back to article Stealing credit card details via NFC is easy/pointless

A US TV station has demonstrated how easy it is to lift credit card details from proximity-payment cards, though in the process showing just how pointless the activity is. The video does a nice job of demonstrating just how close you have to be to read a card, which are induction-powered so have very limited range; you needn't …

COMMENTS

This topic is closed for new posts.

Page:

  1. sT0rNG b4R3 duRiD
    FAIL

    To add on...

    If this is not an issue, Mr. Bill Ray, I would advise you to wear the usernames of all your accounts on your t-shirt. There's no password there so that's not an issue isn't it?

  2. Arctor

    Passthrough

    As other have pointed out this is not that much of a problem as reading the card is allowed.

    Each time you perform a transaction the card generate a unique cryptogram based on information from the reader so having read the data is no use unless you have the secure keys.

    As to the other information without the CVV2 code on the back of the card it shouldn't work for offline and with out the CVV/iCVV it won't work for mag stripe or chip. The track 2 mag stripe contains a CVV code which is different from the one on the back and cryptographically generated and designed to stop people making track2 data out of a PAN and expiry date.

    Where it could be a concern is if the 'card' present is actually acting a passthrough and then reading someone elses card like the person behind you. In this scenario the 'card' will connect (probably through some wireless tech like bluetooth) through to a unit in your pocket and then pass those details on to another card (like the person behind you.) This becomes a lot easier if the NFC chip is not a card but a mobile phone , like what google would like.

    PIN's and one time passwords can stop this but a PIN / password goes against the convience factor that is promised by NFC. I'm also unsure how succesful PIN will be given there is a good chance that the contact will break when someone needs to put the card down to key in a PIN.

    1. John Rose

      Questions

      Reading the Passthrough message made me wonder about existing chip & pin debit/credit cards (i.e. the standard ones used at ATMs etc). Am I correct in thinking that the magnetic stripe holds the PIN (as well as the bank account number) in a standard position on the tracks? Thus, a fraudster can work out the PIN? And that the card can therefore have its magnetic stripe contents copied onto a new card's magnetic stripe with the result that an ATM will accept the bogus card and give out money to the fraudster? If this is so, why do the banks still put a magnetic stripe on chip & pin cards?

  3. Anonymous Coward
    Anonymous Coward

    Obvious astroturfing obvious.

    The spec says a score centimetres. Other people have already demonstrated metres with suitably beefed-up equipment. Bill conveniently ignores this.

    Pickpockets have been with us for quite a while and are quite adept at their trade. Now they don't even need to reach /in/ the pocket any longer. That makes it /less/ dangerous for the criminals. Assertions that there are dangers to the criminals do nothing. They're less than before and if a little more doesn't deter then a little less certainly won't.

    Not having the CCV or even the address is not a problem in enough places to make scamming feasible. Skim and run. This gives the criminal a better lead because the theft is much less likely to be detected. Of course, digging into a TJX type goldmine of credit cards would be nicer, but this is nice and easy to do, so why not. Low profile hath its upsides.

    Skimming a lot of cards isn't too hard and random PIN checks are easily defeated by a deluge of cards to try. Recall that CAPTCHAs were considered defeated when automated recognition rates reached 30 or so percent. That PIN checking measure likely won't run to one in three. That's at least 60% of free success, without retrying later at a different terminal. This same math is what shows so painfully clearly why machine-driven anti-terrorist measures simply cannot work. Maybe that's why the banks like it so much: The governments swear by it, and that's where they get their bail-out money, after squandering yours.

    Soonish there will be more RFID-enabled things in the same wallet, some of which might reveal a name (hello RFIDed ID card*, RFIDed driver's licence, etc.), which in turn might be used to divine an address.

    But even without that, skimmed card numbers already are so much sellable raw material. Someone else in the criminal food chain will buy up the data, perhaps with skimming location, and divine things like probable address. Then sell the resulting package on to a cashing syndicate. This sort of thing already happens. Thus at the very least, RFID-read card credentials make for easy to get, good low grade sellings. For someone writing as much about this sort of technology as Bill does, he seems deliberately obtuse and oblivious to, to us techies very obvious, flaws in these toutings.

    Wonder what dear Bill is getting in kickbacks. At least we do know that *he* doesn't worry about people getting close, living out in the sticks.

    * I know, not in Blighty for the time being. Elsewhere in Europe, you are forced by law to always carry one.

    1. david wilson

      @Obvious astroturfing obvious.

      Even if there actually was stealable, misusable information on cards, and misuse got to be any kind of threat, would it be hard to have a whole slew of boobytrapped numbers as a response, the use of which either immediately raised an alarm at a point of sale, or kicked off a silent one, without asking for a PIN?

      If someone's grabbing data at random in a crowd, it wouldn't be hard to have any number of fake sources with suitable numbers on them in likely skimming locations.

      A smart active source could also detect one or more attempts at making contact. Having detectors fixed, and done somewhere with CCTV coverage and multiple reporting sources, it might not be hard to pick up what was happening, and identify who's doing it.

      A sensitive detector that picks up attempted contact could also be used to quickly narrow down possible perpetrators

  4. Anonymous Coward
    Thumb Down

    Pointless

    First, despite reading all the (admittedly good) points made in this thread, I am convinced that NFC credit/debit cards are,at best, pointless and at worst, dangerous.

    Why are they pointless? Take my own card use. When I use my current cards, it takes me maybe 20-30 seconds per transaction. This includes entering the PIN and authorising the card. I do maybe one or two transactions each day (at most). Using NFC card would reduce this to 15-20 seconds.

    Now, if my day is packed enough that a 20 or 30 second saving in time is a big deal, then, tbh, I need to look at my time management.

    Why do I say it's dangerous? Simple. The cards may use various algorithms, keys and other data that is never transmitted. But, the algorithms used to generate these *will* be cracked. Anyone that thinks they won't just needs to remember that they thought that both DVDs and Blu Rays could not be cracked.

    Fixing the algorithms would probably require replacement of the cards. It won't just be a case of fixing them remotely, as if the cards can accept that kind of programming remotely, the criminals could well use that..

    OK, so the banks do replace the cards already, but this happens once every 12, 18 or 24 months. Please tell me the banks won't have people wandering round with compromised cards for 24 months, or even 12.

    Could someone tell me the actual benefit of having my card transmit my details to all and sundry? OK, so they may use one shot codes, but, TBH, the banks could implement those on Chip and PIN cards, without the potential security problems caused by the transmission of the data wirelessly.

    1. david wilson

      @Pointless

      >>"Why do I say it's dangerous? Simple. The cards may use various algorithms, keys and other data that is never transmitted. But, the algorithms used to generate these *will* be cracked. Anyone that thinks they won't just needs to remember that they thought that both DVDs and Blu Rays could not be cracked."

      Though for online transactions, it's perfectly possible for an encryption algorithm to be public, but for a given card's encryption key to be purely random, and known only to the card and the issuer, so that it's possible to verify that only the one true card could be the source of the responses.

      With a series of small data transfers that would be easy to muddy with padding data before encryption, it may be impossible for a key to be deduced from a card's lifetime transactions.

  5. Fred Flintstone Gold badge

    You can read them from a much larger distance

    Your principal weapon of choice if your aerial. Right after that you can mess around with the receiver circuitry because at distance you get much less return signal (hence the need for a larger aerial) so you need to do some more work to preserve a decent signal-to-noice ratio.

    AFAIK, under ideal conditions 30m is possible. This is not as much as passport RFIDs - I think their max range is now somewhere around 70m.

    I will avoid these things like the plague. It's all jolly well announcing random PIN checks (which nullifies the whole "wave" idea, ahem) but in volume you can just annulate the transactions that need PIN. Get a merchant account and put up a tent at Oxford Street and presto, merry Xmas..

    1. Anonymous Coward
      Anonymous Coward

      Err...

      You are getting NFC and RFID confused.

      RFID can be read over fairly large distances, NFC relies on induction to power the chip and cannot.

  6. John Smith 19 Gold badge
    Joke

    NFC details not worth stealing

    *yet*

  7. M Gale

    £15? Price of a cup of coffee?

    Where's that, Harrods?

    Yes, £15 is the maximum spend for this sort of thing. So.. you buy £15 worth of something in one shop, £15 in another, £15 in another, £15 in another, and throw the card away when it asks for a PIN. Sell the gear you got for £5 cash each, then go over to your dealers for enough smack to kill an elephant.

    Yeah, not worried about NFC at all, me.

  8. John Rose

    Further to questions about passthrough

    I've just read about Skimming (on Wikipedia). And, as I understand it now, a skimming device attached to an ATM allows the card owner's PIN to be read as it is keyed by the owner and the card's magnetic stripe contents to also be read. Thus a fraudster would duplicate a card's magnetic stripe onto a a 'blank' card and the be able to extract cash from an ATM using the read PIN. I do not understand why banks still put magnetic stripes onto chip & pin cards, since the chip is very difficult to copy onto a 'blank' card. Can anybody explain why?

    1. Anonymous Coward
      Anonymous Coward

      Magstripe

      The magstripe is still required due to the many countries who haven't moved over to chip and pin, it's basically a legacy thing. The only times that you'll use a magstripe in the UK/EU (and other c'n'p regions) is when the chip reader is broken (ATM or POS PED) and the merchant is trusted to use magstripe or if you're card doesn't have a chip - ie you're a tourist.

      1. John Rose

        Magstripe

        So if a fraudster used a skimming device to read the PIN as it's keyed and its also took a copy of the magstripe's contents, then your account may be pillaged at ATMs. Why have consumer organizations not requested the banks to issue 2 cards: one with a chip & no magstripe and one (if wanted by the customer) with a magstripe?

        1. Anonymous Coward
          Anonymous Coward

          @John

          There are fairly few ATMs which will allow a card that has a chip to auth using a magstripe. Mostly the ones that will let you are in a bank in what is considered to be a low risk area.

          1. John Rose

            ATMs using magstripe on chip & pin cards

            Is it possible to obtain a list of ATMs which allow using magstripe on chip & pin cards? BTW I have found that approximately half the ATMS in central Wolverhampton will not accept my Chip and Pin card after I 'cleared' the magstripe using a Neodymium (i.e. strong) magnet.

  9. Tom 7 Silver badge

    Bankings getting more like the casinos and one armed bandit makers

    Sure there are ways to buck the system - they're even designed in by the manufacturer. One excuse as to why you pay 5% for an electronic transaction that should be virtually free to both parties is to cover the costs of fraud- I bet they make more money 'managing' the fraud than moving the cash and the figures leftover reveal they aren't making excessive profits in case of a government enquiry into excessive charges.

    And they need to sell some cheap electronics at vastly inflated cost to cover the salary increases they've implemented to cover the reduced bonuses at the bank.

  10. Bod

    NFC

    I do a little bit of NFC stuff through work and having the kit tried it out on my bank card. Oh look, I can read the details!

    But that's as far as I got. As said, it's not much use for online and no use in a shop if a PIN is requested.

    The only risk is for the small contactless cash payments where you are lucky enough to not be asked for a PIN. Yes it's small amounts, but then stolen credit cards are often used in bulk for small payments anyway (had mine done a few times like this). The thieves don't really care if some cards are blocked and the transactions are limited to £10.

    I doubt this is any more of a risk compared to stolen card details online, and probably less of a risk as it's easier to steal the details from leaking online sites than it is to go around the high street bumping into people in the hope of stealing their NFC data (and you have to get the reader fairly close to the card for it to work reliably).

    Maybe just having two NFC cards in your wallet is enough to stop this anyway as I suspect it would confuse the reader. Or some kind of shielding in wallets. Tin foil?

  11. Kubla Cant Silver badge
    Unhappy

    The wonders of plastic

    Nothing to do with NFC, but an indication that the brave new world is still some way off:

    On Saturday I tried to order a laptop from HP. It was a gift for sombody resident in the USA, so it made sense to order from HP's US web site. No go - you can't enter a cardholder address in the UK as it has no state or zip code.

    So I phoned HP's sales line in the US. The bozo on the line told me they couldn't accept non-US cards because "people from all over the world would do it to get the US prices". The bozo's supervisor (superbozo?) agreed to try to process the order but was unable to do so - I suspect she was just using the same crappy web forms as me.

    So it seems the only way to get an HP computer delivered to a US address and paid for with a UK card is to have it shipped across the Atlantic. Some business model.

    I don't know why, but I'm always suprised at how bureaucratic, xenophobic, and just plain old-fashioned the USA is.

  12. Anonymous Coward
    Anonymous Coward

    so far

    every comment has focussed on a man in the middle attack. That doesn't worry me as much as a rogue vendor, with an overpowered reader charging me for a newspaper, or coffee, everytime i walk past.

    1. Anonymous Coward
      Anonymous Coward

      Ok...

      Please try to understand:

      NFC DOESN'T WORK LIKE THAT

      And

      THE POS/PED IS SEALED AND WILL BREAK ITSELF IF OPENED FOR MODIFICATION.

    2. david wilson

      @so far

      >>"That doesn't worry me as much as a rogue vendor, with an overpowered reader charging me for a newspaper, or coffee, everytime i walk past."

      Even if it was possible to hack the reader hardware, all it would take would be a small proportion of 'active' devices in the general population to make the chances of quick detection high, and for a scam's lifetime to be too short to be worthwhile.

      If there was NFC in phones, etc, it'd presumably not be hard to have a phone set to vibrate or chime on the completion (or attempted start) of a transaction. Someone having their phone going off unprompted would be likely to be suspicious.

Page:

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019