Slashdot Mirror


Android App Lets You Steal Contactless Credit Card Data

mask.of.sanity writes "An Android application capable of siphoning credit card data from contactless bank cards has appeared on the Google Play store. The app was developed by a security penetration tester for research purposes and will steal card numbers and expiry dates, along with transactions and merchant IDs. It requires a near field device capable phone, or accessory."

4 of 221 comments

  1. Re:Anyone surprised? by oPless · Score: 4, Informative

    Not entirely true.

    Not all merchants in the world have Chip+Pin (which is terribly broken anyhow) and CSC is not taken by all merchants in the world either.

    Card numbers and expiry dates are all you need.

    Yes, outside Australia, the UK and (I think) the EU the uptake of CSC and Chip and Pin is rather low.

  2. Re:Anyone surprised? by Joce640k · Score: 4, Informative

    Here in Spain (and rest of Europe?) all physical stores require a PIN when you pay with plastic. Most online stores send a six digit code to my mobile phone which I have to enter on the web site to authorize the transaction.

    Even if you find my card in the street it won't help you much. You need my PIN and/or cellphone too.

    --
    No sig today...

  3. I confirm this in another response by SmallFurryCreature · Score: 4, Informative

    I can vouch that this is true; I have had to implement it like this myself. It is often marked as required but never actually checked.

    Three reasons: the web master is afraid of putting up any hurdles to a purchase.

    During testing, the CVC check is often disabled, so its proper functioning can only be tested on a live account.

    And lastly, not every card has it, and so the idea exists with web shop owners that if they enforce it, they might lose X% of customers.

    If you happily filled in your number correctly for years, that is no proof it was ever checked. Welcome to online purchasing!

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.
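The point of the comment above is that a CVC field marked "required" in a form proves nothing unless the merchant's back end actually checks the result the gateway returns, and that sandbox accounts often skip the check entirely. The following is an added example (not code from the thread, and not any real gateway's API): a fail-closed acceptance policy in which only a positive CVC match counts, a skipped or unknown check is treated as a failure, and a sandbox "not processed" result is flagged so it cannot pass silently into production. The response codes, the `GatewayResponse` shape and the sample transactions are constructed for illustration.

```python
"""Fail-closed handling of a payment gateway's CVC verification result.

Added example; the response codes below are constructed and do not belong to
any real gateway. Map a real gateway's codes into the same enum before use.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class CvcResult(Enum):
    MATCH = "M"           # issuer checked the CVC and it matched
    NO_MATCH = "N"        # issuer checked the CVC and it did not match
    NOT_PROCESSED = "P"   # check was skipped (sandbox account, issuer unsupported)
    NOT_PROVIDED = "S"    # merchant sent no CVC to the gateway
    UNAVAILABLE = "U"     # issuer returned no result


@dataclass
class GatewayResponse:
    approved: bool         # authorization approved by the issuer
    cvc_result: CvcResult  # separate from approval: an approval can carry a failed CVC


def parse_cvc_code(code: str) -> CvcResult:
    """Map a raw gateway code to CvcResult; unknown codes fail closed as UNAVAILABLE."""
    try:
        return CvcResult(code.upper())
    except ValueError:
        return CvcResult.UNAVAILABLE


def cvc_was_verified(resp: GatewayResponse) -> bool:
    """Only an approval with a positive MATCH counts; anything else means the
    check failed or never happened."""
    return resp.approved and resp.cvc_result is CvcResult.MATCH


def accept_order(form_cvc: Optional[str], resp: GatewayResponse,
                 *, sandbox: bool) -> Tuple[bool, str]:
    """Decide whether to fulfil an order. Returns (accepted, reason)."""
    # 1. Enforce presence and shape server-side; an HTML 'required' attribute is not a check.
    cvc = (form_cvc or "").strip()
    if not cvc.isdigit() or len(cvc) not in (3, 4):
        return False, "cvc_missing_or_malformed"
    # 2. Sandbox gateways commonly skip the CVC check; surface that instead of
    #    letting a "not processed" result look like a pass during testing.
    if sandbox and resp.cvc_result is CvcResult.NOT_PROCESSED:
        return False, "cvc_not_checked_in_sandbox"
    # 3. Fail closed: an issuer approval without a CVC match is not enough.
    if not cvc_was_verified(resp):
        return False, "cvc_" + resp.cvc_result.name.lower()
    return True, "ok"


# Constructed sample transactions: (CVC typed into the form, approved?, raw gateway code)
SAMPLE_RESPONSES = [
    ("123", True, "M"),   # genuine cardholder: CVC checked and matched
    ("123", True, "N"),   # approved by issuer, but CVC was wrong
    ("123", True, "P"),   # approved; the check never ran
    (None, True, "S"),    # approved; no CVC was sent at all
    ("12a", True, "M"),   # malformed form input
]


def audit(samples: List[Tuple[Optional[str], bool, str]], sandbox: bool = False) -> Tuple[int, int]:
    """Compare how many orders a naive 'approved is enough' policy would accept
    against the fail-closed policy above. Returns (naive_accepted, strict_accepted)."""
    naive = sum(1 for _, approved, _ in samples if approved)
    strict = sum(
        1 for cvc, approved, code in samples
        if accept_order(cvc, GatewayResponse(approved, parse_cvc_code(code)), sandbox=sandbox)[0]
    )
    return naive, strict


if __name__ == "__main__":
    naive, strict = audit(SAMPLE_RESPONSES)
    print(f"naive policy accepts {naive} of {len(SAMPLE_RESPONSES)}, fail-closed accepts {strict}")
```

Running the audit over the constructed samples shows the gap the comment describes: all five "approved" authorizations pass a policy that looks only at approval, while only the one with an actual CVC match passes the fail-closed policy. The sandbox flag exists because a test account that returns "not processed" for every transaction would otherwise make the check look like it works right up until the live account starts returning real results.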

  4. Re:Anyone surprised? by jjhall · Score: 4, Informative

    There is so much wrong with that comment that I don't even know where to start...

    First of all, most retailers do not have "insurance" that covers fraud. Yes, accidental liability insurance for legit (or less than legit) accidents. As far as merchandise goes, they simply "write off" any loss of products in whatever form (shoplifting, credit card fraud, bad checks, damaged, etc.); in the retail industry we call this "shrink." In that aspect you are correct. Insurance is a gambling game: the insurance company is betting they'll pay out less than the insured has in claims. Something like shrink, which is all but guaranteed to happen, is not something an insurance company is going to be offering. They may have some policies on individual high-ticket items in some cases, but I don't know of any "umbrella" shrink insurance available.

    Where you really go astray is in saying this "write off" is a "victimless" crime. Let's take your example of walking into a store and buying a $1000 TV with a stolen card. Right off the bat, the merchant will pay somewhere in the 1-3% range to take that card, depending on its card processing volume, card brand and type and other factors. Let's just say 2% to make it easy and call it $20. Anywhere from 1-90 days later (more in some cases) the merchant receives a chargeback request from the card processor, saying the cardholder is disputing the charge. Merchant sends all required information, but since the cardholder wasn't actually the one using the card, the dispute is successful. Merchant now has $1000 removed from their account, along with a $25 chargeback fee. They've now spent $45 out of pocket, plus they're out the merchandise which probably cost them closer to $800 (electronics themselves don't have that high of a markup rate, unlike accessories like cables.) All said and done the merchant lost $845 tangible costs, plus intangible costs like the employee time required to stock that item on the shelves, the cashier's time to run that transaction, etc. Where the retailer would have made $200 on the item, they now have to sell 5 of them to make up for the one lost item and have a little profit.

    Now do you think the merchant is just going to accept that loss and move on? Of course not; they have sales numbers and profit margins they expect to maintain. If they have no control over whether that item left (at the time of the sale they had a card approval and no reason to suspect otherwise), what can they control? They can control the price they charge for all of their items. Retailers expect to have a certain percentage of shrink, so that percentage of profit is added back into every item they sell in the form of higher prices. When shrink goes up over time, retail prices go up accordingly. If the retail market won't support higher prices, then costs must be cut by means of reduced personnel and other means, or they close their doors completely.

    What this means in the end is that you and I, along with every other honest customer, are the victims. Because of this credit card fraud, we pay higher prices and deal with reduced service levels at the stores. Even if there is a shrink insurance that some retailers may have, the money to pay for the premiums and deductibles would be passed down to us in the same way.

    Enforcement for any retail fraud, including shoplifting, seems to take a back burner for police. Unless the retailer has the person detained (which can be a whole new can of worms) police are very unlikely to pursue the case, even if the retailer has positive identification and video of the person leaving the establishment with the merchandise. Even if they do, prosecution is likely to plea it down to a lesser charge so the person gets a slap on the wrist and is free to go do it again, learning from the mistake of getting caught. Credit card fraud is even worse because it involves coordinating with out-of-state organizations such as the card processor, the actual cardholder if it wasn't a local theft of the card itself, etc.