Shmoocon Demo Shows Easy, Wireless Credit Card Fraud
Sparrowvsrevolution writes with this excerpt from a Forbes piece recounting a scary demo at the just-ended Shmoocon: "[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer's credit card onstage and obtained the card's number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer's money with the counterfeit card she'd just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) ... A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses."
So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.
For your security, this post has been encrypted with ROT-13, twice.
Grounding a Faraday cage accomplishes two things:
1) The cage is made from a conductive material. If a hot wire shorts against it, and you touch the cage, you could be electrocuted. Grounding it is therefore prudent.
2) If anything inside the cage is trying to transmit, it turns the entire planet into its antenna. Your transmission is going to be pretty weak if you're trying to drive a planet-sized antenna with a few milliwatts of power. (Actually, no weaker than normal, but only if you're far enough away from the antenna that it looks like a point-source.)
Note the significant absence of "prevents radio signals from getting into the Faraday cage". It doesn't. Grounding has nothing to do with preventing radio signals from getting into the Faraday cage. The cage's mesh diameter is the only factor that affects which radio signals can get into the cage.
If you have an unusually thin wallet, that may work. But the attacker isn't going to get closer and closer to you until it works. That would be pretty silly, and rather conspicuous. They are going to bump up against you.
In a crowded commuter train or bus an attacker can inconspicuously bump his RFID-reader-containing backpack against 100 people without arousing suspicion while pushing his way from one end of the train to the other. On a less crowded train, he can put his reader under the seat in front of him (many transit agencies use thin fiberglass or plastic seats) and get it to within 1/4 inch of the seated passenger's back pocket wallet.
I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.
My RFID card key works 3 or 4 centimeters from the reader. Like you I usually slap it against the reader, but I'm not worried about making the reader suspicious about why I'm touching it. I've seen people who keep the card in their wallet do a butt touch on the reader and the card works fine through their wallet and clothes. If RFID card keys are any indication, then it would be trivial for a thief to get close enough to read the card without actually touching you - after all, pickpockets are already able to slip a wallet from a pocket undetected, so I think they can manage to get a card reader a few cm from your wallet without touching you.
I'm not sure how Credit Card RFID chips differ from the RFID chips used in passports, but Passport RFID readers with high gain antennas have been used to read a passport RFID chip from hundreds of feet away.