Pay-by-bonk 'glitch' means cards can go kaching-for-crims

Researchers from the UK's Newcastle University have outlined how pay-by-bonk cards can be p0wned by a “rogue POS terminal” running on a mobile phone. To be detailed on Wednesday at the 21st ACM Conference on Computer and Communications Security, the attack is said to rely on a “rogue POS terminal” being set up with a pre-set …

  1. Nate Amsden

    I'd expect..

    that this is limited to the credit line of the card? If I have a $30k credit line there's no way the card/system could approve a $999,999 transfer?

    1. Silver

      Re: I'd expect..

      It's my understanding that there is also a limit on the maximum amount Visa will pass through their service for your bank to authorise.

      Plus this only works for offline transactions, those low value payments where the cost of a small amount of fraud is offset by the speed and convenience of not having to go online for every transaction (e.g. a car park ticket machine). No merchant does this with high value items.

      There is probably a good reason why they haven't tried this out in the real world, as I doubt it'll work. I would still expect Visa to look into it though to see what (if anything) can be changed to prevent this.

  2. gerryg

    Who knew pay by bonk was insecure? It's bonkers, I tell you

    No PIN, no need to prove the card is yours, etc.

    So the crims are going to steal money from your credit card company (not you, obviously, what with the transaction being fraudulent n'all) but how are they going to hang on to it? Unidentified?

    I understand cloning and buying a Porsche - the crims convert to goods and then sell them on. Good luck with that one. But this requires them to get the cash out of the system which takes time. For example, my credit card company, if not them all is fairly tuned up to weird transactions in which case I get an SMS inviting me to confirm.

    While I think about it, the last time I tried to pay by bonk in a supermarket without removing the card from my opened wallet, the terminal got confused by the card in the other half of my wallet. When I pay by bonk on London Transport (tube or bus) the system is less sensitive but does require a firm hand, as it were.

    So I'd like to know the physical circumstances in which this could work.

    1. Voland's right hand Silver badge

      Re: Who knew pay by bonk was insecure? It's bonkers, I tell you

      but how are they going to hang on to it? Unidentified?

      The only way they can do this is if they set up a merchant (described in the article actually). There are quite a few checks and traceability requirements to set up a merchant nowadays. So "setting it up" is IMHO out of the question.

      Things become considerably more interesting if you "own" a merchant. Instead of lifting the cards, you add your remote pay-by-bonk terminals, operated by pawns around the world, to the merchant's transaction system. Then you lift the money out of the merchant accounts. This is a tall order - you need to "own" that merchant's infrastructure top to bottom - the POS interface, transactions, accounts and banking backend. Not infeasible, but probably too much effort for the payback you are going to get from normal "pay-by-bonk pickpocketing" in bars and malls. Now, setting up a 1.5m parabolic antenna aimed at the morning queue at one of the London subway stations, or drive-by skimming of bus queues... that may be worth it...

  3. psychonaut

    surprised? anyone?

    Bueller?

    1. Richard 12 Silver badge

      Re: surprised? anyone?

      Nope, this has been "bloody obvious" from the start.

      A rogue terminal can do whatever it wants.

      So if they set it to £20, and just bonk everyone on the tube, they'll get quite a bit fairly fast and probably get away with it.

      The entire security of this system relies on the bank's back-end fraud detection. Which is rubbish and slow.

      I wouldn't mind so much on a credit card, because consumers have a legal gap to challenge it before payment.

      However, on a debit card this can easily destroy someone - if you run close to the edge, a single denied payment can spiral fast!

      Sooner or later this will happen.

      1. Dr. Mouse

        Re: surprised? anyone?

        So if they set it to £20, and just bonk everyone on the tube, they'll get quite a bit fairly fast and probably get away with it.

        I doubt it.

        Credit card processors do not immediately release the money. I would say it would be pretty difficult to get the money out before the banks caught on.

        1. Richard Jones 1

          Re: surprised? anyone?

          While card companies do have moderately responsive systems, even they are not perfect and do sometimes require that you detect the irregular actions. The banks will often turn down the genuine while letting others, shall we say, less genuine ones through. Just look at the hassle if you make a payment with slightly wrong account data. The money is withdrawn faster than you can say "hang on a minute". I know that there is a recent attempt to spike those guns, but the proof will be in the long-term pudding.

          Now all I need to do is disable pay by mistake capabilities for the damned cards that I have.

          1. VinceH

            Re: surprised? anyone?

            "While card companies do have moderately responsive systems, even they are not perfect and do sometimes require that you detect the irregular actions. The banks will often turn down the genuine while letting others, shall we say less genuine through."

            Indeed - and there's a good example of that here. The point of the post is more about Barclaycard themselves being the weak link - but note the two fraudulent transactions mentioned: They'd picked up on the £3 transaction, but thought the £2,000+ transaction was genuine.

            1. Dr. Mouse

              Re: surprised? anyone?

              To be honest, I wasn't talking about the money being taken from your account. That can, and will, happen.

              The point is that most would be picked up by the account holder before the criminals could draw the money from their merchant account (which would be weeks later). The bank would quite quickly, with so many reports, realise the criminal is committing fraud, and put the account on hold.

            2. Anonymous Coward

              Re: surprised? anyone?

              I have absolutely zero faith in their fraud detection - in any case they have a vested interest in not stopping a fraudulent payment reaching your account.

              A few years ago I had a Barclaycard nicked in Thailand. I reported it within the hour, yet two months later on my statement were three transactions for 20 quid or so that were clearly made after I'd reported it. They removed them after I called, but it took an hour and having to re-explain the circumstances to do so. So even with the total clarity of a cut-off time and two months to work it out, they still didn't catch the dodgy transactions. Perhaps cynically, the message I took from that was that they couldn't care less how they racked up the account balance if they could get away with it.

              I'm honestly not surprised that this attack is possible; the NFC card payments without any authentication have always looked to me like an accident waiting to happen.

  4. DainB Bronze badge

    Merchant account

    "The flaw could see crims set up a merchant somewhere in the world and then launch attacks in different locations"

    Last time I tried to get a merchant account, the bank demanded a fair amount of identity documents as well as lots of other paperwork. I'd imagine these rules are dictated by Visa/MC/AmEx and would be pretty much the same everywhere in the world. So yeah, good luck getting one.

    1. Anonymous Coward

      Re: Merchant account

      They can surely avoid the tedium of having to acquire forged or stolen identity documents by just hijacking someone else's account.

      But I think you will find that banks in many parts of the World really are very lax about the identity proof.

      1. DainB Bronze badge

        Re: Merchant account

        Yes, at the risk of being cut off from the payment system completely and permanently. Sure, they are THAT dumb in those parts of the world.

        What you will actually find is that in many parts of the world getting a PayPass-enabled merchant account is next to impossible.

  5. Anonymous Coward

    UK needs to learn from other countries

    Got a new Visa card from my French bank. It had pay-by-bonk enabled so, without much hope, I asked if it could be disabled. To my considerable surprise the response was "Mais oui." <click>, <click>, sign this. Job done.

    I asked if they had many people asking, the response was "No, mostly just our British customers. It causes problems on the Tube, apparently."

    1. Jess--

      Re: UK needs to learn from other countries

      A hole punch through the antenna loop works quite well too; just choose your spot carefully so you don't get rid of something you need on the card.

      No loop means no induction to power the chip (chip 'n' PIN / magstripe all still work).

      1. Horridbloke

        Re: UK needs to learn from other countries

        This works well, but a shop assistant might get worried about the visibly mutilated card. The job can be done more discreetly by making a small nick with a craft knife, though this really needs an NFC-capable phone to confirm the card really has been snipped.

        It's probably a good idea to make a test purchase afterward to verify the card's normal chip & pin function still works - have an alternative payment method just in case.

        1. Zimmer

          Re: UK needs to learn from other countries

          How about asking the bank to provide you with a card WITHOUT the facility... it is what I did (NatWest, should you be interested).

          Makes it clear to the banks your feelings on the matter.

  6. sisk

    Yet more proof pay-by-bonk is a bad idea. The first time I saw it I got on the nope train. I've seen no reason to regret that decision and plenty of evidence it was a prudent one since.

  7. imanidiot Silver badge

    And yet...

    the lovely young lady behind the counter at my local bank office looked at me funny when I told her I didn't WANT a pay-by-bonk enabled card. (Unfortunately they don't provide any other. And they even force me to use the new card well before the expiry date of the old one, without warning me. The only option is to turn "contactless payment" off on the website and trust them on their pretty blue eyes that it won't actually work.)

    1. sisk

      Re: And yet...

      Unfortunately they don't provide any other.

      Time to look for another bank I'd say.

      1. imanidiot Silver badge

        Re: And yet...

        @sisk,

        Unfortunately there are no Dutch banks that DO offer a non-NFC card.

    2. Oninoshiko

      Re: trust them on their pretty blue eyes it won't actually work

      You could, I don't know, disable it on the site then try to use it. If it works, you'll know about it and can complain.

    3. Horridbloke

      Re: And yet...

      I couldn't see any on-line option to turn it off (the provider is MBNA), so I've sent them a message asking whether they can turn it off for me. I'll post again if I get a reply.

      You can't beat physical sabotage though.

      1. gollux

        Re: And yet...

        Heh, my millwright uncle had no problems with the magstripe technology, he says a day at work around any heavy motors degausses them pretty effectively. His maximum life on card readability was about two weeks once.

        We'll have to see how chip & pin and NFC fare under that environment.

      2. Horridbloke

        Re: And yet...

        I have received the following reply from MBNA on the matter...

        Thank you for contacting us {Horridbloke}. I appreciate your concerns; however, rest assured that Contactless technology has been extensively tested to ensure the absolute security of your account. This is a new development in the card industry that lets you make a payment for retail purchases without entering a PIN or signing to authorise the transaction wherever you see the Contactless acceptance symbol. Paying with a Contactless card is just as secure as paying by Chip and PIN because it is based on the same secure technology as Chip and PIN. It only works when you hold the card up to the terminal (within 4 cm), so you can't accidentally pay for someone else's shopping, and occasionally you will be asked to make a normal Chip and PIN transaction instead of a Contactless one. There is nothing wrong with your card; this is a security check to limit fraud and would likely occur if you made multiple Contactless transactions within a short time period. For additional security, when you are sent your Contactless card you must first make a Chip and PIN transaction. This is just to make sure it's got to the right person and to enable it to work. In addition, you are still covered for any fraudulent activity on your card just as with Chip and PIN transactions, providing you let us know as soon as you notice any unrecognised transactions on your statement. All our cards now come with Contactless functionality and are perfectly secure. Contactless offers many benefits, but if you don't want to use it in this way you don't have to. We are unable to issue a card without Contactless functionality; however, you can continue to make your payments by Chip and PIN if you prefer. If you log on to the website, click on the tab "Account Home" and you can select the tab "View all transactions", and you will be able to see any transactions in current activity if you wish to monitor your account. Many thanks.

        I guess I'll carry on using the craft knife.

        1. sisk

          Re: And yet...

          They actually claimed that it's 'perfectly secure'? This despite the known flaws in the system and the well known IT concept that perfect security doesn't exist?

          This is what happens when you let marketing types talk about technology.

        2. Anonymous Coward

          Re: And yet...

          "This is a new development in the card industry that lets you make a payment for retail purchases without entering a PIN or signing to authorise the transaction wherever you see the Contactless acceptance symbol."

          This sentence quite clearly says that all contactless transactions are by definition unauthorised. Good to know.
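The MBNA reply quoted above says a chip and PIN step-up "would likely occur if you made multiple Contactless transactions within a short time period", and several posters in this thread argue that the whole scheme rests on the bank's back-end fraud detection catching a terminal "set to £20" that taps everyone in a queue. What follows is an added example, written for this page and not code from the article, the Newcastle researchers, MBNA or any card scheme, of what two such velocity checks look like when run over an authorisation log: an acquirer-side rule that flags a terminal taking one identical no-CVM amount from many distinct cards within minutes, and an issuer-side rule that forces chip and PIN after a card has been tapped more than a couple of times in a window. The log format, field names, terminal IDs, card hashes, timestamps and thresholds are all constructed for the illustration; real schemes use their own counters and limits.

```python
"""Toy back-end velocity checks for contactless ("pay-by-bonk") authorisations.

Added illustration for this discussion, not code from the article or from any
card scheme. The log layout, names and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation log (assumed format):
#   ISO timestamp, terminal id, hashed PAN, amount in pence, CVM ("none" = tap, no PIN)
# T-ROGUE-1 models the "set it to £20 and bonk everyone on the tube" pattern;
# T-SHOP-7/8/9 model ordinary retail traffic; card c01 is tapped three times.
SAMPLE_LOG = """\
2014-11-03T08:01:05,T-ROGUE-1,c01,2000,none
2014-11-03T08:01:09,T-ROGUE-1,c02,2000,none
2014-11-03T08:01:14,T-ROGUE-1,c03,2000,none
2014-11-03T08:01:20,T-ROGUE-1,c04,2000,none
2014-11-03T08:01:27,T-ROGUE-1,c05,2000,none
2014-11-03T08:01:33,T-ROGUE-1,c06,2000,none
2014-11-03T08:05:00,T-SHOP-7,c10,450,none
2014-11-03T08:07:30,T-SHOP-7,c11,1299,none
2014-11-03T08:09:10,T-SHOP-7,c12,6000,pin
2014-11-03T08:15:00,T-SHOP-8,c01,1500,none
2014-11-03T08:16:40,T-SHOP-9,c01,900,none
"""


def parse_log(text):
    """Parse the constructed CSV-ish log into a list of transaction dicts."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, pan, pence, cvm = line.split(",")
        txns.append({
            "ts": datetime.fromisoformat(ts),
            "terminal": terminal,
            "pan": pan,          # hashed PAN, never the real card number
            "pence": int(pence),
            "cvm": cvm,
        })
    return txns


def rogue_terminals(txns, window=timedelta(minutes=10), min_cards=5):
    """Acquirer-side check: a terminal that takes the same no-CVM amount from
    at least `min_cards` distinct cards within `window` looks like a rogue
    reader walked through a crowd rather than a till serving customers.
    Returns {terminal: {"amount_pence": ..., "cards": ...}} for flagged terminals."""
    by_terminal = defaultdict(list)
    for t in txns:
        if t["cvm"] == "none":
            by_terminal[t["terminal"]].append(t)
    flagged = {}
    for terminal, items in by_terminal.items():
        items.sort(key=lambda t: t["ts"])
        for i, start in enumerate(items):
            # Sliding window anchored at each tap: same amount, within the window.
            same = [t for t in items[i:]
                    if t["ts"] - start["ts"] <= window and t["pence"] == start["pence"]]
            cards = {t["pan"] for t in same}
            if len(cards) >= min_cards:
                flagged[terminal] = {"amount_pence": start["pence"], "cards": len(cards)}
                break
    return flagged


def needs_step_up(txns, pan, at, window=timedelta(minutes=30), max_taps=2):
    """Issuer-side check: once a card has made `max_taps` no-CVM taps inside
    `window` ending at `at`, the next authorisation should demand chip and PIN
    (the behaviour the MBNA reply describes)."""
    recent = [t for t in txns
              if t["pan"] == pan and t["cvm"] == "none" and at - window <= t["ts"] <= at]
    return len(recent) >= max_taps


TXNS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("flagged terminals:", rogue_terminals(TXNS))
    latest = TXNS[-1]["ts"]
    for pan in ("c01", "c10"):
        print(pan, "needs chip & PIN:", needs_step_up(TXNS, pan, latest))
```

On the constructed log the terminal check flags only T-ROGUE-1 (six distinct cards, £20.00 each, inside half a minute), while the shop terminal with a mix of amounts stays clean; the card check returns true for c01, which has three taps in the half hour, and false for a card tapped once. Thresholds this low are deliberately aggressive for the sake of the demonstration, and either rule on its own is easy to evade (vary the amount, slow down), which is the point several commenters make about leaning on back-end detection.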

  8. Christian Digby-Firth

    Must dash

    It's ka-ching. Kaching is what our cricketers don't do enough of. Hyphens matter.
