Mr Bank Manager, help yourself to my smartphone contents

Hacking through the 1,100 press releases waiting for me upon my return from vacation has been a daunting task and has, as yet, revealed few surprises. Once I disposed of the misdirected (“I thought you might be interested in a case study from Golfbreaks.com...”) and semi-literate (“Hi hope your well?”) missives, most of the …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters
    Big Brother

    "Look, the entire system of currency and exchange is based on trust, and we seem to be hell-bent on handing that trust to organisations who have been proven time and time again to be thoroughly untrustworthy."

    Sky is blue shocker? You know about those Central Banks, right?

  2. Martin 47

    It's only a short post because I am off to search for one of them shielded wallets.

    1. JohnG

      Shielded wallet

      ..or use a metal business card case.

  3. Anonymous Coward

    Anyone got a guide to damaging the contactless part of the card without harming the rest of it?

    1. CaptainHook

      Not so much a guide

      ... but I've cut a strip just above the chip & pin chip and I definitely severed some wires which I assumed are the induction coil for the RFID chip.

      The Chip & Pin still works but I have weakened the card and I've found a higher than usual read failure rate when using the card, which I've put down to the chip not being seated properly in the card reader now that the chip can bend out of position slightly.

      I've never tried the Wireless Payment since making the cut but I doubt it would work.

      I assume the induction coil makes a few loops around the edge of the card so taking a nick out of the edge might be a better way to sever the wires without structurally weakening the card like I have.

    2. Skrrp

      Pretty much as above. The aerial runs several times around the outside of the card.

      A cut of about 1cm or less in the middle of the long edge that isn't the mag stripe should do it.

      Google image search for 'mifare card' to see examples of internal layouts.

      When you do cut, the aerial wires should be visible (may need a magnifying glass) as small copper dots laid next to each other.

      1. JDX

        Wrapping it in tin-foil would probably help - you seem likely to have plenty around.

  4. heyrick

    "head across the Pacific ocean and turn left when you see the China coast"

    Didn't you mean turn right?

    1. Bumpy Cat
      Happy

      I thought of making the same post, and then thought "Nah, that's too pedantic even for the Reg." I'm glad there's someone equally pedantic out there!

      1. Willd
        Coat

        Well, my map shows there's a 75% chance you'd hit Japan first, so you'd almost have to be obtuse to get to China...

      2. Allan George Dyer
        Paris Hilton

        Hmmpf, I'm annoyed that there are two people who are not only equally pedantic, but faster.

        Alistair, turn left and you might find the land of slightly-damp disc drives and other exotic places.

    2. This post has been deleted by its author

    3. dssf

      Depends on the flight plan

      Suppose the plane is routed over the North Pole area, or the vessel is from North East Russia or some vessel transiting through the East Sea....

      Of course, the skies might be filled with giant bunny tubes, Habitrails, and Rogerin' Rabbits, hehehehe

  5. Fred Flintstone

    So, what you're really suggesting..

    .. is that we ought to prevent the digital rodgering.

    What you need, thus, are digital chillies:

    http://www.theregister.co.uk/2012/08/23/red_hot_shoplifter/ ..

  6. Mickey Finn
    Big Brother

    Cash is King

    And always will be, if we all keep our eyes on the ball.

    The corporate pirates and gangsters will do everything they can with their mates in government to prize our folding from our hands, because the same thing has worked over and over again...

    Money used to be made out of precious metal don't you know.

    1. Jediben
      Headmaster

      Re: Cash is King

      Hate to be that guy but...

      'Prise' is to forcibly open by leverage. 'Prize' is booty or an item awarded. I can appreciate the prize/booty/pirate theme though.

    2. dssf

      Re: Cash is King

      Well, until some country pulls a North Korea Currency Color Change: just change the color of the paper and ban the previous color. Suddenly, all the corrupt politicians and weapons-dealing officers and black market (and other colors markets) dealers are as poor as the cashless peasants.

      Of course the non-NK variation would be to change the DOMESTIC color to ban import and export of untaxed wealth (or non-wealth earnings) and at the same time herd more people to go cashless.

      Oops... Sorries... Did I just give world governments some ideas?

      No worries... Doing that could cause world insurrection or whirled end sir rection...

  7. Trollslayer
    Mushroom

    This is why

    I don't bother with a smartphone, plus twice I have nearly run over people who are so busy playing Angry Birds that they walked in front of my car.

    If I get a credit card with NFC then it is a screened liner, freely available for the wallet or purse.

  8. no_RS
    WTF?

    NFC Cards

    Well I just got a replacement card from my bank with contactless payment technology in, interesting conversation with them about why I just wanted one without. Eventually they agreed to send one out without it (did mention closing all my accounts with them).

    I do not understand why they think this is a secure way of making payments. The blurb that came with it said your pin will be requested for the first few transactions but after that probably not required; this is a recipe for fraud, albeit only up to £15-20 per transaction at the moment. No doubt limits will go up the same way as they do on your credit card.

    This reminds me of the incidents that Tesco had when the automated tills were first introduced, they didn't need a PIN to be entered for small transaction values, they got ripped off and had to modify the tills to require a PIN for all transactions.

    De Ja Vu all over again..

    1. Christopher Rogers
      Headmaster

      Re: NFC Cards

      So it's De Ja Vu of a De Ja Vu?

      1. Havin_it
        Headmaster

        @Christopher Rogers

        What he was trying to say there is a common (and deliberate) misuse (or perhaps mis-usage) of the loanphrase in question. Whether he knew that, of course, is between him and his deity ;)

        If you must grammarnazi him about something, then let it be how he (and you in turn) mangled the term déjà vu.

        The above probably won't render as I'd like it to but, damn it all, I'm on a platform bereft of Character Map or ZombieKeys :(

    2. BoldMan
      FAIL

      Re: NFC Cards

      I just had a new Barclaycard sent to me with that evil symbol on it, so I duly phoned them up and asked them to send me a version without this security nightmare and they told me they couldn't do that, they did not have a card without RFID, at which point I duly gave them notice I would be closing my account as I don't want any Tom, Dick or Harriet nicking a tenner from my credit card whenever they got within a few feet of me.

    3. Chris Parsons
      Headmaster

      Re: NFC Cards

      déjà vu

  9. Pen-y-gors
    Meh

    I suppose it COULD be handy....

    but I still wouldn't trust them. If/when the idea becomes widespread I'll do what I did for general online shopping - get a separate card with the lowest possible credit limit (£250, £500?) and use only that for any swipe-type transactions, then if/when things go wrong the potential damage is rather limited. Probably still want a lead wallet though.

  10. Dan Paul
    Pirate

    No one ever heard of long range RFID????

    I assume you have RFID for highway tolls in the UK like we have using "Easy Pass". Reads the card on the window or license plate as you drive 90 mph.

    With a little hacking, those same large high power antennae can read your card right in your pocket as you walk down the street. The power for the card signal comes via induction from the reader, not the card. The higher the power, the greater the distance between the card and reader can be.

    What's to stop a slightly smaller high power version from scanning your card in a crowded subway or bar?

    Absolutely nothing, and phone companies are not regulated like banks and credit card companies are so you stand a very good chance of never recovering that money.

    1. LaeMing

      Re: No one ever heard of long range RFID????

      I imagine scanning a tenner out of every card in a crowded subway car would be quite lucrative!

  11. Soruk
    WTF?

    Incomprehensible emails...

    > Hi hope your well?

    Um.. hi. I don't know who you are, and you appear to have prematurely hit the "Send" button before making the enquiry about my well. Yes, it's a standard stone-block lined well, and is currently up for sale (buyer collects).

    1. Captain DaFt

      Re: Incomprehensible emails...

      @Soruk;

      Better keep an eye on your well!

      A neighbor of mine put his up for sale, and then it went missing!

      Turns out some miscreant had pulled it out of the ground, and cut it up for postholes!*

      *Yes, I'm being silly, but you started it!

  12. glen waverley

    "give them unchecked access to your current account"

    Shirley you mean "unchequed"?

    Oops, must have left the book in my other coat. Tide me over till Monday?

  13. Some Beggar

    Finished with my woman 'cause she couldn't help me with my mind ...

    I don't want to scoff at genuine concerns about electronic payment and wireless payment, but the worries expressed in this article are fairly ill-informed. The issues of a spotty herbert in a corner shop apply to whatever non-cash method you use to pay. The concerns about untrustworthy banks and businesses apply to any online transaction or simply passing your credit card to a dodgy waiter. The physical insecurity of the NFC transport itself is poorly stated: it's highly directional and on your smartphone it would be switched off by default ... it's theoretically possible to steal your iCloudWallet(tm) from a distance but only if you carefully point it at the would-be thief (who you'll recognise by the enormous induction coil he's wearing as a natty hat) and press the big red enable button. The reason there's a booming market in lead-lined wallets is because people are idiots. You wouldn't use the booming homeopathy market as evidence that homeopathic water is magic.

    1. Alistair Dabbs

      Re: Finished with my woman 'cause she couldn't help me with my mind ...

      Flourishing my smartphone over a hacked reader would be akin to carefully pointing it at a thief.

      1. Some Beggar
        FAIL

        Re: Finished with my woman 'cause she couldn't help me with my mind ...

        A hacked NFC reader is the same risk as a hacked card reader or ATM except that it is marginally more difficult and hence less likely. Which is what I said in my original post. Perhaps it might have been a good idea to read it a couple of times before replying.

    2. frank ly

      Re: Finished with my woman 'cause she couldn't help me with my mind ...

      "...booming homeopathy market as evidence that homeopathic water is magic."

      Actually, this is good evidence of a particular form of magic called 'headology'. (ref. Granny Weatherwax)

    3. Anonymous Coward

      Re: Finished with my woman 'cause she couldn't help me with my mind ...

      Agreed - spotty herbert is not going to be able to nick £50 from your wallet because said herbert would need a merchant terminal to do so - the money doesn't go into his wallet, it goes into his merchant account like a regular Visa. In that sense this is no different to a card-not-present transaction - you can challenge a fraudulent one, and a retailer will lose their merchant status if they abuse it.

      Of course I'm making the whacking great assumption about the T&C's of the card, and that you're comfortable using a credit card to buy stuff online or over the phone. No doubt a few will reply to say they buy everything with cash still but I don't think that's the norm.

    4. Anonymous Coward

      Re: Finished with my woman 'cause she couldn't help me with my mind ...

      Yeah, yeah, yeah, tell us all again that RFID is safe.

      http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/

      Of course no criminal is going to clone your payment card or Smartphone RFID identity are they.

  14. Richard 111
    Pirate

    Video of RFID fraudsters in action.

    There is a little clip of people using RFID scanners in a VICE magazine video:

    http://m.vice.com/en_uk/rule-britannia/the-vice-guide-to-the-olympics-part-4

    For the action go to 6:20 till 7:38. Some of the video is NSFW.

    I think it's time to buy a RFID blocking wallet.

    1. Andy E
      FAIL

      Re: Video of RFID fraudsters in action.

      The video is hardly convincing as the 'expert' passes the reader directly over the card, almost if not actually touching it. There's no material or handbag between the card and the reader. The video just shows a hoodie walking about getting next to people and then showing off a roll of nice new £20 notes. How he manages to convert the 16 digit card numbers he has allegedly swiped into cash is left to the imagination.

      1. Richard 111

        Re: Video of RFID fraudsters in action.

        The 'expert' is a former fraudster who was caught and now runs an anti-fraud consultancy. I agree that there is no evidence that the card reader can really pick up the card numbers through the bags etc. But I think it shows that people are thinking about it and if they get it to work through the layers of material they will be in for some rich pickings. Once you have the card number you can use the normal routes for buying things and converting those goods into cash.

        The idea is not new of course and there are far more cards around now than in 2009:

        http://www.wired.com/threatlevel/2009/08/fed-rfid/

        Card encryption may have improved since the first gen cards and it is not until we see a court case come up that we will know for sure that people have been successful.

    2. Thorne

      Re: Video of RFID fraudsters in action.

      The problem is RFID is used as the password instead of the verification.

      For a phone it should work like such

      Wave phone near reader

      Reader sends transaction request to your bank

      Bank sends confirmation to your phone

      You enter your pin on your phone

      Phone sends confirmation to bank

      Bank sends confirmation to store

      Off you go.

      To steal your details they would need to steal your phone and have your PIN. PIN is no good without the phone and vice versa.
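The out-of-band flow proposed in the post above, simulated end to end as an added example (not the poster's code or any bank's actual protocol). The bank, reader and phone are in-process stand-ins; the phone's enrolled key, the PIN hash and the one-time challenge id are all constructed assumptions.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Stand-in bank: knows each account's enrolled phone key and PIN hash."""

    def __init__(self):
        self.customers = {}   # account -> (phone_key, pin_hash)
        self.pending = {}     # one-time challenge id -> (account, amount, merchant)
        self.settled = []     # (merchant, account, amount) confirmed to the store

    def enrol(self, account, phone_key, pin):
        self.customers[account] = (phone_key, hashlib.sha256(pin.encode()).digest())

    def request(self, account, amount, merchant):
        """Step 2: the reader's request; the bank mints a one-time challenge."""
        if account not in self.customers:
            return None
        txn_id = secrets.token_hex(8)
        self.pending[txn_id] = (account, amount, merchant)
        return txn_id          # Step 3: this is what gets pushed to the phone

    def confirm(self, txn_id, pin, phone_mac):
        """Steps 5-6: settle only if PIN and phone MAC both verify. The challenge
        is consumed either way, so a captured reply cannot be replayed."""
        entry = self.pending.pop(txn_id, None)
        if entry is None:
            return False
        account, amount, merchant = entry
        phone_key, pin_hash = self.customers[account]
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash)
        expected = hmac.new(phone_key, txn_id.encode(), hashlib.sha256).digest()
        mac_ok = hmac.compare_digest(expected, phone_mac)
        if pin_ok and mac_ok:
            self.settled.append((merchant, account, amount))
        return pin_ok and mac_ok


def phone_confirm(phone_key, txn_id):
    """Steps 4-5: the phone answers the challenge with a MAC under its enrolled key."""
    return hmac.new(phone_key, txn_id.encode(), hashlib.sha256).digest()


def run_purchase(bank, account, amount, merchant, phone_key, pin_entered):
    """Steps 1-7 end to end; True means the store received the bank's confirmation.
    Assumption for brevity: the PIN travels beside the MAC; a real design would
    bind it into the MAC rather than transmit it."""
    txn_id = bank.request(account, amount, merchant)   # tap: reader -> bank
    if txn_id is None:
        return False
    mac = phone_confirm(phone_key, txn_id)             # bank -> phone, user keys PIN
    return bank.confirm(txn_id, pin_entered, mac)      # phone -> bank -> store
```

A stolen phone without the PIN and a known PIN without the enrolled phone both fail the same `confirm` check, which is the property the post is after.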

  15. dkjd

    Get a tin-foil hat

    and keep the credit card there, next to your brain.

    (I have lost more money to dodgy £1 coins given as change in pubs than to any electronic fraud).

  16. Anonymous Coward
    Mushroom

    For your edification...

    http://globalguerrillas.typepad.com/globalguerrillas/2006/01/weapons_the_rfi.html

  17. Alistair Dabbs

    Turn left

    Regular SFTWS readers know that I drop a clanger like this every week. It may be accidental, it may be deliberate, who can say any more? And would you believe me?

  18. Anonymous Coward

    drink Fluoride and take the NFC

    actually I used the NFC in my CC a couple of times. It's cool because I forgot the pin so I just wave it over the reader and wow it works, it's almost criminal. Good thing I own the card. It's so fast, I had plenty of time to go home and drink my Fluoride.

  19. Anonymous Coward
    Coffee/keyboard

    How long until

    How long until somebody crafts contact details or other information on their phone that is formatted in a way that any application accessing it and passing it onto a backend could end up compromising the backend. SQL injection formatted contacts which an application will marketingly steal would be an interesting area of hacking. Technically in that situation the party marketing those details of your device would be hacking themselves as they would be the ones instigating the attack. Your contacts, your phone, no statement of contract detailing that they must be valid contacts and formatted details on your part in any way. You gets what you pay for many say.
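The scenario above from the backend's side, as an added example (not the poster's code): a contact-sync service that splices uploaded fields into SQL text, beside the parameterised form that keeps them as data. The table, the owners and the contact list (including one crafted name) are constructed here; sqlite3 stands in for whatever database such a backend would use.

```python
import sqlite3

OWNER_A = "user-a"
OWNER_B = "user-b"
CONTACTS_A = [("Alice Example", "01234 000001"), ("Bob O'Brien", "01234 000002")]
CONTACTS_B = [("Carol Example", "01234 000003")]
HOSTILE_NAME = "x' OR '1'='1"   # a contact name crafted the way the post imagines


def fresh_db():
    """Constructed schema: one row per uploaded contact, tagged with its owner."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (owner TEXT, name TEXT, phone TEXT)")
    return db


def import_naive(db, owner, contacts):
    """Vulnerable: field values are spliced into the SQL text. Returns rows stored."""
    stored = 0
    for name, phone in contacts:
        sql = "INSERT INTO contacts VALUES ('%s', '%s', '%s')" % (owner, name, phone)
        try:
            db.execute(sql)
            stored += 1
        except sqlite3.OperationalError:
            pass   # O'Brien's honest apostrophe breaks the statement; the row is lost
    return stored


def import_safe(db, owner, contacts):
    """Hardened: placeholders keep every field as data, apostrophes included."""
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?)",
                   [(owner, n, p) for n, p in contacts])
    return len(contacts)


def lookup_naive(db, owner, name):
    """Vulnerable lookup: a hostile name rewrites the WHERE clause and the
    owner filter no longer holds, so other users' rows come back too."""
    sql = "SELECT phone FROM contacts WHERE owner = '%s' AND name = '%s'" % (owner, name)
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, owner, name):
    """Hardened lookup: the name is bound, so it can only ever match itself."""
    return [row[0] for row in db.execute(
        "SELECT phone FROM contacts WHERE owner = ? AND name = ?", (owner, name))]
```

The naive import also shows the quieter failure the post does not mention: an ordinary name with an apostrophe is silently dropped long before anyone crafts a hostile one.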

  20. Arachnoid
    Thumb Down

    Hum...... just to point out the lead/foil-lined wallets are useless at protecting your contactless cards. To work they require not just to encompass the card but also to be grounded to the Earth, so unless you have a conductive wire going down your pants to the ground they are about as useful as those sticky wire aerials they used to sell to increase mobile phone reception.

    If you want a better understanding of the risks watch the video, it's quite revealing on the lack of security with the service

    http://youtu.be/HRXb-FZ6WFM
