Author Topic: Unfortunately bad use of technology - Flir  (Read 24114 times)

0 Members and 1 Guest are viewing this topic.

Offline EEVblog

  • Administrator
  • *****
  • Posts: 38715
  • Country: au
    • EEVblog
Re: Unfortunately bad use of technology - Flir
« Reply #25 on: September 01, 2014, 06:18:08 am »
NFC is STUPID.  BECAUSE ALL YOUR INFO IS STORED ON THE CARD AS PLAIN TEXT RFID.

None of my 3 NFC credit cards (3 different banks, two mastercard, one VISA) show any usable ASCII data in any of the 16 segments using NFC Tag Info on my Android tablet.
That info does yours show?
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 38715
  • Country: au
    • EEVblog
Re: Unfortunately bad use of technology - Flir
« Reply #26 on: September 01, 2014, 09:12:16 am »
Strangely there is no massive fraud going on in Japan. Nobody thought of building a giant NFC antenna and sucking money off people's cards as they walk past. Maybe because it's a completely impractical attack, since you can't do card-to-card transactions. You can only do transactions as a registered payment processor, and clearly if you are a fraudster being a registered payment processor with a registered business and bank account is probably not such a good idea.

That's how understood it, which is why I've never heard of any fraud in this area.
And I'm pretty sure you more than the NFC data to make a copy of the card so you could go around buying stuff at under $100 a pop until it's reported stolen.

Quote
As for stealing the card, it's no worse with an NFC enabled card than with a traditional one. You still have to call your bank and cancel it, they still have to reverse any charges that were made.

It's better than before because the old signature system was nothing short of a joke, the signature is right there for you to copy, not that anyone checked it anyway, and you could use that for any amount. Now it limits them to sub $100 transactions, and no cash out transactions.

Quote
I love NFC, it's just so easy. No mucking about with cash.

Yep, I love it, and groan any time I have to actually enter a pin now, or any time someone fumbled cash or pin in the line in front of me.
 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2452
  • Country: gr
Re: Unfortunately bad use of technology - Flir
« Reply #27 on: September 01, 2014, 09:22:15 am »
I like using cash. I tend to spend more money when using electronic transactions. And in many cases it's faster too (e.g. systems that utilize gsm network to verify the card).

Alexander.
Become a realist, stay a dreamer.

 

Offline zapta

  • Super Contributor
  • ***
  • Posts: 6289
  • Country: 00
Re: Unfortunately bad use of technology - Flir
« Reply #28 on: September 02, 2014, 02:05:35 am »
Yes, the secure key can't be read over NFC and uses tamper-proof memory for storage. Atmel make some, among others.

The other thing is that the card keeps a transaction history. If someone somehow did manage to clone your card the transactions wouldn't show up on it, so it would be obvious that they were fraudulent.

There is still the possibility of a man in the middle attack. You stand in a busy train, hacker A next to you has a reader that is connected to a remote hacker that make purchases with you account. It will show up in your card's history.
 

Offline rs20

  • Super Contributor
  • ***
  • Posts: 2320
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #29 on: September 02, 2014, 02:14:12 am »
Yes, the secure key can't be read over NFC and uses tamper-proof memory for storage. Atmel make some, among others.

The other thing is that the card keeps a transaction history. If someone somehow did manage to clone your card the transactions wouldn't show up on it, so it would be obvious that they were fraudulent.

There is still the possibility of a man in the middle attack. You stand in a busy train, hacker A next to you has a reader that is connected to a remote hacker that make purchases with you account. It will show up in your card's history.

Unless the card reader at the turnstiles has very strict constraints on how long the card has to respond to a request. Sure, it could probably be MITM hacked if you had a point-to-point two-way radio designed specifically for the job, but the moment you try to use any sort of packet-based radio, think public infrastructure (Wi-Fi or 4G), the latency would be so obviously through the roof.
 

Offline sacherjj

  • Frequent Contributor
  • **
  • Posts: 993
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #30 on: September 03, 2014, 04:07:27 am »
NFC is STUPID.  BECAUSE ALL YOUR INFO IS STORED ON THE CARD AS PLAIN TEXT RFID.

None of my 3 NFC credit cards (3 different banks, two mastercard, one VISA) show any usable ASCII data in any of the 16 segments using NFC Tag Info on my Android tablet.
That info does yours show?

There are apps all about that will print out the plain text of the NFC data.  I can see the full card number and exp dates and other info that is used to do the NFC PoS transaction..
 

Offline sacherjj

  • Frequent Contributor
  • **
  • Posts: 993
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #31 on: September 03, 2014, 08:45:07 pm »
There are apps all about that will print out the plain text of the NFC data.  I can see the full card number and exp dates and other info that is used to do the NFC PoS transaction..

You mean the same stuff that is printed on the face of the card? That isn't all that is required for an NFC payment. There is a cryptographic challenge/response that uses data which cannot be read out of the chip, even with debugging tools. The information isn't enough to do online payments either, as it doesn't include the CVV code printed on the back of the card.

Yep, the same things that are printed on the front of the card.  The same things that can "clone" the card into the Android device and repeat it to NFC sales locations to make transactions on my card without my authorization.   

The only NFC purchase I made with the card, before I cancelled the account due to insanely stupid security around these, had no action required on my part than moving the card over the display until it beeped.  It really didn't care if it was my card or a copy of my card.
 

Offline rs20

  • Super Contributor
  • ***
  • Posts: 2320
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #32 on: September 03, 2014, 10:30:57 pm »
Yep, the same things that are printed on the front of the card.  The same things that can "clone" the card into the Android device and repeat it to NFC sales locations to make transactions on my card without my authorization.   

The only NFC purchase I made with the card, before I cancelled the account due to insanely stupid security around these, had no action required on my part than moving the card over the display until it beeped.  It really didn't care if it was my card or a copy of my card.

Maybe you're talking about a particularly poor specific implementation of an NFC payment system. But well-designed NFC payment systems use a challenge-response based security system (or similar) that means you can't just read the entire state of the card; so it's practically impossible to have a Android device usefully clone a (well-designed) NFC payment card.
 

Offline sacherjj

  • Frequent Contributor
  • **
  • Posts: 993
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #33 on: September 03, 2014, 10:37:40 pm »
Yep, the same things that are printed on the front of the card.  The same things that can "clone" the card into the Android device and repeat it to NFC sales locations to make transactions on my card without my authorization.   

The only NFC purchase I made with the card, before I cancelled the account due to insanely stupid security around these, had no action required on my part than moving the card over the display until it beeped.  It really didn't care if it was my card or a copy of my card.

Maybe you're talking about a particularly poor specific implementation of an NFC payment system. But well-designed NFC payment systems use a challenge-response based security system (or similar) that means you can't just read the entire state of the card; so it's practically impossible to have a Android device usefully clone a (well-designed) NFC payment card.

This is the only system I have used from a standard American bank.  The only real way American banks know how to do things is poorly.
 

Offline Delta

  • Super Contributor
  • ***
  • Posts: 1221
  • Country: gb
Re: Unfortunately bad use of technology - Flir
« Reply #34 on: August 25, 2015, 07:29:34 pm »
Could it be vulnerable to relay attacks like RFID based vehicle keyless entry systems, due to the "proxity means authenticity" thing?

media.hacking-lab.com/scs3/scs3_pdf/SCS3_2011_Capkun.pdf
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: Unfortunately bad use of technology - Flir
« Reply #35 on: August 25, 2015, 07:55:56 pm »
You need the card for payments but there are plenty of door keypads that don't require a key/token, so might be a problem there.

The crappy security on bank cards is because the banks isn't held responsible for skimming, the consumer takes all the risk. Because of that banks have no incentive to improve security, in fact it would even be illegal for them in certain countries since it would be an unnecessary (from the banks perspective) expense that reduce profit for the share holders.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6971
  • Country: nl
Re: Unfortunately bad use of technology - Flir
« Reply #36 on: August 25, 2015, 08:44:00 pm »
Banks had to repay skimming fraud to consumers here, but one way or another we'll always be paying for it. They are completely reactive, they have very little capacity to think like a fraud (well a technical fraud, fraudulently using/avoiding the law they're much better at). It took years of MitM attacks on internet banking for my bank to do something (they now use a small dedicated device which reads a code from the screen of your computer display and then shows the transaction data on it and a code to authorize it, you don't have to rely on what you see on the computer screen).

It would have cost less than a cent per reader to do ToF distance detection/limiting with NFC. Of course compared to the idiocy that is SEPA in the EU it's small potatos ...

« Last Edit: August 25, 2015, 09:21:11 pm by Marco »
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5975
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #37 on: August 25, 2015, 09:30:18 pm »
One light tap with a hammer via a flat-ended punch, on the location of the chip inside the card puts an end to that 'no contact RF' stuff. Didn't ask for it, don't want it.
The result is you have to insert the card in POS terminals (twice) till it figures out that the chip is broken and doesn't work with the contacts either. Then you can just swipe the magnetic strip and enter your PIN.

I find it interesting that the readers won't accept a mag stripe swipe first, until they have been told (twice) that the chip is broken. That bit of logic suggests the aim is to phase out mag stripes entirely.

The problem with this method is most of the new pin pads these days don't have mag readers anymore. It's either RF or the chip. I almost exclusively use card for everything and I'd probably have to say that at least half of the readers I come across don't support mag stripe (mostly Ingenico and Quest branded units).

Is there a way you can break the NFC antenna leaving the chip intact? If it doesn't stop NFC completely, it would at least severely limit its range.

Not sure what kind of card this is but would all cards be made this way?...
« Last Edit: August 25, 2015, 09:37:40 pm by Halcyon »
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13998
  • Country: gb
    • Mike's Electric Stuff
Re: Unfortunately bad use of technology - Flir
« Reply #38 on: August 25, 2015, 11:11:46 pm »
Is there a way you can break the NFC antenna leaving the chip intact? If it doesn't stop NFC completely, it would at least severely limit its range.
Yes - the antenna is a fairly large coil - search google images for credit card x-ray for some examples.
It's occasionally visible if you shine a very bright light through the card.
A small hole, or cut at the edge to break the coil would disable the NFC functionality.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: Unfortunately bad use of technology - Flir
« Reply #39 on: August 25, 2015, 11:58:53 pm »
Banks had to repay skimming fraud to consumers here, but one way or another we'll always be paying for it.
I believe the Banks here covered some of the obvious skimming frauds that got media attention but they were not legally obligated to. The reasoning by the court was along the lines that it would put an unreasonable burden on the banks to prove if there was an actual fraud or not. The root cause of the problem however was the non existent security in the cards to begin with, and it's the banks that want us to stop using cash in the first place since card systems are so profitable for them. So even though it was their negligence of security that caused the problem, since the burden of evidence was put on the consumer they really didn't have any incentive to fix it until it became a huge problem exploited by organised crime.

they now use a small dedicated device which reads a code from the screen of your computer display and then shows the transaction data on it and a code to authorize it, you don't have to rely on what you see on the computer screen
Interesting, so it has a camera you hold up to the screen? Or just a photo diode?
« Last Edit: August 26, 2015, 12:01:51 am by apis »
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6971
  • Country: nl
Re: Unfortunately bad use of technology - Flir
« Reply #40 on: August 26, 2015, 12:59:38 am »
Yeah it has a camera, it shows what it's looking at on the screen of the device so you can point it correctly.

NFC is small potatoes compared to skimming and internet banking fraud, it's only a single relatively small payment for something hard to convert into cash and you can't really obscure your face from security cameras so if it gets discovered they have your mugshot.

PS. of course a lot of people won't verify the account number on the device, those people will be screwed in the case of a MITM attack ... but at least verified merchants get to show the company name instead of their bank account numbers, so you don't always have to check the account number.
« Last Edit: August 26, 2015, 01:05:19 am by Marco »
 

Offline TheElectricChicken

  • Frequent Contributor
  • **
  • Posts: 480
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #41 on: August 26, 2015, 01:07:00 am »
 

Offline TheElectricChicken

  • Frequent Contributor
  • **
  • Posts: 480
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #42 on: August 26, 2015, 01:10:04 am »
oh and then the heavies forced him to retract everything he said, I can't be bothered even watching that one, probably every bit as riveting as ' who killed the electric car ' part two.

The paywave thing, it's just to tag and identify everyone. As to how far away it can be read, it depends with what. Certainly tens of meters with a decent covert-use designed reader, and any hacker could get several meters out of them. There are plenty of people at the checkouts with stories of how someone else had accidentally used their card on the checkout behind them without realizing it and so on.

The sole point of paywave is so that when there is a civil disobedience protest, 'they' can walk through the crowd and record the details of all the people 'they' don't like and deal with them later.
« Last Edit: August 26, 2015, 01:15:48 am by TheElectricChicken »
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6971
  • Country: nl
Re: Unfortunately bad use of technology - Flir
« Reply #43 on: August 26, 2015, 01:39:21 am »
AFAICS for the same SNR the area of your "antenna" has to increase by a square of the distance.
 

Offline Falcon69

  • Super Contributor
  • ***
  • Posts: 1482
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #44 on: August 26, 2015, 01:49:46 am »
Well Here's one for you, talking about security with credit cards....

I recently made a purchase of $600+ on my Home Depot credit card.  After I swiped the card and signed, the lady gave me the receipt.  I asked her why she did not ask for my ID and that I could have been anyone (the purchase only required signature, NOT PIN) who found or stole the card and used it to buy these new tools.  Her reply was, "Oregon recently passed a privacy law and we are no longer allowed to ask for your ID for any purchases, unless you appear to be under 35 and purchasing alcohol or cigarettes." 

Man, I hope that is NOT true. I was very upset. I haven't had time yet, but I will be contacting Home Depot Merchant Credit Card customer service and ask them why I was not asked for my ID on such a large purchase.


EDIT:  Holy crap!  The first google search came up with this!
https://www.privacyrights.org/ar/Alert-FS15.htm
Man I am pissed.
« Last Edit: August 26, 2015, 01:51:28 am by Falcon69 »
 

Offline TheElectricChicken

  • Frequent Contributor
  • **
  • Posts: 480
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #45 on: August 26, 2015, 01:58:21 am »
I was not asked for my ID on such a large purchase.
EDIT:  Holy crap!  The first google search came up with this!
https://www.privacyrights.org/ar/Alert-FS15.htm
Man I am pissed.

Yeah, I think the basic idea here is that 'they' have become such completely obvious criminals in the public eye, that 'they' want to do everything they can to help the rise of the old time petty criminals, the tommy gun gangsters, the razor gangs, the people to cross the street for so they don't electronically rob you blind with that thing that looks like a mobile phone. That way you won't be thinking that 'they' are such big criminals after all. what do you think ?
 

Offline Delta

  • Super Contributor
  • ***
  • Posts: 1221
  • Country: gb
Re: Unfortunately bad use of technology - Flir
« Reply #46 on: August 26, 2015, 01:58:56 am »


The sole point of paywave is so that when there is a civil disobedience protest, 'they' can walk through the crowd and record the details of all the people 'they' don't like and deal with them later.

I assume you always pay cash for your weekly supply of tinfoil?

And please stop using large and/or coloured text.  Cheers.
 

Offline TheElectricChicken

  • Frequent Contributor
  • **
  • Posts: 480
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #47 on: August 26, 2015, 02:10:16 am »
The sole point of paywave is so that when there is a civil disobedience protest, 'they' can walk through the crowd and record the details of all the people 'they' don't like and deal with them later.

I assume you always pay cash for your weekly supply of tinfoil?

And please stop using large and/or coloured text.  Cheers.

actually I was trying to help people who are just skimming the page to notice that particular part. Thank you for copying it onto this page, it doubles the chances that people will see it.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7126
  • Country: ca
Re: Unfortunately bad use of technology - Flir
« Reply #48 on: August 26, 2015, 02:31:49 am »
I will be contacting Home Depot Merchant Credit Card customer service and ask them why I was not asked for my ID on such a large purchase.

You should check your Client Agreement first to see what is there, i.e. yours/their liability. It may well be they take all risk and you will not be liable if fraud happens. Still, they should have had a much smaller limit without requiring a PIN, i.e. not more than $100.
Facebook-free life and Rigol-free shack.
 

Offline Falcon69

  • Super Contributor
  • ***
  • Posts: 1482
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #49 on: August 26, 2015, 02:41:39 am »
For Credit Card Purchases....If it is under $50, just swipe and go, over $50 a Signature is required.  That is it.

With all the identity theft problems the World faces today, you think these people in office would make it harder for people to steal your identity and money.  Seems to me they are making it easier.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf