The acid test
Bill,
Would you be happy to pop up your credit card details on here - card holder's name, number and expiry date? It would certainly act as a powerful demonstration as to how there isn't a problem here.
Another North American TV network has discovered credit card numbers can be read using a phone, and whipped itself into a media frenzy due to its failure to understand how NFC works. This time it's Canadian outfit CBC News, last time it was Memphis-based News Channel 3, but the facts remain the same: an NFC-equipped card will …
Yes you are protected, but I rarely go over my credit card statement with a fine tooth comb. I use it for everything so there are typically more than 50 transactions and I only ever check the high value ones. This means that it would be possible for somebody to remove small amounts without my notice.
I guess all those news items about databases being hacked for CC details or shopping tills and ATMs being infected with malware are simply scare stories designed to keep you awake at night. Who would have thought that criminal gangs would waste their money obtaining and trading these worthless numbers.
Firstly, your laziness in checking for fraud on your card statement is rather immaterial. The fact is that credit card numbers are not secret and people who rely on them being so are misguided. The problem of database insecurity and ATMs being infected is that they do contain the secrets required to make the transactions by virtue of them making the transactions in the first place, hence the data being worth something. I am not saying the system is ideal but the point is that you have to have the private data (PIN or CVV or authentication secret etc) to actually make the transaction, which is not transmitted by NFC.
> credit cards numbers are not secret
Actually they (kind of) are. This is why receipts only have the last few digits of the card printed on them and not the full number.
There are any number of ways the credit card number can be used to obtain cash/goods/services. You may or may not detect it, but it will be a real pain to chase down a refund just because somebody got too close to you on the tube.
http://www.kjrh.com/dpp/news/local_news/investigations/thieves-caught-turning-stolen-credit-card-numbers-into-quick-cash
http://www.bet.com/news/music/2012/07/13/guerilla-black-arrested-for-buying-stolen-credit-card-numbers.html
Neither of the above involved any PIN or CVV number.
ISTR that the reason that Amazon don't tend to ask for the CVC is because the rules say that they must use the CVC instantly, and may not store it on their systems. Amazon only charge the card when they ship, and therefore cannot use the CVC on the order.
What I don't know is where other sellers stand on the consumer credit act, which AFAIK does not allow them to charge credit for something until you have it (but e.g. booking a holiday is not the same because you have actually paid for the booking, not the actual going).
I suppose that sites that store your credit card to re-use later (e.g. iTunes) must obviously use the numbers sans CVC for the later transactions.
Many US merchants don't ask for CVC. Some will accept payment from the 16-digit PAN and expiry alone. These are usually fly-by-night porn outfits, and they pay for the "privilege" with high merchant fees, but the business is commercially worthwhile to them, it's the banks that pay for card fraud, not the card clearing companies, so who cares...
In any case, there's nothing new here. I have a device on my phone which uses electromagnetic radiation to acquire a copy of the details printed on any credit card. It's called a camera.
Put your mass-transit ticket card, or your building's door-access card, in front of it - or another NFC-enabled credit or debit card, for that matter. The remote NFC snooper that everyone's so afraid of (despite it never having been demonstrated to work in a real-life setting) will trigger both cards and be unable to read from either.
Just because an attack is "high-tech" doesn't mean it's worthwhile for an attacker to pursue. There are easier and cheaper ways of acquiring card numbers than trying to radio them out of people's wallets. A few quid in the hand of a dishonest waiter in a busy tourist bar is a much better return on investment.
"Put your mass-transit ticket card, or your building's door-access card, in front of it - or another NFC-enabled credit or debit card, for that matter. The remote NFC snooper that everyone's so afraid of ... will trigger both cards and be unable to read from either."
Not so.
I have three such cards in a badge wallet, for access to three different sites. Some of the badge readers can happily find the right card when I wave the wallet at them, others require me to extract the card concerned. It seems to depend on the sophistication of the card reader.
OK - so now there's a 3 digit number between you and the attacker. They'll never guess that...
Just to spell this out. Pick a CVC. Capture 1000 card details. Try each of them with the same CVC. You aren't scanning through the CVCs on the same card, so fraud detection, which is card oriented, won't notice you trying. Your odds of getting a card are pretty good. Presumably you can actually try several CVCs for each card without the issuer noticing, so you can improve your yield.
There must be loads of sites that handle 10s of 1000s of cards a day. It's those sites that NFC is aimed at.
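The gap the comment above describes is that per-card counters see only one failed attempt per card. The following is an added example, not code from the thread or from any issuer: an issuer-side check that instead counts, per merchant, how many distinct cards fail the CVC check inside a sliding window. The log format, the sample lines and the thresholds (10-minute window, 5 cards, 20% match ratio) are all constructed for the example.

```python
"""Issuer-side velocity check for one CVC being tried across many cards.

Added example, not code from the thread or any issuer. The log format is
constructed for this example:
    <ISO timestamp> merchant=<id> card=<token> cvc_match=<0|1>
Authorization logs never carry the CVC value itself; the check only needs
to know which card was tried and whether its CVC matched.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) merchant=(?P<merchant>\S+) card=(?P<card>\S+) cvc_match=(?P<ok>[01])$"
)

# Constructed sample: shop-a sees seven different cards in half a minute,
# six of them with a wrong CVC; shop-b shows ordinary traffic.
SAMPLE_LOG = """\
2014-01-10T12:00:00 merchant=shop-a card=tok-0001 cvc_match=0
2014-01-10T12:00:05 merchant=shop-a card=tok-0002 cvc_match=0
2014-01-10T12:00:09 merchant=shop-a card=tok-0003 cvc_match=0
2014-01-10T12:00:14 merchant=shop-a card=tok-0004 cvc_match=1
2014-01-10T12:00:20 merchant=shop-a card=tok-0005 cvc_match=0
2014-01-10T12:00:26 merchant=shop-a card=tok-0006 cvc_match=0
2014-01-10T12:00:31 merchant=shop-a card=tok-0007 cvc_match=0
2014-01-10T12:01:00 merchant=shop-b card=tok-1001 cvc_match=1
2014-01-10T12:03:00 merchant=shop-b card=tok-1002 cvc_match=1
2014-01-10T12:04:00 merchant=shop-b card=tok-1003 cvc_match=0
2014-01-10T12:06:00 merchant=shop-b card=tok-1004 cvc_match=1
"""


def parse_line(line):
    """Return (timestamp, merchant, card token, cvc_matched) for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return datetime.fromisoformat(m["ts"]), m["merchant"], m["card"], m["ok"] == "1"


def flag_merchants(lines, window=timedelta(minutes=10), min_cards=5, max_match_ratio=0.2):
    """Flag merchants where many *distinct* cards fail the CVC check in one window.

    A per-card counter never fires on this traffic: each card sees a single
    failed attempt. Counting distinct failing cards per merchant does.
    Returns {merchant: peak number of distinct failing cards in a window}.
    The thresholds are assumed values, not from the thread.
    """
    by_merchant = defaultdict(list)
    for event in sorted(parse_line(l) for l in lines if l.strip()):
        by_merchant[event[1]].append(event)

    flagged = {}
    for merchant, events in by_merchant.items():
        recent = deque()            # events inside the sliding window
        failing = defaultdict(int)  # card token -> failed attempts in window
        matches = 0
        for ts, _, card, ok in events:
            recent.append((ts, card, ok))
            if ok:
                matches += 1
            else:
                failing[card] += 1
            # Drop events that fell out of the window (the newest event
            # always stays, so the loop terminates).
            while ts - recent[0][0] > window:
                _, old_card, old_ok = recent.popleft()
                if old_ok:
                    matches -= 1
                else:
                    failing[old_card] -= 1
                    if failing[old_card] == 0:
                        del failing[old_card]
            distinct = len(failing)
            if distinct >= min_cards and matches / len(recent) <= max_match_ratio:
                flagged[merchant] = max(flagged.get(merchant, 0), distinct)
    return flagged


def demo():
    """Run the check over the constructed sample log."""
    return flag_merchants(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(demo())  # {'shop-a': 6}
```

The check is keyed on the merchant rather than the card because that is where the burst is visible; the same idea applies per acquirer or per source IP where those are in the log.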
"Another North American TV network has discovered credit card numbers can be read using a phone, and whipped itself into a media frenzy due to its failure to understand how NFC works"
Or
"Another story on The Reg has reported credit card numbers can be read using a phone, and the commentators have whipped themselves into a frenzy due to their failure to understand how NFC works"
No, if Apple releases a phone with NFC, they'll probably do something different to improve the security and/or make it more convenient. Like replacing typing in a PIN with a thumbprint on the home button (not that fingerprints are particularly secure, as the Mythbusters and many others have demonstrated). Apple haters will wail and moan about Apple not following standards, ignoring that there are multiple competing NFC pay by bonk standards, as well as complain that Apple is trying to lock in its users and make jokes about Apple charging 30% for all NFC transactions. Now I'm sure there will be some Apple fanboys who claim however Apple does NFC is superior to the Android implementations and give Apple credit for it if NFC takes off after Apple supported it, but what do you expect from fanboys? Certainly not logic.
I still maintain NFC is a solution looking for a problem, and "pay by bonk" offers nothing over bonking a card, or swiping a card for that matter. The "not having to carry a wallet" is silly, unless you think that you'll be able to use your phone as a driver's license anytime soon, or that others who want proof of identity will accept a picture of your license (like the picture of my medical insurance card I have in my phone so I don't have to remember to bring it when I visit the doctor). Good luck buying a beer that way.
Companies that promote NFC do so because they think they can get a small cut from trillions in purchases, but there are so many players who hope to claim a piece of that pie that the processors must either accept less than they get today (fat chance) or merchants must accept a bigger hit for processing NFC transactions (again, fat chance, absent legislation that forces it down their throats).
Those supporting NFC today just do it because there is a certain segment of people who think it is "cool", not because it is actually any better at all over existing payment methods. Apple haters promote it only because iPhones can't do it, many of them will quickly lose interest in it if/when Apple products ever support it and go back to complaining about the lack of SD or removable battery.
I was in a cafe a few weeks ago and a woman was ordering something via her mobile, she clearly stated name, address, card number, expiry and CVC number for all to hear... As I said to my children, practise remembering 16 digit numbers and you will never need to go short....
It's not really clear, I suspect there are several reasons, but US banking is fairly odd in terms of technology. They still rely upon cheques (checks) and have introduced some novel systems to approving the cheque quickly - a modern solution to an ancient problem - but they haven't addressed the easy fraudulent use of cheques. Chip and PIN is coming to the US, I believe it's recently been rolled out in Canada, one of the other hold-outs. This is mainly because the rest of the world are getting sick of their magstripes being cloned and used fraudulently in the USA and the payment processors have finally said "enough".
Prepare yourself for lots of conspiracy theory web sites popping up from many different sources when the rollout does commence.
http://thebankwatch.com/2008/10/28/chip-and-pin-canada-the-basic-flaw/
We've had them in Canada for years, not sure what you mean by recently?
No conspiracy theory needed: the answer is more mundane. Unlike elsewhere, US banks pass the full cost of the terminal equipment onto the merchant. It's a once-off fee, and the terminals then belong to the merchants. As the merchants would have to pay for new Chip-n-PIN terminals, they see little benefit in doing so, especially as the benefits aren't going to be obvious to them in terms of lower transaction costs. Similarly, the acquiring companies can't just cut off the magstripe services either, because as long as the merchants keep paying their service fees and refuse to pay for new equipment, forcing a change would result in loss of revenue.
In Europe, on the other hand, the terminal is the bank's property, and is rented to the merchant as part of their monthly service fee. So, if the bank wants to upgrade their security, they tell the merchant that they'll be sending a new terminal, and that's that.
(The US situation is a pain in the hole for security, as it's the only reason why the rest of the world is stuck with magnetic strip readers -- the easiest method of stealing card numbers)
"El Reg would be interested to know which retailers sell five grand's worth of kit without checking the CVC, the home address or even the signature."
play.com (I know a victim)
They have a policy of only delivering the first order to the card holders home address. The second order can be sent to any address. Sadly however there is no time delay enforced between placing the orders, so the victim receives a single DVD at their home address from the first order and the thief receives all subsequent orders placed the same day at their drop address.
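The policy described above fails only because nothing separates the first order from the next one in time. As an added example, not play.com's code or anything the comment author wrote, here is that rule with the missing piece: an order to any address other than the cardholder's is refused until an assumed cooling-off period (seven days here) has elapsed since the card's first order. The scenario replayed at the end mirrors the comment: a cheap first order to the victim's home, a same-day order to a drop address, and a later one after the period has passed.

```python
"""Shipping-address policy with a cooling-off period for new addresses.

Added example, not play.com's code. It models the rule described in the
comment (first order only to the cardholder's address) and adds the
missing delay: an order to any other address is refused until an assumed
cooling-off period has passed since the card's first order.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

COOLING_OFF = timedelta(days=7)  # assumed value, not from the thread


@dataclass
class CardHistory:
    """What the merchant records for one card: billing address, first order time."""
    billing_address: str
    first_order_at: Optional[datetime] = None


def check_shipping(history: CardHistory, ship_to: str, now: datetime,
                   cooling_off: timedelta = COOLING_OFF) -> Tuple[bool, str]:
    """Decide whether an order for this card may ship to ship_to."""
    if ship_to == history.billing_address:
        return True, "shipping to the cardholder's billing address"
    if history.first_order_at is None:
        return False, "first order must ship to the billing address"
    elapsed = now - history.first_order_at
    if elapsed < cooling_off:
        return False, f"new address refused; cooling-off ends in {cooling_off - elapsed}"
    return True, "alternate address allowed after cooling-off"


def place_order(history: CardHistory, ship_to: str, now: datetime,
                cooling_off: timedelta = COOLING_OFF) -> Tuple[bool, str]:
    """Apply the check and, if the order is accepted, record the first order time."""
    ok, reason = check_shipping(history, ship_to, now, cooling_off)
    if ok and history.first_order_at is None:
        history.first_order_at = now
    return ok, reason


def replay_fraud_scenario():
    """Replay the sequence from the comment and return the three decisions.

    Addresses and times are constructed for the example.
    """
    history = CardHistory(billing_address="1 Victim Street")
    t0 = datetime(2014, 1, 10, 9, 0)
    return [
        place_order(history, "1 Victim Street", t0)[0],                    # the decoy DVD
        place_order(history, "99 Drop Lane", t0 + timedelta(hours=1))[0],  # same day: refused
        place_order(history, "99 Drop Lane", t0 + timedelta(days=8))[0],   # after cooling-off
    ]


if __name__ == "__main__":
    print(replay_fraud_scenario())  # [True, False, True]
```

The delay buys the cardholder time to see the unexpected parcel (or the statement line) and report it before anything ships elsewhere; tying the period to confirmed delivery of the first order rather than to a fixed number of days is a natural refinement.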
But Play.com will be on the hook for any fraudulent activity on the card... It's not if someone is a victim, it's how quickly that's put right; there will always be fraud in the system. The balance is how to make the system work in a usable manner but also be resilient to as much fraud as possible, without costing the earth.
> But Play.com will be on the hook for any fraudulent activity on the card..
Which Play factors into their prices, so that all Play's customers end up paying for it. That's how all businesses handle theft, by adding it in as a "business cost".
It does not mean that it can be ignored because there's apparently no important victim...
I was under the impression that the number that's given up by the NFC portion of the card is not, in fact the PAN and that all the different applications of the card have a different account number. That is: the embossed number and magstripe have a different account number to the chip and pin and to the NFC etc. Can anyone confirm this?
The Chip-n-PIN certainly gives up the same details on the card (number, name, etc.), but not the CVC. As for the NFC, don't know. If the NFC is the same, all it takes is a shoulder surfer / cam near an ATM and an NFC reader and you could clone the mag-stripe on the card, with no suspicious add-on bulges on the machine.
"you'd need a suspicious bulge to house the NFC reader"
Because my Galaxy S3 is sooo suspicious and bulgey. Who would notice the guy behind them at the ATM using his mobile? Just pretend you're using it to talk or text and no one would be suspicious. You probably don't even need to take it out of a pocket depending on how you write the card snaffling software.
> Did you miss the bit where I said that you'll not be able to get NFC to work over more than about 20cm and that's in a lab? We're not talking about RFID here.
Stand behind someone in the ATM queue. They usually have their card or wallet in their hand ready for their turn. Bend down and pretend to pick up a coin and tap them on the shoulder. "Is this yours?" you say as you hand them the coin with your phone in your hand. You won't have any problem getting within 20cm.
If you try to hand somebody something they will automatically reach out to take it. They might ultimately refuse but by then it is too late because you have got within the 20cm.
That's not going to work; ATMs are covered by CCTV and have it built into them. How much pay-off do you think that would have before someone noticed suspicious activity and the person doing it got arrested, particularly compared to a skimmer on the ATM?
Personally if someone bumped into me or touched me in the queue to an ATM, I'd be hugely suspicious and, yet again, I'll point out that the 20cm is in a lab, not real life.
There is no touching involved and the contrived reason for getting close does not have to be immediately in front of the ATM. The point being that it is possible to get card details remotely.
> yet again, I'll point out that the 20cm is in a lab, not real life.
And I'll point out that you don't have a personal force field preventing people from getting within 20cm of you.
The school I work for uses a Mifare entry system (same system as some Oyster cards - I can actually access the property with my Oyster because I programmed it onto the system).
When we tried a Galaxy S4 near it, it went mad, recording lots of non-existent card numbers on the Mifare reader. Once we worked out what it was, we just kept tapping. Through the Mifare interface it appears to give a largely random huge (16 digit I think) number that is presumably used for NFC payments. We couldn't make it give out a consistent number (so, no, my boss couldn't enter the building using just his Galaxy S4 even if he wanted to).
That's not to say that that is ALL the information it gives out, but over the Mifare NFC system (which appears to be compatible insofar as it detects an ever-changing number whenever you "doink" a reader) it appears to give some sort of transaction hash rather than easily-readable card numbers. A "PayWave" NFC pre-pay credit card that I have tested also had similar results.
Personally, though, I wouldn't trust it hence why the only NFC device I own is a pre-pay card that you can't spend anything unless I put it on anyway (yeah, sure, the banks say the same, but I *KNOW* there's only £5 on the card).
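The ever-changing number in the post above is most likely the random identifier that ISO/IEC 14443-3 allows a Type A device to present instead of a fixed UID: a 4-byte UID whose first byte is 0x08 is declared random, and a phone typically emits a fresh one on every tap. As an added example, not code from the thread or from any access-control vendor, here is the check a reader could apply so that such taps are recognised for what they are instead of being logged as new cards. The tap log is constructed; the decimal rendering of a UID is an assumption about how readers display it, since byte order varies between vendors.

```python
"""Telling a phone's random NFC identifier from a fixed Mifare card UID.

Added example, not from the thread or any access-control vendor. ISO/IEC
14443-3 marks a 4-byte UID whose first byte is 0x08 as randomly generated;
a reader that treats every UID as a card identity will log a fresh "card"
on every tap of such a device. The tap log below is constructed.
"""
from collections import Counter

RANDOM_UID_MARKER = 0x08  # ISO/IEC 14443-3: UID0 = 0x08 means UID1..UID3 are random

# Constructed taps: two real badges plus three taps of a phone that
# presents a new random 4-byte ID each time.
SAMPLE_TAPS = [
    bytes.fromhex("04a1b2c3d4e5f6"),  # 7-byte fixed UID (0x04 manufacturer byte)
    bytes.fromhex("08112233"),        # phone, random ID
    bytes.fromhex("1a2b3c4d"),        # 4-byte fixed UID
    bytes.fromhex("08445566"),        # phone again, different ID
    bytes.fromhex("08778899"),        # and again
]


def classify_uid(uid: bytes) -> str:
    """Return 'random' for an ISO 14443-3 random ID, 'fixed' otherwise."""
    if len(uid) == 4:
        return "random" if uid[0] == RANDOM_UID_MARKER else "fixed"
    if len(uid) in (7, 10):  # double- and triple-size UIDs are always fixed
        return "fixed"
    raise ValueError(f"unexpected UID length {len(uid)}")


def uid_as_decimal(uid: bytes) -> int:
    """Render the UID the way many readers display it: one big decimal number.

    Big-endian byte order is an assumption; readers differ.
    """
    return int.from_bytes(uid, "big")


def should_enrol(uid: bytes):
    """Enrolment policy: never register a random ID as a card identity."""
    if classify_uid(uid) == "random":
        return False, f"random ID {uid.hex()} is not a card identity"
    return True, f"fixed UID {uid.hex()} ({uid_as_decimal(uid)})"


def summarise_taps(taps):
    """Count fixed vs random taps and how many distinct random IDs were seen.

    Every random tap shows up as a new distinct ID, which is exactly the
    "lots of non-existent card numbers" effect.
    """
    kinds = Counter(classify_uid(t) for t in taps)
    distinct_random = len({t for t in taps if classify_uid(t) == "random"})
    return {"fixed": kinds["fixed"], "random": kinds["random"],
            "distinct_random_ids": distinct_random}


if __name__ == "__main__":
    for tap in SAMPLE_TAPS:
        print(should_enrol(tap))
    print(summarise_taps(SAMPLE_TAPS))
```

A reader that applies `should_enrol` still sees the phone in its logs, but as three rejected random IDs rather than three phantom badges, which keeps the badge database clean and makes the event pattern easy to spot.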
The only reason any banks & retailers ever considered NFC Bonking is that they hoped it would reduce their cash handling costs and/or credit card costs. As it turns out it will cost about the same, so most of them really cannot be bothered with YET ANOTHER payment method. So, we will almost certainly stay with cash and card. Most of them were relieved when cheques were finally phased out last year.
As for the north American credit card security panics, that is because they have yet to implement Chip&Pin (EMV) so all in person transactions require a signature (like that ever prevented fraud) and all remote transactions require the CVC. As a consequence card fraud over there is rife and increasing but they are starting to implement EMV this year. Canada has less than half the Card Fraud rate of the USA or Mexico but it is still double that of the western EU countries.
Cheques in the UK remain a valid payment method for transactions with businesses that choose to accept them. What has been phased out is the 'cheque guarantee' function of your card.
What has happened is that most major retailers have chosen to not accept cheques (it is their choice), although they did it on the back of the presumption that cheques would be phased out. In the end, they weren't because of the lack of a non-cash, disconnected payment method that many older people and particularly charities complained was missing. The Payments Council concluded that there was still a role for cheques (http://www.paymentscouncil.org.uk/media_centre/press_releases/-/page/1575/)
After making such an inaccurate statement about cheques being withdrawn, I wonder whether the icon you've chosen is actually justified.
Cheques won't die any time soon.
Finance people still write cheques. Businesses that want to deal with that finance department still have to accept payment by cheque. Banks, thus, still have to issue and accept cheques, en masse. Personal users still send cheques to their kids at college. Cheques are how you get refunded when you've overpaid on a bill or demand compensation / a refund.
And, in the end, a cheque is nothing more than a contract or promissory note in the eyes of the law. Phase out cheques and people will write the equivalent and make the bank handle them somehow. You can't really outlaw cheques, only one particular "official" form of them. You can cash a cheque that someone has given you without your own bank even being involved, really. When I bought a house last year, I had to send off the payment via a cheque despite the entire conveyancing, mortgaging and purchasing side being done online. And I had to send things by fax, too!
What's dead is retailers voluntarily accepting cheques. They fell for the bank's line that it was a lot of hassle for them and all they've done is managed to put themselves into the hands of a bank charging them per transaction where they weren't charged before (oh, and with Chip & Pin trying to push the liability for fraud to the retailer, make them have expensive integrated equipment, make their business reliant on an always-on Internet connection, etc.). Was it really that much hassle to accept a cheque before? I don't think so.
To be honest, I haven't issued a cheque in years. Paid in three in the last few months, though, including a refund of an overpayment on my car insurance (even though I pay by DD). I watched a stack of cheques get signed by a school bursar only the other day (and a parent paying school fees by cheque just this morning - we have all the card facilities, but not everyone uses them).
What matters is not the method of payment, it's what method is accepted. BitCoin might be a perfectly useful method of paying for goods and have real value. But until I can *BUY* things with it in *NORMAL* shops, it's never going to become mainstream. Cheques will go the same way eventually. But by then a £10 a month bank account to do bugger-all will be the norm.
But finding merchants that can launder them for you can be a bit harder, especially now everything is electronic.
One of the reasons why credit card companies charge merchants such hefty fees is that they serve as vetters of customers. They have, and do use, considerable resources to track down and punish abuse of their payment processing cartel. Anyone laundering cards faces the risk of paying for any products paid for with them, plus any criminal charges and possible loss of banking access.
The industry talks up the sums involved when it wants more power, higher rates or protection from competition but in reality even in the fraudsters' paradise of America the costs are not that high. There are other, safer ways of defrauding people. Just ask Goldman Sachs, JP Morgan, et al.!
"They have, and do use, considerable resources to track down and punish abuse of their payment processing cartel."
Not in my experience. Recently a vendor called me from California to ask if a transaction was valid. It wasn't. The vendor then kindly offered to give the police all the information the buyer had supplied, including the bogus address that had triggered the phone call.
I thanked them and called Visa, who were supremely uninterested in following up on that, there apparently being no procedural path to get that information to anyone who cared. I, as a resident in a state thousands of miles from California, was unable to initiate a police procedure over the phone, and the crime was committed there so my local police couldn't care less.
End result: I got my money back ( the thief had gone shopping with a vengeance but made a mistake on that last purchase), the thief got some of the stuff and Visa's fraud fund were out a few hundred dollars.
...have made transactions on (Canadian, as it happens) websites with purely the name, number and expiry date - CVC not required. Address not required. Postcode not required. And the transaction cleared.
Whilst it may be that the retailer (not the bank) is liable for fraudulent use, that's not much good to me when my account has several hundred quid/dollars/rubles missing and I need to pay my leccy bill now is it?
Whilst transactions capable of being made like this are rare - hence a lot of people not believing that they can be made, but they can. If you don't believe me, go ahead, put your CC details on here and I'll donate a fiver to charity on your behalf. AC in case someone takes me up on the offer.
Speaking as someone who has had his credit card "borrowed" on many occasions, starting on New Years Eve 1984 (I am absolutely sure of the location and date the initial crime occurred) when someone duped my Access card by the simple act of having access to the onion skin and took it to Atlantic City (unaware of the pathetic credit limit it had), and continuing through the internet store era where my card has taken trips to Queens and California sans my permission, can I just say that assuming that having the number and name is *not* enough for a fraud to take place is delightfully naive?
I'm sure the homeland security bods in both the USA and the UK are *sure* that one cannot gain enough information from a slurp of a biometric passport to do any harm, yet in these very pages I've read about the wisdom of carrying those documents in a Faraday cage wallet. So why the double standard? Wait - I see the mention of a smartphone there. Nothing bad can come of <insert favourite brand of smartphone> use can it?
As you were.
Apart from the fact that the range on NFC is completely pathetic.... most websites that I use ask for the CVC on the back of the card, there are some that don't - they have been highlighted above by other people. Additionally - I quite often have to enter certain digits from my bank account password too - further reducing the possibility that someone might be able to do something with just my card details.
Having been the victim of a very low tech and *never* reported fraud scam though - I no longer worry about these things - because the reality is there is *literally* (and that is being used in the proper context) NOTHING* you can do to prevent being a victim.
* shops could - but they choose not to.
The range of NFC is entirely dependent on the size and directionality of the antenna.
What you are mistaking is the powering up of the circuit (for which, yes, you need to be close enough to apply the magnetic induction necessary to power the other side of the connection). That has to be "close". The radio waves, however, could be coming from and going to anywhere.
All you need is an accomplice (perhaps even unwitting) to carry a device into NFC power range that powers up the NFC devices, and a directional radio antenna connected to the most basic of software radios or scanners. Once something is in the air, you can't claw it back. I think that's the point of the article.
So although we take a small step towards "impractical", we're much further from "impossible" than you would think.
I am less worried about fraud than I am about privacy. I don't worry too much about fraud. Travelling for work, I use cards all the time, all over the world, in some quite dodgy places: I have rarely been a fraud victim and when I have been it has been sorted out.
But I do worry about the privacy & safety implications. I don't want shops to be able to track my coming and going, particularly in a way which they could relate to my card number (and hence my purchases). More seriously, I don't want a criminal to watch for people leaving a train station carrying Gold AmEx cards (or something) because they are likely to also be carrying more cash. Worse still, I don't want it to be easy for the terrorist to set up their IED to explode when someone carrying a Western credit card walks past.
In other words, my credit card information is mine, and private to me. I don't want some device broadcasting it to anyone nearby who asks. NFC could, and should, have required that the user press a physical button to enable the read-out. As they didn't, it is dangerous.