
Android application reads credit card data over NFC (The H)

The H discusses a new demonstration application published by a German security researcher capable of reading credit card information over NFC. "Contactless credit card systems have been hacked in the past and while the problems with the technology are worrisome, access via NFC is not a viable way to harvest a great amount of credit card data for obvious reasons. The relatively easy availability of smartphone applications like paycardreader will most likely make them attractive for opportunist fraudsters, however."

Android application reads credit card data over NFC (The H)

Posted Jun 22, 2012 17:46 UTC (Fri) by rich0 (guest, #55509) [Link]

So, who designed an RF credit card system where ANYTHING that leaves the card is useful for fraud?

We've had RSA for decades now. Have the card provide an identifier, and then a response to a challenge issued by the bank. You can eavesdrop that all you want and it will be useless for impersonating the card.

I can understand that the traditional way of using credit cards is completely insecure, since that was invented in the dark ages and has hung on due to compatibility. Why anybody would issue a completely new and electronic payment system and not do it right is beyond me...

Android application reads credit card data over NFC (The H)

Posted Jun 22, 2012 22:51 UTC (Fri) by wmf (subscriber, #33791) [Link]

Does passive NFC/RFID provide enough power to run a public-key protocol?

Android application reads credit card data over NFC (The H)

Posted Jun 23, 2012 0:12 UTC (Sat) by JanC_ (guest, #34940) [Link]

> Does passive NFC/RFID provide enough power to run a public-key protocol?

Why not? You can also build an AM/FM radio receiver without battery power, if you want.

Android application reads credit card data over NFC (The H)

Posted Jun 25, 2012 13:49 UTC (Mon) by rriggs (subscriber, #11598) [Link]

AM I have done, but FM? How's that done?

Android application reads credit card data over NFC (The H)

Posted Jun 23, 2012 1:58 UTC (Sat) by kevinm (guest, #69913) [Link]

It doesn't even need to be public key, in this scenario you can have the bank and the card share a secret. RFID cards can certainly calculate HMAC.

Android application reads credit card data over NFC (The H)

Posted Jun 23, 2012 16:28 UTC (Sat) by keeperofdakeys (subscriber, #82635) [Link]

You don't need anything as complex as public-key crypto, you can simply use a symmetric key algorithm like 3-DES or AES in hardware. If you wanted door control with this scheme, you can then use a challenge from a central server, and verify if the response is valid for a card in the system. Now you can arbitrarily add or remove cards from the central database.
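The scheme rich0, kevinm and keeperofdakeys describe (card identifier plus a keyed response to a fresh challenge, so that anything sniffed over NFC is useless for impersonation) as an added worked example. This is not code from the page, from paycardreader, or from any card scheme; it uses HMAC-SHA256 in place of the hardware 3-DES/AES the posts mention, and the names Card, Issuer, run_scenarios and the constructed card id and amounts are this example's own:

```python
import hashlib
import hmac
import secrets

# Added example: a symmetric challenge-response tap. The per-card key is the
# only secret, and it never leaves the card; the issuer holds a copy.


def _mac_input(card_id: str, counter: int, amount: int, challenge: bytes) -> bytes:
    """Bind card identity, transaction counter, amount and the issuer's nonce."""
    return (card_id.encode() + counter.to_bytes(4, "big")
            + amount.to_bytes(8, "big") + challenge)


class Card:
    """What the chip does: keep a key and a counter, answer challenges."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key      # provisioned once; never read out over NFC
        self.counter = 0     # monotonic transaction counter

    def respond(self, challenge: bytes, amount: int):
        self.counter += 1
        mac = hmac.new(self._key,
                       _mac_input(self.card_id, self.counter, amount, challenge),
                       hashlib.sha256).digest()
        return self.counter, mac


class Issuer:
    """Bank side: issues a fresh nonce per tap and checks the card's answer."""

    def __init__(self):
        self._keys = {}          # card_id -> shared key
        self._last_counter = {}  # card_id -> highest counter accepted
        self._pending = {}       # card_id -> outstanding challenge

    def enroll(self, card_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        self._last_counter[card_id] = 0
        return key

    def challenge(self, card_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[card_id] = nonce
        return nonce

    def verify(self, card_id: str, amount: int, counter: int, mac: bytes) -> bool:
        key = self._keys.get(card_id)
        nonce = self._pending.pop(card_id, None)   # single use, even on failure
        if key is None or nonce is None:
            return False
        if counter <= self._last_counter[card_id]:  # replayed or rolled back
            return False
        expected = hmac.new(key, _mac_input(card_id, counter, amount, nonce),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        self._last_counter[card_id] = counter
        return True


def run_scenarios() -> dict:
    """Constructed taps: one honest one, then what an NFC eavesdropper can do."""
    issuer = Issuer()
    card_id = "demo-4111"                      # constructed identifier
    card = Card(card_id, issuer.enroll(card_id))
    results = {}

    # 1. Genuine tap: fresh challenge, card answers with its key.
    ch = issuer.challenge(card_id)
    ctr, mac = card.respond(ch, 1500)
    results["genuine"] = issuer.verify(card_id, 1500, ctr, mac)

    # 2. Replay: attacker sniffed (ctr, mac) above and presents it to a new
    #    challenge. The counter is stale and the MAC does not cover the new nonce.
    issuer.challenge(card_id)
    results["replay"] = issuer.verify(card_id, 1500, ctr, mac)

    # 3. Amount tampering: a genuine response for $5.00 submitted as $15,000.00.
    ch = issuer.challenge(card_id)
    ctr, mac = card.respond(ch, 500)
    results["tampered_amount"] = issuer.verify(card_id, 1_500_000, ctr, mac)

    # 4. Cloned identifier without the key: everything readable over the air,
    #    but a random key, fails the MAC check.
    ch = issuer.challenge(card_id)
    clone = Card(card_id, secrets.token_bytes(32))
    clone.counter = card.counter
    ctr, mac = clone.respond(ch, 500)
    results["forged_key"] = issuer.verify(card_id, 500, ctr, mac)

    # 5. The real card still works after the failed attempts.
    ch = issuer.challenge(card_id)
    ctr, mac = card.respond(ch, 200)
    results["genuine_after"] = issuer.verify(card_id, 200, ctr, mac)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

The point of the design is in what the MAC covers: the nonce defeats replay, the counter defeats rollback, and the amount stops a response for a small purchase being reused for a large one. A passive listener sees the card id, the counter, the amount and the MAC, none of which lets it answer the next challenge.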

Android application reads credit card data over NFC (The H)

Posted Jun 23, 2012 10:54 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

The contactless systems are designed for low-value transactions.

The rationale is that these aren't a major target for fraud.

Previous experience says that there will be some serious holes resulting from bad assumptions in the banks, card companies, payment providers and consumer businesses. The main thing I'd worry about would be whether any of those holes impact the consumer, next after that whether they affect the retailer, and I have no interest at all in whether the banks, card companies or payment providers take a hit.

Examples of things the system is supposed to do, and how they'll probably go wrong:

1. These aren't normal credit cards. Data from a touch transaction shouldn't be valid for larger transactions and the card company should reject larger transactions

1a. But it probably won't. Sooner or later a bank is going to tell a customer that their $15 limit touch token bought $15000 of diamond jewellery in a country they've never visited.

1b. Lots of small transactions add up. Somebody's off-line transaction system or broken fraud pattern spotting will allow criminals to put thousands of dollars onto someone's card by keeping each purchase under $5

2. Some fraction of transactions are supposed to be checked. This should make small-scale fraud too risky because you'll be caught after a relatively small number of attempts

2a. But retailers are notoriously non-compliant on such checks. Given the choice between "possibly inconvenience a real customer" and "lose millions of dollars to fraud" apparently the second choice is always preferred.

2b. Small-scale fraud often involves insiders anyway. The same low-paid shop workers who agree to turn a blind eye to the use of a card in the name of "Mrs Jia Wong" used without a PIN by a 17 year old white guy with no ID to buy $500 of brand name spirits can be "persuaded" not to perform the manual check when the proximity card reader requests it.

3. Local laws should protect consumers so that the banks have to eat the cost of their own mistakes

3a. But repeated practical experience shows that judges and juries believe whatever they're told by the man in a smart suit from the bank, even when outsider engineers can see that it's completely bogus. So there's a good chance the bank can legally pin someone else's fraud on you by insisting that its systems work even if you have proof they don't. Increased scepticism towards the banks by the general public might help here, but don't count on it.
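Items 1, 1b and 2 above describe issuer-side controls that a contactless token is supposed to get: a per-tap ceiling, a cap on how much many small taps can add up to, and a forced cardholder check after some number of unverified taps. The following is an added example of those three rules run over a constructed day of transactions; it is not code from the page or from any card scheme, and the limits, the Tx/CardState/decide/run_day names and the transaction sequence are assumptions made for illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added example: issuer-side authorisation rules for a contactless token.
# Limits are illustrative assumptions, in minor units (cents).
PER_TAP_LIMIT = 1500                  # $15.00 per contactless tap
ROLLING_WINDOW = timedelta(hours=24)
ROLLING_CAP = 5000                    # $50.00 of contactless spend per window
MAX_UNVERIFIED_TAPS = 5               # then demand PIN before the next tap


@dataclass
class Tx:
    when: datetime
    amount: int
    channel: str            # "contactless" or "chip_pin"
    verified: bool = False  # cardholder verified (PIN) on this transaction


@dataclass
class CardState:
    approved: list = field(default_factory=list)  # approved contactless txs
    unverified_run: int = 0                       # consecutive taps without PIN


def decide(state: CardState, tx: Tx) -> str:
    """Return 'approve', a 'decline:<reason>' or a 'step_up:<reason>' decision."""
    if tx.channel != "contactless":
        # Chip-and-PIN path: not subject to the tap limits; a verified
        # transaction resets the unverified-tap counter.
        if tx.verified:
            state.unverified_run = 0
        return "approve"

    # Rule 1: contactless data is only good for small amounts.
    if tx.amount > PER_TAP_LIMIT:
        return "decline:over_tap_limit"

    # Rule 1b: many small taps must not add up to an unbounded total.
    window_start = tx.when - ROLLING_WINDOW
    recent = sum(t.amount for t in state.approved if t.when >= window_start)
    if recent + tx.amount > ROLLING_CAP:
        return "decline:rolling_cap"

    # Rule 2: every so many unverified taps, insist on a cardholder check.
    if not tx.verified and state.unverified_run >= MAX_UNVERIFIED_TAPS:
        return "step_up:verify_cardholder"

    state.approved.append(tx)
    state.unverified_run = 0 if tx.verified else state.unverified_run + 1
    return "approve"


def run_day() -> list:
    """Constructed sequence: cheap taps, a PIN retry, a cap hit, a jewellery buy."""
    t0 = datetime(2012, 6, 23, 12, 0)
    state = CardState()
    taps = [Tx(t0 + timedelta(minutes=i), 499, "contactless") for i in range(6)]
    taps.append(Tx(t0 + timedelta(minutes=6), 499, "contactless", verified=True))
    taps += [Tx(t0 + timedelta(minutes=7 + i), 499, "contactless") for i in range(5)]
    taps.append(Tx(t0 + timedelta(minutes=13), 1_500_000, "contactless"))
    taps.append(Tx(t0 + timedelta(hours=25), 499, "contactless"))
    return [decide(state, tx) for tx in taps]


if __name__ == "__main__":
    for i, d in enumerate(run_day(), 1):
        print(f"tap {i:2d}: {d}")
```

With these numbers the sixth $4.99 tap is pushed to a PIN check, a PIN-verified retry goes through, the rolling cap declines the eleventh tap of the day, the $15,000 purchase is refused outright by the per-tap ceiling, and a tap the next day is approved again once the window has moved on. The rule order matters: the hard limits are checked before the step-up, so an attacker cannot use a PIN prompt to learn which ceiling they are hitting.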

Android application reads credit card data over NFC (The H)

Posted Jun 23, 2012 17:56 UTC (Sat) by apoelstra (subscriber, #75205) [Link]

Because your attacker will certainly have access to one of your cards, so no matter what you do, he'll be able to figure out how to pretend to be a pinpad. (Although if you do it right, it would require very expensive equipment to read the keys from the chip.) So on some level, you're screwed no matter what.

That's one plausible reason. Another is that the credit card companies are actually run by morons. This is the impression I get -- the last time they sent me a card, I was on the phone with them beforehand, and explicitly asked for one without any RFID. The woman on the phone had no clue what I was trying to ask for. She kept assuring me that the card would have PayPass, but I "didn't have to use it if it made me uncomfortable".

So as soon as I got the card, I shone a light through it and dremeled out the antenna. Problem solved, I suppose, but since the card has clearly printed on it that it is the property of the bank, not me, I'm on questionably legal ground.

Android application reads credit card data over NFC (The H)

Posted Jun 25, 2012 3:41 UTC (Mon) by devkev (subscriber, #74096) [Link]

> So as soon as I got the card, I shone a light through it and dremeled out the antenna.

Ironically, having a holey or somewhat mangled card is more likely to raise suspicions of merchants. And a "likely story" of protecting your privacy/funds is going to be a hard sell to people who are, more or less, just like the woman you spoke to on the phone.

Android application reads credit card data over NFC (The H)

Posted Jun 25, 2012 16:43 UTC (Mon) by apoelstra (subscriber, #75205) [Link]

>Ironically, having a holey or somewhat mangled card is more likely to raise suspicions of merchants. And a "likely story" of protecting your privacy/funds is going to be a hard sell to people who are, more or less, just like the woman you spoke to on the phone.

I wish. I've gotten some funny looks and a lot of "I hope this works, haha" from merchants, but nobody has declined me or even asked for secondary ID. I've had the mangled card now for ~6 months.

Strangers (e.g. friends of friends who I'm out with) often ask questions about the card when I pull it out, though.

Android application reads credit card data over NFC (The H)

Posted Jun 23, 2012 0:08 UTC (Sat) by JanC_ (guest, #34940) [Link]

https://github.com/thomasskora/android-nfc-paycardreader gives me a 404...

Seems like GitHub removed the repository for his PoC?

Android application reads credit card data over NFC (The H)

Posted Jun 24, 2012 2:25 UTC (Sun) by nodus (subscriber, #62518) [Link]

Looks like someone has a clone of this repo up on bitbucket. https://bitbucket.org/mjcoder/android-nfc-paycardreader . No idea what happened to the repo linked in the summary.


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds