Author Topic: Unfortunately bad use of technology - Flir  (Read 23662 times)


Offline EEVblog

  • Administrator
  • *****
  • Posts: 38253
  • Country: au
    • EEVblog
Re: Unfortunately bad use of technology - Flir
« Reply #25 on: September 01, 2014, 06:18:08 am »
NFC is STUPID.  BECAUSE ALL YOUR INFO IS STORED ON THE CARD AS PLAIN TEXT RFID.

None of my 3 NFC credit cards (3 different banks, two mastercard, one VISA) show any usable ASCII data in any of the 16 segments using NFC Tag Info on my Android tablet.
What info does yours show?
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 38253
  • Country: au
    • EEVblog
Re: Unfortunately bad use of technology - Flir
« Reply #26 on: September 01, 2014, 09:12:16 am »
Strangely there is no massive fraud going on in Japan. Nobody thought of building a giant NFC antenna and sucking money off people's cards as they walk past. Maybe because it's a completely impractical attack, since you can't do card-to-card transactions. You can only do transactions as a registered payment processor, and clearly if you are a fraudster being a registered payment processor with a registered business and bank account is probably not such a good idea.

That's how I understood it, which is why I've never heard of any fraud in this area.
And I'm pretty sure you need more than the NFC data to make a copy of the card so you could go around buying stuff at under $100 a pop until it's reported stolen.

Quote
As for stealing the card, it's no worse with an NFC enabled card than with a traditional one. You still have to call your bank and cancel it, they still have to reverse any charges that were made.

It's better than before because the old signature system was nothing short of a joke, the signature is right there for you to copy, not that anyone checked it anyway, and you could use that for any amount. Now it limits them to sub $100 transactions, and no cash out transactions.

Quote
I love NFC, it's just so easy. No mucking about with cash.

Yep, I love it, and groan any time I have to actually enter a pin now, or any time someone fumbled cash or pin in the line in front of me.
 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2452
  • Country: gr
Re: Unfortunately bad use of technology - Flir
« Reply #27 on: September 01, 2014, 09:22:15 am »
I like using cash. I tend to spend more money when using electronic transactions. And in many cases it's faster too (e.g. systems that utilize the GSM network to verify the card).

Alexander.
Become a realist, stay a dreamer.

 

Online zapta

  • Super Contributor
  • ***
  • Posts: 6259
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #28 on: September 02, 2014, 02:05:35 am »
Yes, the secure key can't be read over NFC and uses tamper-proof memory for storage. Atmel make some, among others.

The other thing is that the card keeps a transaction history. If someone somehow did manage to clone your card the transactions wouldn't show up on it, so it would be obvious that they were fraudulent.

There is still the possibility of a man in the middle attack. You stand in a busy train, hacker A next to you has a reader that is connected to a remote hacker that makes purchases with your account. It will show up in your card's history.
 

Offline rs20

  • Super Contributor
  • ***
  • Posts: 2320
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #29 on: September 02, 2014, 02:14:12 am »
Yes, the secure key can't be read over NFC and uses tamper-proof memory for storage. Atmel make some, among others.

The other thing is that the card keeps a transaction history. If someone somehow did manage to clone your card the transactions wouldn't show up on it, so it would be obvious that they were fraudulent.

There is still the possibility of a man in the middle attack. You stand in a busy train, hacker A next to you has a reader that is connected to a remote hacker that makes purchases with your account. It will show up in your card's history.

Unless the card reader at the turnstiles has very strict constraints on how long the card has to respond to a request. Sure, it could probably be MITM hacked if you had a point-to-point two-way radio designed specifically for the job, but the moment you try to use any sort of packet-based radio, think public infrastructure (Wi-Fi or 4G), the latency would be so obviously through the roof.
 

Offline sacherjj

  • Frequent Contributor
  • **
  • Posts: 993
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #30 on: September 03, 2014, 04:07:27 am »
NFC is STUPID.  BECAUSE ALL YOUR INFO IS STORED ON THE CARD AS PLAIN TEXT RFID.

None of my 3 NFC credit cards (3 different banks, two mastercard, one VISA) show any usable ASCII data in any of the 16 segments using NFC Tag Info on my Android tablet.
What info does yours show?

There are apps all about that will print out the plain text of the NFC data.  I can see the full card number and exp dates and other info that is used to do the NFC PoS transaction.
 

Offline sacherjj

  • Frequent Contributor
  • **
  • Posts: 993
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #31 on: September 03, 2014, 08:45:07 pm »
There are apps all about that will print out the plain text of the NFC data.  I can see the full card number and exp dates and other info that is used to do the NFC PoS transaction.

You mean the same stuff that is printed on the face of the card? That isn't all that is required for an NFC payment. There is a cryptographic challenge/response that uses data which cannot be read out of the chip, even with debugging tools. The information isn't enough to do online payments either, as it doesn't include the CVV code printed on the back of the card.

Yep, the same things that are printed on the front of the card.  The same things that can "clone" the card into the Android device and repeat it to NFC sales locations to make transactions on my card without my authorization.   

The only NFC purchase I made with the card, before I cancelled the account due to insanely stupid security around these, had no action required on my part other than moving the card over the display until it beeped.  It really didn't care if it was my card or a copy of my card.
 

Offline rs20

  • Super Contributor
  • ***
  • Posts: 2320
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #32 on: September 03, 2014, 10:30:57 pm »
Yep, the same things that are printed on the front of the card.  The same things that can "clone" the card into the Android device and repeat it to NFC sales locations to make transactions on my card without my authorization.   

The only NFC purchase I made with the card, before I cancelled the account due to insanely stupid security around these, had no action required on my part other than moving the card over the display until it beeped.  It really didn't care if it was my card or a copy of my card.

Maybe you're talking about a particularly poor specific implementation of an NFC payment system. But well-designed NFC payment systems use a challenge-response based security system (or similar) that means you can't just read the entire state of the card; so it's practically impossible to have an Android device usefully clone a (well-designed) NFC payment card.
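
The challenge-response argument above, as a simplified model (an added example, not part of the original post and not the EMV protocol). The HMAC-SHA256 construction, the counter scheme and every name here are assumptions chosen for illustration, and the card number is a constructed value.

```python
import hashlib
import hmac
import os


def payment_mac(key, challenge, amount_cents, counter):
    """MAC over everything that makes this one payment unique."""
    msg = challenge + amount_cents.to_bytes(8, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Toy contactless card: static data is readable, the key is not."""

    def __init__(self, pan, expiry, key, counter=0):
        self.public = {"pan": pan, "expiry": expiry}  # what a reader app can dump
        self._key = key            # stands in for the secret in protected memory
        self._counter = counter    # transaction counter, bumped on every payment

    def respond(self, challenge, amount_cents):
        """Answer a terminal challenge with (counter, MAC)."""
        self._counter += 1
        return self._counter, payment_mac(self._key, challenge, amount_cents, self._counter)


class Issuer:
    """Knows each card's key and the highest counter it has accepted."""

    def __init__(self):
        self._keys = {}
        self._last = {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last[pan] = 0

    def authorize(self, pan, challenge, amount_cents, counter, tag):
        key = self._keys.get(pan)
        if key is None or counter <= self._last[pan]:
            return False           # unknown card, or counter already used
        if not hmac.compare_digest(payment_mac(key, challenge, amount_cents, counter), tag):
            return False           # response was not made with the card's key
        self._last[pan] = counter
        return True


def demo():
    pan, key = "4000000000000002", os.urandom(32)   # constructed sample values
    issuer = Issuer()
    issuer.enroll(pan, key)
    card = Card(pan, "12/29", key)

    c1 = os.urandom(8)                               # terminal's fresh challenge
    ctr, tag = card.respond(c1, 1500)
    genuine = issuer.authorize(pan, c1, 1500, ctr, tag)

    # Copy built only from the readable fields: it has no way to learn the key.
    copy = Card(card.public["pan"], card.public["expiry"], os.urandom(32), counter=ctr)
    c2 = os.urandom(8)
    ctr2, tag2 = copy.respond(c2, 1500)
    clone = issuer.authorize(pan, c2, 1500, ctr2, tag2)

    # Recorded genuine response presented again to a new challenge.
    replay = issuer.authorize(pan, os.urandom(8), 1500, ctr, tag)
    return {"genuine": genuine, "clone": clone, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The model only shows why readable card data and a recorded response are not enough on their own; it says nothing about the relay case raised earlier in the thread, where the real card answers the real challenge.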
 

Offline sacherjj

  • Frequent Contributor
  • **
  • Posts: 993
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #33 on: September 03, 2014, 10:37:40 pm »
Yep, the same things that are printed on the front of the card.  The same things that can "clone" the card into the Android device and repeat it to NFC sales locations to make transactions on my card without my authorization.   

The only NFC purchase I made with the card, before I cancelled the account due to insanely stupid security around these, had no action required on my part other than moving the card over the display until it beeped.  It really didn't care if it was my card or a copy of my card.

Maybe you're talking about a particularly poor specific implementation of an NFC payment system. But well-designed NFC payment systems use a challenge-response based security system (or similar) that means you can't just read the entire state of the card; so it's practically impossible to have an Android device usefully clone a (well-designed) NFC payment card.

This is the only system I have used from a standard American bank.  The only real way American banks know how to do things is poorly.
 

Offline Delta

  • Super Contributor
  • ***
  • Posts: 1221
  • Country: gb
Re: Unfortunately bad use of technology - Flir
« Reply #34 on: August 25, 2015, 07:29:34 pm »
Could it be vulnerable to relay attacks like RFID based vehicle keyless entry systems, due to the "proximity means authenticity" thing?

media.hacking-lab.com/scs3/scs3_pdf/SCS3_2011_Capkun.pdf
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: Unfortunately bad use of technology - Flir
« Reply #35 on: August 25, 2015, 07:55:56 pm »
You need the card for payments but there are plenty of door keypads that don't require a key/token, so might be a problem there.

The crappy security on bank cards is because the banks aren't held responsible for skimming, the consumer takes all the risk. Because of that banks have no incentive to improve security, in fact it would even be illegal for them in certain countries since it would be an unnecessary (from the bank's perspective) expense that reduces profit for the shareholders.
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6858
  • Country: nl
Re: Unfortunately bad use of technology - Flir
« Reply #36 on: August 25, 2015, 08:44:00 pm »
Banks had to repay skimming fraud to consumers here, but one way or another we'll always be paying for it. They are completely reactive, they have very little capacity to think like a fraud (well a technical fraud, fraudulently using/avoiding the law they're much better at). It took years of MitM attacks on internet banking for my bank to do something (they now use a small dedicated device which reads a code from the screen of your computer display and then shows the transaction data on it and a code to authorize it, you don't have to rely on what you see on the computer screen).

It would have cost less than a cent per reader to do ToF distance detection/limiting with NFC. Of course compared to the idiocy that is SEPA in the EU it's small potatoes ...

« Last Edit: August 25, 2015, 09:21:11 pm by Marco »
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5833
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #37 on: August 25, 2015, 09:30:18 pm »
One light tap with a hammer via a flat-ended punch, on the location of the chip inside the card puts an end to that 'no contact RF' stuff. Didn't ask for it, don't want it.
The result is you have to insert the card in POS terminals (twice) till it figures out that the chip is broken and doesn't work with the contacts either. Then you can just swipe the magnetic strip and enter your PIN.

I find it interesting that the readers won't accept a mag stripe swipe first, until they have been told (twice) that the chip is broken. That bit of logic suggests the aim is to phase out mag stripes entirely.

The problem with this method is most of the new pin pads these days don't have mag readers anymore. It's either RF or the chip. I almost exclusively use card for everything and I'd probably have to say that at least half of the readers I come across don't support mag stripe (mostly Ingenico and Quest branded units).

Is there a way you can break the NFC antenna leaving the chip intact? If it doesn't stop NFC completely, it would at least severely limit its range.

Not sure what kind of card this is but would all cards be made this way?...
« Last Edit: August 25, 2015, 09:37:40 pm by Halcyon »
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13879
  • Country: gb
    • Mike's Electric Stuff
Re: Unfortunately bad use of technology - Flir
« Reply #38 on: August 25, 2015, 11:11:46 pm »
Is there a way you can break the NFC antenna leaving the chip intact? If it doesn't stop NFC completely, it would at least severely limit its range.
Yes - the antenna is a fairly large coil - search google images for credit card x-ray for some examples.
It's occasionally visible if you shine a very bright light through the card.
A small hole, or cut at the edge to break the coil would disable the NFC functionality.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: Unfortunately bad use of technology - Flir
« Reply #39 on: August 25, 2015, 11:58:53 pm »
Banks had to repay skimming fraud to consumers here, but one way or another we'll always be paying for it.
I believe the Banks here covered some of the obvious skimming frauds that got media attention but they were not legally obligated to. The reasoning by the court was along the lines that it would put an unreasonable burden on the banks to prove if there was an actual fraud or not. The root cause of the problem however was the non existent security in the cards to begin with, and it's the banks that want us to stop using cash in the first place since card systems are so profitable for them. So even though it was their negligence of security that caused the problem, since the burden of evidence was put on the consumer they really didn't have any incentive to fix it until it became a huge problem exploited by organised crime.

they now use a small dedicated device which reads a code from the screen of your computer display and then shows the transaction data on it and a code to authorize it, you don't have to rely on what you see on the computer screen
Interesting, so it has a camera you hold up to the screen? Or just a photo diode?
« Last Edit: August 26, 2015, 12:01:51 am by apis »
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6858
  • Country: nl
Re: Unfortunately bad use of technology - Flir
« Reply #40 on: August 26, 2015, 12:59:38 am »
Yeah it has a camera, it shows what it's looking at on the screen of the device so you can point it correctly.

NFC is small potatoes compared to skimming and internet banking fraud, it's only a single relatively small payment for something hard to convert into cash and you can't really obscure your face from security cameras so if it gets discovered they have your mugshot.

PS. of course a lot of people won't verify the account number on the device, those people will be screwed in the case of a MITM attack ... but at least verified merchants get to show the company name instead of their bank account numbers, so you don't always have to check the account number.
« Last Edit: August 26, 2015, 01:05:19 am by Marco »
 

Offline TheElectricChicken

  • Frequent Contributor
  • **
  • Posts: 480
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #41 on: August 26, 2015, 01:07:00 am »
 

Offline TheElectricChicken

  • Frequent Contributor
  • **
  • Posts: 480
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #42 on: August 26, 2015, 01:10:04 am »
oh and then the heavies forced him to retract everything he said, I can't be bothered even watching that one, probably every bit as riveting as ' who killed the electric car ' part two.

The paywave thing, it's just to tag and identify everyone. As to how far away it can be read, it depends with what. Certainly tens of meters with a decent covert-use designed reader, and any hacker could get several meters out of them. There are plenty of people at the checkouts with stories of how someone else had accidentally used their card on the checkout behind them without realizing it and so on.

The sole point of paywave is so that when there is a civil disobedience protest, 'they' can walk through the crowd and record the details of all the people 'they' don't like and deal with them later.
« Last Edit: August 26, 2015, 01:15:48 am by TheElectricChicken »
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6858
  • Country: nl
Re: Unfortunately bad use of technology - Flir
« Reply #43 on: August 26, 2015, 01:39:21 am »
AFAICS for the same SNR the area of your "antenna" has to increase by a square of the distance.
 

Offline Falcon69

  • Super Contributor
  • ***
  • Posts: 1482
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #44 on: August 26, 2015, 01:49:46 am »
Well Here's one for you, talking about security with credit cards....

I recently made a purchase of $600+ on my Home Depot credit card.  After I swiped the card and signed, the lady gave me the receipt.  I asked her why she did not ask for my ID and that I could have been anyone (the purchase only required signature, NOT PIN) who found or stole the card and used it to buy these new tools.  Her reply was, "Oregon recently passed a privacy law and we are no longer allowed to ask for your ID for any purchases, unless you appear to be under 35 and purchasing alcohol or cigarettes." 

Man, I hope that is NOT true. I was very upset. I haven't had time yet, but I will be contacting Home Depot Merchant Credit Card customer service and ask them why I was not asked for my ID on such a large purchase.


EDIT:  Holy crap!  The first google search came up with this!
https://www.privacyrights.org/ar/Alert-FS15.htm
Man I am pissed.
« Last Edit: August 26, 2015, 01:51:28 am by Falcon69 »
 

Offline TheElectricChicken

  • Frequent Contributor
  • **
  • Posts: 480
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #45 on: August 26, 2015, 01:58:21 am »
I was not asked for my ID on such a large purchase.
EDIT:  Holy crap!  The first google search came up with this!
https://www.privacyrights.org/ar/Alert-FS15.htm
Man I am pissed.

Yeah, I think the basic idea here is that 'they' have become such completely obvious criminals in the public eye, that 'they' want to do everything they can to help the rise of the old time petty criminals, the tommy gun gangsters, the razor gangs, the people to cross the street for so they don't electronically rob you blind with that thing that looks like a mobile phone. That way you won't be thinking that 'they' are such big criminals after all. what do you think ?
 

Offline Delta

  • Super Contributor
  • ***
  • Posts: 1221
  • Country: gb
Re: Unfortunately bad use of technology - Flir
« Reply #46 on: August 26, 2015, 01:58:56 am »


The sole point of paywave is so that when there is a civil disobedience protest, 'they' can walk through the crowd and record the details of all the people 'they' don't like and deal with them later.

I assume you always pay cash for your weekly supply of tinfoil?

And please stop using large and/or coloured text.  Cheers.
 

Offline TheElectricChicken

  • Frequent Contributor
  • **
  • Posts: 480
  • Country: au
Re: Unfortunately bad use of technology - Flir
« Reply #47 on: August 26, 2015, 02:10:16 am »
The sole point of paywave is so that when there is a civil disobedience protest, 'they' can walk through the crowd and record the details of all the people 'they' don't like and deal with them later.

I assume you always pay cash for your weekly supply of tinfoil?

And please stop using large and/or coloured text.  Cheers.

actually I was trying to help people who are just skimming the page to notice that particular part. Thank you for copying it onto this page, it doubles the chances that people will see it.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7041
  • Country: ca
Re: Unfortunately bad use of technology - Flir
« Reply #48 on: August 26, 2015, 02:31:49 am »
I will be contacting Home Depot Merchant Credit Card customer service and ask them why I was not asked for my ID on such a large purchase.

You should check your Client Agreement first to see what is there, i.e. yours/their liability. It may well be they take all risk and you will not be liable if fraud happens. Still, they should have had a much smaller limit without requiring a PIN, i.e. not more than $100.
Facebook-free life and Rigol-free shack.
 

Offline Falcon69

  • Super Contributor
  • ***
  • Posts: 1482
  • Country: us
Re: Unfortunately bad use of technology - Flir
« Reply #49 on: August 26, 2015, 02:41:39 am »
For Credit Card Purchases....If it is under $50, just swipe and go, over $50 a Signature is required.  That is it.

With all the identity theft problems the World faces today, you think these people in office would make it harder for people to steal your identity and money.  Seems to me they are making it easier.
 

