Android App Lets You Steal Contactless Credit Card Data

mask.of.sanity writes "An Android application capable of siphoning credit card data from contactless bank cards has appeared on the Google Play store. The app was developed by a security penetration tester for research purposes and will steal card numbers and expiry dates, along with transactions and merchant IDs. It requires a near field device capable phone, or accessory."

Anyone surprised?

[dyingtolive]

Really. Broadcast data can be intercepted by anyone with the ability to receive?

Re:Anyone surprised?

[dyingtolive]

Without being quite so rude as the AC who responded, yeah, this, basically. I mean, I'm no expert. The only cards I've ever had are the good old fashioned magnetic strip variety, but I'm pretty sure that if you have that info, you're basically in.

Re:Anyone surprised?

[Inda]

I'm not the AC.

Without the Card Security Code (CSC) on the back, all that information would be useless. The CSC is not stored digitally on the card.

Cloning wouldn't work either. My Chip 'n PIN would stop that.

Tard.

Re:Anyone surprised?

[Hentes]

Except if they use secure encryption, it's not magic.

Re:Anyone surprised?

[DogDude]

"You need the 3 digit "security code" for online purchases"

No, you don't.

Re:Anyone surprised?

[oPless]

Not entirely true.

Not all merchants in the world have Chip+Pin (which is terribly broken anyhow) and CSC is not taken by all merchants in the world either.

Card numbers and expiry dates are all you need.

Yes, outside Australia, the UK and (I think) the EU the uptake of CSC and Chip and Pin is rather low.

Re:Anyone surprised?

[SJHillman]

Depends on the site. The vast majority of sites do require it.

Re:Anyone surprised?

[lucaq]

yes it would, it is, and it has been demonstrated. I will look up a link for you.

Re:Anyone surprised?

[dyingtolive]

Okay, you couldn't use it for online purchases, but at a brief glance, you can get magnetic card encoders for 150+ USD. Not sure about whatever tech they use for the contactless style ones, but here's what I'm thinking:

Step 1: Steal contactless CC data.
Step 2: Burn semi-realistic magnetic card with CC data. Emboss the number on the front. 99% of all retail employees will not look twice at the card.
Step 3: Profit.

You don't need the security code for purchases made in person, and if you're doing this in person, you can probably speculate what the zip code is for the few places that even ask for that. Granted, this requires making purchases in person, so you're subject to video surveilance for anyone who REALLY wants to come after you, but since you can repeat this process, it's essentially a use one, throwaway kind of thing.

Re:Anyone surprised?

Think about it- the data given in the contact-less credit card data is enough for someone to use the contact-less payment system. The only thing really protecting you would be how frequently you use the card.

Re:Anyone surprised?

[lucaq]

http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

Re:Anyone surprised?

[lucaq]

Even if you did, that is included in what is skimmed, a one-time use CVV

Re:Anyone surprised?

[dyingtolive]

The problem with that is that you have no guarantee they do, short of getting one of these cards and doing this yourself to see just how the data is encoded.

Re:Anyone surprised?

[Kotoku]

It is pretty easy to get an empty pre-paid credit card and clone the mag strip of the card data you just swiped. So the data is indeed pretty valuable for in person purchases.

Re:Anyone surprised?

[dav1dc]

Is it just me, or is NFC technology not quite near enough to be secure?!?! :S

Re:Anyone surprised?

[Thanshin]

Yes. Pleasantly surprised.

It proves that the Android app store is not strongly censored.

Re:Anyone surprised?

[kelemvor4]

Yes, outside Australia, the UK and (I think) the EU the uptake of CSC and Chip and Pin is rather low.

As are nfc capable phones.

Re:Anyone surprised?

[drunkennewfiemidget]

Canada. We have chip & pin and it's pretty prevalent.

Re:Anyone surprised?

[AuMatar]

I received a new credit card about two year ago, my old one expired. 3 months ago, a website denied my card. After a few double checks, I found out the problem. The new card had the same number, but a different code. The code I had entered was th one from the old card, 2 years old. Every single place until then I had tried it at had accepted the old code, for two years.

Oh, and many places, including most pay by phones and about 1/3-1/2 of websites I go to don't ask for it. So not only do you not need it to bilk someone, but you don't even need the right one most of the time. I'm not even convinced that a random 3 digits wouldn't work for most of them if a 2 year old code did.

Re:Anyone surprised?

Better yet send him the article and bill it to his card. Then he will be impressed.

Re:Anyone surprised?

[plate_o_shrimp]

Okay, you couldn't use it for online purchases, but at a brief glance, you can get magnetic card encoders for 150+ USD. Not sure about whatever tech they use for the contactless style ones, but here's what I'm thinking:

Step 1: Steal contactless CC data.

Step 2: Burn semi-realistic magnetic card with CC data. Emboss the number on the front. 99% of all retail employees will not look twice at the card.

Step 3: Profit.

You don't need the security code for purchases made in person, and if you're doing this in person, you can probably speculate what the zip code is for the few places that even ask for that. Granted, this requires making purchases in person, so you're subject to video surveilance for anyone who REALLY wants to come after you, but since you can repeat this process, it's essentially a use one, throwaway kind of thing.

Or,
2a: Burn numbers into some other magnetic card (even a customer loyalty card will work, so I'm told). Use cloned card at self-checkout, gas pump, or other unattended POS system. No need to emboss or even disguise the card.
3: Profit!

I know this works, because my CC info has been stolen twice in the last year and used to make cloned cards (the cloned cards were used at a brick-and-mortar store which is how I know the card was physically cloned). The first time was February, the second time was yesterday. Still don't know where the breach is occurring. I don't shop anywhere sketchy....

Granted the numbers were probably not stolen via the mechanism this story is about, but once you have the numbers the procedure is the same.

Re:Anyone surprised?

[Joce640k]

Here in Spain (and rest of Europe?) all physical stores require a PIN when you pay with plastic. Most online stores send a six digit code to my mobile phone which I have to enter on the web site to authorize the transaction.

Even if you find my card in the street it won't help you much. You need my PIN and/or cellphone too.

Re:Anyone surprised?

[dyingtolive]

That sounds like a step in the right direction. I've often wished that there was some sort of SecurID type thing you could get implemented for your credit card, but I often wonder if that's beyond the ability of the average person to use. Even then, it's still breakable, but it's much more difficult.

Re:Anyone surprised?

[gagol]

You can add Canada to the list.

Re:Anyone surprised?

[DogDude]

That's irrelevant. Any credit card can be processed by anybody with a merchant account with just the number and the expiration date.

Re:Anyone surprised?

[fluffythedestroyer]

Even with wired devices, your not safe anymore. Look here for the info...it's really scary stuff now.

Re:Anyone surprised?

[L4t3r4lu5]

Are contactless cards shipped in Faraday cage envelopes? If not, can the card numbers be lifted before the card reaches the recipient?

Re:Anyone surprised?

[petermgreen]

The criminals don't have to use the stolen details in the country they stole them from.

Re:Anyone surprised?

[L4t3r4lu5]

I would swap to any bank which enabled OTP authentication for transactions.

Why can't you have an app / device into which you put your card number (or the card itself), the amount, and the merchant ID and have it output a code to give to the merchant? Date / time can be set by GSM signal, or by serial number and timing like RSA tokens. Hell, secure it with a PIN number as well if you must.

This idea seems so easy to implement, would work online and offline, and would make card fraud next to impossible without the card, the reader, and the pin number.

Re:Anyone surprised?

[dyingtolive]

Very similar to Van Eck phreaking. Scary that they pulled it off with a keyboard, and at such range.

Check this

Re:Anyone surprised?

[Verunks]

obligatory http://xkcd.com/538/

Re:Anyone surprised?

[History's+Coming+To]

Chip 'n PIN is easy to defeat anyway, steal the card, put a few volts through the chip to fry it, then it will automatically fall back on the signature, which is handily represented on the card so you can learn to copy it in an hour or so. It's almost as if the bank companies can make money from their customer's accounts being insecure.

Re:Anyone surprised?

[cdrguru]

In the US credit card fraud is essentially not prosecuted. Which means you can be in line next to a uniformed police officer and hand the clerk a card that the clerk is told (phone, terminal, cash register system, whatever) to confiscate the card. Nothing happens.

I suppose you could hand the clerk an obviously hand-forged credit card and again, nothing would happen. Video surveilance is meaningless for this because it is a non-prosecuted crime. Which is why there is so much of it.

But the important aspect of this is that it is pretty much a victimless crime today in the US. OK, so I drop my card on the street and some enterprising youth picks it up and decides to renew his five different World of Warcraft accounts. My credit card company sees this and flags it as fraud. Sorry, no renewals. Oh, Blizzard gets dinged for a chargeback but they have insurance for this or they just write it off. Same thing happens if the card gets used in a store and the person walks out with $1000 flat screen TV. The fraud might not get caught immediately, but it probably does. Even if it doesn't I can dispute the charge and it comes off immediately and is charged back. The merchant is out the TV (probably cost them $500) and the chargeback but again, they certainly have insurance for this or they have no business operating a retail store. The same insurance covers them when someone fakes a slip-and-fall and wants to sue for millions of dollars.

As far as I know, no card holder has ever had to pay for fraudulent use of a credit card or credit card number. Also, as far as I know nobody ever in the US has been charged with any crime using a credit card or credit card number in a fraudulent manner. Heck, I had a card stolen from a relative's house and the police refused to pursue it even when we knew who had the card and they were trying to buy stuff with it.

Couple this with the fact that you can sell credit card info for about $0.50 each today and you can see where this goes. I am not sure if the situation is the same in other countries - clearly with debit cards it is not - but the situation in the US is very much like the justification for bank robbery - you aren't stealing anything except some insurance money. And if insurance companies didn't have to pay out once in a while nobody would buy the insurance. So it is a win-win for everyone.

Re:Anyone surprised?

[Jane+Q.+Public]

I made this point last year. No matter how "low power" you make it, if it uses RF it can be detected at a distance with the proper equipment.

Remember the security researcher who read passport RFIDs in people's pockets 30 feet away, from inside his car, in San Francisco? All it takes is a well-designed and large enough antenna. It could also be 30 feet away, and even behind a wall.

Nobody paid any attention to me. Well... guess what? Not only are they being intercepted -- and it doesn't even take special equipment -- they are being decrypted, as well.

NFC has always been a Bad Idea.

Re:Anyone surprised?

[History's+Coming+To]

This is an additional system which allows you to pay small amounts (typically less than $20) without having to insert the card into a machine. This is required because customers and retailers are spending several seconds per transaction inserting cards and typing PINs, which is clearly unacceptable and there is no alternative for small purchases, such as small fixed value tokens in paper or metal form.

I'm not at all surprised it's been cracked, the obvious application is to set up a merchant account with an offshore company and then walk through a crowded place (bar, sporting event) stealing a few dollars from those standing around you. A few hours work should net a decent living and most people won't question a $5 charge in a bar. This has been obvious since the system was introduced.

Re:Anyone surprised?

[cdrguru]

This is clearly not really the case, although you might think it is.

One obvious fallacy is if I (from the US) come in with my PIN-less credit card and want to make a purchase. No PIN exists, so what are they going to do? Telling me to go away is not a winning strategy. So someone comes in with a re-striped card without a PIN and they are going to be able to pay just like I can.

I suspect the store isn't sending the code but the card issuer. Great for validation but it sucks for the folks trying to use stolen credit card information.

You see, in the US the card holder, the card issuer and the card organization (VISA or MasterCard) don't care about fraud. For everyone but the merchant it is meaningless and the merchant just has insurance to cover their losses due to fraud. So it is important for things to be as easy as possible for people getting stuff with stolen credit card information. Well, I guess you would need to call it "borrowed" because they really haven't stolen anything - just made a copy.

And nobody is ever prosecuted for this sort of stuff, unless you do something wild and crazy with a million credit card numbers.

I do not see this situation changing, ever. Why would it? It doesn't really affect anyone except the cardholder who has to get a new card with a different number. Yes, some people get away with buying stuff that nobody ever pays for, but the merchant is covered by insurance so they lose nothing. Certainly the insurance companies don't want it to change because then nobody would buy the insurance.

Re:Anyone surprised?

[Ironhandx]

And there needs to be more uproar about this. Chip and pin is ridiculously easy to defeat. They used to steal data from the mag strips and get your pin before the banks made ATMs that were resistant to the type of tampering required to get an additional mag stripe reader into them.

Now all they need is an RFID reader and a camera set an an ATM anywhere and they can pick up every fucking card in your wallet from 6-10 feet away plus have your pin with a camera that could be set up with a good zoom up to 100ft away. You can literally throw an RFID reader into the plastic trash can with a wireless transmitter on it and get every single card that passes the atm that day, then have the evidence (the RFID reader) destroyed for you because the banks incinerate their garbage.

Re:Anyone surprised?

[rjforster]

As I understand it, in the UK you can pay up to 15 UKP by only holding the contactless card near the reader. Yes, in some cases they will ask for your PIN but below 15 they don't always.

The £15 value is chosen by the banks, it was 10 when the tech was introduced in this country and I think it is going up again soon.

Re:Anyone surprised?

[Ariven]

Do you check all atms, gas pumps, etc that you use for card skimmers? http://krebsonsecurity.com/all-about-skimmers/ , http://www.thelocal.de/national/20110818-37041.html and http://boston.cbslocal.com/2011/11/17/atm-skimming-device-found-at-eastern-bank-in-taunton/

They are getting pretty good at making realistic ones. And in some cases have gotten them inside gas pumps.

Re:Anyone surprised?

[MrAngryForNoReason]

Chip and pin is ridiculously easy to defeat.

Now all they need is an RFID reader

Chip and pin has nothing to do with near field devices or RFID. The chip and pin system uses an exposed chip on the surface of the card. This chip is read by a chip and pin reader when the card is inserted. The user must then input their pin. You can't read them at a distance, the exposed chip needs to be in contact with the reader circuitry. This article isn't about chip and pin it is about near field devices used for contact-less payments.

they can pick up every fucking card in your wallet from 6-10 feet away

The near field communication devices used for contact-less payments have a range of about 4cm. I guess if you slapped someone on their ass you might be able to get a read on a card in their back pocket but reading them from 6 feet away is fantasy.

have your pin with a camera that could be set up with a good zoom up to 100ft away

I don't know how you type your pin in but ATMs are designed so that the body of the user blocks line of sight to the keypad. Most people also cover the pad with their other hand as they type in their pin to stop anyone in the queue from seeing. If you choose to expose your pin by standing right to the side of the ATM and not covering the pad then that is hardly a failure of the technology.

Re:Anyone surprised?

[MrAngryForNoReason]

Chip 'n PIN is easy to defeat anyway, steal the card, put a few volts through the chip to fry it, then it will automatically fall back on the signature, which is handily represented on the card so you can learn to copy it in an hour or so.

I don't know where you are posting from but certainly in the UK most retailers will refuse a card if the chip doesn't work. If they choose to accept a signature then according to the terms of their contract with Visa/Mastercard they take full liability for the transaction. Meaning that if it is deemed to be fraudulent the money comes out of the retailers pocket rather than from the credit card company. The vast majority of retailers don't want to assume that risk, so they don't accept signature authorised payments.

Re:Anyone surprised?

[misexistentialist]

The retailer still pays insurance rates based on claims. Possibly they can be written off, or are cheaper than implementing security measures....

Re:Anyone surprised?

[MrAngryForNoReason]

Are contactless cards shipped in Faraday cage envelopes? If not, can the card numbers be lifted before the card reaches the recipient?

I don't know about elsewhere but in the UK credit cards can't be used until they have been activated either online or over the phone. Not sure if you could skim the card and then wait until the card was activated to use the details but I am fairly sure that NFC connections are a one off deal, you can't store the information and use it over and over again.

Re:Anyone surprised?

[tlhIngan]

You need the 3 digit "security code" for online purchases, so it wouldn't work online. And what do you do in person, just read them a credit card number?

Most contactless (hah - you usually end up touching the reader with your card) transactions are a free-for-all for stuff under $25. No PIN, no swipe, no signature. Just tap and go (debit AND credit).

Just make a semi-realistic looking card (the cashier doesn't handle it - you just have to flash it and tap the reader) and you're done.

And $25 is small, but it doesn't mean you can't make larger purchases. After all, you can always use it to buy $25 gift cards one at a time then use them all at once to purchase something for $100 (happens often enough everywhere - people get small gift cards as gifts).

Larger transactions the reader doesn't work - you have to use the chip.

Re:Anyone surprised?

[jfengel]

Well, the insurance costs money, and the merchants would surely rather not be paying it. Insurance smooths out the costs, so that every merchant pays a little rather than being able to directly tot up the costs of the fraud. The total paid in insurance premiums = the total cost of fraud (plus a fee).

The merchants haven't demanded an end to it yet, so apparently the cost of fraud must be down in the cost-of-doing-business range for most merchants. There are other sources of loss (shrinkage, breakage, supply chain failures) and I take it the merchants must be putting them over the cost of fraud.

But we're computer people, and we assume that if the fraud can be done cheaply, then infinite amounts will occur. If it isn't yet, it will be, one of these days.

Re:Anyone surprised?

[cayenne8]

Yeah...I am NOT going to be happy with NFC put on all new phones coming out...I do hope there is a solid way to easily DISABLE this functionality.

I don't even accept credit cards with RFID chips in them. Bank tried to send me some...I called and asked to have them replaced with 'dumb' ones, and they were (fortunately) happy to comply.

I just see this as a huge security/privacy breech waiting to happen.

I certainly don't want to use my phone as my wallet. I prefer to make most purchases in meat space with good old cash. I used credit cards sparingly when I need something and not close to an ATM (or just write a check).....I pay off the CC's monthly.

That system is insecure too...but at least it requires for the most part..physical interaction to help a thief steal....but to have things be able to read your info, and possibly get info to steal from you as you just walk by during the course of your life.

No thanks.....I don't see the upside of this tech. And really...do *most* people need a way to let them spend money they don't have even easier?!?!?

Re:Anyone surprised?

[cayenne8]

Cloning wouldn't work either. My Chip 'n PIN would stop that.

What is "Chip'n Pin"? New term for me....is this something in EU?

Re:Anyone surprised?

[plate_o_shrimp]

Do you check all atms, gas pumps, etc that you use for card skimmers? http://krebsonsecurity.com/all-about-skimmers/ , http://www.thelocal.de/national/20110818-37041.html and http://boston.cbslocal.com/2011/11/17/atm-skimming-device-found-at-eastern-bank-in-taunton/

They are getting pretty good at making realistic ones. And in some cases have gotten them inside gas pumps.

If that was addressed to me: yes, I do, always. Although as you say, some skimmers now are undetectable to customer.

Re:Anyone surprised?

[JasterBobaMereel]

In the UK when trying to use a non-chip and pin card the normal reaction is pay by cash or credit card, which is insured against fraud if they ring to confirm funds/not stolen first (which they will do), cheques are not accepted by most retailers now (being phased out and only used by a very few mostly fraudulently ...)

With chip and pin the transaction takes 30s, without it can take a lot longer ... but the retailer is not willing to pay, so will do more through checks, since most have chip and pin now most people trying to pay without are trying to pass cloned cards ...

Re:Anyone surprised?

[nschubach]

So you are arguing for security through obscurity; that the only way these cards will ever be secure is if Apple/Google/Microsoft all strictly monitor what gets posted to their devices?

Sounds like a losing proposition. Just because you stick your fingers in your ears and say, "Only the elite hackers will be able to do this" will not make your data more secure.

Re:Anyone surprised?

[spectral]

RFID cards are pretty insecure, since there's no requirement that the user do anything before you can steal the data. I don't even know why they bothered with them. Once you have multiple cards with identical NFC systems in a physical wallet, you can't even use the excuse that it lets you tap your wallet without taking out the card. Most people have more than one credit card.

NFC in phones is neat. You don't have to use it for wallet-like stuff, you can use it for things that previously people would use IrDA (infrared) for: moving contacts, etc. It's only on when your screen is on, their antennas are pretty awful so they really only work rather close, and every thing I've seen that reads from the phone has an action the user of the phone has to take (i.e. google wallet: you have to enter a pin, android beam you have to 'tap to beam' from the source phone, etc.) NFC in phones isn't scary, but yes it can be disabled easily if you'd rather not have the rather minimal battery drain.

Electronic wallets will be nice, because it will hopefully let you get rid of all of those 'loyalty' cards: http://tomfishburne.com/2012/01/loyalty.html

Using credit cards, *if you have the money to do so and pay it off every month* is a no-brainer. Get a rewards card and an interest-bearing checking account, and you get some more interest collected in the checking account until the credit card bill is paid, and the rewards from the credit card, even at 2%, are rather nice. Plus usually credit cards have other perks (if someone steals my wallet, I'm not responsible for the charges. I am out all of the cash they just stole though), often there's complimentary travel insurance, etc.

Now, credit cards charge fees to the merchants, so using them at stores you really like, or smaller chains might not be a 'nice' thing to do. But at large chains which have likely 1: negotiated lower fees and 2: have such a high percentage of people paying with cards that they already have adjusted their pricing of goods to accommodate for the likelihood of someone paying with a card, I don't feel guilty at all.

So in conclusion:
RFID (NFC) physical credit cards (without any second factor): dumb
Credit cards vs. cash: credit cards all the way.
Actually carrying a balance on credit cards: exceedingly dumb
Different mentality for cash vs. credit card: well, just know that it exists and intentionally go against that behavior, if you like. I'm very lucky to have a job and to not live paycheck to paycheck, so I can afford to have the 'credit card mentality' of comparing benefits before comparing price.

Re:Anyone surprised?

[Lev13than]

And there needs to be more uproar about this. Chip and pin is ridiculously easy to defeat. They used to steal data from the mag strips and get your pin before the banks made ATMs that were resistant to the type of tampering required to get an additional mag stripe reader into them.

Now all they need is an RFID reader and a camera set an an ATM anywhere and they can pick up every fucking card in your wallet from 6-10 feet away plus have your pin with a camera that could be set up with a good zoom up to 100ft away. You can literally throw an RFID reader into the plastic trash can with a wireless transmitter on it and get every single card that passes the atm that day, then have the evidence (the RFID reader) destroyed for you because the banks incinerate their garbage.

Pretty much everything in your post is wrong.

PIN plus RFID interception = SFA. With an EMV-compliant transaction the message is encrypted and the key can't be pulled off the card. EMV encryption has not been broken, and that's not for lack of effort. You could take the entire EMV message and post it on the Internet with your PIN, and nobody would be able to do anything with it.

Plus, very few fraudsters use pinhole cameras any more - it's generally done with tampered PIN pads.

Older contactless cards emulate a mag stripe transaction, but if the bank is too stupid to catch someone putting the contactless info on a mag stripe then it's their own fault. The message here is that the US needs to get its act together and get on with the EMV conversion.

Re:Anyone surprised?

[jjhall]

There is so much wrong with that comment that I don't even know where to start...

First of all, most retailers do not have "insurance" that covers fraud. Yes accidental liability insurance for legit (or less than legit) accidents. As far as merchandise goes they simply "write off" any loss of products in whatever form (shoplifting, credit card fraud, bad checks, damaged, etc.) in the retail industry we call this "shrink." In that aspect you are correct. Insurance is a gambling game, the insurance company is betting they'll pay out less than the insured has in claims. Something like shrink, which is all but guaranteed to happen, is not something an insurance company is going to be offering. They may have some policies on individual high-ticket items in some cases, but I don't know of any "umbrella" shrink insurance available.

Where you really go astray is in saying this "write off" is a "victimless" crime. Let's take your example of walking into a store and buying a $1000 TV with a stolen card. Right off the bat, the merchant will pay somewhere in the 1-3% range to take that card, depending on its card processing volume, card brand and type and other factors. Let's just say 2% to make it easy and call it $20. Anywhere from 1-90 days later (more in some cases) the merchant receives a chargeback request from the card processor, saying the cardholder is disputing the charge. Merchant sends all required information, but since the cardholder wasn't actually the one using the card, the dispute is successful. Merchant now has $1000 removed from their account, along with a $25 chargeback fee. They've now spent $45 out of pocket, plus they're out the merchandise which probably cost them closer to $800 (electronics themselves don't have that high of a markup rate, unlike accessories like cables.) All said and done the merchant lost $845 tangible costs, plus intangible costs like the employee time required to stock that item on the shelves, the cashier's time to run that transaction, etc. Where the retailer would have made $200 on the item, they now have to sell 5 of them to make up for the one lost item and have a little profit.

Now do you think the merchant is just going to accept that loss and move on? Of course not, they have sales numbers and profit margins they expect to maintain. If they have no control over whether that item left, which at the time of the sale they had a card approval and no reason to suspect otherwise, what can they control? They can control the price they charge for all of their items. Retailers expect to have a certain percentage of shrink, so that percentage of profit is added back into every item they sell in the form of higher prices. When shrink goes up over time, retail prices go up accordingly. If the retail market won't support higher prices, then costs must be cut by means of reduced personnel and other means, or they close their doors completely.

What this means in the end is that you and I, along with every other honest customer, are the victims. Because of this credit card fraud, we pay higher prices and deal with reduced service levels at the stores. Even if there is a shrink insurance that some retailers may have, the money to pay for the premiums and deductibles would be passed down to us in the same way.

Enforcement for any retail fraud, including shoplifting, seems to take a back burner for police. Unless the retailer has the person detained (which can be a whole new can of worms) police are very unlikely to pursue the case, even if the retailer has positive identification and video of the person leaving the establishment with the merchandise. Even if they do, prosecution is likely to plea it down to a lesser charge so the person gets a slap on the wrist and is free to go do it again, learning from the mistake of getting caught. Credit card fraud is even worse because it involves coordinating with out-of-state organizations such as the card processor, the actual cardholder if it wasn't a local theft of the card itself, etc.

Re:Anyone surprised?

[X0563511]

Granted: the front-end software can reject it, but if it's allowed, the merchant will be downgraded (pay a higher fee for the transaction).

Not that a card thief would care...

Re:Anyone surprised?

[sjames]

Right, so you scan the mailbag, wait a month or two and then abuse the information.

Re:Anyone surprised?

[MobyDisk]

Heh, in the US, there are penalties for using a PIN!

For example: If I scan my bank card the terminal asks if I want to use credit or debit. Pressing credit means it won't ask for a PIN, and I am subject to the US laws on credit cards. The credit card processor is liable for fraud, I get special credit protections, and I get a guaranteed dispute resolution process and the ability to issue a chargeback. If I click debit, I must enter a 4-digit PIN (yeah, that's secure!) and none of the aforementioned protections apply.

Re:Anyone surprised?

[thetoadwarrior]

They don't always do anything with it either. You can put any three numbers in there and it doesn't matter, it's thrown away but it makes you feel safe and eventually they'll have to do something with anyway.

Re:Anyone surprised?

[History's+Coming+To]

Yup, I'm in the UK. I've worked for at least one retailer who would happily accept a signature. And you wouldn't believe the number of students I served who didn't even sign their cards, meaning they're not valid and we can't accept them. The best system I've seen is the US habit of writing "see photo ID" instead of signing it, but I believe this leads to an invalid card in the UK.

Re:Anyone surprised?

[lucaq]

It does in the US too, but you could do both (sign and put in BOLD letters, SEE ID)

Re:Anyone surprised?

[sjames]

The banks don't care because they set rules to make sure that the resulting higher retail prices affect even cash customers. They WOULD care if the extra costs of doing business by credit card were internalized by passing them only to credit card users since that would dent their bottom line by encouraging cash transactions.

So, in fact, everyone but the banks loses.

Re:Anyone surprised?

[sjames]

That insurance is not free. Businesses pay for it and pass the costs on to the consumer. Because of the way merchant agreements are done, the costs are even passed on to cash only customers so that you get dinged for the bank's laxity even if you do not have and do not want a relationship with the bank.

Re:Anyone surprised?

[cheater512]

Australian retailers are more than happy to fall back to signature.
It happens all the time. Usually because chip and pin isn't working on their terminal.

They are very very quick to blame the machine which helps even more with 'fry the chip' fraud.

Re:Anyone surprised?

[psiclops]

it's incredibly relevant, as for the card to be of any use to you, you would have to find a place that will accept number + exp that is willing to sell you something that you have some reason to get.

Re:Anyone surprised?

[psiclops]

if you're gonna hit him on the head with a wrench until he tells you his pin. and bring him along with you and hit him until he tells you the six digit code everytime you shop online, then you're probably better off taking his card in the same manner than using a phone to read his card without him knowing :p

Re:Anyone surprised?

[mjwx]

Really. Broadcast data can be intercepted by anyone with the ability to receive?

The millions of idiots who were believed Visa/Mastercard when they said this was safe.

Unless you mean anyone here. Well I'm sure there's a few.

Re:Anyone surprised?

[tehcyder]

Chip 'n PIN is easy to defeat anyway, steal the card...

From a customer's point of view, this is not a security risk, as once your card is stolen and you have reported it, you're no longer liable (at least in the UK, but I assume this is true everywhere).

It's when the information is copied and you don't know it's been stolen [*] that you're potentially in trouble.

[*] OK, maybe it's technically not theft until the copier uses the information to rape your account.

Re:Anyone surprised?

[tehcyder]

[Posting AC, as I'd already moderated on this one]

Your most likely places for card-cloning - at least in the UK - are garages/filling-stations and restaurants.

For whatever reason, in the UK garages tend to be the worst places. Restaurants are good too, with sheer number of transactions, and customers handing cards to wait-staff, who can then skim/store/clone card numbers.

Chip/Pin is making the restaurant side harder - they bring the machine to you *most* of the time - but it's still a high prevalence.

I don't understand this, every petrol station I go to has the card reader right in front of the cashier, they never touch your card or even see it. How is the cloning done? Once you are in the territory of the card reader itself being used to illegally copy the information, then you can't trust anywhere that has a credit/debit card reader.

I know restaurants were always dodgy because they took your card away out of your sight, but I just don't see why garages are particularly suspect.

Re:Anyone surprised?

[tehcyder]

In the UK at least, most people use debit rather than credit cards for normal transactions like shopping in supermarkets.

Yes, we all know that there are advantages to using credit cards, keeping money in the bank and paying off the balance once a month. But most people prefer the discipline of only spending what's in your bank account. It's too easy to start building up a credit card balance if you are not very well paid to start with.

The overriding reason that the banks want to introduce contactless payment cards is purely to wean people off using cash for small day to day purchases, as this is the normal way of paying in the UK, and it costs the banks money to handle and process all that cash.

Re:Anyone surprised?

[tehcyder]

Also, as far as I know nobody ever in the US has been charged with any crime using a credit card or credit card number in a fraudulent manner.

I might be missing the point here, but doing a quick google search on "us credit card fraud convictions" would suggest otherwise.

Re:Anyone surprised?

[History's+Coming+To]

Interesting point - personally I'd say a theft isn't involved, just a fraud when they withdraw money.xkcd

Re:Anyone surprised?

[Joce640k]

This is clearly not really the case, although you might think it is.

One obvious fallacy is if I (from the US) come in with my PIN-less credit card and want to make a purchase. No PIN exists, so what are they going to do? Telling me to go away is not a winning strategy. So someone comes in with a re-striped card without a PIN and they are going to be able to pay just like I can.

Not with MY card, they can't.

Re:Anyone surprised?

[MobyDisk]

In the UK at least, most people use debit rather than credit cards for normal transactions like shopping in supermarkets.

Oh, umm... misunderstanding here. In the US it works differently. Umm... how to explain...

I can pull out my "revolving credit card" and swipe it. This card draws goes against my "credit" and I am billed at the end of the month. After I swipe the card, the screen prompts me for "credit" -vs- "debit." Regardless of my selection, I am billed at the end of the month.

I can pull out my "bank card" and swipe it. This card withdraws money from my bank account immediately. After I swipe the card, the screen prompts me for "credit" -vs- "debit," Regardless of my selection, the money is withdrawn immediately.

Historically, the first was called a "credit card" and the second called a "debit card" but nowadays that is meaningless because many cards support both protocols. In my example, "credit" means without pin, and "debit" means with pin.

I never realized before how stupid this is.

It was only a matter of time

[Quick+Reply]

I mean really, how idiotic do these companies need to be to make a system where the full Credit Card information is TRANSMITTED over the air with no authentication. Even a token would be more acceptable.

The Credit Card system is quite happy to take a loss on all the money they have to pay back with protection guarantees when consumers get scammed, instead of actually tackling the problem by inventing a SECURE SYSTEM that is impervious to skimming methods.

This app does not add any additional functionality that scammers don't already have, but a good highlight of how damn simple it is to do, while Mastercard/Visa and the financial institutions who use them do nothing.

Re:It was only a matter of time

[lucaq]

It is a token of sorts, the CVV code is one-time use and I think the card gets flagged if the tokens get authorized out of order.

Re:It was only a matter of time

The amount of times my contactless mastercard doesn't work recently makes me wonder.

Usually what I'll do is take the card out, wave it to the paypass terminal, it may fail, I'll try again, it will fail, then given up and use the chip+pin

In nearly every situation where it fails, it's always after several days have gone past. But when it works consecutively, it's always when I use it at several stores in a row. The interesting thing is that if I go to the same store on consecutive days, without any other store in between, it doesn't work.

Or maybe Westfair foods just has broken equipment. The card itself has quite a bit of use, to the point where the plastic is actually peeling.

Captcha : Contacts

Re:It was only a matter of time

[Shoten]

There is authentication, it's just not done by a computer. Do you hand your credit cards out to people at random? Pass them around in a club for everyone to play with, regardless of whether you know them or not? Of course not...and why not? Because the simple act of doing so authorizes them to access the information on the card. Looking at it will give them your name on the card, the number, expiry date and CVV number on the back. With a $40 device, they can get the read direct off the magnetic strip as well (which is the exact same vulnerability as this). So I really don't see what the big deal is here. It's just skimming, using a new kind of reader.

Re:It was only a matter of time

[forand]

I think you have one major flaw with your conclusions: Credit Card processing companies have absolutely no reason to make their systems secure if there are any costs associated with it. The main reason for this is that they pass all the liability onto the retailer. Their goal is the provide the most convenient method to pay a bill on the part of the card holder. Until there is a disruption in this market they will continue to ignore security and pass the costs onto the retailer.

Re:It was only a matter of time

[AuMatar]

It's the ease with which it's done, and the fact that physical security is no longer enough. If the card isn't NFC capable, you have to physically hand the card to someone. With an NFC reader, bumping up against them in a crowded club/street may be enough. I can protect against handing my card to people who don't have a legit reason for it, and I can prevent it leaving my sight when not at home. I'm not capable of preventing anyone who wants to from brushing against me. So yes, this is a big deal.

Re:It was only a matter of time

[Joce640k]

You contradict yourself.

It's skimming while the card is still in your pocket. It's exactly the same as handing your card to random people for them to play with.

Re:It was only a matter of time

[Joce640k]

It is a token of sorts, the CVV code is one-time use

Is that why they print it permanently on the card?

Re:It was only a matter of time

[lucaq]

from http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

"At the Shmoocon hacker conference, Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.)"

Re:It was only a matter of time

[bradley13]

I give occasional help to a retailer (in Europe, if it matters). The hoops the credit-card companies make them jump through are pretty amazing. Example: they have a simple web-shop with a web-form that allows the customer to enter credit-card info. This info stays online in the MySQL database for a short period of time, until their little ERP system sees it, downloads it and deletes it. In more than 10 years using this system, they have never had a problem.

Nonetheless, the credit-card companies want them to pay for a quarterly "network penetration test" on their website, and to provide detailed technical information on the website set-up. Since their web-site is hosted by a big ISP, they have no access to the necessary technical info, and the ISP doesn't really want network penetration tests pounding on their infrastructure all the time. This is a mess.

Bottom line: Having a couple of strings of unchanging numbers should not enable *any* financial transaction. The security problems are on the side of the credit cards. Given how poorly the credit-card companies treat merchants, I don't understand why no other online payment services has been able to get a bigger foothold. Probably backroom collusion amongst the big banks, to strangle any other solution in the cradle.

Re:It was only a matter of time

[mapkinase]

It's not that bad, some type of cards are more protected:

http://en.wikipedia.org/wiki/Contactless_smart_card#Contactless_bank_cards

Contactless MSD cards are similar to magnetic stripe cards in terms of the data they share across the contactless interface. They are only distributed in the USA. Payment occurs in a similar fashion to mag-stripe, without a PIN and often in off-line mode (depending on parameters of the terminal). The security level of such a transaction is better than a mag-stripe card, as the chip cryptographically generates a code which can be verified by the card issuer's systems.

Re:It was only a matter of time

[h4rr4r]

You don't need a secure system at all. Credit card numbers should be near worthless. They should require something held and something known.

Even that can be skipped if all purchases must be authorized by the purchaser via a website or text message. You give your CC number, you get txt or website login, that then gives you a chance to approve or deny.

Re:It was only a matter of time

[cdrguru]

The credit card issuer (bank?) doesn't take a loss - they charge it back to the merchant. The card holder doesn't take a loss - the fraudulent charges are removed from the bill. The merchant doesn't take a loss - they have insurance for this.

So nobody loses at all. So why make it secure? It is like having a combination lock on the bathroom door so nobody else can pee in your toilet.

Re:It was only a matter of time

[andrewbaldwin]

So nobody loses at all.

au contraire ...

The insurance company charges the merchant a premium to cover this. The merchant is not a charity and often works on small margins so, guess what, the premium is passed off in higher prices to the customer - so because of the fraudsters everybody loses a little (it's just spread out thinly).

Re:It was only a matter of time

[MrAngryForNoReason]

The main reason for this is that they pass all the liability onto the retailer.

This may be true where ever you are posting from but in the UK as long as a payment is made using the Chip and Pin system then the credit card company takes liability. If a payment is made online then again as long as the 3D Secure system is used then the credit card company take liability.

The only time a retailer is liable is if they essentially waive that protection by accepting a signature authorised payment in person, or allowing a customer to checkout without using 3D Secure online.

Re:It was only a matter of time

[MrAngryForNoReason]

Nonetheless, the credit-card companies want them to pay for a quarterly "network penetration test" on their website, and to provide detailed technical information on the website set-up. Since their web-site is hosted by a big ISP, they have no access to the necessary technical info, and the ISP doesn't really want network penetration tests pounding on their infrastructure all the time. This is a mess.

It is called PCI-DSS Compliance and it has been standard practice for years. If you don't store any credit card details then the compliance process is relatively straight forward, it takes a couple of hours and only has to be done once. The security scans are to verify that the web server is secure. If you use a web host that is already PCI compliant then the scan is just a formality.

On the other hand if you choose to store credit card details on your server, which there is no valid reason to do then it does becomes much more complicated. You also open yourself up to huge liability and a PR nightmare if you ever have a security breach and those credit card details are stolen.

Either use a third party processor and pass the credit card details straight on to them, or if you want your customers to be able to re-order without having to put in their credit card details again then use a token system. There is no reason to store the card details yourself even for a short period of time. Why doesn't the retailer you work with just store a transaction id to show the transaction has completed successfully?

Re:It was only a matter of time

[kingturkey]

There are different types of CVV/CCVs. RFID cards transmit a one time only CVV, so intercepted data is only valid for one transaction and the transaction will only be approved if used before the card is used again because the CVVs have to be used in order.

Re:It was only a matter of time

[mjwx]

I mean really, how idiotic do these companies need to be to make a system where the full Credit Card information is TRANSMITTED over the air with no authentication. Even a token would be more acceptable.

They're banks.

Further more, they don't give a shit who spends the cardholders money as long as they can charge fees for it (for the idiots who believe their cards are "fee free", the bank charges the merchant for accepting the card rather then you for using it).

Re:It was only a matter of time

[mjwx]

I think you have one major flaw with your conclusions: Credit Card processing companies have absolutely no reason to make their systems secure if there are any costs associated with it. The main reason for this is that they pass all the liability onto the retailer. Their goal is the provide the most fees that can be charged to the merchant and cardholder. Until there is a disruption in this market they will continue to ignore security and pass the costs onto the retailer.

There, fixed that for you.

Credit processing companies are there to make money, they do this by charging a fee every time you use your card. Because "consumers" don't like paying fees directly they charge the merchant for accepting the card instead. Merchant fees for paying in credit in Australia are up to 3% of the transaction depending on which bank owns the terminal. So banks endorse and pressure customers to use CC's instead of cash or debit (debit has a flat fee of about A$0.20) because they make a lot of money off it. The merchant is between a rock and a hard place because it costs them to accept cards or idiotic consumers get angry if they openly pass on the fee (surcharge), of course the merchant does not adsorb this fee, he has to pass it on and this is in the form of higher prices. Australia puts A$16-22 billion per month on the card, just 1% of this puts it in the A$20 million fees collected, $16-60 million dollars that people didn't have to pay per month but did.

Also in Australia, the liability isn't passed onto the retailer, it's passed onto the bank but the end result is the same, the costs of fraud are passed onto you.

Re:I like olde phones

[dyingtolive]

What I don't even....

Re:Funny...

[Stavr0]

Nope. Contact-less is a US thing. Europe uses chip and PIN.

Valid use

[hawicz]

This sounds like exactly what you'd need if you wanted to do something like accept card payments using your phone, similar to the iPhone credit card adapter. Same tech, different color hat.

Re:I like olde phones

[ColdWetDog]

That's right, you didn't.

Re:Funny...

[Kangburra]

We have it here in Australia, not happy about it, the new cards have it included for our convenience! lol

Re:Funny...

[lucaq]

Mastercard PayPass (Visa's equal is PayWave) is a pretty common card in the US now. Europe uses EMV (AKA chip and pin) and I have never seen a contactless card in europe, only the USA (FWIW, PayWave and PayPass are EMV compatible). So it has been demonstrated in the wild that you can skim these contact-less cards and then make a clone mag-stripe card, but it is only good for one transaction since the CVV code changes on the contact-less card with each transmission whereas the mag-stripe has it static. Not only that but you would have to use the mag-stripe before the next contact-less card transaction for it to be successfully authorized and I *believe* that even if you did, the next time that the card holder tried to use the card it would get rejected and flag the card. The industry doesn't try and make fraud-proof products, they try and balance usability with mitigating controls.

Re:Funny...

[Thanshin]

Most of these contact less cards, etc. are found in Europe, where the majority of credit cards are stolen.

Good ol' US still uses the crappy magnetic strips. Sure they are just as easy to clone, but only through contact with a skimmer.

Are you sure they're not exclusively used in america?

Re:Disaster waiting to happen

[oPless]

So I can buy an NFC reader for $60ish and connect it to my computer and read the cards that way instead?

The problem is with the protocol, not the hardware.

Re:Funny...

[oPless]

Hi I'm in the UK we have contactless cards here.

Last time I checked the UK was a founder of the EU and in Europe ;-)

Re:Disaster waiting to happen

[Dog-Cow]

I suppose the fact that this article is not related to anything you mentioned matters at all to you. It does show everyone who reads your comment that you are an idiot, though.

Wow, there is an app for that

[AbrasiveCat]

I am behind the times! Apple will be jealous! Can it read through my tin wallet?

I wonder what the range is, which I realize it is a function of the phone, but a ball park. Are we talking 10 cm, 50 cm, 1 m?

Re:Wow, there is an app for that

[Russ1642]

I have a steel business card case that I use as a wallet since I hardly ever carry cash anymore. All of the card readers I've used at various buildings will read my door pass (RFID?) right through the case as long as I hold it a little closer to the reader.

Re:Wow, there is an app for that

[mjwx]

I am behind the times! Apple will be jealous! Can it read through my tin wallet?

I wonder what the range is, which I realize it is a function of the phone, but a ball park. Are we talking 10 cm, 50 cm, 1 m?

Up to 20 metres, but distances in reality will be much lower. Passive RFID card range is dependent on the transmitter providing power to it IIRC.

Just imagine what you could do in a crowded shopping mall with a range of 5 metres and a system designed to reject numbers already collected/charged? The limit on paypass/paywave in OZ is A$35 per transaction, 100 unique cards pass you in 1 hour and that's A$3,500 ripped off. Many Aussies don't even earn that in a month and 100 unique cards is a very low number for a crowded mall.

Re:Wow, there is an app for that

[AbrasiveCat]

I have a steel business card case that I use as a wallet since I hardly ever carry cash anymore. All of the card readers I've used at various buildings will read my door pass (RFID?) right through the case as long as I hold it a little closer to the reader.

Thanks, I also have a steel business card case. I guess I can scrap that idea of easily blocking out the readers.

My wife can do better

[fluffythedestroyer]

She can siphon my credit card better than those stupid android app. All she needs is my wallet...fucking bitch

Re:Funny...

[yakumo.unr]

Barclays made a big thing about introducing this in the UK with the advert with a guy sliding down a near endless water slide buying things as he went.
I was livid as soon as I saw it, I had less than zero faith in it's security, I did NOT want it on my cards.

Even back then I realised it meant a stolen card was instantly usable even if only for the small daily limit before it was reported, I still did not want it. But over the air cloning was what I was expecting.

Re:card in a balloon in my rectum

[fluffythedestroyer]

Give my a powerful scanner and I'll scan your asshole lol

It could be so much better.

[Bocaj]

With NFC phones you could make an almost crack proof system. Since the phone has a second line of communication it could use NFC to generate an an encrypted transaction with the merchant terminal and then use it's cellular connection to verify that transaction with the bank, and at last the merchant terminal would use it's network connection to the bank to finalize that transaction. Yes that means both devices need a working network connection to make the transaction work, but it would be super secure since there would be no CC number. Each transaction would be unique and unrepeatable. The bank would get verification from both the merchant and the customer for each transaction.

Hate broadcasting CC

[AwesomeMcgee]

I am so mad that every one of my CC's/Debit cards that has expired has been replaced by the banks with ones that do this broadcasting shit. Has anyone been able to get them to replace with one that doesn't do this shit? There's absolutely no reason I would want my CC to broadcast its info for devices to read, and swiping the thing is just as easy as passing it over an NFC device.

Or perhaps can anyone name a national bank who has allowed them to get a debit card that doesn't do this?

Re:Hate broadcasting CC

[fsulawndart]

You could always just drill a hole through the chip. That's what I do.

Re:Hate broadcasting CC

[naturaverl]

Not so. I nuke the chip out of any CC I receive - the magnetic strip is still there and they still work at the ATM just fine.

Re:Hate broadcasting CC

[a90Tj2P7]

Aside from limited options and general gaudiness, that does nothing to help you when you're taking the card out of the wallet at the checkout or an ATM. It's nice and all, but if you were able to opt-out of an unrequested "upgrade" to this feature like the GP's saying, you wouldn't have to waste money on cheap, ugly RFID-blocking wallets in the first place. That's a bandaid fix for a broken system that, in this case, wasn't even asked for.

Re:Hate broadcasting CC

[trdtaylor]

Put in microwave 15 seconds. Card will work fine, antenna / chip will be fried. Works the same with the U.S. Passport as well

Re:Hate broadcasting CC

[ffflala]

What country? I'm loathe to recommend ING since they were purchased by Capital One, but you asked... in the US, unless they've changed their cards out in the past year, their debit card doesn't do this.

Re:Hate broadcasting CC

[hardie]

I use a hammer and punch.

Re:Hate broadcasting CC

[DaFallus]

None of my Bank of America debit cards have ever had NFC chips in them. I'm not sure about their credit cards. There are plenty of reasons to hate BoA, but at least this isn't one of them (so far).

Re:Hate broadcasting CC

[stephanruby]

Or perhaps can anyone name a national bank who has allowed them to get a debit card that doesn't do this?

You must be in Europe. In the US, most cards still don't have this functionality. Right now, this vulnerability seems to be limited to MasterCard nfc cards, not Visa nfc cards (and yes, the Mastercard nfc specs are supposed to be different from the Visa nfc ones, not that I've even seen the Visa ones, so I can't confirm that for a fact).

Your other option could be to use an NFC-phone to pay for things. Contrary to the popular opinion on slashdot, I believe that most nfc phones are actually much more secure than the leather/plastic wallet you might already be carrying.

And if you don't trust either of those options, there are always those faraday cages envelopes you can buy on ebay. Those will work for sure.

Re:Hate broadcasting CC

[AwesomeMcgee]

I'm in america, both USBank and Chase changed me over years ago. USBank tried the first time more years than that and I explicitly demanded otherwise, but after that card expired a few years later they no longer had a non-nfc card option.

Test this

[SmallFurryCreature]

Because I have had to implement credit card payments where the field was marked as required but never checked or stored anywhere. So, if you didn't fill it in or put in a random value, it worked perfectly fine and this was on sites doing millions in transactions per year.

There is also nothing in the contracts with processors that this is required, it is recommended but not required.

A lot of web companies are terribly afraid to turn away any customer because they might have to think for a second while making a purchase.

Re:Test this

[cdrguru]

It isn't required but you get dinged for a higher discount rate if you do not have it. So there is an incentive to process cards with this number.

Required? Heck no.

Re:Test this

[SJHillman]

I've had a few cases where a card went through even though I thought I made have typoed it, but wasn't sure. However, I have had more than a few cases where it was rected because I put in the wrong code.

Re:Test this

I've had a few cases where a card went through even though I thought I made have typoed it, but wasn't sure. However, I have had more than a few cases where it was rected because I put in the wrong code.

If you only typo'd one digit then it should never go through unless the merchant is an idiot. The last 4 (usually) digits are a checksum for the first string of numbers. Now, it's theoretically possible to make a couple of typos and accidentally end up with a valid number, but it's a pretty long shot. The checksum digits were developed specifically to address data entry errors, the actual card number sequences aren't anything secret and you can in fact get generators which will produce perfectly valid-looking numbers.
Now, sometimes merchant systems which (for whatever reason) can't communicate with the host will be set to automatically accept the charge, and hold it pending the next communication update. But they still should be rejecting any number with a checksum mismatch... although it's possible some shitty company might have code that doesn't do that.

The security code should always be required, because it's not all that hard to figure out valid numbers and try them with predictable expiration dates until you get a success. But that's just extra security, as you also need the person's name in most cases. However, it does help against attacks which are more well targeted, for example if someone drops their receipt which shows the last 4 digits, expiry, and name, you can run software to generate collisions on the checksum and end up with a pretty small pool of possible valid numbers. But if they require the security code, it's not on the receipt, and you're still out of luck.

So what you do, is you go out and get one of those RF card swipers you can hook up to a usb port, I think they sell them for iPhones now (not sure about Android.. yet). Then you sniff the name, expiry, and card number from people in the store. You go home, where you have a card writer, take an existing card and re-code it with the sniffed info. Now take it to damn near any brick-n-morter store and they won't even look at it 99% of the time. If you're scared, go to Wal-Mart where you can swipe it yourself and they don't even touch at it. You can get the card writers for between a few hundred and a few thousand bucks through any number of business equipment companies.

All in all, it's a pretty slick scam, and the only reason there isn't already massive fraud is because almost nobody actually has the RF chipped cards.... yet.

Re:Test this

[X0563511]

Keep in mind Visa and MC are going to start riding your ass for that. They will still authorize, but do it enough and they will start to bitch. (recent mandate)

I confirm this in another response

[SmallFurryCreature]

I can vow that this is true, have had to implement it like this myself. It is often marked as required but never actually checked.

Three reasons, the web master is afraid of putting up any hurdles to a purchase.

During testing, the CVC check is often disabled, so its proper functioning can only be tested on a live account.

And lastly not every card has it and so the idea exists with web shop owners that if they enforce it, they might loose X% of customers.

IF you happily filled in your number correctly for years, that is no proof it was ever checked. Welcome to the online purchasing!

Re:The word 'Steal' is not very appropriate here..

[squiggleslash]

OK, but what if I made a note of someone's VIN code and then used it to clone their car? Would that be stealing?

Wait, can you clone a car from a VIN code? Does that even make sense to begin with? DAMN THESE CAR ANALOGIES!

Let's try again - OK, suppose you have a series of cars, like, red, green, brown, etc, and then you make a note of the ones that pass you, and... no, this isn't working either.

So you're following a car, and you happen to crash into the back, launching yourself through your windshield and through the back window of the car you were following, landing on the backseat. There, you notice someone's handbag, and you quickly pull out your Android phone and scan the card. Would that be stealing? Hmmm? Hmmmmmmm?

Re:Funny...

[Teun]

Last time I checked the UK was a founder of the EU and in Europe ;-)

I see the smiley but am intrigued by your claim the UK was a founder of the EU...

http://en.wikipedia.org/wiki/History_of_the_European_Union

As a matter of fact the UK has so many exemptions to the otherwise general rules of the EU that it's even a bit of a stretch to call them a full member right now.

Re:Funny...

[dwightk]

RTFA Germany uses contact-less

Re:Disaster waiting to happen

Probably because it's a troll, incorrect and off topic.

That's Unpossible

The NFC card proponents and credit card companies said that this could not happen.

They said that the data was encrypted and virtually impervious to interception.

They said we could trust them.

They said that the people saying otherwise were clueless Chicken Littles.

Obviously this app is the product of highly sophisticated terrorists, or possibly an enemy state. /s

Re:The word 'Steal' is not very appropriate here..

[Impy+the+Impiuos+Imp]

No but if you then fraudulently misused the info, aye, there's he rub.

Foor most people, you wouldn't need encryption or security. You wouldn't need locks on doors or keys for cars. It's because there are lousy jackasses out there that these things are needed.

Re:I like olde phones

Just in case:
Parent is already modded down as troll, but just in case anyone really daft reads it:
Do not attempt to delete system32 from your Windows system. I'm not sure if it will even succeed but if it does it will leave your system unbootable.

So...

[Nemyst]

Does anyone know of a good credit card... "sleeve" that shields EM radiation? Ideally something you can put the card into that can fit in your usual wallet and which is still fairly easy to remove for when you do need to use it.

Re:So...

[BenJury]

Or drill a few holes in it to break the antenna that powers it. Job's a good 'un.

Re:So...

[colinnwn]

You can get those woven stainless steel billfolds for pretty cheap on ebay now. They used to be $100 or more from name brand retailers. I plan on buying one at some point.

Just the beginning of the end

[LeadSongDog]

When someone hooks this into a fast-spreading botnet this lame excuse for a transaction verification system will be turned off overnight. Amex, Visa and MC are not too big to fail. They know they need to roll out smart "cards" that do one-time verifications even they've been able to put it off so far.

This is (partly) BS!

I have an NFC-enabled Android smartphone and tried out this app (and several others with similar claims).

They simply do not work as advertised. Most cards I tried use encryption and the app wasn't able to break it (as a matter of fact it didn't even try...).

All that these apps can do consistently is detect if there is some kind of RFID chip nearby (as in "less than 10 cm away from the phone").
Some can read part of the information stored. But none of them could read the hidden data on any of the cards I tried that had encryption.

As for playing the info back, the success rate even with unencrypted cards (like for instance my company's door sensors) is quite low.

So don't panic. It's not nearly as bad as the summary and article (and most comments to TFA) imply.

Re:This is (partly) BS!

There is no encryption required to read the credit card number. Any NFC application can do it, if they code it properly - the apps are just buggy. It sits right there in the specifications, if you care to look.

Re:The word 'Steal' is not very appropriate here..

[CreatureComfort]

Because security through obscurity has proven to be such a great policy...

Re:Funny...

[oPless]

Exactly! :)

Re:Disaster waiting to happen

[naturaverl]

You sir, are an idiot.

lol removed.

[Mindscrew]

annnnddd....... its gone. App cant be found on the play store anymore.

Re:Disaster waiting to happen

[vmlemon]

Yes!

In fact, I managed to obtain a reader compatible with ISO14443-A/B cards (as used by European PayPass/PayWave, and public transport card implementations), and FeliCa (as used by Japanese payment systems) for about GBP35 from a Belgian online store, and a prepaid PayPass card for GBP5, ages ago; and successfully managed to read data from the card under Linux using a modified version of some scripts supplied with LibNFC.

I even discovered that it was possible to open the reader's case, remove the Secure Application Module card, and either insert a GSM SIM card, or hold an EMV card's contacts to the contacts on the device, in order to read data from it.

Installed by default

[tokiko]

This app should be installed by default on all NFC phones. Maybe it will help highlight the gross stupidity of using contactless credit cards.

Re:Funny...

[jjhall]

Where does all of this FUD come from here on /.? I just received a new card from my bank a month ago, and it has the contactless PayPass chip. This is from one of the big conglomerate banks.

Cripes, /. used to be a place to go for articles with somewhat intelligent comments. Now it is more and more like The Onion every day.

Hmmmm

[slashmydots]

I guess they never anticipated that a contactless magic wireless super lazy marketing gimmick receiver system could potentially have a similar device built to do the exact same thing the exact same way. I know, I'm sure they're just SHOCKED over there to find out someone did it.

Re:Disaster waiting to happen

[noh8rz4]

no, the problem is that there are 100 million of these phones out there that anybody can install a credit card stealer. at least when you buy your stuff off of warez.co then not everybody has it.

Re:Disaster waiting to happen

[noh8rz4]

[snork] that's fancy talk considering your comment history. "I hope your brain explodes messily."

Re:Funny...

[Builder]

These cards are all over Europe.

We have chip and pin too, but many UK and German cards now have this as well.

Disable the contactless feature in your cards

[PhilipJLewis]

I did some research this week. I found that on most of my UK credit and debit cards (Santander, MBNA, Barclays, etc) you can effectively disable the contactless feature by damaging the antenna. This is very easy and will NOT affect the Chip-and-PIN feature that s relied upon for ATMs and in-store purchases. (DON'T FOLLOW THOSE STUPID YOUTUBE VIDEOS THAT DRILL OUT THE VISIBLE CHIP!!!).

All you need to do is use a pair of scissors, make a small vertical cut of around 7mm at the top-middle of the card - just above the magnetic stripe. If you look very carefully into the cut you will see 4 or 5 very small wires that have been severed. Job done.

Without the antenna loop, the contactless chip cannot energise and communicate.

See my blog post on this in more detail: http://linuxcentre.net/disabling-contactless-cards

Does it actually work?

[Vrtigo1]

I downloaded the app and tried to see if I could pull data from any of my cards. I opened the app and didn't see any buttons that needed to be pressed to enable scanning, but the app's in a language I don't speak (German I assume). I ran it over a card with a chip and nothing popped up, I ran it over my entire wallet and nothing. I'm pretty sure I've got at least one card that is NFC-capable, and I know my phone is.

Re:Disaster waiting to happen

[jaymemaurice]

LOL there is soo much above that makes your comment seem uneducated.

1) Google did not poorly design the NFC system.
      1a)Google probably didn't design the NFC system at all.
      1b)Depending on perspective, it looks like they designed it really well... I mean you can now use a tablet for your point of sale app.
2) Even if there were no Android phones, skimming will still happen,
      2a) It has been happening
      2b) Before, even before Android
      2c) With contactless cards.
3) History has shown us anyone who wants to repurpose hardware will repurpose hardware
4) The information age is upon us
      4a) Anyone who wants information can get it trivally
      4b) When information is censored or classified, there are well known ways to still get it
      4c) Information can and will allow us, who can think, to do things that were not considered as the original intent.

All systems,even using paper and people, are vulnerable to fraud... that is why we have policies, laws, and basic protections.

Am I affraid of my contactless cards getting skimmed?? no. Go ahead, let them make a purchase on my card and send them to federal pound-them-in-the-ass prison.