Netherlands
Wasn't this already the case for the Dutch bus cards? There wasn't an Android app, but the principle was the same, about five years ago, with the same dreadful Mifare cards.
Cybercrooks have developed an Android app that makes it possible to hack RFID payment cards, researchers discovered after a Chilean transport system was defrauded. The app at the centre of the scam hacked into the user’s radio frequency ID (RFID) bus transit card in order to recharge credits. The fraud-enabling Android tool, …
It was, though they have since updated said cards to a newer version of the Mifare card which is not susceptible to the same exploits. I have no doubt someone somewhere has cracked the new version as well, though.
Because of the way the Dutch system works, hacked cards are detectable, though, so after a few uses they will probably be blocked from working with the system. (All the fixed checkpoints are networked to a central database system.)
If you can hack one card, you can hack them all. The question is just when it gets discovered.
quote:
"Don't fret, your contactless bank card is likely NOT susceptible"
That is the biggest BS I have ever read. Who is that brainless idiot?
Every RFID chip can be hacked; that is as old as the RFID chip itself.
Actually, if you really want to disable the NFC, you just have to drill a hole partway into the card near the chip (holding it up to a bright light will show you where the NFC antenna coil connection wires are). Seeing as the bank is liable for any NFC transactions, though, that doesn't really do much but inconvenience you, the user ;)
"Pop it in the microwave for a few seconds."
As others have mentioned here (and elsewhere), that would likely fry all the electronics in your card and, depending, it could also damage your magnetic strip.
I'll give you a clue - no-one does physical imprint credit card transactions anymore. May as well give them your cardboard business card for all the good it'll do.
"'The Bip card is based on the MIFARE Classic card,' Miller explained. 'This card is one of a range of RFID cards, each offering different levels of security for a relative cost.
'This particular type is one of the lowest cost cards available, but is also one of the most insecure. Methods to exploit this type of card were shown as early as 2007,' he added."
The problem is, indeed, that the lowest-security cards are the cheapest. And NXP, of course, is not withdrawing the lowest-security cards, because of their low cost and massive revenue (people don't understand security and of course buy the cheapest).
So, unless a given state or organisation puts legal pressure on the card provider for guaranteed security, this situation will prevail. Shit security will be in every smart card product. Shame, but true.
Anon, since I was involved in this problem...
PS: why am I not going black hat? I'm dumb...
I work in this industry.
It is true that Mifare Classic has been broken for a long time and can easily be cracked with cheap readers and open source tools.
What the payment card did wrong in this case is that it held the balance on the card, protected only by the lock keys.
If they had implemented some form of readback and check-at-base, like I suspect my local bus company does*, then they could match card IDs to wildly changing balances and invalidate the IDs of the cards that are being hacked.
Another layer of security, such as combining the current balance and the date/time of the last transaction and using the card ID as a salt, pumped into a simple bcrypt routine to produce a validation hash, would also have foiled this method.
This sounds like sloppy implementation security around guarding the validity of the balance. Nothing to see here.
Bank cards are a different matter. My bank card identifies itself to my phone as a simple Mifare Classic, with a lot of locked sectors. Nothing unusual. When presented to my cracking tool, my bank card thinks about it, then starts to return timeouts on the sector probes. On the second run, my bank card times out immediately and refuses to talk to the reader. While the chip structure of my bank card may well be a Classic inside, there is something else in there. There is a guard sitting between the RFID interface and the chip that is preventing the repeated probings needed to crack the keys. Your bank cards are safe for a while.
*My local bus company uses Desfire cards, so I haven't been able to check their methods.
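The two defences the poster above describes, a check-at-base that flags balances that climb without an authorised top-up (the same idea the Dutch networked checkpoints are credited with earlier in the thread) and a validation hash over balance, timestamp and card ID, sketched as an added Python example. This is not the commenter's code and not any real transit system's. It assumes a 16-byte reader-side secret and a 4-byte UID, both constructed here, and it uses a keyed HMAC rather than a plain hash, because a hash over fields the attacker can already write could simply be recomputed by the attacker; the secret has to live in the readers and back end, never on the card. It also shows the limit of the card-side tag: a genuine old block can be copied back onto the card (a rollback), and only the central ledger catches that.

```python
import hmac
import hashlib
import struct

# Assumption: a 16-byte secret that lives only in the readers and the back end.
# The card never holds it, so cracking the card's sector keys does not reveal it.
READER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Constructed sample: a 4-byte MIFARE Classic style UID.
SAMPLE_UID = bytes.fromhex("deadbeef")


def encode_value_block(uid, balance_cents, last_tx_ts, key=READER_KEY):
    """Build one 16-byte block: 4-byte signed balance, 4-byte timestamp,
    8-byte truncated HMAC-SHA256 over UID || balance || timestamp."""
    payload = struct.pack(">iI", balance_cents, last_tx_ts)
    tag = hmac.new(key, uid + payload, hashlib.sha256).digest()[:8]
    return payload + tag


def decode_unchecked(block):
    """What a naive reader does: trust whatever bytes are on the card."""
    return struct.unpack(">iI", block[:8])


def decode_and_verify(uid, block, key=READER_KEY):
    """Reader-side check: recompute the tag and reject on mismatch.
    Returns (balance, ts) or None if the block does not verify."""
    payload, tag = block[:8], block[8:16]
    expected = hmac.new(key, uid + payload, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">iI", payload)


def rewrite_balance(block, new_balance_cents):
    """Simulates the 'Android reload': with the cracked sector key the
    attacker overwrites the balance bytes directly, leaving the rest alone."""
    return struct.pack(">i", new_balance_cents) + block[4:]


class CentralLedger:
    """Back-end check-at-base: remembers the last validated state per UID and
    the top-ups it authorised. Any other increase in balance, or a timestamp
    going backwards, marks the card as tampered with and blocks the UID."""

    def __init__(self):
        self.last_state = {}   # uid -> (balance_cents, last_tx_ts)
        self.blocked = set()

    def authorised_topup(self, uid, new_balance_cents, ts):
        self.last_state[uid] = (new_balance_cents, ts)

    def checkpoint(self, uid, balance_cents, ts):
        """Called by each networked reader. Returns True if the card may travel."""
        if uid in self.blocked:
            return False
        prev = self.last_state.get(uid)
        if prev is not None:
            prev_balance, prev_ts = prev
            if balance_cents > prev_balance or ts < prev_ts:
                self.blocked.add(uid)
                return False
        self.last_state[uid] = (balance_cents, ts)
        return True


def demo():
    """Walks through a forgery and a rollback; returns the outcome of each check."""
    results = {}
    ledger = CentralLedger()
    # Legitimate top-up of 16.00 at t=1000, recorded centrally and written to the card.
    block = encode_value_block(SAMPLE_UID, 1600, 1000)
    ledger.authorised_topup(SAMPLE_UID, 1600, 1000)
    # Forgery: attacker writes 99.00 over the balance bytes.
    forged = rewrite_balance(block, 9900)
    results["naive_accepts_forgery"] = decode_unchecked(forged)[0] == 9900
    results["mac_rejects_forgery"] = decode_and_verify(SAMPLE_UID, forged) is None
    # Rollback: attacker keeps a copy of the genuine block, spends down to 2.00,
    # then writes the old block back. The tag is valid, so the reader alone accepts it.
    spent = encode_value_block(SAMPLE_UID, 200, 2000)
    ledger.checkpoint(SAMPLE_UID, *decode_and_verify(SAMPLE_UID, spent))
    restored = decode_and_verify(SAMPLE_UID, block)
    results["mac_accepts_rollback"] = restored == (1600, 1000)
    results["ledger_blocks_rollback"] = ledger.checkpoint(SAMPLE_UID, *restored) is False
    results["card_blocked"] = SAMPLE_UID in ledger.blocked
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run stand-alone it prints the five outcomes, all of which should be True. The point of the split is that the tag makes the reader reject fabricated balances offline, while the ledger, which needs the readers to be networked as the Dutch checkpoints are, is what catches a card whose balance has been legitimately signed but then restored from a saved copy.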
There was a guy who made a microcontroller-based Mifare reader/writer which could emulate the Oyster cards used on London transport. In addition to reading and writing the contents of the Oyster card, he could clone the cards of others and then use those accounts for travel.
He never released the code and specs of what he did, but I remember there being a bit of a ruckus a couple of years later about a large number of fraudulent Oyster top-ups popping up, with TfL making changes to the system (Oyster is Mifare Classic, from what I remember).
Presumably now they don't store the balance on the card, but some sort of ID which is linked to a central account. Still possible to clone them, but not to just issue "free" top ups.
It was deemed too expensive to rip out every single Oyster-enabled device and replace it with a newer system, so I suspect that the above loophole is still viable for those with the time and inclination for it.
"The problem is, indeed, the lowest security cards are the cheapest. And NXP, of course, is not withdrawing lowest sec cards because of low cost and massive revenue (people don't understand security and of course buy the cheapest)."
Maybe they *do* understand security. Given they're loading $16 on the card, and it's for an intangible asset (unauthorized use of the transit) rather than a tangible one (lifting $16 worth of items from a store or something), they may have gone in knowing they were not getting the highest-security card, run the numbers and figured the card cost savings outweighed the fraud risk. I wonder if it could be "fixed" on the back end like the Dutch system in a post above, so that "Android-reloaded" cards would be deactivated.