver's license anytime soon, or that others who want proof of identity will accept a picture of your license (like the picture of my medical insurance card I have in my phone so I don't have to remember to bring it when I visit the doctor). Good luck buying a beer that way.
Companies that promote NFC do so because they think they can get a small cut from trillions in purchases, but there are so many players who hope to claim a piece of that pie that the processors must either accept less than they get today (fat chance) or merchants must accept a bigger hit for processing NFC transactions (again, fat chance, absent legislation that forces it down their throats).
Those supporting NFC today just do it because there is a certain segment of people who think it is "cool", not because it is actually any better at all over existing payment methods. Apple haters promote it only because iPhones can't do it, many of them will quickly lose interest in it if/when Apple products ever support it and go back to complaining about the lack of SD or removable battery.
I was in a cafe a few weeks ago and a woman was ordering something via her mobile, she clearly stated name, address, card number, expiry and CVC number for all to hear... As I said to my children, practise remembering 16 digit numbers and you will never need to go short....
It's not really clear, I suspect there are several reasons, but US banking is fairly odd in terms of technology. They still rely upon cheques (checks) and have introduced some novel systems to approving the cheque quickly - a modern solution to an ancient problem - but they haven't addressed the easy fraudulent use of cheques. Chip and PIN is coming to the US, I believe it's recently been rolled out in Canada, one of the other hold-outs. This is mainly because the rest of the world are getting sick of their magstripes being cloned and used fraudulently in the USA and the payment processors have finally said "enough".
Prepare yourself for lots of conspiracy theory web sites popping up from many different sources when the rollout does commence.
http://thebankwatch.com/2008/10/28/chip-and-pin-canada-the-basic-flaw/
We've had them in Canada for years, not sure what you mean by recently?
No conspiracy theory needed: the answer is more mundane. Unlike elsewhere, US banks pass the full cost of the terminal equipment onto the merchant. It's a once-off fee, and the terminals then belong to the merchants. As the merchants would have to pay for new Chip-n-PIN terminals, they see little benefit in doing so, especially as the benefits aren't going to be obvious to them in terms of lower transaction costs. Similarly, the acquiring companies can't just cut off the magstrip services either, because as long as the merchants keep paying their service fees and refuse to pay for new equipment, forcing a change would result in loss of revenue.
In Europe, on the other hand, the terminal is the bank's property, and is rented to the merchant as part of their monthly service fee. So, if the bank wants to upgrade their security, they tell the merchant that they'll be sending a new terminal, and that's that.
(The US situation is a pain in the hole for security, as it's the only reason why the rest of the world is stuck with magnetic strip readers -- the easiest method of stealing card numbers)
"El Reg would be interested to know which retailers sell five grand's worth of kit without checking the CVC, the home address or even the signature."
play.com (I know a victim)
They have a policy of only delivering the first order to the card holders home address. The second order can be sent to any address. Sadly however there is no time delay enforced between placing the orders, so the victim receives a single DVD at their home address from the first order and the thief receives all subsequent orders placed the same day at their drop address.
But Play.com will be on the hook for any fraudulent activity on the card... It's not if someone is a victim, it's how quickly that's put right, there will always be fraud in the system the balance is how to make the system work in a useable manner but also be resilient to as much fraud as possible, without costing the earth.
> But Play.com will be on the hook for any fraudulent activity on the card..
Which Play factors into their prices, so that all Play's customers end up paying for it. That's how all businesses handle theft, by adding it in as a "business cost".
It does not mean that it can be ignored because there's apparently no important victim...
I was under the impression that the number that's given up by the NFC portion of the card is not, in fact the PAN and that all the different applications of the card have a different account number. That is: the embossed number and magstripe have a different account number to the chip and pin and to the NFC etc. Can anyone confirm this?
The Chip-n-PIN certainly gives up the same details on the card (number, name, etc.), but not the CVC. As for the NFC, don't know. If the NFC is the same, all it takes is a shoulder surfer / cam near an ATM and an NFC reader and you could clone the mag-stripe on the card, with no suspicious add-on bulges on the machine.
"you'd need a suspicious bulge to house the NFC reader"
Because my Galaxy S3 is sooo suspicious and bulgey. Who would notice the guy behind them at the ATM using his mobile? Just pretend you're using it to talk or text and no one would be suspicious. You probably don't even need to take it out of a pocket depending on how you write the card snaffling software.
> Did you miss the bit where I said that you'll not be able to get NFC to work over more than about 20cm and that's in a lab? We're not talking about RFID here.
Stand behind someone in the ATM queue. They usually have their card or wallet in their hand ready for their turn. Bend down and pretend to pick up a coin and tap them on the shoulder. "Is this yours?" you say as you hand them the coin with your phone in your hand. You won't have any problem getting within 20cm.
If you try to hand somebody something they will automatically reach out to take it. They might ultimately refuse but by then it is too late because you have got within the 20cm.
That's not going to work, ATMs are covered by CCTV and have it built into them. How much pay-off do you think that would have before someone noticed suspicious activity and the person doing it got arrested, particularly compared to a skimmer on the ATM?
Personally if someone bumped into me or touched me in the queue to an ATM, I'd be hugely suspicious and, yet again, I'll point out that the 20cm is in a lab, not real life.
There is no touching involved and the contrived reason for getting close does not have to be immediately in front of the ATM. The point being that it is possible to get card details remotely.
> yet again, I'll point out that the 20cm is in a lab, not real life.
And I'll point out that you don't have a personal force field preventing people from getting within 20cm of you.
The school I work for uses a MIFARE entry system (same system as some Oyster cards - I can actually access the property with my Oyster because I programmed it onto the system).
When we tried a Galaxy S4 near it, it went mad, recording lots of non-existent card numbers on the MIFARE reader. Once we worked out what it was, we just kept tapping. Through the MIFARE interface it appears to give a largely random huge (16 digit I think) number that is presumably used for NFC payments. We couldn't make it give out a consistent number (so, no, my boss couldn't enter the building using just his Galaxy S4 even if he wanted to).
That's not to say that that is ALL the information it gives out, but over the MIFARE NFC system (which appears to be compatible insofar as it detects an ever-changing number whenever you "doink" a reader) it appears to give some sort of transaction hash rather than easily-readable card numbers. A "PayWave" NFC pre-pay credit card that I have tested also had similar results.
Personally, though, I wouldn't trust it, hence why the only NFC device I own is a pre-pay card on which you can't spend anything unless I put it on anyway (yeah, sure, the banks say the same, but I *KNOW* there's only £5 on the card).