Contactless card fraud? Easy. All you need is an off-the-shelf scanner

Consumer association magazine Which? has highlighted a security flaw in contactless card systems, which, if combined with a lack of checks by retailers, could be exploited by thieves to make expensive online purchases. Researchers bought contactless card-reading technology from a mainstream website before using it to remotely …

  1. Yugguy

    Who's laughing now???

    Not all you downvoters who mocked my RFID-proof wallet, that's for sure.

    Aint noone slurping my details.

    1. Steve Davies 3 Silver badge

      Re: Who's laughing now???

      That won't stop the down voters but I'm there with you with the Wallet. I have an anti-RFID Passport cover as well.

      1. BillG

        Re: Who's laughing now???

        Not all you downvoters who mocked my RFID-proof wallet, that's for sure.

        Question - do RFID-proof wallets set off airport metal detectors?

        1. Annihilator

          Re: Who's laughing now???

          "Question - do RFID-proof wallets set off airport metal detectors?"

          Yes. But really, just put all your belongings in the little tray they give you, metal or not. It's just easier!

          1. AMBxx Silver badge
            Coat

            Re: Who's laughing now???

            For the more style aware, just use a pair of scissors to cut an inch into the card where the wires are. Job done.

            1. Yugguy

              Re: Who's laughing now???

No, mine is not one of those weird-looking metal mesh ones, it's a nice-looking brown leather one with the mesh hidden inside.

            2. enormous c word

              Re: Who's laughing now???

Contactless cards are a bad idea - they're easy to scam and let's face it, most of us have several cards, so at £30 per transaction per card, that soon adds up to £100s just by some scammer with a scanner brushing by you and swiping your card details.

So the aluminium/tinfoil+duct tape home-made wallets do work and if you are careful, cutting off a corner of your card should break the RFID aerial. But if you just contact your bank and demand a non-contactless card they are obliged to send you a replacement one - that way you can make it plain you don't want any contactless (securityless) cards.

              Thing is - this is a scam - by the banks, they don't want you to pay for stuff with cash because they can't control the transaction, they want to skim a little bit off every transaction in micro-fees. If there is fraud, they will simply refund it and recoup the costs through lower-interest rates and/or bank charges - so as always you the consumer lose.

Contactless sucks - call your bank and demand a conventional card.

          2. Intractable Potsherd

            Re: Who's laughing now??? @Annihilator

            Apart from handing my passport to border control and (depending on airport) the check-in staff, I do not let my passport leave my pocket/hand, and my cards stay in my pocket too. There is no way on earth I'm putting them in the tray. I'd be pissed off if my wallet/ebook/phone went missing, but they are all insured and easily replaceable - not so my passport and cards.

    2. Velv

      Re: Who's laughing now???

      While I upvote your RFID wallet, the key thing here is not the stealing of the card number, but the fact that merchants are accepting orders without checking the details. Why bother even stealing card numbers if the merchant isn't validating the address and CVV. Just make numbers up (there's a formula) and put the orders through, some will fail but I'm betting some will succeed.

Security works best when it's multi-layered. An RFID wallet is one good layer, but an RFID wallet is just as easily pick-pocketed as a standard wallet, so that's where all other protective measures come into play. The big issue comes when banks refuse to acknowledge fraud is possible at all stages.

      1. Christoph

        Re: Who's laughing now???

        "Official fraud figures show losses attributable to contactless fraud are less than 1p per £100, a very small percentage of the overall figure."

        If the banks behave the same way as they usually do, they won't just refuse to acknowledge fraud is possible, they will have their defrauded customers arrested.

        So it's hardly surprising that their official fraud figures are low.

      2. This post has been deleted by its author

    3. Cuddles

      Re: Who's laughing now???

      "Not all you downvoters who mocked my RFID-proof wallet, that's for sure.

      Aint noone slurping my details."

      From the article:

      "The hack relied on getting volunteers to tap their cards onto a bogus card reader."

      "“I don’t think the fact it is contactless is the issue here, as a traditional card skimmer would be able to take those details even from a traditional chip and pin purchase," Dine said."

I don't think your tinfoil wallet is going to help all that much, since your details can still easily be slurped if you ever actually use your card. This study had absolutely nothing to do with contactless cards; exactly the same could have been done using the magnetic stripe, chip and pin, those funny machines where they stamp the numbers onto carbon paper, or just looking at the card and remembering the numbers. As long as using your card involves potentially untrustworthy people and hardware (i.e. always), this problem is going to be present. It doesn't matter how safe you keep your card when not in use, it's the use itself that is inherently insecure.

  2. Lxbr
    WTF?

    Where are they shopping

    Where are Which? shopping online that they don't need to enter a CVV code or use 3D Secure? Because that sounds really convenient, if amazingly insecure.

    1. mark 120

      Re: Where are they shopping

Amazon doesn't require a CVV.

      1. Anonymous Blowhard

        Re: Where are they shopping

"Amazon doesn't require a CVV"

        They do the first time you use a card, but not for subsequent transactions.

        As far as the online fraudulent purchases go, they could probably get the same details from the front of a card using a camera aimed at a reader.

        1. Salts

          Re: Where are they shopping

          @blowhard

          Just to add for Amazon if you ask for delivery to a different address then you must give the CVV of the card for the first order to that address.

      2. Anonymous Coward

        Re: Where are they shopping

        I bought something 30 minutes ago from Amazon with a company credit card I had never used there before (it was something I needed for work, honest). I wasn't asked for the CV2, and neither did it activate the card's 3-D Secure SMS verification.

    2. Tony W

      Re: Where are they shopping

      And which bank is it that doesn't insist on the data that I've taken a lot of trouble to store securely? I'd like to avoid it.

    3. Anonymous Coward

      Re: Where are they shopping

      Curry's/PC World.

    4. Anonymous Coward

      Re: Where are they shopping

My Visa cards almost always ask for the 'Verified by Visa', but I often pay with one of my girlfriend's Mastercards, and I don't think I've had their equivalent pop up more than once or twice, even though it's set up on all her cards. The box usually flashes up in passing, but that's it.

      1. Anonymous Coward

        Re: Where are they shopping

"My Visa cards almost always ask for the 'Verified by Visa', but I often pay with one of my girlfriend's Mastercards"

        Upvoted for having your girlfriends pay for your stuff. You run a pattern?

        1. AMBxx Silver badge
          Boffin

          Re: Where are they shopping

I thought Verified by Visa et al. had been scrapped. They were too easy to circumvent and just placed the risk on the card user.

    5. Warm Braw

      Re: Where are they shopping

      It certainly used to be common for suppliers to do offline auths - they'd save the card data entered on the website and process it in batch along with their mail order card auths. This is insecure for the merchant if they don't take the CVV and match the delivery and billing address. However, it's insecure for the customer if they do, as the merchant has an electronic record of all that information, possibly in perpetuity.

      This isn't supposed to happen any more (PCI rules), but it's not uncommon for merchants to "take a view" on the risk of non-compliance (particularly if they're at a level they can self-certify), much as they do on the benefits vs. risks of ignoring the Data Protection Act.

    6. chris 17 Silver badge

      Re: Where are they shopping

I have several new (this year) credit cards that don't use 3D Secure.

    7. BristolBachelor Gold badge

      Re: Where are they shopping

The vendor is not allowed to store the CV2, which means that they can only take it if they bill you that second. However they are not allowed to bill you until they actually supply the goods or service (in the UK). Anyone who takes an order and then sends it later cannot officially use the CV2.

I'd be more upset that they've created a new system that has EXACTLY the same, known flaw as the last one, which is that it always uses the same number for every single transaction. Was it designed by someone more stupid than Homer Simpson?

  3. theOtherJT Silver badge

    Attack of the clones

    Ok, you're going to struggle to buy thousands of pounds worth of goods with this - but surely the real way to abuse this system is with a cloned card and just keep paying for little things? Keep a stack of them and never pay for your tube journey again. Never pay for your petrol again (only fill up 1/4 of a tank at a time). Never pay for your round in the pub again... That's what has always really worried me about this contactless thing. Just because it's a small amount of money per transaction doesn't mean someone couldn't systematically steal a lot from you before your next bank statement arrives - I mean, who actually checks theirs daily to make sure it all lines up?

    1. sugerbear

      Re: Attack of the clones

"Ok, you're going to struggle to buy thousands of pounds worth of goods with this - but surely the real way to abuse this system is with a cloned card and just keep paying for little things? Keep a stack of them and never pay for your tube journey again. Never pay for your petrol again (only fill up 1/4 of a tank at a time). Never pay for your round in the pub again... That's what has always really worried me about this contactless thing. Just because it's a small amount of money per transaction doesn't mean someone couldn't systematically steal a lot from you before your next bank statement arrives - I mean, who actually checks theirs daily to make sure it all lines up?"

      Sigh... your comments are typical of the ill informed "security researchers" that pop up every now and again to tell the world (and sell a story to a newspaper) about some hole in EMV or contactless.

Your idea of living off someone's card is unworkable. It is sad because a little lie goes a long way on the internet. The terminal generates a random number which then forms the ARQC that the issuer validates. So unless you can pre-predict the random number that the terminal will generate, your idea is a crock of shite (excuse my French).

      1. theOtherJT Silver badge

        Re: Attack of the clones

        Ok, sugerbear*

        So, I borrow your contactless card in the pub and go get your round in for you. I don't need your pin, I don't need your address, I just press the card against the reader the nice barman points at me, and I paid for some beers with your card. Job done. Beers for the both of us.

Now let's say I take your card without asking. I can still do this. You'll get wise pretty soon, because you'll notice your card is missing and cancel it, but I have at least that long to enjoy tasty, tasty beers on you.

        If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy - A thing we know to be possible because it happens already - then I can keep paying for things with it as long as I never go over £20 and the place I'm buying from supports tap-to-pay, right up to the point your next bank statement rocks up and you notice that you've been spending an awful lot more time in the pub than is plausible for someone earning an honest living.

        So, sugearbear**, at what point do I need to start predicting numbers in this scenario?

        * This was worth it just to say that...

        ** Still funny.

        1. Phil O'Sophical Silver badge

          Re: Attack of the clones

          If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy - A thing we know to be possible because it happens already - then I can keep paying for things with it as long as I never go over £20

There is supposedly a second level of protection: after some small (5-6?) number of transactions the terminal will ask for a PIN, just as a check. I have no idea if this actually happens (my contactless card has a hole through the antenna), nor if Apple Pay implements it, though.

          1. jonathanb Silver badge

            Re: Attack of the clones

            Normal pay-by-bonk cards do require a PIN every so often. Apple pay doesn't but requires a fingerprint instead.

          2. enormous c word

            Re: Attack of the clones

            @sugarbear,

            Hello....

            ...Apparently sugarbear has run away in the face of common sense and the harsh realities of life away from 'care bear land'

        2. sugerbear

          Re: Attack of the clones

          @ theOtherJT

You would have to steal my card first. But fair enough, you take my card and use it to buy everyone a round in the pub. I report it to my bank and the money is refunded; I have lost nothing in that scenario because I have not been negligent. You may or may not be filmed on CCTV buying those beers and if you are the type of person that does that kind of thing you are at some stage going to get caught.

          "If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy" how have you cloned the secure element of the chip and extracted the keys? Do you have access to a lab of some sort?

      2. Dabooka

        Re: Attack of the clones

        @Sugerbear

Except it isn't, is it? Not really. I don't see why a few small purchases throughout the month wouldn't have a reasonable chance of going unnoticed by the sort of person who uses wireless to pay for small things. So, you know, not really a crock at all, unless you can explain exactly how your ARQC reference would actually stop someone doing this?

        1. sugerbear

          Re: Attack of the clones

          @Dabooka.

You don't understand because you don't understand how EMV works, maybe?

          Anyway, short answer

The terminal generates a random number that is sent to the card along with a bunch of transaction info. The card then uses a secret key to generate an ARQC. The terminal then sends the random number + transaction information to the issuer, who also holds a copy of the secret key. The issuer then uses the information supplied to the chip to recreate the ARQC and compare it to the one the chip generated. You can check the EMVCo manuals if you want to investigate further.

If you understand how it works you will understand why cloning a contactless transaction so you can use it later in a contactless terminal won't work, because you can't predict the random number that the terminal will send to the card when you attempt to replay it.

          1. theOtherJT Silver badge

            Re: Attack of the clones

            Possibly we're misunderstanding one another here, sugarbear*

            I'm not worried that someone is going to wirelessly snoop my card. I'm worried that someone is going to clone my card by other means - as actually happened to me a few years back - and it's going to be basically impossible for me to prove to my bank that I'm not the one ringing up the massive bar tab.

            Maybe they'll be kind and refund me anyway - but that wasn't my experience last time. It was a bit of a pain.

            What you seem to be saying is that the chip in the contactless ones is harder to copy than the one in the old chip-n-pin style ones, is that so?

            * last time, I promise, but your handle is cute and makes me smile every time I say it!

            1. Fuzz

              Re: Attack of the clones

              @theOtherJT what sugarbear is saying is that it isn't possible to make a working replica contactless card using the information that can be obtained from the card. If you have in the past had your card cloned, either

              1. The information from the card was used to shop online

              2. The card was used in a store with the details read from the mag stripe or entered directly into the till

              This article is about lax security verification in online stores. The contactless card part is moot, I could obtain this information using CCTV cameras, if you have an American express card I can even get the CV2 since this is on the front of those cards.

      3. chris 17 Silver badge

        Re: Attack of the clones

        To add to your post, the chip in the card generates the ARQC which is sent to the card issuer, the card issuer verifies this as being genuine with an ARPC response to the card which validates it received a response from its issuer.

        https://www.visa-asia.com/ap/center/merchants/productstech/includes/uploads/CTENov02.pdf

        http://www.atmmarketplace.com/videos/arqc-and-arpc-generation-and-validation/

Simply reading the card data with a reader should not be enough to clone it, as you actually need the chip in the card to do the encryption handshake at the point of sale.
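A simplified model of the ARQC/ARPC exchange that sugerbear and chris 17 describe, added here as an illustration and not code from the thread or from any EMV specification. It assumes HMAC-SHA256 in place of EMV's 3DES/AES cryptogram functions, a reduced field set (PAN, amount, transaction counter, terminal unpredictable number), and constructed keys and PAN; it shows why a recorded cryptogram replayed at a terminal is declined by the issuer.

```python
import hmac
import hashlib
import secrets


def mac8(key: bytes, data: bytes) -> bytes:
    """Stand-in cryptogram function: truncated HMAC (assumption; not EMV's actual MAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def ac_input(pan: str, amount: int, atc: int, un: bytes) -> bytes:
    """Data the cryptogram covers: card fields plus the terminal's unpredictable
    number. Card and issuer must build it identically."""
    return f"{pan}|{amount}|{atc}|{un.hex()}".encode()


class Card:
    """The chip: a secret key the reader never sees, plus a transaction counter (ATC)."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_ac(self, un: bytes, amount: int) -> dict:
        self.atc += 1
        arqc = mac8(self.key, ac_input(self.pan, amount, self.atc, un))
        return {"pan": self.pan, "atc": self.atc, "arqc": arqc}


class Issuer:
    """Holds a copy of each card's key; recomputes the ARQC and answers with an ARPC."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enrol(self, card: Card) -> None:
        self.keys[card.pan] = card.key
        self.last_atc[card.pan] = 0

    def authorise(self, req: dict):
        key = self.keys.get(req["pan"])
        if key is None:
            return "05", None                              # unknown card: decline
        expected = mac8(key, ac_input(req["pan"], req["amount"], req["atc"], req["un"]))
        if not hmac.compare_digest(expected, req["arqc"]):
            return "05", None                              # cryptogram mismatch: decline
        if req["atc"] <= self.last_atc[req["pan"]]:
            return "05", None                              # counter did not advance: replay
        self.last_atc[req["pan"]] = req["atc"]
        arpc = mac8(key, req["arqc"] + b"00")              # simplified ARPC over ARQC + code
        return "00", arpc


class Terminal:
    def __init__(self, issuer: Issuer):
        self.issuer = issuer

    def transact(self, chip, amount: int, un: bytes = None) -> bool:
        un = un if un is not None else secrets.token_bytes(4)   # fresh unpredictable number
        resp = chip.generate_ac(un, amount)
        # The terminal reports the UN and amount *it* used; the chip cannot substitute its own.
        req = {"pan": resp["pan"], "atc": resp["atc"], "arqc": resp["arqc"],
               "amount": amount, "un": un}
        code, _arpc = self.issuer.authorise(req)
        return code == "00"


class Recording:
    """Observes one genuine tap and then replays that response verbatim: the
    'clone from sniffed data' of the thread, with no key and no fresh ARQC."""
    def __init__(self, card: Card):
        self.card, self.un, self.resp = card, None, None

    def generate_ac(self, un: bytes, amount: int) -> dict:
        if self.resp is None:                      # first tap is the real card, observed
            self.un, self.resp = un, self.card.generate_ac(un, amount)
        return self.resp                           # every later tap replays the capture


def demo() -> dict:
    card = Card("4111111111111111", secrets.token_bytes(16))   # constructed test PAN and key
    issuer = Issuer()
    issuer.enrol(card)
    pos = Terminal(issuer)
    rec = Recording(card)
    return {
        "genuine": pos.transact(card, 299),              # real chip, fresh ARQC: approved
        "observed_tap": pos.transact(rec, 250),          # the tap the recorder watched: approved
        "replay_new_un": pos.transact(rec, 250),         # new terminal UN: ARQC mismatch
        "replay_same_un": pos.transact(rec, 250, rec.un),  # even the same UN: ATC check
    }
```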

    2. jonathanb Silver badge

      Re: Attack of the clones

      Petrol purchases are linked to a photo of your number plate. They can be faked, but if it isn't on the insurance database, you risk getting stopped by the police.

      1. Anonymous Coward
        Stop

        Re: Attack of the clones

        so clone a legit number plate - not difficult

  4. Mage Silver badge
    Facepalm

    I said before

    This tech as implemented, was designed for warehouses. It should NEVER have been mis-applied to passports, credit/debit cards, retail labels, travel and door locks.

    A connector (such as on cards already) is better. Though there is a horrible flaw in Chip and Pin that need not exist.

    For retail tags any info should be in a database, only a serial number for warranty return purposes in the product.

  5. thesykes

    No CVV and no Verified by Visa / Mastercard Securecode?

    Name and shame the sites and get the banks, Visa and Mastercard to refuse to allow online transactions with them.

    Bypassing the most fundamental of security checks is ridiculous, and I would've thought the retailers themselves would have to stand to any losses.

  6. Ed

    I know one of the big mobile company's websites that doesn't check the CVV number when topping up, despite asking for it. You can type any number you like in. This has been the case for the last 2 or 3 years.

    1. Dabooka

      Common thing amongst the crooks

When my CoOp debit card was used rather naughtily a couple of years ago, the chap on the phone was chatting while we went through the transactions. He said (and I have no reason to disbelieve him) that they'll often try a mobile top up of £10 or suchlike to see if the card's active and open to be hammered, and that they require next to no security checks.

  7. Notenoughnamespace

    We've been here before, and last time we had video too:

    http://www.theregister.co.uk/2013/04/29/cbc_nfc_tv/

    http://www.theregister.co.uk/2010/12/10/nfc_security/

    The video makes it more scary, to my mind, not to mention an excuse for lots of bum footage.

  8. Dabooka

    Still not for me.

    I know this argument goes on and on, but I STILL don't see the need.

    I don't and won't use contactless but I am aware they're in my wallet regardless. When I find a nice one that blocks RFID I'll probably get it, for now I'm confident the 'white noise' emitted from the plethora of plastic will do a half decent job.

    1. Chloe Cresswell Silver badge

      Re: Still not for me.

Or if it's some banks... you can just ask for a card without the contactless.

      1. 4ecks

        Re: Still not for me.

        HSBC did that for me. Card came with contactless, phoned them and got it disabled that day, new non-contactless card received a few days later.

        Still upset with their new less secure password only internet/phone banking logon facility that can't be disabled.

        I don't want it to be easy to make a payment or access my account, a minimum of 2FA please - something I have & something I know.

  9. Anonymous Coward

    Hang on, this is *news*?

    We tested NFC cards in the lab when they were introduced and we could read them comfortably from about 1m distance with not too much in the way of equipment. That was the last time any of us used an NFC enabled card, and this was when they first introduced this stupidity.

    Which? is a mite late to figure this one out IMHO.

    1. YetAnotherLocksmith Silver badge

      Re: Hang on, this is *news*?

      To be fair, they are flagging up that nothing has been done to fix this flaw yet, which is correct. And Which? is also correct.

      Regarding security, surely these are vulnerable to a MITM radio attack? Use a booster scanner to get the signal to your radio bridge, then beam both sides of the conversation to/from your fake card which has a tiny radio in it and that plays back whatever is asked to the real card.

      You know, just like car thieves do!

  10. Steve Davies 3 Silver badge
    Black Helicopters

    Is this just making the case for

    systems like Apple Pay?

or is that still vulnerable when you press on the fingerprint scanner and make the transaction?

    1. Anonymous Coward

      Re: Is this just making the case for

      The DPAN you would read from an ApplePay device won't work for a non-contactless transaction. Some contactless cards also have a different PAN in the chip from that embossed on the card, and the PAN captured in this way also wouldn't work for a non contactless transaction.

  11. Terry 6 Silver badge
    Joke

    Disappointed

    I thought the Which report was about recommending the best card scanner. :-)

  12. This post has been deleted by its author

    1. Anonymous Coward

      Re: banks

      Move banks. HSBC replaced ours in 2 days.

      1. Anonymous Coward

        Re: banks

        Just called NatWest. Two mins on the phone and a new card is on the way.

        No contactless.

        The person I spoke with said that she'd had four calls about this today. All El Reg readers by any chance?

        1. jonathanb Silver badge

          Re: banks

          It has been reported in the mainstream media as well.

        2. Alan Brown Silver badge

          Re: banks

          "No contactless."

          'Very well, I'd like to close my account.'

          Watch how fast they'll change that tune.

      2. PNGuinn
        Go

        Re: banks

        Also Natwest a few months ago. Sent me a new super dooper contactless debit card without asking my permission first. They obviously thought I was some sort of paranoid nutter, but the new standard card arrived a couple of days or so later.

        Silly beggars. They should have asked me first.

        If you have trouble with your bank I suggest microwaving the little blighter - shows up the antenna a treat. Then go in and show it to them telling them it went phatang and ask for a new one. Ask again for a non contact one. If necessary explain, politely, in pedantic detail, just why the old card went phatang and the reasons for the research.

For bonus points ask if they can supply pre-cut shielding so that you can phatang the remote reading bit on its own without disabling the chip and pin bit. Politely point out the health and safety and legal risks of cack-handed wielding of a craft knife.

        Be prepared to change banks if you have to, but at least you'll have upset them already before you upset them by closing your account.

        Double bonus points if you have an audio recording or better a video to share on social meeja if they still want to be eejits.

        1. Yugguy

          Re: banks

          Barclaycard only do contactless now.

    2. JP19

      Re: banks

      "will not give me the choice of having cards without it"

      The cards have an antenna coil which can be disabled with a small cut. On my cards it has been on the same side as the mag stripe. Some cards are transparent enough to see the coil when held to a very bright light (a phone flash LED can work).

  13. Anonymous Coward

    I still like the good old-fashioned hack

    Of eaves-dropping on people on the train who give out their card details in very loud voices when making purchases over the phone. Not that I've ever exploited it. But I have actually sat near a group who, from their conversation, were obviously highly paid 'digital' consultants. One of them went on to do just this, and the others failed to say afterwards that it was a silly thing to do. I was very tempted to say something as I got off the train.

  14. VinceH

    Optional

    Something nobody has commented on. Am I the only one who spotted it - or who didn't already know this information was stored on the card?

    "With an easily obtainable reader and free software to decode data, they were able to read the card number and expiry date from all 10 cards. Limited details of the last 10 transactions were also exposed."

    The Which? article merely says "We were also able to read limited details of the last 10 transactions" - so no more information there.

  15. Oldfogey
    Coat

    Soon....

    In September the contactless payment limit goes up to £30.

    If it's 5 uses before a pin is requested, then that could be £150 down the drain.

    My coat is the one with the lead lined pocket with a combination lock.

  16. Alan Denman

    finger licking good?

    Just maybe this means that for any upcoming iPhone thefts the thieves will let you keep your finger.

  17. Alan Brown Silver badge

    "With an easily obtainable reader and free software to decode data"

    You don't even need that - most smartphones have NFC in them now.

    12-13MHz cards can be read from a surprising distance if you're determined enough to try.
