back to article Stealing credit card details via NFC is easy/pointless

A US TV station has demonstrated how easy it is to lift credit card details from proximity-payment cards, though in the process showing just how pointless the activity is. The video does a nice job of demonstrating just how close you have to be to read a card, which are induction-powered so have very limited range; you needn't …

COMMENTS

This topic is closed for new posts.
  1. Whitter
    Joke

    Horses for courses

    Potentially handy for American diplomats at the UN then?

  2. Anonymous Coward
    FAIL

    NFC Scanning is pointless?

    Surely if an NFC card can be used to make payments then a payment can be sucked out of it by the bloke next to you in the tube... They said Chip&Pin couldn't be hacked only to be proven wrong.

    Obvious methods are:

    1) Copy details from as many cards as possible and process them en-masse through a broken/modified NFC till, small amount x many transactions = big number.

    2) Duplicate cards and sell them 'in the pub' - punter beware but seller long since gone.

    Sounds like tech best avoided!

    1. BristolBachelor Gold badge

      Also will anyone notice?

      There was something in the press recently about a gang that raised a lot of money by making very small (maybe < $0.50?) transactions to various credit cards. Most people didn't bother to contest the charge because it's too much hastle, hence they got away with it for a long time.

      Now imagine that your credit card bill lists every transaction you make for a bus ticket or newspaper, at several transactions for a few pence every day. Probably very few people would even spot what you have done, let alone complain...

      1. david wilson

        @BristolBachelor

        >>"Now imagine that your credit card bill lists every transaction you make for a bus ticket or newspaper, at several transactions for a few pence every day."

        On the other hand, If there were online readers reporting transactions quickly, the trail could provide a record of where you are or have recently been, allow odd transactions to get rapidly flagged up, and maybe even get warnings/temporary blocks sent out, and so could make cloned details rapidly useless.

    2. Anonymous Coward
      Boffin

      Some details...

      The details read from the card are there TO BE READ. It's actually part of the design! :) So someone being able to read them is nothing particularly amazing.

      When you perform a transaction, the card generates a cryptogram using secret keys on the card that only the card issuer knows and the card never reveals. This cryptogram changes each time based on things like amounts, but also transaction counters.

      An online transaction sends the cryptogram to the issuer for checking (basically, they perform the same calculation and compare the results). Without the correct keys, the cryptogram will not verify and the transaction is declined.

      An offline transaction is where the cryptogram is sent later, in a batch with others. By the time this happens, the goods/service will have been provided and someone will have pocketed the profit.

      Most transactions in the US are online transactions, so are well protected against making up fake cards.

      Something else to note is that contactless cards can have 2 or 3 account numbers on them. Contact for Chip + PIN (printed on the front), mag stripe (possibly same as contact) and contactless (different from the others). If a contactless account number is read from the card, but submitted via a webpage (e.g. mail order), then it'll be declined. This stops people using the contactless account number for card not present transactions.

      So the real risk is for offline transactions. However, in a dispute, it's very easy to check the cryptogram and see that it wasn't correct - so the card holder shouldn't need to prove they didn't perform the transaction.

      1. Tom 35 Silver badge

        What?

        "This cryptogram changes each time based on things like amounts, but also transaction counters."

        And how is this unpowered chip going to know any of that? The only thing it could do would be a challenge / response using a secret key.

        1. Anonymous Coward
          Anonymous Coward

          @Tom

          RFID and NFC power the chip by inducing current, like a transformer.

  3. Anonymous Coward
    Anonymous Coward

    and the benefits over cash are?

    I keep asking this question but no-one seems to have an answer;-

    If i use the nearest of near field comms;- contact through putting coins in the shopkeep's hand then i do not need to be concerned about skimming in my pocket. Problem solved by keeping it simple, stupid.

    No one seems to have done a cost benefit analysis on NFC or why i need it.

    1. BristolBachelor Gold badge
      Joke

      benefits over cash

      1. Visa makes no money at all when you use cash. When you use NFC, they can charge a handling fee...

      2. Someone has to count all that cash and take it to the bank before someone else turns up with a cucumber in a carrier bag and asks for it instead.

      3. The coins keep wearing holes in the pockets of my jeans.

      4. Someone might use fake cash, and the shopkeeper will be out of pocket. NFC could never be used fraudulently.

      Of course cards with contacts solve all these problems too!

    2. Anonymous Coward
      FAIL

      Advantages over cash

      There are quite a few cards giving you 1% cash back on all your transactions here in US; if you pay in full each month this is free money. I have no reason to carry cash with me - if I lose the card I have zero liability, while cash it is gone forever. In addition, there is a lot less bulk and weight to carry around compared to cash, and it is accepted everywhere.

      Chase sent me a replacement card with RFID built-in and cash back; for now it is stored in a full metal jacket as I keep on using my old cards, with no RFID stuff built into them.

      Reading the number and expiration date with off-the-shelf equipment makes the job easier for crooks; they need less work to figure out the rest. Now you need to worry if the guy who just walked with you for the past 30 minutes is following you home to get a name and an address to go with the CC number he just got in the bus or if he is just a new guy living in the area....

    3. Michael C

      Well....

      1) if very few people have more than spare change in their pockets, criminals have less incentive to rob people.

      2) no trips to ATMs/banks to refill cash supply

      3) sales tax gets paid 100% of the time (no under the table deals)

      4) Receipt trail (a card number can be used to look up a lost receipt, no such luck for cash), so I can always get proof of warranty later if i loose a receipt, and return things without one too.

      5) I pay the same price either way, but i get points using the card, extended warranties, theft protection, and I can stop payment if I think I git screwed or they refuse a product return.

      6) lost card != lost money (especially most that have fraud/theft protections on plastic too)

      7) Merchant can't be given counterfeit money (and even fraudulent transactions are guaranteed to be paid to him if Visa approved it).

      8) No "crap, i don't have enough cash on me" moments what waste time and turn into no-sale with customers (and also no "sorry you made that pizza, but i only have $5, so, throw it out I guess." moments either)

      9) Merchant can't get robbed for as big a loss since less cash is on hand.

      10) less time counting down the till, and less mistakes too.

      11) harder for cashiers to pocket a transaction instead of ringing it through. (charge customer cash, cancel transaction at last second, pocket money, no longer possible).

      12) costs the same, roughly, as processing a check, but is more secure and comes with guarantees for the merchant.

      I can easily go on.

      1. Goat Jam

        Paying the same price

        "I pay the same price either way"

        Not in Australia you (increasingly) don't. The big stores all charge a flat rate still but down here, service stations and smaller retailers are increasingly charging a 1-2% credit card transaction fee.

        Amex users are hit the hardest.

      2. M Gale

        Do you trust Mastercard or Visa?

        "1) if very few people have more than spare change in their pockets, criminals have less incentive to rob people."

        And more incentive to point a gun at you and direct you to the nearest ATM.

        There's some advantages to plastic, but you'll never replace the instantness and convenience of cash. Plus the government can't stop you spending it, the US government in particular can't decide that you are unfriendly to their interests and bar your account (yay wikileaks), and you don't have every single transaction on a record.

        Frankly I'd rather retain that level of control.

    4. bazza Silver badge

      No card necessary

      The only practical advantage NFC can have over existing chip 'n' pin readers is that the 'card' need not actually be a card. It could be a mobile phone. Japan already uses mobiles for this purpose, and you can link it in to your mobile billing to keep it topped up. It is quite neat and handy, you're never short of loose change.

      Of course, that does nothing to prevent skimming. However the phone could act as a management app for the NFC payments. You could get a listing of all transactions anytime anywhere, so you might be able to rapidly spot dodgy transactions. Also the phone could turn off the NFC part whilst, for example, your phone keypad is locked. That would do a pretty good job of preventing skimming. I think that some of (if not all) of these possiblities are already on Japanese mobiles.

      Personally speaking I agree with yourself - cash is straight forward and the worse that can happen is losing it. I don't see why a card needs to be NFC. We're quite good at putting cards in slots at the moment, so why does that aspect of their use need to change? The only true benefit of NFC is that something other than a card, like a mobile, can do the job instead.

    5. Knowledge
      Black Helicopters

      the benefit is,,,

      it is a step towards the obsolescence of cash.

      No cash = no cash-in-hand = more tax for the greedy bastard government.

  4. BristolBachelor Gold badge

    Further distance too?

    I seem to remember demonstrations of reading contactless cards from a greater distance by using a much higher powered reader that could energise the card from further away?

    All you need to do is transmit enough welly at the thing, which is trivial, and have a very sensitive receiver (which is harder, but where money is concerned, do-able).

    It seems to me though that the problem is the same old one. The card gives up the magic number that is the 16 digit account number, and that same number can make unlimited transactions! Why is it that the rest of the world has moved on to one-time transaction codes and salted hashes / public-private keys, but the people who "look after" our money for us are still doing it the stone-aged way?

  5. Richard Wharram
    Stop

    Title

    There are several countries where you don't need a CVV to do credit card transactions. Lift the details and sell them onto foreign gangs.

    ...

    Profit.

    1. Anonymous Coward
      Anonymous Coward

      selling credit card numbers

      Nowadays even in batches of 1000 cards, a credit card will go for 2$ USD. An identity (DOB, name, surname, address, phone number), will instead go for 50$ USD. With an identity you can apply for many cards... with a stolen card you get a few free transactions, if any.

    2. Bod

      not just countries

      Amazon don't require it either!

  6. DrXym Silver badge

    NFC has obvious security issues

    NFC strikes me as a solution in search of a problem. Yes it has benefits and in some cases such as tagging on & off of public transport perhaps NFC is justifiable. I don't think it is particularly handy for purchases either to the store or to the customer. If users are randomly challenged for a PIN, the system is going to be more of a pain in the arse than always being challenged.

    People who say "it doesn't matter", or "thieves can't do anything with the data" don't get it. The point is that someone walking past me is able to obtain information without physically removing it from my person. By the time I check my card next there might be dozens of small payments on my card. Depending on what information leaks over NFC they may also be able to clone my card, or find out my name & details or other personal info. Perhaps stores and / or casinos could also create chokepoints where people must pass NFC readers which skim numbers (and RFIDs embedded in clothing etc.) to aid with tracking of particular people.

    Let's hope the NFC code changes with each challenge and there is no obvious association between the NFC value and the card's name & number. At least that way, perhaps there is no way to clone a device or track someone or replay a code to simulate a transaction.

    1. Anonymous Coward
      Thumb Up

      People are naive

      "People who say "it doesn't matter", or "thieves can't do anything with the data" don't get it."

      Absolutely!

      Didn’t Jeremy Clarkson challenge anyone to try and do something with his bank account number and then regret the challenge? Why obscure the card details on receipts if the information is so innocuous?

      1. Anonymous Coward
        Anonymous Coward

        @aTallPhotoPerson

        Yes, he did... Someone setup a Direct Debit with his account number/sort code (AFAIK not available from the NFC application on the chip.) he called up the bank, the money was refunded through the Direct Debit Guarantee. End of story.

      2. John Smith 19 Gold badge
        Happy

        @TallPhotoPerson

        "Didn’t Jeremy Clarkson challenge anyone to try and do something with his bank account number and then regret the challenge? "

        He did.

        Someone did. IIRC They put him down for a standing order to a charity. He didn't think preventing identity theft was that difficult.

        Doesn't think that now though.

      3. Alexander 3

        very true...

        Very true, but this is more because the current system is inherently insecure, built before proper technological security maturity. If you can build an inherently secure system, then the need for "security through obscurity" - the current setup - is not needed. In that world, while I would certainly prefer my details remain private wherever possible, I would also be assured that their being public is not going to be harmful to me.

  7. RollinPowell

    skimming danger

    the real danger would be someone setting up a skimmer near a NFC payment contact point and collecting all the transactions. But people do that now with ATM's and magstripes so it's not really a new threat - it's just much easier to build a discreet skimmer for NFC than magstripes.

  8. Anonymous Coward
    Unhappy

    Electronic Track2 communications ...

    The main way in which sniffed 'NFC communications' from a credit card would be used would be to burn the data onto a goold old fashioned magstripe card. THen, just use the 'backward compatibility' features left around by the issuing connunity to commit good, old-style fraud. No need to worry about PIN or security code because of the good old excuse of "looks like the chip's broken"

    Worrying ... especially the complacency of the payPass/SecureWave pushers.

    1. Anonymous Coward
      Boffin

      Wouldn't work...

      The account number for contactless interface is different to the magstripe account number. Presenting the contactless account number to a magstripe reader would cause the transaction do be declined.

  9. Anonymous Coward
    Stop

    Which is why I don't trust 'em

    I either request a card from the bank without a chip in it, or if the bank / cc company refuses, then the application of a dull implement to the chip gives a satisfying crack of silicon and no more NFC from me.

  10. Anonymous Coward
    Anonymous Coward

    It's funny

    The technology gets used for years in Japan and there's no problem, comes to the west and it's immediately exploited by criminals. Says a lot about East and West.

    1. Alexander 3

      Nah, they have asian crooks also...

      I wonder... I suspect they have equally ingenious and malicious crims out there. If we feel we have more of it here, I suspect it's either due to us being careless, our implementations being poor or - most likely - we're being more worried about it because it's new and unknown.

      But I reckon they have their fair share of crime out there but they manage it... much the same way we do with our current tech. The question is, would this change make it better or worse and, if worse, is the added convenience an acceptable tradeoff for it?

    2. Anonymous Coward
      Unhappy

      Really?

      You seriously actually believe there are no criminal problems with this tech in Japan?

      My god, you have NO idea!!!

  11. Stuart Halliday
    Thumb Up

    Easy to fix

    So simply design the card to only become active if a pressure sensitive area is active. Ie someone is holding it?

  12. LawLessLessLaw
    Boffin

    Need an address for online ?

    I don't think so chummy.

  13. Chris 211

    contactless payments why!

    I am quite happy with pushing a card into a swipe machine and pushing in some numbers, I'd be even more happy if I can opt for a one time password the likes of which RSA provide.

    However I really really dont see the need to make this activity, wireless. Other then reducing wear and tear on the cards which WE PAY FOR ANYWAY VIA CHARGES.

    So contact-less payment monkey bothers, please turn your effort into what I want, not what you want.

  14. Anonymous Coward
    Black Helicopters

    who, whom

    cash, debit card, my problem

    credit card, bank's problem

    put a faraday cage around debit card*, only use credit card - let bank sort out fraud problems

    *adapt a conductive film bag, like wot your memory stick came in, or do a deal with wallet manufacturer to create faraday section (while you're at it, make a passport holder too) share royalties with me...

  15. Anonymous Coward
    Stop

    Err... CVV and Address Not Required

    I've seen online shops that require neither CVV or any AVS matches. So it's far from worthless - especially when the details are put on a card and used in America - where card security is so lax it's unbelievable. As merchants over here in Europe we get hassled constantly about PCI DSS and surcharges if they think a transaction went through without being PCI DSS compliant - yet in the good old US of A from what I've seen hardly any merchant is even 1% towards being PCI DSS - In some places you don't even have to sign for your transaction let alone use chip 'n' pin.

    1. Michael Wojcik Silver badge

      Re: CVV and Address not required

      Indeed. I just did a lot of online holiday shopping last night, and several merchants did not ask for CVV. (The article incorrectly has "CCV", by the way - someone should fix that.) I think all the sites I used wanted either CVV or correct billing address, but I couldn't swear to it.

      In any case, one comment claimed the NFC account number is different from the embossed / magstripe account number. If that's true, then the danger of NFC sniffing is NFC cloning. That's at least good enough for petty crime, and reason enough in my book to kill this pointless feature.

      And no, I don't want to pay for things with my phone, either. I can see how that might be useful for some, but let's have it be an option that's off by default. That's how my phone treats Bluetooth, and it's the right approach. People who can't figure out how to turn it on probably shouldn't be using it anyway.

  16. IR

    Easy fraud

    If you've got the card number and expiry, just put the details on a regular magstripe card and use that. The US doesn't have chip and PIN so nearly all credit car purchases still only need a signature. Some shops are smart and ask for photo ID, but most don't.

    1. Alexander 3

      yeah... card security is crazy weak out in the US

      I got out to the US and it is ridiculous how poor the card security here is. I got a debit card a year ago and use it every day for transactions. I sign for almost everything (you can usually use a PIN but it's never mandatory). However, I've still not signed my card, which means not one of the thousands of transactions I have done has ever checked my identity. I could nab anyone's card and empty it in the shops before the victim could report it...

      Online here you don't typically use the CVV, but usually need an address. Not sure if that's a hard rule though.

  17. Anonymous Coward
    Anonymous Coward

    Don't they make wallets

    ...that prevent this?

    For some reason I thought I had run across something like that - maybe even a DiY way to put RF shielding in your own wallet.

  18. Anonymous Coward
    Anonymous Coward

    If this isnt a problem

    And your not worried about it, then post your credit card number and expiry date...

    Dont want to?

    No didn't think so...

  19. Anonymous Coward
    WTF?

    @Advantages over cash

    @Advantages over cash

    It's not 1% free cash, it's 1% extra charged to the merchant who in turn has to increase his prices by at least 1%. The reality is you're paying more than you get back and forfeiting some of your freedom of choice and privacy in the process.

  20. Pumpkinpositive

    Even though track2 can be seen, it is still more secure than mag-stripe...

    OK, for NFC cards, there are cards which work like current EMV cards in that they generate and transmit data as if the card is being read from a chip reader - For these, authentication is through ARQC/ARPC (uses dynamic data for each transaction therefore is extremely difficult to clone) with or without iCVV/CVC3.

    The other NFC transmit "track2 equivalent data" as if the card has been read from a mag-stripe - But it's not done in the same way. Every time the card is used, whilst the PAN and expiry date will be the same, other bits of data within the track2 information will be different for every transaction - The card verification digits within the track2 are generated dynamically because a component of the algorithm now includes a transaction counter, which is incremented for each new transaction. The issuing bank keeps a track of the transaction counter, so you can't use it again, and it would take a long time to crack the keys used in the algorithm to generate the card verification digits.

    So whilst you may be able to capture details from an NFC transaction, it's not going matter because:-

    (a) You can't use the same track2 details again for a second transaction

    (b) You don't know the encryption keys used to generate the card verification digits for the next counter.

    (c) even if you did, you have to hope that the real cardholder hasn't used their card again in the meantime...

  21. K. Adams
    Coat

    "...tube travellers might be concerned about the one pressed against them..."

    There's a flap for that:

    -- http://www.difrwear.com/

    My coat's the one with the copper microwire skein lining...

  22. Pat 11

    Tinfoil wallet sir?

    difrwear.com

  23. Anonymous Coward
    FAIL

    Random PIN requests = security FAIL

    If they're random for small amounts, then why wouldn't criminals take that chance? If each time they charge $1 to a card there's a 1 in 4 (for the sake of argument) chance of needing the PIN then you've just made $3. Every time you're prompted for a PIN, just cancel the transaction. I'm guessing that the banks/credit card companies won't even notice since they likely only flag failed PIN entries, not transaction voiding (this may be incorrect, I honestly don't know).

    Name this "business" cleverly ("[name of city] Convenience Shops" seems like a good choice) and walk around all day with a netbook, an NFC reader, and a WAN connection bumping into people. Even if they check their statements I doubt a tiny charge from something like that would raise an eyebrow.

    1. Anonymous Coward
      Anonymous Coward

      Okay...

      But the requirement for a PIN entry comes from the chip, once you've been asked to verify by PIN, you've got to verify by PIN to auth the next transaction.

      1. Michael Wojcik Silver badge

        So don't retry the same card

        So if you get a PIN request, you don't retry the same card. Walk around sniffing NFC details. Collect lots of accounts. Make small transactions. Don't use an account after you get a PIN prompt against it; don't use an account that's older than X hours.

        Sure, it's not the crime of the century - just contactless pocket-picking. It's still a reason not to stick this pointless feature into credit and debit cards.

    2. david wilson

      @AC

      >>"Name this "business" cleverly ("[name of city] Convenience Shops" seems like a good choice) and walk around all day with a netbook, an NFC reader, and a WAN connection bumping into people."

      If you're suggesting someone setting up a fake business to take the proceeds, doesn't that fail if there's a time-lag before a business (or at least, a newish business) can draw money they deposited from transactions?

      Even a couple of days would likely be long enough for multiple people to spot and report a dodgy transaction, and for the receiving account to be frozen.

  24. Orv Silver badge
    FAIL

    Not worth the effort

    Stolen card numbers are available so cheaply online, in plentiful quantities, that it's hard to imagine anyone going to the trouble of stealing them this way. Besides, most of the people who fret about this sort of thing will happily let a waiter walk off with their card, or read the number out loud into a telephone.

  25. sT0rNG b4R3 duRiD
    FAIL

    To add on...

    If this is not an issue, Mr. Bill Ray, I would advise you to wear the usernames of all your accounts on your t-shirt. There's no password there so that's not an issue isn't it?

  26. Arctor

    Passthrough

    As other have pointed out this is not that much of a problem as reading the card is allowed.

    Each time you perform a transaction the card generate a unique cryptogram based on information from the reader so having read the data is no use unless you have the secure keys.

    As to the other information without the CVV2 code on the back of the card it shouldn't work for offline and with out the CVV/iCVV it won't work for mag stripe or chip. The track 2 mag stripe contains a CVV code which is different from the one on the back and cryptographically generated and designed to stop people making track2 data out of a PAN and expiry date.

    Where it could be a concern is if the 'card' present is actually acting a passthrough and then reading someone elses card like the person behind you. In this scenario the 'card' will connect (probably through some wireless tech like bluetooth) through to a unit in your pocket and then pass those details on to another card (like the person behind you.) This becomes a lot easier if the NFC chip is not a card but a mobile phone , like what google would like.

    PIN's and one time passwords can stop this but a PIN / password goes against the convience factor that is promised by NFC. I'm also unsure how succesful PIN will be given there is a good chance that the contact will break when someone needs to put the card down to key in a PIN.

    1. John Rose

      Questions

      Reading the Passthrough message made me wonder about existing chip & pin debit/credit cards (i.e. the standard ones used at ATMs etc). Am I correct in thinking that the magnetic stripe holds the PIN (as well as the bank account number) in a standard position on the tracks? Thus, a fraudster can work out the PIN? And that the card can therefore have its magnetic stripe contents copied onto a new card's magnetic stripe with the result that an ATM will accept the bogus card and give out money to the fraudster? If this is so, why do the banks still put a magnetic stripe on chip & pin cards?

  27. Anonymous Coward
    Anonymous Coward

    Obvious astroturfing obvious.

    The spec says a score centimetres. Other people have already demonstrated metres with suitably beefed-up equipment. Bill conveniently ignores this.

    Pickpockets have been with us for quite a while and are quite adept at their trade. Now they don't even need to reach /in/ the pocket any longer. That makes it /less/ dangerous for the criminals. Assertions that there are dangers to the criminals do nothing. They're less than before and if a little more doesn't deter then a little less certainly won't.

    Not having the CCV or even the address is not a problem in enough places to make scamming feasible. Skim and run. This gives the criminal a better lead because the theft is much less likely to be detected. Of course, digging into a TJX type goldmine of credit cards would be nicer, but this is nice and easy to do, so why not. Low profile hath its upsides.

    Skimming a lot of cards isn't too hard and random PIN checks are easily defeated by a deluge of cards to try. Recall that CAPTCHAs were considered defeated when automated recognition rates reached 30 or so percent. That PIN checking measure likely won't run to one in three. That's at least 60% of free success, without retrying later at a different terminal. This same math is what shows so painfully clearly why machine-driven anti-terrorist measures simply cannot work. Maybe that's why the banks like it so much: The governments swear by it, and that's where they get their bail-out money, after squandering yours.

    Soonish there will be more RFID-enabled things in the same wallet, some of which might reveal a name (hello RFIDed ID card*, RFIDed driver's licence, etc.), which in turn might be used to divine an address.

    But even without that, skimmed card numbers already are so much sellable raw material. Someone else in the criminal food chain will buy up the data, perhaps with skimming location, and divine things like probable address. Then sell the resulting package on to a cashing syndicate. This sort of thing already happens. Thus at the very least, RFID-read card credentials make for easy to get, good low grade sellings. For someone writing as much about this sort of technology as Bill does, he seems deliberately obtuse and oblivious to, to us techies very obvious, flaws in these toutings.

    Wonder what dear Bill is getting in kickbacks. At least we do know that *he* doesn't worry about people getting close, living out in the sticks.

    * I know, not in Blighty for the time being. Elsewhere in Europe, you are forced by law to always carry one.

    1. david wilson

      @Obvious astroturfing obvious.

      Even if there actually was stealable, misusable information on cards, and misuse got to be any kind of threat, would it be hard to have a whole slew of boobytrapped numbers as a response, the use of which either immediately raised an alarm at a point of sale, or kicked off a silent one, without asking for a PIN?

      If someone's grabbing data at random in a crowd, it wouldn't be hard to have any number of fake sources with suitable numbers on them in likely skimming locations.

      A smart active source could also detect one or more attempts at making contact. Having detectors fixed, and done somewhere with CCTV coverage and multiple reporting sources, it might not be hard to pick up what was happening, and identify who's doing it.

      A sensitive detector that picks up attempted contact could also be used to quickly narrow down possible perpetrators

  28. Anonymous Coward
    Thumb Down

    Pointless

    First, despite reading all the (admittedly good) points made in this thread, I am convinced that NFC credit/debit cards are,at best, pointless and at worst, dangerous.

    Why are they pointless? Take my own card use. When I use my current cards, it takes me maybe 20-30 seconds per transaction. This includes entering the PIN and authorising the card. I do maybe one or two transactions each day (at most). Using NFC card would reduce this to 15-20 seconds.

    Now, if my day is packed enough that a 20 or 30 second saving in time is a big deal, then, tbh, I need to look at my time management.

    Why do I say it's dangerous? Simple. The cards may use various algorithms, keys and other data that is never transmitted. But, the algorithms used to generate these *will* be cracked. Anyone that thinks they won't just needs to remember that they thought that both DVDs and Blu Rays could not be cracked.

    Fixing the algorithms would probably require replacement of the cards. It won't just be a case of fixing them remotely, as if the cards can accept that kind of programming remotely, the criminals could well use that..

    OK, so the banks do replace the cards already, but this happens once every 12, 18 or 24 months. Please tell me the banks won't have people wandering round with compromised cards for 24 months, or even 12.

    Could someone tell me the actual benefit of having my card transmit my details to all and sundry? OK, so they may use one shot codes, but, TBH, the banks could implement those on Chip and PIN cards, without the potential security problems caused by the transmission of the data wirelessly.

    1. david wilson

      @Pointless

      >>"Why do I say it's dangerous? Simple. The cards may use various algorithms, keys and other data that is never transmitted. But, the algorithms used to generate these *will* be cracked. Anyone that thinks they won't just needs to remember that they thought that both DVDs and Blu Rays could not be cracked."

      Though for online transactions, it's perfectly possible for an encryption algorithm to be public, but for a given card's encryption key to be purely random, and known only to the card and the issuer, so that it's possible to verify that only the one true card could be the source of the responses.

      With a series of small data transfers that would be easy to muddy with padding data before encryption, it may be impossible for a key to be deduced from a card's lifetime transactions.

  29. Fred Flintstone Gold badge

    You can read them from a much larger distance

    Your principal weapon of choice if your aerial. Right after that you can mess around with the receiver circuitry because at distance you get much less return signal (hence the need for a larger aerial) so you need to do some more work to preserve a decent signal-to-noice ratio.

    AFAIK, under ideal conditions 30m is possible. This is not as much as passport RFIDs - I think their max range is now somewhere around 70m.

    I will avoid these things like the plague. It's all jolly well announcing random PIN checks (which nullifies the whole "wave" idea, ahem) but in volume you can just annulate the transactions that need PIN. Get a merchant account and put up a tent at Oxford Street and presto, merry Xmas..

    1. Anonymous Coward
      Anonymous Coward

      Err...

      You are getting NFC and RFID confused.

      RFID can be read over fairly large distances, NFC relies on induction to power the chip and cannot.

  30. John Smith 19 Gold badge
    Joke

    NFC details not worth stealing

    *yet*

  31. M Gale

    £15? Price of a cup of coffee?

    Where's that, Harrods?

    Yes, £15 is the maximum spend for this sort of thing. So.. you buy £15 worth of something in one shop, £15 in another, £15 in another, £15 in another, and throw the card away when it asks for a PIN. Sell the gear you got for £5 cash each, then go over to your dealers for enough smack to kill an elephant.

    Yeah, not worried about NFC at all, me.

  32. John Rose

    Further to questions about passthrough

    I've just read about Skimming (on Wikipedia). And, as I understand it now, a skimming device attached to an ATM allows the card owner's PIN to be read as it is keyed by the owner and the card's magnetic stripe contents to also be read. Thus a fraudster would duplicate a card's magnetic stripe onto a a 'blank' card and the be able to extract cash from an ATM using the read PIN. I do not understand why banks still put magnetic stripes onto chip & pin cards, since the chip is very difficult to copy onto a 'blank' card. Can anybody explain why?

    1. Anonymous Coward
      Anonymous Coward

      Magstripe

      The magstripe is still required due to the many countries who haven't moved over to chip and pin, it's basically a legacy thing. The only times that you'll use a magstripe in the UK/EU (and other c'n'p regions) is when the chip reader is broken (ATM or POS PED) and the merchant is trusted to use magstripe or if you're card doesn't have a chip - ie you're a tourist.

      1. John Rose

        Magstripe

        So if a fraudster used a skimming device to read the PIN as it's keyed and its also took a copy of the magstripe's contents, then your account may be pillaged at ATMs. Why have consumer organizations not requested the banks to issue 2 cards: one with a chip & no magstripe and one (if wanted by the customer) with a magstripe?

        1. Anonymous Coward
          Anonymous Coward

          @John

          There are fairly few ATMs which will allow a card that has a chip to auth using a magstripe. Mostly the ones that will let you are in a bank in what is considered to be a low risk area.

          1. John Rose

            ATMs using magstripe on chip & pin cards

            Is it possible to obtain a list of ATMs which allow using magstripe on chip & pin cards? BTW I have found that approximately half the ATMS in central Wolverhampton will not accept my Chip and Pin card after I 'cleared' the magstripe using a Neodymium (i.e. strong) magnet.

  33. Tom 7 Silver badge

    Bankings getting more like the casinos and one armed bandit makers

    Sure there are ways to buck the system - they're even designed in by the manufacturer. One excuse as to why you pay 5% for an electronic transaction that should be virtually free to both parties is to cover the costs of fraud- I bet they make more money 'managing' the fraud than moving the cash and the figures leftover reveal they aren't making excessive profits in case of a government enquiry into excessive charges.

    And they need to sell some cheap electronics at vastly inflated cost to cover the salary increases they've implemented to cover the reduced bonuses at the bank.

  34. Bod

    NFC

    I do a little bit of NFC stuff through work and having the kit tried it out on my bank card. Oh look, I can read the details!

    But that's as far as I got. As said, it's not much use for online and no use in a shop if a PIN is requested.

    The only risk is for the small contactless cash payments where you are lucky enough to not be asked for a PIN. Yes it's small amounts, but then stolen credit cards are often used in bulk for small payments anyway (had mine done a few times like this). The thieves don't really care if some cards are blocked and the transactions are limited to £10.

    I doubt this is any more of a risk compared to stolen card details online, and probably less of a risk as it's easier to steal the details from leaking online sites than it is to go around the high street bumping into people in the hope of stealing their NFC data (and you have to get the reader fairly close to the card for it to work reliably).

    Maybe just having two NFC cards in your wallet is enough to stop this anyway as I suspect it would confuse the reader. Or some kind of shielding in wallets. Tin foil?

  35. Kubla Cant Silver badge
    Unhappy

    The wonders of plastic

    Nothing to do with NFC, but an indication that the brave new world is still some way off:

    On Saturday I tried to order a laptop from HP. It was a gift for sombody resident in the USA, so it made sense to order from HP's US web site. No go - you can't enter a cardholder address in the UK as it has no state or zip code.

    So I phoned HP's sales line in the US. The bozo on the line told me they couldn't accept non-US cards because "people from all over the world would do it to get the US prices". The bozo's supervisor (superbozo?) agreed to try to process the order but was unable to do so - I suspect she was just using the same crappy web forms as me.

    So it seems the only way to get an HP computer delivered to a US address and paid for with a UK card is to have it shipped across the Atlantic. Some business model.

    I don't know why, but I'm always suprised at how bureaucratic, xenophobic, and just plain old-fashioned the USA is.

  36. Anonymous Coward
    Anonymous Coward

    so far

    every comment has focussed on a man in the middle attack. That doesn't worry me as much as a rogue vendor, with an overpowered reader charging me for a newspaper, or coffee, everytime i walk past.

    1. Anonymous Coward
      Anonymous Coward

      Ok...

      Please try to understand:

      NFC DOESN'T WORK LIKE THAT

      And

      THE POS/PED IS SEALED AND WILL BREAK ITSELF IF OPENED FOR MODIFICATION.

    2. david wilson

      @so far

      >>"That doesn't worry me as much as a rogue vendor, with an overpowered reader charging me for a newspaper, or coffee, everytime i walk past."

      Even if it was possible to hack the reader hardware, all it would take would be a small proportion of 'active' devices in the general population to make the chances of quick detection high, and for a scam's lifetime to be too short to be worthwhile.

      If there was NFC in phones, etc, it'd presumably not be hard to have a phone set to vibrate or chime on the completion (or attempted start) of a transaction. Someone having their phone going off unprompted would be likely to be suspicious.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019