Canadian TV station wails: NFC bonking... it's not SAFE

Another North American TV network has discovered credit card numbers can be read using a phone, and whipped itself into a media frenzy due to its failure to understand how NFC works. This time it's Canadian outfit CBC News, last time it was Memphis-based News Channel 3, but the facts remain the same: an NFC-equipped card will …

COMMENTS

This topic is closed for new posts.


  1. Chris 3

    The acid test

    Bill,

    Would you be happy to pop up your credit card details on here - card holder's name, number and expiry date? It would certainly act as a powerful demonstration as to how there isn't a problem here.

    1. David Ireland

      Re: The acid test

      Yes, come on, do a Jeremy Clarkson, it worked out so well for him!

      1. TheVogon
        Mushroom

        Re: The acid test

        Clarkson posted his bank account and sort code details - which someone used to donate £500 to a charity via direct debit. Just like with a credit card, if you didn't authorise the payment, you are protected.

        1. Anonymous Coward
          Anonymous Coward

          Re: The acid test

          Yes you are protected, but I rarely go over my credit card statement with a fine tooth comb. I use it for everything so there are typically more than 50 transactions and I only ever check the high value ones. This means that it would be possible for somebody to remove small amounts without my notice.

          I guess all those news items about databases being hacked for CC details or shopping tills and ATMs being infected with malware are simply scare stories designed to keep you awake at night. Who would have thought that criminal gangs would waste their money obtaining and trading these worthless numbers.

          1. David Ward 1
            FAIL

            Re: The acid test

            Firstly, your laziness in checking for fraud on your card statement is rather immaterial. The fact is that credit cards numbers are not secret and people who rely on them being so are misguided. The problem of database insecurity and ATMs being infected is that they do contain the secrets required to make the transactions by virtue of them making the transactions in the first place, hence the data being worth something. I am not saying the system is ideal but the point is that you have to have the private data (PIN or CVV or authentication secret etc.) to actually make the transaction, which is not transmitted by NFC.

            1. Anonymous Coward
              Anonymous Coward

              Re: The acid test

              > credit cards numbers are not secret

              Actually they (kind of) are. This is why receipts only have the last few digits of the card printed on them and not the full number.

              There are any number of ways the credit card number can be used to obtain cash/goods/services. You may or may not detect it, but it will be a real pain to chase down a refund just because somebody got too close to you on the tube.

              http://www.kjrh.com/dpp/news/local_news/investigations/thieves-caught-turning-stolen-credit-card-numbers-into-quick-cash

              http://www.bet.com/news/music/2012/07/13/guerilla-black-arrested-for-buying-stolen-credit-card-numbers.html

              Neither of the above involved any PIN or CVV number.

      2. Anonymous Coward
        Anonymous Coward

        Re: The acid test

        It did actually, because of the DD guarantee, he got all his money back pretty damn pronto.

  2. Bruno Girin

    "there's really no need to go around [...] rehashing discredited ideas into new TV"

    How would they make new TV then? Surely you're not suggesting they get *new* ideas!?

  3. The Axe
    Trollface

    CBC

    Well CBC regularly promote AGW which is just as dodgy in science terms as the idea that getting just the number and expiry of a card via NFC is the end-of-times for credit cards.

  4. Chloe Cresswell Silver badge

    NFC

    "Ordering anything online will need the Card Verification Code (CVC)"

    Except for sites that don't need it?

    Amazon, for example, doesn't require it..

    1. Semaj

      Re: NFC

      It asked me for mine. It does remember the details until the card expires though - but that's linked to the account so it should be OK.

      1. Chloe Cresswell Silver badge

        Re: NFC

        With my cards, I just added the type/card number/name/expiry date.

        It never asked for the CVC, either adding the card, or when I completed an order.

    2. Anonymous Coward
      Anonymous Coward

      Re: NFC

      Amazon don't ask for the CVV, but because of this they are on the hook for all fraud. It's likely that they took a value judgment and the value of one click is much higher to them than the cost of any potential fraud.

      1. BristolBachelor Gold badge

        Re: NFC

        ISTR that the reason that Amazon don't tend to ask for the CVC is because the rules say that they must use the CVC instantly, and may not store it on their systems. Amazon only charge the card when they ship, and therefore cannot use the CVC on the order.

        What I don't know is where other sellers stand on the consumer credit act, which AFAIK does not allow them to charge credit for something until you have it (but e.g. booking a holiday is not the same because you have actually paid for the booking, not the actual going).

        I suppose that sites that store your credit card to re-use later (e.g. iTunes) must obviously use the numbers sans CVC for the later transactions.

    3. Kristian Walsh Silver badge

      Re: NFC

      Many US merchants don't ask for CVC. Some will accept payment from the 16-digit PAN and expiry alone. These are usually fly-by-night porn outfits, and they pay for the "privilege" with high merchant fees, but the business is commercially worthwhile to them, it's the banks that pay for card fraud, not the card clearing companies, so who cares...

      In any case, there's nothing new here. I have a device on my phone which uses electromagnetic radiation to acquire a copy of the details printed on any credit card. It's called a camera.

      1. Anonymous Coward
        Anonymous Coward

        Re: NFC

        > to acquire a copy of the details printed on any credit card. It's called a camera.

        I'd like to see you do that when my card is in my wallet in my pocket. The point about obtaining card details with NFC is that it can be done with the card still in your wallet.

        1. Kristian Walsh Silver badge

          Re: NFC

          Put your mass-transit ticket card, or your building's door-access card, in front of it - or another NFC-enabled credit or debit card, for that matter. The remote NFC snooper that everyone's so afraid of (despite it never having been demonstrated to work in a real-life setting) will trigger both cards and be unable to read from either.

          Just because an attack is "high-tech" doesn't mean it's worthwhile for an attacker to pursue. There are easier and cheaper ways of acquiring card numbers than trying to radio them out of peoples' wallets. A few quid in the hand of a dishonest waiter in a busy tourist bar is much better return on investment.

          1. Anonymous Coward
            Anonymous Coward

            Re: NFC

            The card number, expiry date and name will be handed over to an unauthenticated reader, which means a phone with NFC can read it.

            The "high-tech" attack is risk free and cheap since there is no investment in specialist equipment (any NFC enabled smart phone will do).

          2. Phil O'Sophical Silver badge
            Stop

            Re: NFC

            "Put your mass-transit ticket card, or your building's door-access card, in front of it - or another NFC-enabled credit or debit card, for that matter.. The remote NFC snooper that everyone's so afraid of .. . will trigger both cards and be unable to read from either."

            Not so.

            I have three such cards in a badge wallet, for access to three different sites. Some of the badge readers can happily find the right card when I wave the wallet at them, others require me to extract the card concerned. It seems to depend on the sophistication of the card reader.

  5. David Ireland
    FAIL

    The 3 digit CVC is such strong protection

    OK - so now there's a 3 digit number between you and the attacker. They'll never guess that...

    Just to spell this out. Pick a CVC. Capture 1000 card details. Try each of them with the same CVC. You aren't scanning through the CVCs on the same card, so fraud detection, which is card oriented, won't notice you trying. Your odds of getting a card are pretty good. Presumably you can actually try several CVCs for each card without the issuer noticing, so you can improve your yield.

    There must be loads of sites that handle 10s of 1000s of cards a day. It's those sites that NFC is aimed at.
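The detection gap this post describes (a card-oriented rule sees only one CVC mismatch per card when the guesses are spread across many cards) is the kind of pattern an issuer or acquirer catches by aggregating per merchant instead. The following Python is an added illustration, not code from the thread or from any payment processor; the two monitors, their thresholds and the authorisation records are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthAttempt:
    ts: int            # Unix seconds
    merchant_id: str   # constructed merchant identifier
    card_token: str    # constructed issuer-side token standing in for a card
    cvc_match: bool    # did the CVC supplied match the one on file?


class PerCardMonitor:
    """Card-oriented rule: flag a card after N CVC mismatches in a window."""

    def __init__(self, max_mismatches=3, window=3600):
        self.max, self.window = max_mismatches, window
        self.hist = defaultdict(deque)   # card_token -> mismatch timestamps

    def observe(self, a: AuthAttempt) -> bool:
        q = self.hist[a.card_token]
        while q and a.ts - q[0] > self.window:
            q.popleft()
        if not a.cvc_match:
            q.append(a.ts)
        return len(q) >= self.max


class MerchantSpreadMonitor:
    """Aggregate rule: flag a merchant when many *distinct* cards fail CVC
    within a window and mismatches dominate that merchant's traffic."""

    def __init__(self, min_cards=20, min_ratio=0.5, window=3600):
        self.min_cards, self.min_ratio, self.window = min_cards, min_ratio, window
        self.events = defaultdict(deque)  # merchant -> (ts, card, match)

    def observe(self, a: AuthAttempt) -> bool:
        q = self.events[a.merchant_id]
        q.append((a.ts, a.card_token, a.cvc_match))
        while q and a.ts - q[0][0] > self.window:
            q.popleft()
        failed_cards = {card for _, card, ok in q if not ok}
        ratio = sum(1 for _, _, ok in q if not ok) / len(q)
        return len(failed_cards) >= self.min_cards and ratio >= self.min_ratio


def run(attempts):
    """Replay attempts in time order; return (flagged cards, flagged merchants)."""
    per_card, per_merchant = PerCardMonitor(), MerchantSpreadMonitor()
    flagged_cards, flagged_merchants = set(), set()
    for a in sorted(attempts, key=lambda x: x.ts):
        if per_card.observe(a):
            flagged_cards.add(a.card_token)
        if per_merchant.observe(a):
            flagged_merchants.add(a.merchant_id)
    return flagged_cards, flagged_merchants


def constructed_attempts():
    """Constructed sample: a normal shop with occasional typos, and a shop
    receiving one guess per card across 40 different cards."""
    attempts = []
    for i in range(60):   # legitimate traffic, a mistyped CVC every 25th order
        attempts.append(AuthAttempt(1000 + 30 * i, "shop-legit",
                                    f"tok-{i:04d}", cvc_match=(i % 25 != 0)))
    for i in range(40):   # spread pattern: each card touched exactly once
        attempts.append(AuthAttempt(5000 + 5 * i, "shop-probe",
                                    f"tok-{1000 + i:04d}", cvc_match=(i == 17)))
    return attempts
```

On the constructed data the per-card monitor flags nothing, while the merchant-level monitor flags "shop-probe" and leaves "shop-legit" alone.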

    1. Anonymous Coward
      Anonymous Coward

      Re: The 3 digit CVC is such strong protection

      Card fraud detection is rather more sophisticated than you understand it to be. It wouldn't get this straight away, but it would flag up suspicious activity PDQ.

  6. Anonymous Coward
    Anonymous Coward

    Err...

    "Another North American TV network has discovered credit card numbers can be read using a phone, and whipped itself into a media frenzy due to its failure to understand how NFC works"

    Or

    "Another story on The Reg has reported credit card numbers can be read using a phone, and the commentators have whipped themselves into a frenzy due to their failure to understand how NFC works"

  7. Fido L Dido
    Angel

    NFC is evil, until...

    Don't you know that NFC is evil and flawed?

    That is until Apple decide to launch a phone with NFC, then it'll be lovely, the public will believe Apple invented it, Apple will file a patent for it, and NFC will be the best thing that ever happened.

    1. Anonymous Coward
      Anonymous Coward

      Re: NFC is evil, until...

      No, if Apple releases a phone with NFC, they'll probably do something different to improve the security and/or make it more convenient. Like replacing typing in a PIN with a thumbprint on the home button (not that fingerprints are particularly secure, as the Mythbusters and many others have demonstrated). Apple haters will wail and moan about Apple not following standards, ignoring that there are multiple competing NFC pay by bonk standards, as well as complain that Apple is trying to lock in its users and make jokes about Apple charging 30% for all NFC transactions. Now I'm sure there will be some Apple fanboys who claim however Apple does NFC is superior to the Android implementations and give Apple credit for it if NFC takes off after Apple supported it, but what do you expect from fanboys? Certainly not logic.

      I still maintain NFC is a solution looking for a problem, and "pay by bonk" offers nothing over bonking a card, or swiping a card for that matter. The "not having to carry a wallet" is silly, unless you think that you'll be able to use your phone as a driver's license anytime soon, or that others who want proof of identity will accept a picture of your license (like the picture of my medical insurance card I have in my phone so I don't have to remember to bring it when I visit the doctor). Good luck buying a beer that way.

      Companies that promote NFC do so because they think they can get a small cut from trillions in purchases, but there are so many players who hope to claim a piece of that pie that the processors must either accept less than they get today (fat chance) or merchants must accept a bigger hit for processing NFC transactions (again, fat chance, absent legislation that forces it down their throats)

      Those supporting NFC today just do it because there is a certain segment of people who think it is "cool", not because it is actually any better at all over existing payment methods. Apple haters promote it only because iPhones can't do it, many of them will quickly lose interest in it if/when Apple products ever support it and go back to complaining about the lack of SD or removable battery.

  8. Pie
    Happy

    You don't need NFC, just a good memory.

    I was in a cafe a few weeks ago and a woman was ordering something via her mobile, she clearly stated name, address, card number, expiry and cvc number for all to hear... As I said to my children, practise remembering 16 digit numbers and you will never need to go short....

  9. Crisp

    No Chip and Pin in America?

    Why not?

    1. Anonymous Coward
      Anonymous Coward

      Re: No Chip and Pin in America?

      It's not really clear, I suspect there are several reasons, but US banking is fairly odd in terms of technology. They still rely upon cheques (checks) and have introduced some novel systems for approving the cheque quickly - a modern solution to an ancient problem - but they haven't addressed the easy fraudulent use of cheques. Chip and PIN is coming to the US, I believe it's recently been rolled out in Canada, one of the other hold-outs. This is mainly because the rest of the world is getting sick of their magstripes being cloned and used fraudulently in the USA and the payment processors have finally said "enough".

      Prepare yourself for lots of conspiracy theory web sites popping up from many different sources when the rollout does commence.

      1. Mike VandeVelde
        Boffin

        "I believe it's recently been rolled out in Canada"

        http://thebankwatch.com/2008/10/28/chip-and-pin-canada-the-basic-flaw/

        We've had them in Canada for years, not sure what you mean by recently?

    2. Charlie Clark Silver badge

      Re: No Chip and Pin in America?

      Historically because banks have made more by selling fraud insurance than they lose due to fraud.

      1. turnip handler
        Meh

        Re: No Chip and Pin in America?

        If you made less money selling fraud insurance than you lose to fraud then you shouldn't be in the business of selling insurance.

        1. Kristian Walsh Silver badge

          Re: No Chip and Pin in America?

          No conspiracy theory needed: the answer is more mundane. Unlike elsewhere, US banks pass the full cost of the terminal equipment onto the merchant. It's a once-off fee, and the terminals then belong to the merchants. As the merchants would have to pay for new Chip-n-PIN terminals, they see little benefit in doing so, especially as the benefits aren't going to be obvious to them in terms of lower transaction costs. Similarly, the acquiring companies can't just cut off the magstrip services either, because as long as the merchants keep paying their service fees and refuse to pay for new equipment, forcing a change would result in loss of revenue.

          In Europe, on the other hand, the terminal is the bank's property, and is rented to the merchant as part of their monthly service fee. So, if the bank wants to upgrade their security, they tell the merchant that they'll be sending a new terminal, and that's that.

          (The US situation is a pain in the hole for security, as it's the only reason why the rest of the world is stuck with magnetic strip readers -- the easiest method of stealing card numbers)

          1. Ian Yates
            Alert

            Re: No Chip and Pin in America?

            "the easiest method of stealing card numbers"

            Didn't you read the article?!

    3. Syldra
      Joke

      Re: No Chip and Pin in America?

      No, only chips and pints...

  10. Velv
    FAIL

    "El Reg would be interested to know which retailers sell five grand's worth of kit without checking the CVC, the home address or even the signature."

    play.com (I know a victim)

    They have a policy of only delivering the first order to the card holder's home address. The second order can be sent to any address. Sadly, however, there is no time delay enforced between placing the orders, so the victim receives a single DVD at their home address from the first order and the thief receives all subsequent orders placed the same day at their drop address.

    1. Anonymous Coward
      Anonymous Coward

      But Play.com will be on the hook for any fraudulent activity on the card... It's not whether someone is a victim, it's how quickly that's put right. There will always be fraud in the system; the balance is how to make the system work in a usable manner but also be resilient to as much fraud as possible, without costing the earth.

      1. Phil O'Sophical Silver badge
        Thumb Down

        > But Play.com will be on the hook for any fraudulent activity on the card..

        Which Play factors into their prices, so that all Play's customers end up paying for it. That's how all businesses handle theft, by adding it in as a "business cost".

        It does not mean that it can be ignored because there's apparently no important victim...

  11. Killraven

    Sarcasm Mode = On

    Yep, cards without the security code are worthless. That's why there are no ATM scammers anywhere anymore.

    Uh-huh.

  12. Anonymous Coward
    Anonymous Coward

    I was under the impression that the number that's given up by the NFC portion of the card is not, in fact the PAN and that all the different applications of the card have a different account number. That is: the embossed number and magstripe have a different account number to the chip and pin and to the NFC etc. Can anyone confirm this?

    1. BristolBachelor Gold badge

      The Chip-n-PIN certainly gives up the same details on the card (number, name, etc.), but not the CVC. As for the NFC, don't know. If the NFC is the same, all it takes is a shoulder surfer / cam near an ATM and an NFC reader and you could clone the mag-stripe on the card, with no suspicious add-on bulges on the machine.

      1. Anonymous Coward
        Anonymous Coward

        You'd need a suspicious bulge to house the NFC reader and it's going to need to be close to the card slot. The best distance I've heard NFC working over is about 20cm and that's in lab conditions.

        1. This post has been deleted by its author

        2. Irongut

          "you'd need a suspicious bulge to house the NFC reader"

          Because my Galaxy S3 is sooo suspicious and bulgey. Who would notice the guy behind them at the ATM using his mobile? Just pretend you're using it to talk or text and no one would be suspicious. You probably don't even need to take it out of a pocket depending on how you write the card snaffling software.

          1. Anonymous Coward
            Anonymous Coward

            Did you miss the bit where I said that you'll not be able to get NFC to work over more than about 20cm and that's in a lab? We're not talking about RFID here.

            1. Anonymous Coward
              Anonymous Coward

              > Did you miss the bit where I said that you'll not be able to get NFC to work over more than about 20cm and that's in a lab? We're not talking about RFID here.

              Stand behind someone in the ATM queue. They usually have their card or wallet in their hand ready for their turn. Bend down and pretend to pick up a coin and tap them on the shoulder. "Is this yours?" you say as you hand them the coin with your phone in your hand. You won't have any problem getting within 20cm.

              If you try to hand somebody something they will automatically reach out to take it. They might ultimately refuse but by then it is too late because you have got within the 20cm.

              1. Anonymous Coward
                Anonymous Coward

                That's not going to work. ATMs are covered by CCTV and have it built into them. How much pay-off do you think that would have before someone noticed suspicious activity and the person doing it got arrested, particularly compared to a skimmer on the ATM?

                Personally if someone bumped into me or touched me in the queue to an ATM, I'd be hugely suspicious and, yet again, I'll point out that the 20cm is in a lab, not real life.

                1. Anonymous Coward
                  Anonymous Coward

                  There is no touching involved and the contrived reason for getting close does not have to be immediately in front of the ATM. The point being that it is possible to get card details remotely.

                  > yet again, I'll point out that the 20cm is in a lab, not real life.

                  And I'll point out that you don't have a personal force field preventing people from getting within 20cm of you.

    2. Lee D Silver badge

      The school I work for uses a Mifare entry system (same system as some Oyster cards - I can actually access the property with my Oyster because I programmed it onto the system).

      When we tried a Galaxy S4 near it, it went mad, recording lots of non-existent card numbers on the Mifare reader. Once we worked out what it was, we just kept tapping. Through the Mifare interface it appears to give a largely random huge (16 digit I think) number that is presumably used for NFC payments. We couldn't make it give out a consistent number (so, no, my boss couldn't enter the building using just his Galaxy S4 even if he wanted to).

      That's not to say that that is ALL the information it gives out, but over the Mifare NFC system (which appears to be compatible insofar as it detects an ever-changing number whenever you "doink" a reader) it appears to give some sort of transaction hash rather than easily-readable card numbers. A "PayWave" NFC pre-pay credit card that I have tested also had similar results.

      Personally, though, I wouldn't trust it hence why the only NFC device I own is a pre-pay card that you can't spend anything unless I put it on anyway (yeah, sure, the banks say the same, but I *KNOW* there's only £5 on the card).

      1. MrXavia

        he has a fabled S4?

        I thought they were rumours spread by tech bloggers......

        (only envious as mine has not yet arrived)

  13. Great Bu

    All this talk.....

    ...has made me hungry.

    Oh, no. Hang on, I'm thinking of KFC.

    1. Anonymous Coward
      Anonymous Coward

      Re: All this talk.....

      I think I'd rather eat my NFC than a KFC...
