Android App Lets You Steal Contactless Credit Card Data

mask.of.sanity writes "An Android application capable of siphoning credit card data from contactless bank cards has appeared on the Google Play store. The app was developed by a security penetration tester for research purposes and will steal card numbers and expiry dates, along with transactions and merchant IDs. It requires a near field device capable phone, or accessory."

Anyone surprised?

[dyingtolive]

Really. Broadcast data can be intercepted by anyone with the ability to receive?

Re:Anyone surprised?

[oPless]

Not entirely true.

Not all merchants in the world have Chip+Pin (which is terribly broken anyhow) and CSC is not taken by all merchants in the world either.

Card numbers and expiry dates are all you need.

Yes, outside Australia, the UK and (I think) the EU the uptake of CSC and Chip and Pin is rather low.

Re:Anyone surprised?

[dyingtolive]

Okay, you couldn't use it for online purchases, but at a brief glance, you can get magnetic card encoders for 150+ USD. Not sure about whatever tech they use for the contactless style ones, but here's what I'm thinking:

Step 1: Steal contactless CC data.
Step 2: Burn semi-realistic magnetic card with CC data. Emboss the number on the front. 99% of all retail employees will not look twice at the card.
Step 3: Profit.

You don't need the security code for purchases made in person, and if you're doing this in person, you can probably speculate what the zip code is for the few places that even ask for that. Granted, this requires making purchases in person, so you're subject to video surveilance for anyone who REALLY wants to come after you, but since you can repeat this process, it's essentially a use one, throwaway kind of thing.

Re:Anyone surprised?

[Thanshin]

Yes. Pleasantly surprised.

It proves that the Android app store is not strongly censored.

Re:Anyone surprised?

[kelemvor4]

Yes, outside Australia, the UK and (I think) the EU the uptake of CSC and Chip and Pin is rather low.

As are nfc capable phones.

Re:Anyone surprised?

Better yet send him the article and bill it to his card. Then he will be impressed.

Re:Anyone surprised?

[plate_o_shrimp]

Okay, you couldn't use it for online purchases, but at a brief glance, you can get magnetic card encoders for 150+ USD. Not sure about whatever tech they use for the contactless style ones, but here's what I'm thinking:

Step 1: Steal contactless CC data.

Step 2: Burn semi-realistic magnetic card with CC data. Emboss the number on the front. 99% of all retail employees will not look twice at the card.

Step 3: Profit.

You don't need the security code for purchases made in person, and if you're doing this in person, you can probably speculate what the zip code is for the few places that even ask for that. Granted, this requires making purchases in person, so you're subject to video surveilance for anyone who REALLY wants to come after you, but since you can repeat this process, it's essentially a use one, throwaway kind of thing.

Or,
2a: Burn numbers into some other magnetic card (even a customer loyalty card will work, so I'm told). Use cloned card at self-checkout, gas pump, or other unattended POS system. No need to emboss or even disguise the card.
3: Profit!

I know this works, because my CC info has been stolen twice in the last year and used to make cloned cards (the cloned cards were used at a brick-and-mortar store which is how I know the card was physically cloned). The first time was February, the second time was yesterday. Still don't know where the breach is occurring. I don't shop anywhere sketchy....

Granted the numbers were probably not stolen via the mechanism this story is about, but once you have the numbers the procedure is the same.

Re:Anyone surprised?

[Joce640k]

Here in Spain (and rest of Europe?) all physical stores require a PIN when you pay with plastic. Most online stores send a six digit code to my mobile phone which I have to enter on the web site to authorize the transaction.

Even if you find my card in the street it won't help you much. You need my PIN and/or cellphone too.

Re:Anyone surprised?

[L4t3r4lu5]

Are contactless cards shipped in Faraday cage envelopes? If not, can the card numbers be lifted before the card reaches the recipient?

Re:Anyone surprised?

[petermgreen]

The criminals don't have to use the stolen details in the country they stole them from.

Re:Anyone surprised?

[cdrguru]

This is clearly not really the case, although you might think it is.

One obvious fallacy is if I (from the US) come in with my PIN-less credit card and want to make a purchase. No PIN exists, so what are they going to do? Telling me to go away is not a winning strategy. So someone comes in with a re-striped card without a PIN and they are going to be able to pay just like I can.

I suspect the store isn't sending the code but the card issuer. Great for validation but it sucks for the folks trying to use stolen credit card information.

You see, in the US the card holder, the card issuer and the card organization (VISA or MasterCard) don't care about fraud. For everyone but the merchant it is meaningless and the merchant just has insurance to cover their losses due to fraud. So it is important for things to be as easy as possible for people getting stuff with stolen credit card information. Well, I guess you would need to call it "borrowed" because they really haven't stolen anything - just made a copy.

And nobody is ever prosecuted for this sort of stuff, unless you do something wild and crazy with a million credit card numbers.

I do not see this situation changing, ever. Why would it? It doesn't really affect anyone except the cardholder who has to get a new card with a different number. Yes, some people get away with buying stuff that nobody ever pays for, but the merchant is covered by insurance so they lose nothing. Certainly the insurance companies don't want it to change because then nobody would buy the insurance.

Re:Anyone surprised?

[Ariven]

Do you check all atms, gas pumps, etc that you use for card skimmers? http://krebsonsecurity.com/all-about-skimmers/ , http://www.thelocal.de/national/20110818-37041.html and http://boston.cbslocal.com/2011/11/17/atm-skimming-device-found-at-eastern-bank-in-taunton/

They are getting pretty good at making realistic ones. And in some cases have gotten them inside gas pumps.

Re:Anyone surprised?

[MrAngryForNoReason]

Chip 'n PIN is easy to defeat anyway, steal the card, put a few volts through the chip to fry it, then it will automatically fall back on the signature, which is handily represented on the card so you can learn to copy it in an hour or so.

I don't know where you are posting from but certainly in the UK most retailers will refuse a card if the chip doesn't work. If they choose to accept a signature then according to the terms of their contract with Visa/Mastercard they take full liability for the transaction. Meaning that if it is deemed to be fraudulent the money comes out of the retailers pocket rather than from the credit card company. The vast majority of retailers don't want to assume that risk, so they don't accept signature authorised payments.

Re:Anyone surprised?

[spectral]

RFID cards are pretty insecure, since there's no requirement that the user do anything before you can steal the data. I don't even know why they bothered with them. Once you have multiple cards with identical NFC systems in a physical wallet, you can't even use the excuse that it lets you tap your wallet without taking out the card. Most people have more than one credit card.

NFC in phones is neat. You don't have to use it for wallet-like stuff, you can use it for things that previously people would use IrDA (infrared) for: moving contacts, etc. It's only on when your screen is on, their antennas are pretty awful so they really only work rather close, and every thing I've seen that reads from the phone has an action the user of the phone has to take (i.e. google wallet: you have to enter a pin, android beam you have to 'tap to beam' from the source phone, etc.) NFC in phones isn't scary, but yes it can be disabled easily if you'd rather not have the rather minimal battery drain.

Electronic wallets will be nice, because it will hopefully let you get rid of all of those 'loyalty' cards: http://tomfishburne.com/2012/01/loyalty.html

Using credit cards, *if you have the money to do so and pay it off every month* is a no-brainer. Get a rewards card and an interest-bearing checking account, and you get some more interest collected in the checking account until the credit card bill is paid, and the rewards from the credit card, even at 2%, are rather nice. Plus usually credit cards have other perks (if someone steals my wallet, I'm not responsible for the charges. I am out all of the cash they just stole though), often there's complimentary travel insurance, etc.

Now, credit cards charge fees to the merchants, so using them at stores you really like, or smaller chains might not be a 'nice' thing to do. But at large chains which have likely 1: negotiated lower fees and 2: have such a high percentage of people paying with cards that they already have adjusted their pricing of goods to accommodate for the likelihood of someone paying with a card, I don't feel guilty at all.

So in conclusion:
RFID (NFC) physical credit cards (without any second factor): dumb
Credit cards vs. cash: credit cards all the way.
Actually carrying a balance on credit cards: exceedingly dumb
Different mentality for cash vs. credit card: well, just know that it exists and intentionally go against that behavior, if you like. I'm very lucky to have a job and to not live paycheck to paycheck, so I can afford to have the 'credit card mentality' of comparing benefits before comparing price.

Re:Anyone surprised?

[jjhall]

There is so much wrong with that comment that I don't even know where to start...

First of all, most retailers do not have "insurance" that covers fraud. Yes accidental liability insurance for legit (or less than legit) accidents. As far as merchandise goes they simply "write off" any loss of products in whatever form (shoplifting, credit card fraud, bad checks, damaged, etc.) in the retail industry we call this "shrink." In that aspect you are correct. Insurance is a gambling game, the insurance company is betting they'll pay out less than the insured has in claims. Something like shrink, which is all but guaranteed to happen, is not something an insurance company is going to be offering. They may have some policies on individual high-ticket items in some cases, but I don't know of any "umbrella" shrink insurance available.

Where you really go astray is in saying this "write off" is a "victimless" crime. Let's take your example of walking into a store and buying a $1000 TV with a stolen card. Right off the bat, the merchant will pay somewhere in the 1-3% range to take that card, depending on its card processing volume, card brand and type and other factors. Let's just say 2% to make it easy and call it $20. Anywhere from 1-90 days later (more in some cases) the merchant receives a chargeback request from the card processor, saying the cardholder is disputing the charge. Merchant sends all required information, but since the cardholder wasn't actually the one using the card, the dispute is successful. Merchant now has $1000 removed from their account, along with a $25 chargeback fee. They've now spent $45 out of pocket, plus they're out the merchandise which probably cost them closer to $800 (electronics themselves don't have that high of a markup rate, unlike accessories like cables.) All said and done the merchant lost $845 tangible costs, plus intangible costs like the employee time required to stock that item on the shelves, the cashier's time to run that transaction, etc. Where the retailer would have made $200 on the item, they now have to sell 5 of them to make up for the one lost item and have a little profit.

Now do you think the merchant is just going to accept that loss and move on? Of course not, they have sales numbers and profit margins they expect to maintain. If they have no control over whether that item left, which at the time of the sale they had a card approval and no reason to suspect otherwise, what can they control? They can control the price they charge for all of their items. Retailers expect to have a certain percentage of shrink, so that percentage of profit is added back into every item they sell in the form of higher prices. When shrink goes up over time, retail prices go up accordingly. If the retail market won't support higher prices, then costs must be cut by means of reduced personnel and other means, or they close their doors completely.

What this means in the end is that you and I, along with every other honest customer, are the victims. Because of this credit card fraud, we pay higher prices and deal with reduced service levels at the stores. Even if there is a shrink insurance that some retailers may have, the money to pay for the premiums and deductibles would be passed down to us in the same way.

Enforcement for any retail fraud, including shoplifting, seems to take a back burner for police. Unless the retailer has the person detained (which can be a whole new can of worms) police are very unlikely to pursue the case, even if the retailer has positive identification and video of the person leaving the establishment with the merchandise. Even if they do, prosecution is likely to plea it down to a lesser charge so the person gets a slap on the wrist and is free to go do it again, learning from the mistake of getting caught. Credit card fraud is even worse because it involves coordinating with out-of-state organizations such as the card processor, the actual cardholder if it wasn't a local theft of the card itself, etc.

It was only a matter of time

[Quick+Reply]

I mean really, how idiotic do these companies need to be to make a system where the full Credit Card information is TRANSMITTED over the air with no authentication. Even a token would be more acceptable.

The Credit Card system is quite happy to take a loss on all the money they have to pay back with protection guarantees when consumers get scammed, instead of actually tackling the problem by inventing a SECURE SYSTEM that is impervious to skimming methods.

This app does not add any additional functionality that scammers don't already have, but a good highlight of how damn simple it is to do, while Mastercard/Visa and the financial institutions who use them do nothing.

Re:It was only a matter of time

[AuMatar]

It's the ease with which it's done, and the fact that physical security is no longer enough. If the card isn't NFC capable, you have to physically hand the card to someone. With an NFC reader, bumping up against them in a crowded club/street may be enough. I can protect against handing my card to people who don't have a legit reason for it, and I can prevent it leaving my sight when not at home. I'm not capable of preventing anyone who wants to from brushing against me. So yes, this is a big deal.

Re:It was only a matter of time

[Joce640k]

You contradict yourself.

It's skimming while the card is still in your pocket. It's exactly the same as handing your card to random people for them to play with.

Hate broadcasting CC

[AwesomeMcgee]

I am so mad that every one of my CC's/Debit cards that has expired has been replaced by the banks with ones that do this broadcasting shit. Has anyone been able to get them to replace with one that doesn't do this shit? There's absolutely no reason I would want my CC to broadcast its info for devices to read, and swiping the thing is just as easy as passing it over an NFC device.

Or perhaps can anyone name a national bank who has allowed them to get a debit card that doesn't do this?

Re:Hate broadcasting CC

[fsulawndart]

You could always just drill a hole through the chip. That's what I do.

Test this

[SmallFurryCreature]

Because I have had to implement credit card payments where the field was marked as required but never checked or stored anywhere. So, if you didn't fill it in or put in a random value, it worked perfectly fine and this was on sites doing millions in transactions per year.

There is also nothing in the contracts with processors that this is required, it is recommended but not required.

A lot of web companies are terribly afraid to turn away any customer because they might have to think for a second while making a purchase.

I confirm this in another response

[SmallFurryCreature]

I can vow that this is true, have had to implement it like this myself. It is often marked as required but never actually checked.

Three reasons, the web master is afraid of putting up any hurdles to a purchase.

During testing, the CVC check is often disabled, so its proper functioning can only be tested on a live account.

And lastly not every card has it and so the idea exists with web shop owners that if they enforce it, they might loose X% of customers.

IF you happily filled in your number correctly for years, that is no proof it was ever checked. Welcome to the online purchasing!