Boom!
You could almost see this coming!
Money hacker Peter Fillmore has created an Android app that can clone some of Australia's most popular contactless credit cards. In attacks that slipped beneath banks' and credit card providers' radars, the Aussie boffin probed the protocols behind Visa and Mastercard payment cards and proved the viability of an attack by …
Yep. I remember last time I travelled I saw special travel wallets that were designed to protect against people electronically cloning/reading your passport and credit cards.
It's my - perhaps old-fashioned - opinion that everything convenient is insecure. (Well, within the given sphere.)
The problem is that the convenience and 'innovation' is seen as more important than security, so we have things deployed before they are really ready to be. Better to get a product to market sooner with flaws than to wait and get it right, it seems.
This post has been deleted by its author
Ummm... this has been known for a number of years. Last year at Ruxcon I meet 3 "researchers" who all had done this. Yes, all on Android phones, and all making claims about stealing tramfuls of credit cards.
When questioned about the actual mechanics - i.e. the antenae and the signal processing required to manage multiple signals and paths, they all just responded "that's just engineering - someone will work it out". Seriously - this was their answer. Needless to say, none of them had a grasp of how RF works.
So yes, it is a proof of concept. Why does everyone think that (1) the banks are unaware of this, (2) they have not considered this, and (3) they have no controls in place. Every security manager and professional in banks that I have spoken with are well aware of this problem.
So this is simple just another self-aggrandising person looking for security work.
Anonymous (naturally)
Maximum read length of a passive NFC is listed at 20cm (without any signal processing, could be more with bigger antenna, more power) http://physics.stackexchange.com/questions/44037/why-is-near-field-communication-nfc-range-limited-to-about-20cm
no multiple signals are required, iso14443 provides support for multiple tags in 1 field (not commonly supported on commercial readers, but not too difficult to implement) read the Iso14443-3 spec.
Card brands were not aware that banks were setting the random number requirement this low. Additionally bad RNGs are prevalent in EMV readers and kernels, making attacks like this easier (EMVco do not mandate an RNG, or test the RNGs)
Happy to take some extra security work ;) unfortunately I agree that I'm totally self-agrandizing,
Micheal Roland deserves the credit http://www.mroland.at/publications/bibliography/43/#c43
I just rolled my own implementation of his awesome work.
Regards!
Peter Fillmore
@Adam 1
More annoyingly, however, they are prone to not working, cost more than most people were paying for their monthly or multi ticket, are a pain to recharge anonymously and track you if you link it to your credit card.
They are also thicker in the wallet, take longer to register at the gate and - at my station - one of the readers seems to be broken every other week.
I imagine they are vulnerable to this attack as well so you can add that to the list.
In the US we were able to scan a MSD contactless card with a Vivopay 4500 using a blue tooth serial communications with an NFC cell phone. We transmitted typical queries to the card and we saved the answers to the cell phones memory then went to a contactless terminal at a merchant and just played back the same answers to each question from the reader. The news anchors kind of mixed two different attacks in this news piece but you can see us paying with our own payment app at the merchant. http://www.nbclosangeles.com/news/local/Android-iPhone-iPad-Apps-Credit-Card-Scam-204624791.html
The tool hopefully approached the banks or disclosed correctly to the authorites before he disclosed publicly,what does he want a friggin job with the crims ! or a medal ,its not new except he did it on new hardware.
Lock the prick up till he finds the solution,no foil hat for this wank.
Rin Tin Tin foil bloddy hat for my cards now.
Your tapped now buddy ,watch those packets !.