Who's laughing now???
Not all you downvoters who mocked my RFID-proof wallet, that's for sure.
Aint noone slurping my details.
Consumer association magazine Which? has highlighted a security flaw in contactless card systems, which, if combined with a lack of checks by retailers, could be exploited by thieves to make expensive online purchases. Researchers bought contactless card-reading technology from a mainstream website before using it to remotely …
Contactless cards are a bad idea - they're easy to scam and let's face it, most of us have several cards, so at £30 per transaction per card, that soon adds up to £100s just by some scammer with a scanner brushing by you and swiping your card details.
So the aluminium/tinfoil+duct tape home-made wallets do work and if you are careful, cutting off a corner of your card should break the RFID aerial. But if you just contact your bank and demand a non-contactless card they are obliged to send you a replacement one - that way you can make it plain you don't want any contactless (securityless) cards.
Thing is - this is a scam - by the banks, they don't want you to pay for stuff with cash because they can't control the transaction, they want to skim a little bit off every transaction in micro-fees. If there is fraud, they will simply refund it and recoup the costs through lower-interest rates and/or bank charges - so as always you the consumer lose.
Contactless sucks - call your bank and demand a conventional card.
Apart from handing my passport to border control and (depending on airport) the check-in staff, I do not let my passport leave my pocket/hand, and my cards stay in my pocket too. There is no way on earth I'm putting them in the tray. I'd be pissed off if my wallet/ebook/phone went missing, but they are all insured and easily replaceable - not so my passport and cards.
While I upvote your RFID wallet, the key thing here is not the stealing of the card number, but the fact that merchants are accepting orders without checking the details. Why bother even stealing card numbers if the merchant isn't validating the address and CVV? Just make numbers up (there's a formula) and put the orders through, some will fail but I'm betting some will succeed.
Security works best when it's multi-layered. An RFID wallet is one good layer, but an RFID wallet is just as easily pick-pocketed as a standard wallet, so that's where all other protective measures come into play. The big issue comes when banks refuse to acknowledge fraud is possible at all stages.
"Official fraud figures show losses attributable to contactless fraud are less than 1p per £100, a very small percentage of the overall figure."
If the banks behave the same way as they usually do, they won't just refuse to acknowledge fraud is possible, they will have their defrauded customers arrested.
So it's hardly surprising that their official fraud figures are low.
"Not all you downvoters who mocked my RFID-proof wallet, that's for sure.
Aint noone slurping my details."
From the article:
"The hack relied on getting volunteers to tap their cards onto a bogus card reader."
"“I don’t think the fact it is contactless is the issue here, as a traditional card skimmer would be able to take those details even from a traditional chip and pin purchase," Dine said."
I don't think your tinfoil wallet is going to help all that much, since your details can still easily be slurped if you ever actually use your card. This study had absolutely nothing to do with contactless cards, exactly the same could have been done using the magnetic stripe, chip and pin, those funny machines where they stamp the numbers onto carbon paper, or just looking at the card and remembering the numbers. As long as using your card involves potentially untrustworthy people and hardware (i.e. always), this problem is going to be present. It doesn't matter how safe you keep your card when not in use, it's the use itself that is inherently insecure.
My Visa cards almost always ask for the 'verified by Visa', but I often pay with one of my girlfriend's Mastercards, and I don't think I've had their equivalent pop up more than once or twice, even though it's set up on all her cards. The box usually flashes up in passing, but that's it.
It certainly used to be common for suppliers to do offline auths - they'd save the card data entered on the website and process it in batch along with their mail order card auths. This is insecure for the merchant if they don't take the CVV and match the delivery and billing address. However, it's insecure for the customer if they do, as the merchant has an electronic record of all that information, possibly in perpetuity.
This isn't supposed to happen any more (PCI rules), but it's not uncommon for merchants to "take a view" on the risk of non-compliance (particularly if they're at a level they can self-certify), much as they do on the benefits vs. risks of ignoring the Data Protection Act.
The vendor is not allowed to store the CV2, which means that they can only take it if they bill you that second. However they are not allowed to bill you until they actually supply the goods or service (in the UK). Anyone who takes an order and then sends it later cannot officially use the CV2.
I'd be more upset that they've created a new system that has EXACTLY the same, known flaw as the last one, which is that it always uses the same number for every single transaction. Was it designed by someone more stupid than Homer Simpson?
Ok, you're going to struggle to buy thousands of pounds worth of goods with this - but surely the real way to abuse this system is with a cloned card and just keep paying for little things? Keep a stack of them and never pay for your tube journey again. Never pay for your petrol again (only fill up 1/4 of a tank at a time). Never pay for your round in the pub again... That's what has always really worried me about this contactless thing. Just because it's a small amount of money per transaction doesn't mean someone couldn't systematically steal a lot from you before your next bank statement arrives - I mean, who actually checks theirs daily to make sure it all lines up?
[comment]Ok, you're going to struggle to buy thousands of pounds worth of goods with this - but surely the real way to abuse this system is with a cloned card and just keep paying for little things? Keep a stack of them and never pay for your tube journey again. Never pay for your petrol again (only fill up 1/4 of a tank at a time). Never pay for your round in the pub again... That's what has always really worried me about this contactless thing. Just because it's a small amount of money per transaction doesn't mean someone couldn't systematically steal a lot from you before your next bank statement arrives - I mean, who actually checks theirs daily to make sure it all lines up?[/comment]
Sigh... your comments are typical of the ill informed "security researchers" that pop up every now and again to tell the world (and sell a story to a newspaper) about some hole in EMV or contactless.
Your idea of living off someone's card is unworkable. It is sad because a little lie goes a long way on the internet. The terminal generates a random number which then forms the ARQC that the issuer validates. So unless you can pre-predict the random number that the terminal will generate your idea is a crock shite (excuse my french).
Ok, sugerbear*
So, I borrow your contactless card in the pub and go get your round in for you. I don't need your pin, I don't need your address, I just press the card against the reader the nice barman points at me, and I paid for some beers with your card. Job done. Beers for the both of us.
Now let's say I take your card without asking. I can still do this. You'll get wise pretty soon, because you'll notice your card is missing and cancel it, but I have at least that long to enjoy tasty, tasty beers on you.
If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy - A thing we know to be possible because it happens already - then I can keep paying for things with it as long as I never go over £20 and the place I'm buying from supports tap-to-pay, right up to the point your next bank statement rocks up and you notice that you've been spending an awful lot more time in the pub than is plausible for someone earning an honest living.
So, sugearbear**, at what point do I need to start predicting numbers in this scenario?
* This was worth it just to say that...
** Still funny.
If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy - A thing we know to be possible because it happens already - then I can keep paying for things with it as long as I never go over £20
There is supposedly a second level of protection, after some small (5-6?) number of transactions the terminal will ask for a PIN, just as a check. I have no idea if this actually happens (my contactless card has a hole through the antenna), nor if Apple Pay implements it, though.
@ theOtherJT
You would have to steal my card first. But fair enough, you take my card and use it to buy everyone a round in the pub. I report it to my bank and the money is refunded, I have lost nothing in that scenario because I have not been negligent. You may or may not be filmed on CCTV buying those beers and if you are the type of person that does that kind of thing you are at some stage going to get caught.
"If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy" how have you cloned the secure element of the chip and extracted the keys? Do you have access to a lab of some sort?
@Sugerbear
Except it isn't is it? Not really. I don't see why a few small purchases throughout the month wouldn't have a reasonable chance of going unnoticed by the sort of person who uses wireless to pay for small things. So, you know, not really a crock at all, unless you can explain exactly how your ARQC reference would actually stop someone doing this?
@Dabooka.
You don't understand because you don't understand how EMV works maybe?
Anyway, short answer
The terminal generates a random number that is sent to the card along with a bunch of transaction info. The card then uses a secret key to generate an ARQC. The terminal then sends the random number + transaction information to the issuer who also holds a copy of the secret key. The issuer then uses the information supplied to the chip to recreate the ARQC and compare it to the one the chip generated. You can check the EMVCo manuals if you want to investigate further.
If you understand how it works you will understand why cloning a contactless transaction so you can use it later in a contactless terminal won't work because you can't predict the random number that the terminal will send to the card when you attempt to replay it.
Possibly we're misunderstanding one another here, sugarbear*
I'm not worried that someone is going to wirelessly snoop my card. I'm worried that someone is going to clone my card by other means - as actually happened to me a few years back - and it's going to be basically impossible for me to prove to my bank that I'm not the one ringing up the massive bar tab.
Maybe they'll be kind and refund me anyway - but that wasn't my experience last time. It was a bit of a pain.
What you seem to be saying is that the chip in the contactless ones is harder to copy than the one in the old chip-n-pin style ones, is that so?
* last time, I promise, but your handle is cute and makes me smile every time I say it!
@theOtherJT what sugarbear is saying is that it isn't possible to make a working replica contactless card using the information that can be obtained from the card. If you have in the past had your card cloned, either
1. The information from the card was used to shop online
2. The card was used in a store with the details read from the mag stripe or entered directly into the till
This article is about lax security verification in online stores. The contactless card part is moot, I could obtain this information using CCTV cameras, if you have an American express card I can even get the CV2 since this is on the front of those cards.
To add to your post, the chip in the card generates the ARQC which is sent to the card issuer, the card issuer verifies this as being genuine with an ARPC response to the card which validates it received a response from its issuer.
https://www.visa-asia.com/ap/center/merchants/productstech/includes/uploads/CTENov02.pdf
http://www.atmmarketplace.com/videos/arqc-and-arpc-generation-and-validation/
Simply reading the card data with a reader should not be enough to clone it as you actually need the chip in the card to do the encryption handshake at the point of sale.
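Added example, not part of the original thread: a small Python simulation of the exchange described in the comments above (terminal random number, card ARQC, issuer recomputation, ARPC back to the card), showing a recorded ARQC being rejected at a later tap. The class names, the HMAC-SHA256 stand-in for the card's MAC and the placeholder PAN are assumptions for illustration, not the EMV algorithm.

```python
import hashlib
import hmac
import secrets

def mac8(key: bytes, *fields: bytes) -> bytes:
    """Stand-in MAC (HMAC-SHA256 cut to 8 bytes); real cards use a different algorithm."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()[:8]

class Card:
    """Genuine chip: the secret key never leaves it, only cryptograms do."""
    def __init__(self, pan, key):
        self.pan, self._key = pan, key
    def arqc(self, un, amount):
        return mac8(self._key, un, amount)
    def check_arpc(self, arqc, arpc):
        return hmac.compare_digest(arpc, mac8(self._key, arqc, b"approved"))

class ReplayClone:
    """Holds only what a reader can capture: the PAN and one recorded ARQC, no key."""
    def __init__(self, pan, recorded_arqc):
        self.pan, self._recorded = pan, recorded_arqc
    def arqc(self, un, amount):
        return self._recorded  # cannot compute a fresh cryptogram for the new number

class Issuer:
    def __init__(self):
        self._keys = {}
    def enrol(self, pan):
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        return Card(pan, key)
    def authorise(self, pan, un, amount, arqc):
        """Recompute the ARQC from the terminal's data; return an ARPC on a match, else None."""
        key = self._keys[pan]
        if not hmac.compare_digest(arqc, mac8(key, un, amount)):
            return None
        return mac8(key, arqc, b"approved")

def tap(card, issuer, amount):
    """One terminal transaction: fresh random number, card ARQC, issuer check."""
    un = secrets.token_bytes(4)  # terminal's unpredictable number, new on every tap
    arqc = card.arqc(un, amount)
    return arqc, issuer.authorise(card.pan, un, amount, arqc)

def demo():
    issuer = Issuer()
    card = issuer.enrol("PAN-CONSTRUCTED-0001")  # constructed placeholder, not a real PAN
    arqc, arpc = tap(card, issuer, b"000000000450")
    genuine_ok = arpc is not None and card.check_arpc(arqc, arpc)
    clone = ReplayClone(card.pan, arqc)  # replays the cryptogram captured above
    _, clone_arpc = tap(clone, issuer, b"000000000450")
    return genuine_ok, clone_arpc is not None

if __name__ == "__main__":
    print(demo())
```

The genuine card is approved and validates the issuer's ARPC, while the replayed cryptogram fails because it was computed over a different terminal random number.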
This tech as implemented, was designed for warehouses. It should NEVER have been mis-applied to passports, credit/debit cards, retail labels, travel and door locks.
A connector (such as on cards already) is better. Though there is a horrible flaw in Chip and Pin that need not exist.
For retail tags any info should be in a database, only a serial number for warranty return purposes in the product.
No CVV and no Verified by Visa / Mastercard Securecode?
Name and shame the sites and get the banks, Visa and Mastercard to refuse to allow online transactions with them.
Bypassing the most fundamental of security checks is ridiculous, and I would've thought the retailers themselves would have to stand to any losses.
When my CoOp debit card was used rather naughtily a couple of years ago, the chap on the phone was chatting while we went through the transactions. He said (and I have no reason to disbelieve him) that they’ll often try a mobile top up of £10 or suchlike to see if the card's active and open to be hammered, and that they require next to no security checkups.
I know this argument goes on and on, but I STILL don't see the need.
I don't and won't use contactless but I am aware they're in my wallet regardless. When I find a nice one that blocks RFID I'll probably get it, for now I'm confident the 'white noise' emitted from the plethora of plastic will do a half decent job.
HSBC did that for me. Card came with contactless, phoned them and got it disabled that day, new non-contactless card received a few days later.
Still upset with their new less secure password only internet/phone banking logon facility that can't be disabled.
I don't want it to be easy to make a payment or access my account, a minimum of 2FA please - something I have & something I know.
We tested NFC cards in the lab when they were introduced and we could read them comfortably from about 1m distance with not too much in the way of equipment. That was the last time any of us used an NFC enabled card, and this was when they first introduced this stupidity.
Which? is a mite late to figure this one out IMHO.
To be fair, they are flagging up that nothing has been done to fix this flaw yet, which is correct. And Which? is also correct.
Regarding security, surely these are vulnerable to a MITM radio attack? Use a booster scanner to get the signal to your radio bridge, then beam both sides of the conversation to/from your fake card which has a tiny radio in it and that plays back whatever is asked to the real card.
You know, just like car thieves do!
The DPAN you would read from an ApplePay device won't work for a non-contactless transaction. Some contactless cards also have a different PAN in the chip from that embossed on the card, and the PAN captured in this way also wouldn't work for a non contactless transaction.
Also Natwest a few months ago. Sent me a new super dooper contactless debit card without asking my permission first. They obviously thought I was some sort of paranoid nutter, but the new standard card arrived a couple of days or so later.
Silly beggars. They should have asked me first.
If you have trouble with your bank I suggest microwaving the little blighter - shows up the antenna a treat. Then go in and show it to them telling them it went phatang and ask for a new one. Ask again for a non contact one. If necessary explain, politely, in pedantic detail, just why the old card went phatang and the reasons for the research.
For bonus points ask if they can supply pre-cut shielding so that you can phatang the remote reading bit on its own without disabling the chip and pin bit. Politely point out the health and safety and legal risks of cack handed wielding of a craft knife.
Be prepared to change banks if you have to, but at least you'll have upset them already before you upset them by closing your account.
Double bonus points if you have an audio recording or better a video to share on social meeja if they still want to be eejits.
"will not give me the choice of having cards without it"
The cards have an antenna coil which can be disabled with a small cut. On my cards it has been on the same side as the mag stripe. Some cards are transparent enough to see the coil when held to a very bright light (a phone flash LED can work).
Of eaves-dropping on people on the train who give out their card details in very loud voices when making purchases over the phone. Not that I've ever exploited it. But I have actually sat near a group who, from their conversation, were obviously highly paid 'digital' consultants. One of them went on to do just this, and the others failed to say afterwards that it was a silly thing to do. I was very tempted to say something as I got off the train.
Something nobody has commented on. Am I the only one who spotted it - or who didn't already know this information was stored on the card?
"With an easily obtainable reader and free software to decode data, they were able to read the card number and expiry date from all 10 cards. Limited details of the last 10 transactions were also exposed."
The Which? article merely says "We were also able to read limited details of the last 10 transactions" - so no more information there.