Channel 4 News has been bothering contactless bank cards again, and managed to wirelessly extract the customer's name from ANY Visa-branded card within a few centimetres. Previously the programme had only demonstrated the technique on Visa cards issued by Barclays, and not all of those. However ViaForensics (the company hired …
... there's also the fact (a "known issue") that Barclays Visa Debit "wave and pay" cards won't work with certain types of mobile payment terminal.
I found this out last October when I took a payment which appeared to go through successfully, but I didn't notice until later that the Merchant Copy of the payment slip said "Declined" instead of "Pin Verified" meaning I lost £28 (fortunately it wasn't more!)
Now I have to put through payments with these cards as "Cardholder not Present" as it's the only way to get them to work properly.
Wow! Channel 4 has exposed that people's names can be obtained. They neglected to mention how easy it is to take payments from NFC cards but I don't suppose people are worried by that so long as it's just money people are taking, not their names....
How do you take money from one then?
I don't get why people are surprised by this. It's a chip, in your card, that allows your payment details to be grepped wirelessly, and you thought that was a good idea??
Because no-one would ever see my name and card number (sometimes account number and sort code as well) by merely looking at the card and recording the data wirelessly (with a camera) when I get it out to pay at a shop.
Look after your stuff better...
And if you weren't paying attention, what they've got now is more than previously. What happens when they break the whole thing open? "Oh, it's just all my important data being slurped from inside my jacket by some guy on the other side of the train. What's the big moan?"
These cards only work over about 20cm in a lab, more usually 10cm max in real life. The myth of someone sitting at the entrance to a shopping centre and harvesting everyone's details, is just that: A myth.
"The myth of someone sitting at the entrance to a shopping centre and harvesting everyone's details, is just that: A myth."
I think the same things were said about RFID in passports etc., then people started seeing how far away they could actually read them, some guy managed to read them at over 200 feet with $2,500 of hardware.
NFC is fundamentally different from RFID, in that the transmitter in the card is actively powered from an induced current from the reader. The reader can't induce a current that far away, probably more than 20cm, admittedly, but not that far. Crucially, though, the transmitter in the card won't transmit above its design and subsequently they don't work over more than about 10-20cm.
10-20cm is more than enough in any kind of busy environment.
That's further away than pickpockets work, with the added bonus of not having to actually touch the mark.
It's quite normal for someone to come that close on a bus or train, even a nearly empty one (eg aisle seats) and normal for people to be that close on the high street, in a shopping centre etc.
Here's a game for you to play:
Next time you go out shopping in somewhere busy (New York in Lincolnshire doesn't count), try to count the number of people who come within 20cm of your wallet or handbag during the journey there and back and the actual shopping experience.
So, given that you could clone the name and card numbers of all those people, you've got rather a lot of data you could sell to overseas criminal gangs - or use on any online retailer that's not checking CVV!
In a single day you could get hundreds if not thousands of valid name/CCN pairs with no risk of being detected whatsoever. Flog 'em to some gang to use, and you've got yourself a pretty penny with no risk.
I can see this kind of fraud becoming rather popular over the next few years. Well done banks, you've only gone and broken it again!
@ Anon: NFC is RFID
Also, it's a shame to see someone so taken in by marketing.
These are in fact the same technology.
Have a Wikipedia article (it's not outright wrong)
NFC is simply the branding of a set of RFID standards aimed at this kind of 'cash' and 'ID' usage.
So couple a high-powered directional transmitter with a highly-sensitive directional receiver. The transmitter pumps enough power to reach the chip and power it while the receiver picks up the faint transmission.
While there are plenty of NFC reader apps in the marketplace, none of them seem to be able to read my bank cards beyond saying they're made by Infineon. Anyone know of an app where you can have a rummage around in the data on your own card?
Re: App details
If you've got a PCSC-compliant smartcard reader (you can obtain contactless-only ones for ~£30 - and contact-only ones are even cheaper), and access to a (virtual) machine running Linux, then you can easily read data from EMV cards using extremely easy to find Open Source tools.
Obviously, the EMV specifications are freely-available to the public; and all EMV-based cards will happily provide at least some plain-text data related to what's embossed or printed on the face of the card.
Re: App details
I was thinking more of the "app" that ViaForensics stuck on the off-the-shelf phone with NFC capability.
If I wanted to display my name walking down the street I would print it on a fecking t-shirt
RFID wallets all round it seems.
Re: If I wanted to display my name walking down the street I would print it on a fecking t-shirt
Ah! At last, an explanation for the surprising number of people called Calvin round my way.
Try google next time ..... ;-)
I quote from the viaForensics blog .... "Recently viaForensics developed a proof of concept mobile app running on an Android device that was capable of reading data from contactless credit cards by simply placing the device on or near the card. "
There is still no word if the information obtained from the card is enough to make a fraudulent payment and that one has successfully been made.
> to make a fraudulent payment
The ability to make a fraudulent payment would depend on the merchant's acquirer not verifying one or both of the following for a CNP (Cardholder Not Present) transaction:
(1) The digits in the billing address
(2) The CVV2
I was under the impression that the card number given up by the NFC card is different to the number embossed on the card? The point being that if you manage to obtain this number, you still can't do a CNP transaction.
i.e. if they verify just one of the above, then the ability to make fraudulent use of the card would be limited.
Re: Card number
I was also under the impression that NFC transaction value was limited.
Re: Card number
Even so, the term "nickel-and-diming" springs to mind. Simply make a bunch of little transactions which then add up.
Re: Card number
Yes, you may get away with it for a few weeks, but banks do have sophisticated anti-fraud systems which would pick up a merchant carrying out this sort of activity and the Rozzers would be dispatched to aid in the resolution of the issue.
Re: Card number
>but banks do have sophisticated anti-fraud systems
What he said. Plus cardholder would simply need to request a chargeback for all and any fraudulent charges to be null and voided. Then it would be up to the banks and their insurers as to how heavy handed they came down on the merchants and/or acquirers concerned.
Loads of places take your payment without notifying you that your address did not pass AVS and the bank processes it without query.
Anybody heard of TRACK1...?
Don't really know what all the fuss is about here... for years your names were available encoded on the TRACK1 of the Magnetic Stripe of your cards - this is the NFC equivalent of this field.
This is media hype! The vast majority of Contactless Cards use Dynamic Card Verification Values which ensure that (in the unlikely event data is wirelessly sniffed from the card) any attempt to create a cloned transaction is fruitless...
Re: Anybody heard of TRACK1...?
Yup. I assume you're of the opinion that this simply doesn't matter in the slightest? Mastercard and Visa appear to disagree enough to try to keep it vewwy qwiet.
Name and CCN is enough to make a transaction in many countries around the world, and even in the EU it's still often enough to make an online or phone transaction.
Re: Anybody heard of TRACK1...?
Actually - most of the Issuers that do a "proper" job of Issuing and Implementing Contactless provide the Contactless Application a completely separate PAN. If (for whatever reason) a transaction is received by the Card Management System that is formatted as anything other than a Contactless Transaction using the Contactless PAN the Transaction is simply declined and a Customer Service Representative normally contacts the cardholder to investigate and possibly issue another card if appropriate.
Anyway - regardless of this - even if people do capture a workable PAN, Expiry Date and Customer Name - they will not have the CVV2/CSC2 with which to Process a successful Customer Not Present or PAN Key Entered Transaction - any Acquirer processing this transaction will automatically be on a sticky wicket when it comes to the Fraud/Dispute/Chargeback Case subsequently raised.
I stand by my original comment - this is pure media hype. Stick to ramping fuel and pasties...
Also to the moron that tried to process a £28 contactless transaction...
The floorlimit is £20 quid in the UK - anything higher will prompt you to dip the chip...
There is a known issue at certain coffee chains where they [the terminals] cannot format the Contactless EMV Data correctly, resulting in the Card Declining the transaction.
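An added example (not from the thread, nor any bank's or acquirer's code) in Python that models the issuer-side controls the posts above describe: the separate contactless PAN that is declined outside the contactless channel, the CVV2 and AVS checks for Cardholder-Not-Present transactions, and a velocity rule for the "nickel-and-diming" pattern raised earlier. Field names, the velocity threshold and the sample PANs are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_TX_PER_MERCHANT_PER_DAY = 5   # assumed velocity threshold for illustration


@dataclass
class CardRecord:
    contact_pan: str
    contactless_pan: str      # separate PAN held by the contactless application
    billing_digits: str       # numeric part of the billing address, for AVS
    cvv2: str                 # printed on the card, never readable over NFC


@dataclass
class Transaction:
    pan: str
    entry_mode: str           # "contactless", "chip" or "key_entered" (CNP)
    amount_pence: int
    merchant_id: str
    day: str                  # "YYYY-MM-DD", constructed for the example
    cvv2: str = ""            # empty when the merchant did not collect it
    billing_digits: str = ""


class Issuer:
    def __init__(self, cards):
        self.by_pan = {}
        for c in cards:
            self.by_pan[c.contact_pan] = c
            self.by_pan[c.contactless_pan] = c
        self.history = defaultdict(int)   # (contact PAN, merchant, day) -> count

    def authorise(self, tx):
        card = self.by_pan.get(tx.pan)
        if card is None:
            return False, "unknown PAN"
        # Rule 1: the contactless PAN is only valid in the contactless channel
        if tx.pan == card.contactless_pan and tx.entry_mode != "contactless":
            return False, "contactless PAN used outside contactless channel"
        # Rule 2: CNP needs CVV2 and AVS; data sniffed from the card has neither
        if tx.entry_mode == "key_entered":
            if tx.cvv2 != card.cvv2:
                return False, "CVV2 mismatch"
            if tx.billing_digits != card.billing_digits:
                return False, "AVS mismatch"
        # Rule 3: velocity check for the nickel-and-diming pattern
        key = (card.contact_pan, tx.merchant_id, tx.day)
        self.history[key] += 1
        if self.history[key] > MAX_TX_PER_MERCHANT_PER_DAY:
            return False, "velocity limit exceeded, referred for review"
        return True, "approved"
```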
Sony are just as bad as Amazon
A recent experience with the PlayStation Network shows that Sony don't even check the CVV - I entered the wrong number by mistake, and the transaction authorised anyway - and this was the FIRST use of this card on the PSN!