Smartphone Used To Scan Data From Chip-Enabled Credit Cards

An anonymous reader sends this news from the CBC: "Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."

What are we going to call this?

I propose warstriding.

Re:What are we going to call this?

[GameboyRMH]

I'm pretty sure I proposed "cardsnarfing" many years ago, trying to find the post now...

Re:What are we going to call this?

[compro01]

Given how close you need to get to do this, more like wargrinding.

Testing with my GS3 and Interac Flash-enabled debit card, the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.

Re:What are we going to call this?

[Nerdfest]

Same with a Nexus 4. Even a thick case causes problems. I'd actually like to have a bit more range for reading NFC tags.

Re:What are we going to call this?

[fahrbot-bot]

the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.

Typical real-world vs. "guy" measurement. (right girls?)

Re:What are we going to call this?

How fast does it read the card?

"Gotta get skin-close and hold for a second or two" isn't quite usable for skimming. ... Unless you walk with "FREE HUGS" sign. Where can I get a suit with several NFC readers sewn in?

Re:What are we going to call this?

[compro01]

How fast does it read the card?

Using the TagInfo app from NXP (Who apparently made the NFC chip in my card), takes about 1.5 seconds to read it.

Re:What are we going to call this?

[Andy+Dodd]

Yeah, and the FUD comment that "omg phones MIGHT have greatly increased NFC range in the future" is bullshit.

Increasing range would require:
1) More power (eats battery)
2) More antenna surface area. To get a range of about 6-10 inches, you need an antenna that is more than a foot on each side. (I need to hold my badge within 6-10 inches of the reader when badging into the largest readers at my workplace - which are over a foot in both width and height.) Oh yeah, that's with a fixed reader that has all the power it could ever want.

Re:What are we going to call this?

[cheater512]

I found my GS3 could actually read a card with less than 1cm overlapping between the card and the phone's back.
Also it will easily go through my wallet. I can get about 2-4cm of range.

Re:What are we going to call this?

[foobsr]

Typical real-world vs. "guy" measurement. (right girls?)

Hopefully Adria Richards will not read your comment.

CC.

Re:What are we going to call this?

[FatdogHaiku]

Given how close you need to get to do this, more like wargrinding.

So... get CC data AND make a new friend!
Is that a smart phone in your pocket or are you just mildly pleased to see me?

Re:What are we going to call this?

[fahrbot-bot]

Typical real-world vs. "guy" measurement. (right girls?)

Hopefully Adria Richards will not read your comment.

Although, I could be implying the example, "I caught a fish this big..."

As for Ms. Richards... She has many valid points, but often seems to choose the wrong battles and/or focus on things that, while apparently important to her, are actually rather trivial and/or harmless in reality. Many jokes may be inappropriate, but finding offense is a task for the small minded and/or insecure. Perhaps she doth protest way too much. My heart goes out to her for standing up for what she believes and suffering the consequences, but in her methods, she's also demonstrated some jerky behavior herself. Perhaps she feels the ends justify the means (that usually doesn't end well for anyone).

Re:What are we going to call this?

[foobsr]

I appreciate your reply.

CC.

Re:What are we going to call this?

[wooferhound]

WarGroping . . .

Re:What are we going to call this?

I know it! Just like fancy new 16 core processors. The best one at my workplace is a quad core. I can't believe anyone would think its possible to make anything better than what we already have!

Re:What are we going to call this?

How hard would it be for someone to get close to your wallet in a subway during rush hour?

Re:What are we going to call this?

Actually, the "I'd fork his repository" comment was relating to "plagiarism is the sincerest form of flattery". Didn't deter ms. Richards from interpreting it her own way.

The scary part is people like her can take anything you said in entirely good faith and find sexual undercurrents in it. She got a guy in serious trouble (not sure if it was him or the other) for making an entirely innocent remark which she misunderstood and took offense in meaning that resulted from her own ignorance.

Re:What are we going to call this?

I can assure you this is not uncommon scenario in public transport.

In my city the monthly tickets contain RFID tag and are recharged. The automats that validate single-ride tickets can be used to check expiry date of your monthly ticket. I found it quite startling when the automat I was leaning on suddenly went "beep" and displayed my ticket data after it read it through my thick jacket and wallet.

Re:What are we going to call this?

[mjwx]

I'm pretty sure I proposed "cardsnarfing" many years ago, trying to find the post now...

I've known about this application for six months. On the play store it's called Card Test and blanks out the middle 10 numbers from scanned cards. But this application is based on the source code developed by someone else that doesn't blank out the numbers.

On my Visa it got the full card number, expiry date and name. Enough to make a purchase online. On my MasterCard it didn't get the name, but I'm sure that's only because the application was made for Visa's specifications instead of MasterCard's. The only thing stopping card sniffing on mobile phones is the fact that NFC on most phones is limited to a centimetre at most (certainly is on my Galaxy Nexus). But this is just a matter of getting better hardware, NFC has a theoretical range of 5 metres so imagine how many cards could get skimmed just by sitting in your average shopping centre (mall) for an hour or two.

If you want to disable NFC, you just need to sever the induction loop. If you dont want to damage the chip, the best place is usually right above the chip where the induction loop connects to it, make a cut there with a scalpel or stanley knife but be careful not to cut through the mag stripe. Other suggestions have been to drill though the card lining up the chip with the Visa/Mastercard logo (just above the last quartet of numbers) but this is hit and miss as I cant say where the induction loop is exactly.

Re:What are we going to call this?

[mjwx]

Given how close you need to get to do this, more like wargrinding.

Testing with my GS3 and Interac Flash-enabled debit card, the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.

This is only because phones have incredibly low powered NFC transmitters.

NFC has a theoretical range of 5 metres, so it's just a matter of having a better hardware platform and yes, you can buy them off the shelf. I've had an NFC device in my car that can communicate with a garage door receiver 2 metres away for years. It sat on my dashboard and I never had to move it to get the door to open (well it was meant to work this way). The range of NFC is determined by the power of the hardware, phones deliberately keep NFC power low in order to conserve battery, other NFC systems (like the garage door pass) which have a transmitter connected to mains have no such restrictions.

So maybe you wont be able to do this with a Galaxy S3 or my Galaxy Nexus. But you'll be able to do it with other off the shelf hardware.

Re:What are we going to call this?

[mjwx]

Yeah, and the FUD comment that "omg phones MIGHT have greatly increased NFC range in the future" is bullshit.

Forget about phones, you can already buy off the shelf NFC devices that have more range than phones.

Increasing range would require:
1) More power (eats battery)
2) More antenna surface area. To get a range of about 6-10 inches, you need an antenna that is more than a foot on each side. (I need to hold my badge within 6-10 inches of the reader when badging into the largest readers at my workplace - which are over a foot in both width and height.) Oh yeah, that's with a fixed reader that has all the power it could ever want.

More power yes, but a 60 CM wide antenna is utter bollocks. Even if you do have a 60 CM antenna, it will be so incredibly easy to get it into public places without being noticed it's not funny.

If I walked into a shopping centre wearing a high visibility vest with a ladder, a tool kit and my antenna, who the hell would question what I'm doing?

Never underestimate where you can get with only a high vis jacket and a clipboard.

Almost useless

Without the CVV (verification code) you cannot do anything usefull...

Re:Almost useless

Without the CVV (verification code) you cannot do anything usefull...

Bullshit. It will allow you to clone the card and make "swipe" based purchases. You can also use any online or phone retailer who doesn't ask for the CVV, and many of them don't ask.

Re:Almost useless

Not necessarily. A lot of times stores will only require two pieces of information match of the card number and either address or CVV. If you have a name, you could reasonably guess at an address with publicly available information and then you wouldn't need to worry about the CVV matching.

Re:Almost useless

Seriously, didn't anyone see this coming? "Swipe" the card and bam -- the purchase is done. How can that be considered secure? No signature, no PIN, no CVV, nothing; just pass it, and it's done. How the fuck was this even considered for adoption? Now, what everybody with half a brain imagined is happening.

Re:Almost useless

[langelgjm]

It will allow you to clone the card and make "swipe" based purchases.

Are you also going to fake the look and design of a bank card, including, possibly, raised numbering/lettering? Or are you just going to clone it on an old library card?

All this is is a slightly easier way to obtain credit card information from a limited number of NFC enabled cards... but getting that information wasn't particularly hard in the first place...

Re:Almost useless

[GameboyRMH]

The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.

Re:Almost useless

[parkinglot777]

Does that CVV really matter if a thief got everything he/she needs but merely 3-digit (or 4-digit) number? Is it impossible for someone to implement a way (even brute-force) to get those 3 (or 4) digit numbers? I highly doubt that there is NO way to obtain a card's CVV number. Think out of the box please...

Re:Almost useless

[GameboyRMH]

Look and design - Blank magstripe cards are the same shape and size, the face design can be printed:

http://pvc.idcardgroup.com/productdetails.aspx?item=800059-106-01

Raised lettering - using a set of letter stamps intended for metalwork.

Re:Almost useless

[click2005]

They do however employ very good lawyers and lobbyists who probably ensure that any liability ends with the consumer or the store not them.

Re:Almost useless

[langelgjm]

The point is not that it cannot be done - I have cloned magstripe cards myself. The point is that there are hurdles to jump before you have a card you can actually use in person, and other hurdles for card not present transactions.

If you are willing to print on the card face and do the raised lettering for each card's information, good for you - what is the time and cost involved in doing that, versus the value of the fraudulent purchase you can make, versus the risk of the fraud being traced back to you?

Re:Almost useless

Just like the IT staffers are morons who wouldn't know how to run a successful business from their own asshole. Really, it's that simple. Fuck convenience, usabilty, and all that other crap customers want! I KNOW that SECURITY is the most important thing.

Re:Almost useless

[compro01]

Is it impossible for someone to implement a way (even brute-force) to get those 3 (or 4) digit numbers?

Sure, you might even get 4 or 5 attempts before you get locked out.

Re:Almost useless

Well, depending on the backend security, somebody brute forcing credit card codes would be found easily and the card blocked.

Re:Almost useless

I could simply take my old expired card and write the copied data onto it. No one would notice that the numbers on the check don't match the visible ones on the card.

Re:Almost useless

[nomorecwrd]

Here in Chile PIN is mandatory... but cloning is still being done (a hidden camera usually captures your PIN)

News flash! Now they are cloning - and altering - the swipe machines, to capture everything including PIN and sending it through hi intensity bluetooth. The machines (GPRS -EDGE) are being switched without the merchant's knowledge.

Re:Almost useless

[alen]

almost every retailer has cameras
unless you use the card for small purchases the real owner won't notice, the cops will go after you

Re:Almost useless

[jeffmeden]

Seriously, didn't anyone see this coming? "Swipe" the card and bam -- the purchase is done. How can that be considered secure? No signature, no PIN, no CVV, nothing; just pass it, and it's done. How the fuck was this even considered for adoption? Now, what everybody with half a brain imagined is happening.

Sure they all saw it coming. And "smart chip" credit cards that would hold biometric authentication have been teased for a decade. Problem is, security doesn't *sell*. Not when you can just tell the merchant that fraudulent use is their problem, and then give them no viable way to increase security aside from asking tellers to ask for ID (and we know how well that works).

Re:Almost useless

[DougOtto]

Says the AC running a business from his/her own asshole.....

Re:Almost useless

[Cenan]

Of the three, only lack of security can bleed a company dry of funds in milliseconds.

Re:Almost useless

Or, I could just go to the grocery store and swipe a damn hotel card myself.

Re:Almost useless

[whoever57]

Without the CVV (verification code) you cannot do anything usefull...

Tell that to the criminals who were spending money in gas stations and restaurants in central California using a clone of my wife's card a couple of years ago.

Re:Almost useless

[realityimpaired]

The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.

Yes and no... a few years ago when I got my first RFID card from Mastercard, I had to threaten to cancel the card if they didn't send me one without it. Two years later, when I got one from Visa, it was a 5 minute phone call and the new card (minus RFID) was in my inbox 3 days later.

That says it all, I think. And TFA says that I was right, and I will be quite smug all day about it. ;) (and will continue to insist on having cards without the RFID).

Re:Almost useless

I'm sure they're aware it's insecure, it just a level of insecurity they are comfortable with. They don't want to change to a new (more secure) system because that means replacing legacy equipment. And, most importantly, the credit card companies that make the decision are not the people who lose money from fraud (except for the small second-order effect of people not using credit cards due to fear of fraud).

Re:Almost useless

gas stations don't tend to need any authorization. that's a bunch of money and a very common thing for people with stolen credit cards to resell.

Re:Almost useless

[mythosaz]

...and every grocery store, which has never, ever, checked my ID.

Re:Almost useless

[AuMatar]

ABout 2 years ago, I got a new credit card. I started making online purchases. A year later, I had a purchase rejected. Turns out that I used the wrong CVV- I used the CVV from the old card it replaced. I'd been using that CVV the whole time. I'd been using the wrong CVV for over a year, and this was the first time it had stopped the transaction.

Basically, almost no merchants check it.

Re:Almost useless

[omnichad]

Raised lettering is no longer required. Which is fine, because basically nobody has a manual imprinter these days. Which is terrible at the drive-through when the machines are down...again.

Re:Almost useless

[omnichad]

Wal-Mart, Best Buy, grocery stores....? Plenty of brick & mortar stores with big ticket items. Most of them let you swipe the card yourself, so it doesn't even have to look very real.

Re:Almost useless

[parkinglot777]

Dedicated thieves don't go the route most people think to make money. They may also have plenty of time in their hand and no need to make it obvious. Besides, What would they lose if they really try and got locked out? Unless they are not that sophisticated thieves and associate their real identity to the attempt.

Re:Almost useless

[eric_herm]

I think they just checked how much lack of security cost vs reducing the cost of security. IE, like a 1000$ system to protect a 10$ book is overkill, maybe that's the same kind of issue. If being a moron was the road to make money, I guess we would know by then.

Re:Almost useless

[neokushan]

Hai! "Expert" here (And by "expert" I mean I work in the industry, my company has a hand in testing everything from the cards themselves right up to the host in your Bank's basement).

Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off ebay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe.

Chip cards, on the other hand, work completely differently. They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java). It doesn't just hand over your card details upon request, it actually uses a lot of cryptogeraphy, using public/private keypairs (Amongst other things) to ensure that no two transactions are ever the same. Cryptograms are used to ensure that data being sent and received is valid, it's impossible to change any data without breaking this. Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.

Contactless chip cards are nothing more than a wireless standard that compliments the above. Similar to Wi-fi versus ethernet, it's only the transmission medium that actually differs here, the same sorts of cryptograms and hashes are done here. The net result? Yes, you can skim some data using any NFC equipped smartphone, but it's useless to you because you cannot even replay a transaction because you don't have any of the private keys.

Yes, you can use the information to clone the magstripe on a card - the card gives you enough information in the clear to do this, but you'll find that the magstripe is largely useless to you as it's only used as a fallback. These days, even magstripe transactions are used "online" - that is, the terminal WILL contact the host to veryify it, a side effect of the rampant card fraud that goes on. The host will question why a chip-enabled terminal is doing magstripe with a card it knows is chip-enabled. The result? Transaction voided. Terminal prompts you to use the chip, because the terminal knows there's nothing wrong.

As for online shops - those shops that DON'T ask for the CVN are liable for the fraud, so few are left out there that don't. What's more, most cards these days have a secure online payment page requiring you to type in a password before continuing.

Sum total? This is a non-issue, there is nothing new in this article and anything else you hear is scaremongering. You cannot clone a chip card, it's physically impossible.

Re:Almost useless

[thomasw_lrd]

I was gonna suggest lawyers and lobbyists that ensure the government picks up the liablity.

That way the consumer's still happy, and keeps using the card, no matter how many times it gets stolen.

Re:Almost useless

[neokushan]

Not necessarily. You said the new card was a replacement for the old card - often those replacements don't change the card number, so really all that will have changed is the expiry date and the CVV. It's possible that the online systems thought you were still using your old card and thus accepted the CVV because the "new" card had never been activated. So it's not the CVV they don't necessarily check, but rather the expiry date (Because hey it's in the future and that's good enough).

It's not ideal though, it should be much stricter than that.

Re:Almost useless

[Minwee]

Just like the IT staffers are morons who wouldn't know how to run a successful business from their own asshole. Really, it's that simple. Fuck convenience, usabilty, and all that other crap customers want! I KNOW that SECURITY is the most important thing.

And that's how you just bought someone who stood next to you on the subway a couple of new iPhones.

Wasn't that convenient?

Re:Almost useless

[jwgreene]

So you enjoy having a far higher likelihood of credit card fraud? Chip and PIN technology vastly reduces the amount of fraud. In two years of using out chipped CCs, e haven't had a single unauthorized charge of any sort, in person, online, or by phone. This story is FUD for the most part, because anyone getting their phone that close to my wallet is going to be entirely noticeable and will get told to sod off.

Re:Almost useless

Except that they DID have the cvv because you wife's card stored it on the magnetic strip. If it was stored on an nfc chip (like the cards in the article), then it couldn't have been cloned.

Re:Almost useless

itunes store doesn't require cvv

Re:Almost useless

[langelgjm]

Raised lettering is no longer required.

I know, but the vast majority of cards still have it, which means that cards without it get more scrutiny... so if your cloned card with fake printing doesn't have raised lettering, it might get a second look, at which point the person swiping it might notice that something's a bit off.

Re:Almost useless

Chip and PIN != NFC

Re:Almost useless

This isn't Chip and PIN, it's RFID, which are two different things.

I'm guessing that the original poster is from the U.S., and I'm guessing that you're from Europe, probably the U.K. Credit cards in the U.S. don't have Chip and PIN. Some credit cards in the U.S. have RFID, which can allow you to read the card data at will.

Re:Almost useless

[MiSaunaSnob]

of course you could just use the cloned magstripe on a terminal that does not have a wierless or chip reader. Maybe they are commen where you are from but in the midwest USA i think i have only ever seen wireless readers at McD's and I have never seen a chip reading terminal. So that kind of blows a whole in a large part of your secuirty... and makes your "non-issue" into a big issue

Re:Almost useless

[Bert64]

How is something as arbitrary as a "signature" considered secure either? Anyone can make a random squiggle on a bit of paper. That provides absolutely no authentication whatsoever.
A PIN is about the best option available at the moment, since stealing or cloning the card won't get you that.

Re: Almost useless

If I swipe my chip enabled card on a chip capable pinpad my bank declines it. Even if I enter the correct pin. I have to use the chip if the pinpad supports chip.

Re:Almost useless

Not true. The card issuers know security backwards and forwards. Unfortunately, consumers are demanding and hot new startups are starting to offer alternatives to traditional cred and debit payments that use, well, lax security practices compared to traditional debit and credit requirements (I'm looking at you, Square). The card issuers know they have to come up with something quick or else they will lose the strangehold on the consumer payments market, so they are doing their best to make NFC a viable alternative. Also, it's not nearly as simple as "Swipe the card and bam it's done!" It uses a PKI setup to sign applications and cards to prevent easy cloning.

Re:Almost useless

[Bert64]

Since when do employees at the average retailer ever bother to check that the raised lettering actually corresponds to the data on the magstrip?
You could just need to create one realistic looking card and then you could keep rewriting it with fraudulent details whenever you liked.

Re:Almost useless

[neokushan]

Ah, well, see here's the thing - the USA is supposed to be moving entirely over to chip technology soon.

Of course, it isn't and nobody's in any position to move over because this takes a long time to roll out and a huge amount of the industry isn't as prepared for it as perhaps they should be.

But here's the good news! You're not liable for card fraud, the bank is. At least, the bank is for a short period of time, then that liability will switch over to the merchant because he hasn't upgraded to chip technology yet. That happens in 2015 and oh boy is it going to be a fun one to watch out for!

So anyway, getting back to my point - most of the rest of the world is already on Chip technology (known as EMV, by the way) - the US is the last of the G20 countries to move over to it. Canada did it years ago, the UK did it in the 1990's, etc.

However, as I mentioned above in the USA card fraud is already rampant, it's incredibly trivial to clone a magstripe card and there are already measures in place to fight against that (not quite as effective as moving to chip, of course, but it's there). The point is, there aren't many chip cards in the US so it isn't worth even trying to skim people's wallets for the odd one that DOES have a chip card, just so you can clone said card - it's far more efficient to tackle the magstripe swiping directly as every card has one. Then when the USA finally starts to switch to EMV and chip cards become more prevelant, the magstripe terminals will be mostly replaced and the ones that aren't - as I said earlier - you aren't liable for, the merchant is.

Re:Almost useless

[langelgjm]

Don't know where you shop, but I frequently observe employees asking for the card, then keying in the last four digits by reading them from the card, and this after swiping.

Re:Almost useless

Bullshit. You cannot clone a card with just this information. There is information encoded on the magstripe that is not given via RFID.

Similarly, you cannot make an online purchase without the billing address, let alone without the name and cvv2.

The risk with here is man in the middle, which is too hard and costly for lucrative, wide-spread crime based on this.

Usage of the information gleaned from NFC could only be used for social engineering (again too hard and costly for lucrative, wide-spread crime based on this).

There seems to be a lot of circlejerkery about the 'stupidity' of card companies. You fail to see that they have taken this into account. Just not the basis of absolute security of the individual cardholder, but minimizing the total cost of fraud (which *they* bear).

Re:Almost useless

You cannot clone a chip card, it's physically impossible.

Maybe hard, or no technique know, but physically impossible? I call bullshit.

Re:Almost useless

'mastercard' and 'visa' don't issue credit cards.. it's a bank or other financial institution that issues them... the card manufacturers (which is often not the issuer themselves) that press, program and mail the cards do so using the requirements of the issuing institution. so it is the bank (the one YOU chose to apply for a card through) that initially sent you the rfid-enabled cards, not the card company... don't blame mastercard or visa for this -- but there's a ton of other shit you can call them out on... such as allowing the ridiculous fees for merchants and allowing merchants to charge higher prices to credit card customers in order to cover some of those extra costs.

Re:Almost useless

[Mr_Silver]

Yes and no... a few years ago when I got my first RFID card from Mastercard, I had to threaten to cancel the card if they didn't send me one without it. Two years later, when I got one from Visa, it was a 5 minute phone call and the new card (minus RFID) was in my inbox 3 days later.

A minor point, but one that people on Slashdot don't seem to understand, is that you don't actually get your cards from Visa or MasterCard at all.

They are payment processors and they pass payments from one bank to another. They ensure that the X banks in the world don't have to build connectiors to X-1 other banks just to let you buy something at a shop or online. Instead each bank just connects into Visa or MasterCard (or sometimes both) and then calls it a day.

The relationship you have is actually with your bank (in industry speak, your card issuer). They are the ones that decide what payment scheme to use and issue you a card for that scheme. They are also the ones that would decide whether or not to make available to you the option to have a non-contactless card. Visa and MasterCard have no say in what they give you.

Hopefully that clears things up a bit.

Re:Almost useless

However, as I mentioned above in the USA card fraud is already rampant, it's incredibly trivial to clone a magstripe card and there are already measures in place to fight against that (not quite as effective as moving to chip, of course, but it's there).

A magstripe is trivial to clone only if you have physical possession of the card. Adding wireless access to the magstripe data means that I no longer have to hand my CC to someone for them to be able to clone the magstripe. So now, it's not just the four or five businesses I buy things from each week who might steal my card; now it's any of the thousand people I pass on the street.

Re:Almost useless

I believe the signature is about legal liability, not security. That is, forging a signature is a worse crime than just using someone else's credit card.

Re:Almost useless

Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.

While everything you've written is true within the bounds of your assumptions there are at least 2 gaping holes left. A malicious/tampered card terminal can potentially charge a card as someone walks by with no no indication to the person. A malicious/tampered card terminal can display that it is charging you $1, while the actual transaction is for $100. Given how often thieves have been tampering with card terminals in the past few years, both of these seem like rather worrisome weaknesses.

Re:Almost useless

Its all about creating as many debacles and crises that it will become relatively imperative that all people have chips implanted into their bodies. The day is coming when the chip in my fist will meet the phone in your nose..

Re:Almost useless

[MaskedSlacker]

They do however employ very good lawyers and lobbyists who probably ensure that any liability ends with the consumer or the store not them.

I don't think any cards with personal liability exist. Every card I have has zero liability for fraud--of course, that's kind of a scam, since they just charge me the cost of fraud in my interest rate.

Re:Almost useless

[MaskedSlacker]

You realize that prostitution IS big business, right?

Re:Almost useless

Would rather do it like it is now, as opposed to someone stealing your pin where you are then legally screwed. They used your pin, so you either did it yourself or gave it to them, end of story, do not pass go, do not collect $200. In the former case, they have to prove you did, in the later, you have to prove you didn't.

Re:Almost useless

In the UK (and probably other places) chip and PIN was brought in by the banks so they could push liability onto the customer. They argue that because chip and PIN is "secure" then you MUST have given your PIN to a third party, ending their liability.

Re:Almost useless

Yes, so very impossible researchers have already figure out methods of how it can be done:
Here

I know, I know, this is just some researchers, but it shows that where there's a will there's a way. Cloning a chips is possible. It's expensive but lets face it, what's expensive today is cheap tomorrow. Holding up chip and pin like it's some sort of silver bullet is stupid. It *will* fail and there is a lot of valid argument that it already is.

Re:Almost useless

[realityimpaired]

Canada, actually... most credit cards being issued here have RFID and Chip/PIN together. You have to ask them to send you one without RFID... they won't send you one without Chip/PIN because they're in the process of upgrading bank machines to require it. We've had Chip/PIN longer than Europe.

Re:Almost useless

You cannot clone a chip card, it's physically impossible.

Who cares about cloning when you can just use contactless interface and forward your purchases to another card. It is only a matter of time until RF payments will work like this,

1. scammer has a fake CC - puts it next to terminal
2. fake CC communicates with terminal + another device (phone, laptop, whatever)
3. the other device then interrogates all the cards around a 5m or 10m radius
4. once it finds another card, it forwards the transaction through the 3rd party.

scam card TO another device TO directional antenna TO scammed individual's CC

all contactless. All secured. All without cloning anything. And with advancement of directional solid state antennas, soon it will not even be necessary to carry anything bulky.

RF is *inherently* insecure to MITM, *always*, even when the MITM can't decrypt the info. The entire point of "safety of CC RF" is you need for proximity. Well, that is bullshit and any RF engineer knows that.

Re:Almost useless

(I'm the AC you replied to)

In my country, we use chip+PIN exclusively, and the system is pretty secure, yes. I was dissing specifically the NFC-type purchases, where you need to do nothing to confirm your purchase. When we used the mag stripe, you at least had to sign a receipt, so you could request that receipt for purchases you didn't recognize and, seeing as the signature would be different, you'd have a good case on "I didn't buy that stash of midget + donkey porn". With NFC, you pass the card near the reader (don't even need to get it out of the wallet) and the purchase is done. Where is the proof that YOU bought it? There isn't one.

Re:Almost useless

[AuMatar]

It's the CVV. Not all websites even ask for it, which is proof that it isn't needed.

Re:Almost useless

[gottabeme]

Yes, exactly. I didn't see anything in neokushan's posts to counter this problem, other than that eventually maybe everything will be on the chip terminals, which are supposedly immune to this problem.

But then my question is, how do we buy things online without having a chip reader hooked up to my PC?

Re:Almost useless

[Eugene]

It's funny to think that even Africa or Latin Amercan issuers issue more EMV cards then US, but sadly that's true. What's worse is people's groundless fear about using contactless technology for payments. Seriously, the biggest security problem in the credit card itself is the magnetic stripe itself.

Re:Almost useless

[Capt.Albatross]

Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about.

'Secure' and 'better than magstripe' are two different things, and as you acknowledge, it is the second of them that is most accurate. Nevertheless, it is a valid point that chip technology is much more secure than magnetic stripe.

Three things bother me, however. The first is that while the security is better, it has not, so far, been state-of-the-art. There is a team at Cambridge University that has found a number of exploits of the British chip 'n pin system, and good evidence that these exploits are being exploited by criminals. Some of the poor design decisions that opened the way for these exploits fall in the 'what were they thinking' class. A change of this magnitude only happens once in a couple of decades, and it is in something that matters a great deal. Is it unreasonable to expect that a great deal of care should be taken to make sure it is done as well as possible, such as by employing and paying attention to people who are at least as competent as the researchers (and the criminals, for that matter) who have been able to break these schemes? We cannot expect or demand perfection, but a significant reduction in gratuitous and easily avoided mistakes appears to be achievable and reasonable to expect.

The second thing (which may also be particular to the British experience) is that the banks have lobbied successfully to change the law so that the cost of fraud is transferred to the merchants and the cardholders. It has been revealed that this transfer was a major motivation for the banks to make the change in the first place (they would prefer to be secure than not, but what they really care about is not paying for fraud.) The lobbying for these changes included what turned out to be unjustified claims about the level of security the system provided. One particular aspect of this liability transfer is that they have been able to do it without producing the log files that might have exonerated those on whom the cost was being transferred.

The third thing is that these security blunders keep on happening - we have seen the same sort of complacent mediocrity (or outright incompetence) in electronic locks and voting machines, to pick just a couple of examples. What is it going to take for security to be taken seriously? For all I know, the chip card system being developed for the US may be better than that in the UK, but past experience makes me skeptical.

http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf

Re:Almost useless

[Eugene]

http://en.wikipedia.org/wiki/Chip_Authentication_Program

Re:Almost useless

[Capt.Albatross]

But here's the good news! You're not liable for card fraud, the bank is. At least, the bank is for a short period of time, then that liability will switch over to the merchant because he hasn't upgraded to chip technology yet.

So, after the 'short period of time', who is liable for fraud when the merchant has upgraded to to chip technology? There seems to be an assumption that with the technology in place, fraud will be impossible, at least without the collusion of the cardholder. That was the assumption in Britain, and on that basis, liability was legally transferred to the cardholder. It turned out, however, that fraud (without the cardholder's participation) was both definitely still possible and almost certainly happening, but as far as I know, the cardholder is still legally on the hook.

http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf

The particular error covered here may not be repeated in the US (though I would not automatically assume that), but perfection is unlikely. It looks to me that the banks have themselves a deal whereby, for continuing to bear the cost of fraud for a short time, they get the new system rolled out beyond the point of no return, after which they transfer the liability for whatever happens from then on to the merchants and cardholders. I'm not celebrating yet.

Re:Almost useless

What are you smoking? CCV is not stored on magstripe.

Re:Almost useless

[Pionar]

That's because generally these merchants have a "card-present" contract with the card company. This is cheaper than a "card-not-present" scheme, which requires a CVV. This is mostly just a wind and nod agreement, though.

Re:Almost useless

[foreverdisillusioned]

They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java)

Wow, what a relief, It's a good thing they haven't figuring out some kind of "SIM cloning" yet.

Realize that any "miniature computer" you can fit in a SIM (which you've claimed is the same that is found in credit cards) is not capable of the kind of secure, decent length keyed, challenge-response type system necessary to do this right. Certainly, the implicit claim it could do it in the time an average ATM withdrawal takes is laughable. I highly doubt we even need to get into the MITM arguments others are bringing up (are you honestly claiming that all third party ATMs are vetted and assigned independent certificates?) to demolish your claims.

You cannot clone a chip card, it's physically impossible.

Uh huh. By the way, you didn't specify what field you're in. I'm guessing marketing?

Re:Almost useless

[HJED]

Most chip and pin (or magstrip ) terminals don't provide that information to the retailer, or at least in Australia they don't.
A standard terminal will go through: enter amount>swipe w/ amount displayed>check savings credit>print customer receipt all of these screens have no personal data related to the card user on them.

Re:Almost useless

I don't think you understand what is Public Key Infrastructure and what is asymmetric encryption.

Please, think about what I just said above and how it would apply to the situation above.

You also seem to forget that purchases with smart chip CC needs a PIN to proceed.

But hey, don`t let ignorant and baseless fear stop you from pretending to be the only expert in the world who has thought of this.

(I had the same type of argument with my co-worker today. Yes I work with encryption security, as in breaking it)

Re:Almost useless

[Killjoy_NL]

And you have a place to swipe the card there :)
Time to install the NFC reader in the butt/vagina.

Re:Almost useless

The chip data is different from the magstripe data. Write the chip data to the magstripe and you get a failed transaction.

Card number, expiry and friends are in so many emails and recipts I get, if any vendor does a transaction based on those alone without the CVV, then that vendor is out of luck - his risk, his loss. Still, it will be frustrating for you to fight off those claims.

Also most banks are clue less. They buy every computer service and knowhow from external partners. And those partners don't know the systems they run well either - e.g. I know one large payment processor couldn't distinguish a magstripe transaction from the chip transaction in magstripe compatbility mode.

On top of that each player only gets to see his part of the specifications. Thus it is not uncommon to have a telco with 5 parties, and except for visa or master card, everyone only knows a tiny part of the payment specs and can't get the full picture on how the parts should work together. And one card brand had for example 1 chip specialist in europe in total. All detailed questions about bits and bytes in the spec and the detailed interpretation had to go though that one person.

EMV spec is many thousand pages and the brand internal specs from MC or VISA add many thousand pages on top. Some of those specs are nicely written and approachable, but the whole security voodoo locking the spec behind some NDA leads to very few people understanding what they do.

The only reason to trust the bank or card brand would be if they would cary the risk. After all they set the specs, the requirements for everyone else, have the power to investigate every issue and revoke certifications for companies not working as promissed. Problem is with current development the brands push the liability for many issues to the customer, who has no way to investigate any issue, no way to figure out if things are handled badly, no insight into the system. But you can be loud about he issues to hurt the brand of the bank, vendor or credit card brand as much as possible, if they try to move liability onto you.

Re:Almost useless

texas instruments, NXP, other companies create the chip. some company has a chip operating system for credit cards, they give the rom mask to above company and order many thousands chip. some perso bureau has the deal with the bank, they buy the chips with the credit card rom in it, they ask some company to print plastic cards with the magstripe, they have the machines to emboss and glue the chip into the card, and they have the machines to personalize the cards - put your name on it, emboss the card number, write data to the magstripe, initialize the chip with the security credentials and configuration. they work on behalf of the bank. the bank also has a company handing the transactions from them. and the bank is a customer to visa or master card so they can hand out those cards.

the bank might be clueless. if the credit card brand, the transaction handling company and the personalisation bureau all agree, then they are fine. banks don't have the technical know how otherwise.

Re:Almost useless

[neokushan]

That's what the 3-digits on the back of the card are for. They are NOT stored on the magstripe in any way.

Re:Almost useless

[neokushan]

Yes, but the point that perhaps I'm not making clear enough is that any vulnerability is due to the OLD systems, the magstripe stuff that should have been replaced years ago. The issue lies with the legacy system, not the new system.

Re:Almost useless

[neokushan]

That particular paper is well known and if you read it, the vulnerability lies with the terminal and the entering of the PIN. You still need the physical card there, which you cannot clone. If your card is stolen, online fraud is much more likely and dangerous than someone using a dodgy terminal (or a shim of some kind inserted into the terminal to perform a MITM attack).

Re:Almost useless

[neokushan]

By all means, show me a paper or something that shows how it's possible. The technology isn't new, it dates back to the 80's and is similar to the SIM technology used in mobile phones - show me a device capable of cloning any technology even remotely similar to that, then.

Re:Almost useless

[neokushan]

Just because the transaction is contactless does not mean that you don't still have to occasionally enter a PIN to approve of the transaction. As for the latter, there are floor and ceiling limits to both contact and contactless transactions - $1 you'd get away with, but $100 would require a much more involved process due to the terminal going online and such.

Still, you're right, the terminal could display an incorrect amount however there's literally nothing you can do against this other than watch your receipts - however this is no different than magstripe today. The chip card is still secure and this kind of fraud would be extremely easy to trace straight back to the merchant. You still wouldn't be liable.

Re:Almost useless

[neokushan]

Yes, read the article carefully...

The cryptographic flaw – the result of mistakes by both banks and card manufacturers in implementing the EMV* protocol

The vulnerable cards have not been properly designed for a start. What's more, this doesn't affect all cards (even if the unpredictable number is guessable) due to different authorisation methods.

Re:Almost useless

[Capt.Albatross]

Yes, but the point that perhaps I'm not making clear enough is that any vulnerability is due to the OLD systems, the magstripe stuff that should have been replaced years ago. The issue lies with the legacy system, not the new system.

The point I have been making is that experience elsewhere is that the new systems have, in practice, been found to be vulnerable, and it is naive to adopt policies that are predicated on an unjustified and unrealistic assumption of invulnerability.

Re:Almost useless

[Capt.Albatross]

That particular paper is well known and if you read it, the vulnerability lies with the terminal and the entering of the PIN. You still need the physical card there, which you cannot clone. If your card is stolen, online fraud is much more likely and dangerous than someone using a dodgy terminal (or a shim of some kind inserted into the terminal to perform a MITM attack).

And if you were to objectively read it and other papers on the topic you would see that there is good evidence that these or similar attacks have been used to commit fraud without the collusion of the cardholder. Furthermore, when one case of a poor design decision is found, we can reasonably assume it is not the only one, and that poor decision-making was pervasive.

As you are a self-proclaimed expert deeply involved in the testing of this system, I find your attitude deeply disturbing. You write, and presumably act, as an advocate for the system rather than as an impartial analyst and investigator, and I would not be surprised if that attitude is widespread in the organization you work for. Bruce Schneier, among others, has written about the necessity for people working on security to think like an attacker.

Re:Almost useless

[Capt.Albatross]

Yes, read the article carefully...

The cryptographic flaw – the result of mistakes by both banks and card manufacturers in implementing the EMV* protocol

The vulnerable cards have not been properly designed for a start. What's more, this doesn't affect all cards (even if the unpredictable number is guessable) due to different authorisation methods.

Leaving the implementation open for banks and card manufacturers to screw up was one of the bad decisions that indicate that the people who developed this system were not quite up to the job. in security, half a fence is no fence: you have to control everything.

All these responses that say 'that problem has been fixed' ignore the point that when you see one bad decision, it is almost certainly a sign that there are others that have just not surfaced. To give an example where lives were at risk, when it was found during the construction of the Los Angeles class submarines that a faulty weld on a torpedo rack had passed multiple inspections, it immediately threw doubt on every weld on every ship constructed under the program, because the inspection process for hull and reactor welds was not substantively different from the one that failed.

In addition, your use of non-sequiturs in your arguments, such as "this doesn't affect all cards", indicates that you are unwilling or unable properly evaluate the significance of the evidence.

Maybe this time it is better, but I am deeply concerned by how you, as someone involved in testing these systems, doesn't get these points and writes as an advocate for the thing you are supposed to be testing.
 

Re:Almost useless

>Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off ebay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe

No... *here* is the deal and to me the major point in the article: contactless can be done AT A DISTANCE. Someone can walk past you and read your contactless chip. Magstripe needs actual physical contact - it needs to be swiped somewhere. As to the relative security of either scheme... that is almost totally beside the point.

Re:Almost useless

[Attila+Dimedici]

In other words, a chip reader hooked up to his PC.

Re:Almost useless

Or worse I purchased something at a discount electronics store in Canada and after swiping my card the sales clerk flipped it over and typed my CVV into the computer screen. I had a bird and snatched my card back. Exactly what friggin good is a CVV if he types into a database with my name and card number!!

Re:Almost useless

Because nobody's ever cloned a SIM card before

Re:Almost useless

[Rich0]

Are you also going to fake the look and design of a bank card, including, possibly, raised numbering/lettering? Or are you just going to clone it on an old library card?

First, I have a legitimate bank card in my wallet which has no raised lettering/etc.

Second, lots of terminals let you swipe the card yourself.

Third, you could just clone it onto an old credit card.

Re:Almost useless

[the_B0fh]

So, *you* personally haven't experienced fraud, therefore Chip and Pin is now magically safer?

Have you not been reading, on slashdot even, all the stories about chip and pins being broken? Multiple times? The last one was so broken that there's no way to fix it?

Re:Almost useless

[introp]

This is wrong, or misleading at best. Two of my credit cards are known by their issuer to have chips; both have been used hundreds of times on chip-capable terminals with only the magstripe (because the chip is missing from both cards) with zero complaints or problems; both have had their magstripes copied by restaurant employees and used to illegally purchase goods. If any retailers are treating magstrip info as second-class I've yet to run into one, QED. So the big problem with the chips is that you can reconstruct the magstripe info from quite a distance. And you only need the magstripe info to clone a card well enough to go buy something at your local Wal-Mart or any of the other thousands of shops that don't ask for the CVN2/CVV2 (which, around here, only Sears does ask).

So tell me again why I'd want to use this insecure contactless system when it saves me perhaps a second or two, tops?

Qiuck Everyone Panic!!!

[gooman]

This NFC technology must be stopped. Why should anyone's life be any more convenient than it already is.
Why back in my day a phone was attached to the wall with wires. It made phone calls and only phone calls and we liked it.
You youngsters and all your fancy gewgaws. Get off my lawn!

Re:Qiuck Everyone Panic!!!

Because swiping a card is ever so difficult. Our brittle wrists are just unable to cope with such massive stresses.

Re:Qiuck Everyone Panic!!!

[ArcadeMan]

You may be joking, but some of us actually carry platinum cards in our wallets. Do you know how heavy platinum is?

Re:Qiuck Everyone Panic!!!

This NFC technology must be stopped. Why should anyone's life be any more convenient than it already is.

NFC isn't that useful.

The premise was that you didn't need to take your credit card out of your wallet or purse.

But, if you have more than one NFC credit card, then you DO have to take out your card so that the correct card gets charged.

The other odd thing is that the credit card industry is has been moving to higher-security chip & pin cards instead of the magnetic stripe.

NFC is much, much easier to clone & spoof. The credit card industry believes the savings in convenience & faster transaction processing will offset the greater amount of fraud. I'm not sure about that.

Re:Qiuck Everyone Panic!!!

Less than your gargantuan ass?

Re:Qiuck Everyone Panic!!!

You may be joking, but some of us actually carry platinum cards in our wallets. Do you know how heavy platinum is?

Yeah, I'm so glad I upgraded to Amex Invisible.

Re:Qiuck Everyone Panic!!!

The credit card industry believes the savings in convenience & faster transaction processing will offset the greater amount of fraud.

They don't actually believe that. That's what they're telling the people who pay for fraud.

Re:Qiuck Everyone Panic!!!

Because swiping a card is ever so difficult. Our brittle wrists are just unable to cope with such massive stresses.

Your wrist can, but your brain can't. Watch people try to swipe their credit card. Count how many times it takes them to correctly orient the card. Time is money.

Re:Qiuck Everyone Panic!!!

If history tells us anything its that everything electronic can be hacked/bypassed/cracked. Great idea, lets broadcast our financial information on this 'secure' medium.

Its more corporate sales push then consumer desire/need.

Re:Qiuck Everyone Panic!!!

[pnutjam]

So, rather then add a read strip to each side of the reader, or put multiple swipe spots on a card, you want to champion a stupidly implemented security nightmare of a feature?

Forget tinfoil hats...

...what we need is tinfoil wallets!

(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).

Re:Forget tinfoil hats...

[rgmoore]

Forget tinfoil; woven stainless steel is the in thing for wallets. I got mine more for the durability, but blocking RFID readers is a nice bonus.

Re:Forget tinfoil hats...

[fahrbot-bot]

...what we need is tinfoil wallets!

(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).

All joking aside, when I got my RFID "enhanced" VISA card, I got a hammer and hole punch and punched through the chip.
Problem solved.

Re:Forget tinfoil hats...

Just ordered mine. I'll be careful not to get my cards physically strolen while I showcase it and show it off to friends!

Re:Forget tinfoil hats...

Except it does not block those readers. Check the comments on the page you linked.

Re:Forget tinfoil hats...

[BeaverCleaver]

I have a similar wallet. Unfortunately it's not more durable than leather, in my experience. The stainless steel "fabric" tends to tear along the weave. I've had mine for about 6 months now and it has a ~1cm tear in the middle, where the wallet folds.

It was only a cheapo from eBay, so I don't expect it to last forever. And making my cards a little more secure from drive by RF theft has a non-zero value to me as well.

The cat's out of the bag now

There's nothing stopping a motivated skimmer from adding a more capable external antenna to extend read range. It's much simpler than rolling your own wi-fi antenna. The NFC antenna's usually one of the most outermost parts of a phone or table, which makes it easy to get at, and it's not nearly so frequency dependent, which makes it easier to build.

Re:The cat's out of the bag now

[neokushan]

I don't think you know how NFC works. Tell me, how is this extended antenna going to power the card?

Re:The cat's out of the bag now

[pnutjam]

fixed antennas in a doorway, or stuck behind a poster on a wall and lightpost. Wire them into some batteries and you are good to go.

apply tags

[alphaminus]

Faraday Wallet. It's like a tinfoil hat in your pants! http://www.amazon.com/Travelon-Blocking-Travel-Wallets-Black/dp/B001HZBA2E/ref=sr_1_12?ie=UTF8&qid=1366832426&sr=8-12&keywords=rfid+wallet

Re:apply tags

A solution looking for a problem. I love how we invent all this crap and then have to invent more crap to make the crap barely usable. If you have to put the card in a faraday wallet then how is it any better than...say...SWIPING IT?

We seem to be able to introduce NFC, but we can't implement chip and pin. I can does security! Herp de derp...

Sensationalist....

[langelgjm]

If it's a card not present transaction, the security code should be required, and presumably that isn't being transmitted as well.

I've got a hot news story for you - everyone person you hand your credit card to is able to access your card number, name, and expiration date!

CBC News asked Google why apps capable of skimming credit card information were available on the Google Play store.

You mean, why are apps capable of using the NFC capabilities of your phone available on Google Play? You might as well ask why eBay sells magnetic card readers.

Re:Sensationalist....

[gstoddart]

I've got a hot news story for you - everyone person you hand your credit card to is able to access your card number, name, and expiration date!

Yes, but this provides opportunities for people you don't hand your card to to be able to get the same information.

So anybody on the street with a phone potentially has access to your information. And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to able to get it without you even knowing.

If NFC is so horribly broken that any random person with a free app from Google Play can access your credit card information without you knowing it, it's defective from the get go. Something I've always believed anyway. It's goal is to be convenient and spur people to use this as a payment option; it has never been designed with security and privacy in mind.

Re:Sensationalist....

[Zerth]

You'd be surprised how many people will give you that info if you just walk up to them and tell them you are a credit card technician from MC/Visa/etc while wearing a jacket with the logo badly sewn on it.

Re:Sensationalist....

[langelgjm]

And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to able to get it without you even knowing.

At which point, they face the same hurdles of using credit card information fraudulently that every other fraudster does.

I'm not saying this doesn't make it easier to get the information - it clearly does. However, you typically need to put in more effort than just getting that information before you can perpetrate the fraud, which the article ignores. I also don't care for the insinuation that Google should ban NFC apps.

They probably shouldn't put NFC chips in cards - there's little benefit to be had from tapping your wallet versus swiping a card. NFC payment via phone makes more sense, since you could toggle availability of the information. And NFC for automation of other tasks is great.

Re:Sensationalist....

[gstoddart]

Surprised isn't the right word. Appalled, sure. Surprised? No.

Then again, people still fall for spam, phishing, and those fake tech support calls from "the Windows provider" which people fall for.

Critical reasoning is a surprisingly uncommon thing. It depresses me, but it doesn't surprise me.

Re:Sensationalist....

The same problem exists with the chip+pin cards. Any off-the-shelf smartcard reader can in fact read even more data. The card number, account numbers, names, expiry, all of it.

The *correct* solution to this problem really is to stop having cards to begin with. If you have a smartphone, you select your virtual mastercard, NFC is switched on until the card reader is activated, then turned right back off. They could secure this better with one-time cypher's as well, but that's not something that a chip in a card is going to do.

Re:Sensationalist....

[realityimpaired]

I've got a hot news story for you - everyone person you hand your credit card to is able to access your card number, name, and expiration date!

With the advent of chip/pin cards, I can't remember the last time I actually had to hand my credit card to somebody in order to complete a transaction. It was many years and multiple cards ago.

the same can't be said for RFID cards: they can be read with a suitably powerful antenna from 50 feet away.

Re:Sensationalist....

[Bert64]

Or do away with the idea of pull based transactions completely...
Instead of giving the retailer access to your card, where they could pull any amount from it, rather operate a push system whereby they give you an address (lets say via qr code), you scan the code, approve the amount and your bank then sends that amount (and only that amount) to the retailers account. The retailer is not in control, you are.

Re:Sensationalist....

That's basically the design model behind Square and PayPal's wallet apps (which exist but are relatively new and not supported by many vendors): you walk into a merchant, open the app and use it to announce your presence (probably using GPS to give you a list of merchant locations you might be in), then the merchant sees your name/photo on their screen and can select you as a person to charge items to, and when you are done purchasing items, you hit the pay button on your own phone. Then all the actual communication is over the internet with the identification via photo ID + physical presence of the smart phone logged into your account (and possibly the unlock code for your smart phone if you want to get all three factors of authenication).

Re:Sensationalist....

[Mashiki]

Then again, people still fall for spam, phishing, and those fake tech support calls from "the Windows provider" which people fall for.

What the hell. You mean that *wasn't* microsoft calling me, to let me know that my 'nix system was compromised. Son of a...

Did anybody not see this coming?

[gstoddart]

I've always thought those tap-to-pay things were really a bad idea from a security perspective, as your card can be used without you even knowing it and without any form of authentication.

The fact that it will broadcast all of that information to just about anything tells me it's something which retailers and credit card companies like -- but it's mostly bad for security, but great for convenience.

I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.

I've always thought this was massively insecure, and it looks like I was right.

Re:Did anybody not see this coming?

[GameboyRMH]

I knew it was a terrible idea before it was cool. B-)

(No, seriously, like back when Bush was president).

Re:Did anybody not see this coming?

A hole puncher will take care of it. Pretty easy to disable. Just find the chip embedded in the card and pop it out.

Usually there's an ever so slight dimple in the surface of the card where the chip resides.

Re:Did anybody not see this coming?

[gstoddart]

I remember when it first came out people telling me about it.

My response at the time was "so, all you need to do is wave your card near the reader, and it takes your money ... how do you keep it safe?".

Of course, I was dismissed as somewhat paranoid and got a lot of suggestions I was blowing it out of proportion. From the sounds of it, these things are just waiting to gladly spend your money without caring about your security.

I may be somewhat on the paranoid side, but that doesn't mean this was a giant security hole waiting to happen.

Re:Did anybody not see this coming?

I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.

I know that CIBC will permit you to not have "Pay Wave" on your card. I had to complain for a while before they would agree to it, but they did send me a replacement card without it.

Re:Did anybody not see this coming?

[realityimpaired]

I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.

It was a 5 minute phone call for me, when I wanted my Visa to send me a new card without RFID. They sent me the card, and added a flag on my account to not automatically "upgrade" me to RFID ever again.

Re:Did anybody not see this coming?

[Andy+Dodd]

I am fairly certain the tap-to-pay systems add a capability not present in standard magstripe systems - a transaction counter within the card.

Yes, failed cards will occasionally trigger a few extra counts, but you can safely assume that all transactions with a given card are going to be monotonically increasing.

If a thief starts using your card, and then you use it - now the CC company is going to see cases where the transaction counter goes backwards, a sure sign that something is VERY WRONG. Easy fraud detection trigger.

Re:Did anybody not see this coming?

That would assume you never buy anything online.

Re:Did anybody not see this coming?

Just tell your bank to give you a card without the stupid NFC chip. Both Chase and Citi do that, I'm sure others can too.

Re:Did anybody not see this coming?

Use a hammer.
Really. Use a hammer on the cards. Find where the chip is, place it on something solid then whack the chip a few times.

Re:Did anybody not see this coming?

[neokushan]

You cannot clone a chip card. All you can do is record a transaction and replay it. as you've stated, there's a transaction counter that goes up, so this is useless to you as a thief. Furthermore, because of the way it works, cryptograms are used to verify that said data hasn't been tampered with.

In other words, this whole story is scaremongering. You cannot do anything with this data.

Re:Did anybody not see this coming?

[Sooner+Boomer]

It was a 5 minute phone call for me, when I wanted my Visa to send me a new card without RFID. They sent me the card, and added a flag on my account to not automatically "upgrade" me to RFID ever again

It took me less than one minute with a center punch and a hammer, and none of my RFID cards give away my information. Ever.

Re:Did anybody not see this coming?

[rastos1]

I may need to call my bank and see if I can get that disabled on my cards.

Last time I tried this, the clerk happily typed something to the terminal and told me: "done". It turned out that they only changed the limit for contact-less payments to 0. I told him: "look, the RFID chip is still in the card, knows nothing about what you typed into the computer and will happily answer any RF challenge that it receives. Can you reprogram/disable the chip itself?". I lost him on "RFID". They don't even issue non-contact-less cards anymore. Funny thing is that putting the card against strong light source reveals a frame-shaped RFID antenna embedded inside. I'm thinking about doing one or two well aimed deep scratches at the right place.

Re:Did anybody not see this coming?

[AmiMoJo]

It doesn't send any of the really important stuff without authorization. So they can't get the PIN number or CCV that would be needed to clone the card or make fraudulent transactions online. This is a total non-story in that sense.

Additionally the cards don't broadcast anything. They don't generate any signals themselves. They are powered by the RF field that is used for communication. The return signal relies on modulating the reader's RF field. You simply can't do that over more than at 20cm, no matter how powerful or sensitive your transceiver is. Laws of physic I'm afraid.

In reality the maximum range without large and bulky equipment in an ideal environment is about 3-4cm. You need to be in range for a few seconds to complete a transaction, so brushing against someone won't work. You would have to hold them still while you transact with their card through the clothing and wallet. It just isn't a practical attack.

Touch payment cards have been in use for years and years in Japan and in Europe. They are mostly stored value cards rather than credit cards, but if such an attack were possible someone would have done it long ago.

Re:Did anybody not see this coming?

[thegarbz]

I've always thought those tap-to-pay things were really a bad idea from a security perspective, as your card can be used without you even knowing it and without any form of authentication.

Yes usually the limit imposed without authentication is something like $50. My bank also imposes a strict time limit before it asks for authentication so the first tap under $50 is free, but if I do it again within the hour it asks for my pin.

But all of this is quite moot, see the chip is not a dumb storage device. It's actually quite clever and will never reveal more information than needed to complete the current transaction. So you've got the card number and the expiry date, cool. There's very few places you can use those these days without a CVVS code, and if your card is found used with one of those merchants and you claim fraud the bank will rain fire down upon them.

The chip is also impossible to clone based on the data that it sends so you don't have to worry about someone making a fake card and tapping it against a machine either. The whole reason the world has moved from the mag strip to the chip IS THE ADDED SECURITY!

Re:Did anybody not see this coming?

[rastos1]

You simply can't do that over more than at 20cm, no matter how powerful or sensitive your transceiver is. Laws of physic I'm afraid.

A device that fits in my pocket can receive a radio signal coming from transmitter that is 20000km away (hint: GPS). If you google a bit you can find pages talking about reading NFC from 10 meters away with the right equipment.

Re:Did anybody not see this coming?

[L4t3r4lu5]

I slipped a piece of tin foil into the note section of my wallet. With the wallet closed, any RFID / NFC cards are unreadable. You can buy individual sleeves for specific cards, say if you have an Oyster card and one of these NFC cards, but only want the NFC card blocked, but it seemed like overkill to me.

Re:Did anybody not see this coming?

Bad news. The card companies cannot disable this on their end and the limits are set by the merchants rather than the bank. I've tried to get them to disable it to no effect (which I think is BS -- if you can accept it, you can choose to *not* accept it). In any event, there is a site that shows you how to cut the NFC antenna in your card.

Re:Did anybody not see this coming?

Technically speaking, it's possible... Just very difficult.

Re:Did anybody not see this coming?

[pnutjam]

Don't bother talking to your bank, call your microwave, 1 second should do the trick.

Re:Did anybody not see this coming?

[pnutjam]

chip and pin is different then tap to pay.

Re:Did anybody not see this coming?

[neokushan]

No it isn't. Well, it is to a degree but it uses the same underlying technology - the "tap to pay" (What we call "contactless") is an antenna attached to the same chip. The transaction flow is a little different but it uses all of the same methods and technology as a chip transaction.

so?

[MintyKiwi]

these information are available on the card in TEXT FORM anyways.... it is easy to be "stolen" everytime you whip it out with the wonderful technology we call "EYES".... this is why pin number exist, this is why the 3 digit security code exist.... and without those information, any transaction processed on the card can be easily reverted by calling your credit card company.... non-issue... technically this makes phone payment more secure since it does not have card number, expiry date and name written in plain text, you don't need to worry about people reading it when you whip it out and NFC can be easily disabled and only enable by button press using apps such as tasker.... as long as you don't lose your phone (even if you do, google wallet for example has pin number and can be remotely disabled in google accounts)

Re:so?

Phone payment is more secure, because it has the option of showing you the payment amount and payee name and asking for confirmation before making the transaction. This is not how it is usually done with them, but you have the option.

You cannot easily copy real smart cards (ones with a real microcontroller chip instead of the simple memory chip) as they don't give access to data without cryptographic authentication. But then they are still inferior to the phones, since without an input/output device they can still be faked into accepting different transactions.

Common Unencrypted RFID Chips

[8Complex]

Just goes to show you how much the credit card companies /really/ care about security.

What got my attention

[glaurungn]

was that the summary says that more capable antennas could improve reading distance, while in reality the tecnology was desinged for very short ranges, with a practically working distance of less than 10 cm. This is I belive because most tags are passive, have no energy and most be powered by the reading device with magnetic induction.

Re:What got my attention

[YrWrstNtmr]

10 cm.

Install one or two of these in rear seat of a taxi. How many can you snag during a typical shift?

Re:What got my attention

was that the summary says that more capable antennas could improve reading distance, while in reality the tecnology was desinged for very short ranges, with a practically working distance of less than 10 cm. This is I belive because most tags are passive, have no energy and most be powered by the reading device with magnetic induction.

A decent antenna can greatly increase the range. Half a meter should be easy enough to obtain. However, with passive tags the real trick is to skim it when being used. If someone nearby energizes the tag (say at a checkout), a decent antenna and amp could read the tag from many meters away.

Re:What got my attention

That's actually incredibly hard to do. The signal coming off the card is 'backscatter' load modulation of the energising downlink signal. So any listener needs to cancel the downlink carrier (which can be dithered or modulated) before it can even come close to demodulating the uplink. Not impossible, but very difficult. This can be easily done in the transmitter as it can easily cancel its own carrier and send only the remaining backscatter modulated uplink to the demodulator. But a remote listener has to use other methods to magnetically couple and separate the two overlapping signals (with the downlink being overwhelmingly more powerful than the uplink). External interference is also much harder to remove for a third party to the link, as you don't have the advantage of the direct magnetically coupling between the two primary devices and must depend on the leakage inductance of the coupling.

This is also why it's hard to set up a really long range reader. The signal to noise of the magnetically induced energising carrier vs the backscattered response falls below the receiver's ability to demodulate it past a certain point. So cranking up the power indefinitely eventually hits a wall, as increasing the antenna gain/pattern hits a wall in being able to physically surround and couple to the antenna.

Passports are encrypted

[IamTheRealMike]

The data on a passport is encrypted with a key derived from the "machine readable zone" that's inside the book. To decrypt the data available via NFC you have to actually optically scan the open page. In addition US passports have a shielded chip so the book has to be open to be readable.

A simple solution

[GenieGenieGenie]

Most of the fear, FUD and panic will go away if the card requires some form of semi-prolonged contact with the reading device in order to activate or unmask the magnetic data. Then unsolicited reading will be more or less the same as swiping, but without the dedicated hardware.

what app is he using?

[YesIAmAScript]

I have a VISA card with NFC and multiple tag readers for my phone and none of the tag readers can get any info like that out of the card. I've got apps that can read fare cards, passports, etc. but I can't find anything on my credit card.

What am I missing?

Re:what app is he using?

[ColdWetDog]

The power switch?

Re:what app is he using?

[omnichad]

The data's probably encrypted. Of course in order to accept credit cards, a merchant needs the decryption key so this has probably leaked all over the place. An "App" is not going to have an illegal copy of the decryption key, but it's not hard to custom-program something for it.

Need a better source than some hack reporter

[Tony+Hoyle]

I'd be intrigued to know what app they're using that's returning the code and expiry date.. that information is encrypted on the card and none of the free nfc tag readers I've tried even attempt to decrypt it (I don't trust the banking system to use half decent encryption so not discounting the possibility entirely).

Of course it could just be the typical bullshit scare story that newspapers come out with..

Re:Need a better source than some hack reporter

[ImprovOmega]

At the very least it's very much open to a Man in the Middle attack. All you have to do is store exactly what the card present and code that into your own chip for use at any place that takes NFC read cards. More likely though it's just obfuscated because the terminal reading it still uses a dialup connection to phone the bank and transmits those details for processing. Which means it will remain "encrypted" for exactly however long it takes to reverse engineer one of those NFC readers.

Re:Need a better source than some hack reporter

If what this guy wrote is correct, MitM and replay attacks are pretty much useless here.

Re:Need a better source than some hack reporter

[AmiMoJo]

It is bullshit. The chip doesn't even store the CCV - the whole point of it is that it can only be read by a human from the card, not from the chip or magnetic strip. The pin number cannot be read either, all you can do it send a PIN to the card and have to accept or decline it. Naturally the chip rate limits attempts to guess the pin, and locks you out after a certain number of failures.

The information you can read via NFC isn't very useful. Same as the chip interface.

Re:Need a better source than some hack reporter

[tlhIngan]

At the very least it's very much open to a Man in the Middle attack. All you have to do is store exactly what the card present and code that into your own chip for use at any place that takes NFC read cards. More likely though it's just obfuscated because the terminal reading it still uses a dialup connection to phone the bank and transmits those details for processing. Which means it will remain "encrypted" for exactly however long it takes to reverse engineer one of those NFC readers.

No need to reverse engineer, man in the middle is here if you have a couple of Gnexes with 3G or WiFi connection between them and one has a modded Cyanogen kernel.

NFC Proxy. You can't read it and store later, but you can have your helper read an NFC card while you use your phone to pay for something. NFC Proxy basically captures the data sends it to the other phone which sends it to the card, then captures the card's response, sends it back, and your phone echoes the response to the terminal.

It's real-time only.

If you just want to capture cards to clone them, the other NFC readers work just fine capturing track 2 data that you can write back. You won't have CVV information though, and a lot of places require CVV as well.

Re:Need a better source than some hack reporter

[girlintraining]

The information you can read via NFC isn't very useful. Same as the chip interface.

You can read it and then replay it for a POS transaction a few minutes later. Since the data is a binary blob, you could have one person wandering a busy mall, and another person appearing to browse at an electronics store. Beep! And a minute later someone's standing in line ready to purchase a giant flat panel on your credit card.

So... you were saying something about how it "isn't very useful"?

Re:Need a better source than some hack reporter

[russotto]

You can't read it and store later, but you can have your helper read an NFC card while you use your phone to pay for something. NFC Proxy basically captures the data sends it to the other phone which sends it to the card, then captures the card's response, sends it back, and your phone echoes the response to the terminal.

Not even a helper needed... just keep one phone in your back pocket reading the cards of the sucker behind you in line.

Re:Need a better source than some hack reporter

[thegarbz]

(I don't trust the banking system to use half decent encryption so not discounting the possibility entirely).

As a matter of interest, why not? I do. Banks are held liable for all fraudulent transactions. Hell banks are held accountable for merchant fraud too such as incorrect products delivered. As a result security is in their best interest.

In the last 10 years we have gone from a magstripe and carbon copy paper to numbers that don't appear on the carbon copy and need to be used for all online transactions, to pin numbers, to chips (which are actually quite extensively secured by cryptography, I suggest you read it as the technology is actually quite interesting), to 2+ factor authentication not only for online banking but also online credit card purchases.

I actually have a lot of faith that my bank takes security seriously, and if they don't it sucks to be them when my card is used fraudulently.

Re:Need a better source than some hack reporter

[fleebait]

At the very least it's very much open to a Man in the Middle attack.

Not quite, The transaction terminal sends the time of day to the card. The card uses it's internal key, encrypts the TOD, and sends it back to the transaction terminal as verification.

Using "man in the middle" it is not possible to encrypt a new TOD that will be acceptable.

Simple, but as secure as the encryption algorithm, and key size

Re:Need a better source than some hack reporter

I live in Canada and use the pay swipe and it has a maximum of $50 charge to it. This scare tactic of flat panels being rung-up is bogus. Any transaction higher than $50 requires the chip insert. There's a possibility that this is retailer specific but so far anywhere I've shopped and tried that was the case.

I'm pretty impressed with the passports

[YesIAmAScript]

I was very much against them, in fact swearing I would smash my passport's smart chip when I got a new passport that had one.

But having read it with my phone, I'm impressed. You need key data from the printed page to make the NFC work and as you mention, the passports are unreadable when closed.

I think it's really well done. I'm a bit unsure quite what it's good for since it is slower than swiping it, I can only figure it was done just because putting that much info in a barcode was infeasible.

Now let me submit my pic as a link to a PNG or whatever instead of printing out a picture, having them scan it back in and turn it into a JPEG2000.

Re:I'm pretty impressed with the passports

[IamTheRealMike]

The data stored in the chip is signed using a new PKI. Modern chips can also do challenge/response. So it makes the passports impossible to forge. That's the reason for it.

Re:I'm pretty impressed with the passports

not impossible to forge. just improbable.

Re:I'm pretty impressed with the passports

[...] the passports are unreadable when closed.

This is not actually true for the majority of passports out there. The US added a metal foil in the cover after extensive privacy pressure group lobbying, but so far it's the only country to do so.

And of course it didn't do that automatically, it had to be forced to.

This shielding is only effective as long as that the passport stays closed, or opens no more than half a centimetre or so. I observed passports in the sun on a hot dashboard (not unusual waiting for a customs checkpoint, in fact we were doing exactly that) heating up, resulting in the covers warping, opening up about... a centimetre and a half.

The data you need fits just fine in a high-capacity 2D barcode. But going wireless was obviously "safer", because you can't see the bits, see? It's industry lobbying and waving with future "benefits" of adding pictures, fingerprints, threat assessments, and whatever else they think up next. It's the new "future proofing", ensuring more chip sales down the line. Printing a 2D barcode just takes a little ink, no fancy spendy electronics.

If you look at whose interest we're talking about, then the fancy electronics add nothing that is for your benefit.

As for the key, it's crackable in a fairly short period owing to key derivation weaknesses written right into the standard. This was demonstrated on live TV in the Netherlands, about 2005, as in pre-GPU times, with the government watching. Their comment? "We know this. It's in the standard. We hope they fix it next iteration of the standard." And that was that.

Thus, to me, the whole thing is a multi-layer cake of deceit and naïveté. The sick thing is that you actually do need tin foil to protect your privacy here.

I am safe, I dont care.

[140Mandak262Jamuna]

I keep all my credit cards and smart chip embedded driving lincens in my hat. And my hat is actually a Faraday's cage constructed using a product from Reynolds. I understand the product is made by electrolysis of bauxite. So no one can read anything from it from a distance.

Re:I am safe, I dont care.

So, it's just an overpriced tinfoil hat?

Re:I am safe, I dont care.

[Areyoukiddingme]

*wooosh*

Advertising

[ArcadeMan]

Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada...

Really? I don't know anyone with one. It's all flip-phones, HTC and iPhones where I live. And I'm in Canada.

Re:Advertising

I live in Canada too. I'm a driving instructor, and the Galaxy SIII is definitely what I see the most when I take away my students' phones before their lesson starts. That is followed by the iPhone, and then various Blackberries (a number that is shrinking every year). Also, I use a Galaxy SIII personally.
But neither of us are any more right; it's all just anecdotes.

Re:Advertising

[ArcadeMan]

Your anecdote is worth more than mine however, given that you see more new people in a given week than me.

"near" is a strange concept

[RichMan]

In RF land the concept of placing object A near object B means very little. The big question is antenna gain/directionality and reciever gain and the ability of both to reject out of band noise and not create in band noise.

If a cell phone can read a signal from your credit card over a 2" gap then an antenna in a van can do it from across the street and Jodrell Bank can do it from the other side of the planet.

Re:"near" is a strange concept

[NoImNotNineVolt]

Jodrell Bank can't power the chip through magnetic induction from the other side of the planet (unless they have a 8000 mile diameter charging coil). Similarly, the van can't do it from across the street either (unless the van has a street-width charging coil inside of it). Resonant inductive coupling could bring these requirements down quite a bit, maybe even by an order of magnitude. I don't think Jodrell Bank has an 800 mile diameter charging coil either, but the antenna-in-a-van approach might actually work. Of course packing a shit ton of expensive high-power RF equipment into a van probably isn't the most logical way to steal someone's credit card information; you might be better off doing it the old-fashioned way and just mugging someone.

Re:"near" is a strange concept

[tftp]

The antenna in a van will certainly work if you only focus on reading cards of people who walk on your side of the street - not on the other one. That kit won't be too expensive; 13.56 MHz is a convenient frequency that is easy to work with. You only need a small loop antenna and an accurate, digital recording device. You park the van at a busy street, walk away; come back, go home; then you take the recording and your computer searches the field for signs of modulation. Those are the cards.

you might be better off doing it the old-fashioned way and just mugging someone.

You lose stealth this way. A c/c thief can steal tens of thousands of cards; a gang with several vans can eventually gather c/c numbers of the whole city, and nobody would know. Did you hear how they define the perfect crime? As something that nobody even recognizes as a crime. A van with a long distance c/c reader fits that definition.

Re:"near" is a strange concept

Gaining the cc info isn't the crime, although I suppose some court might rule it's against some privacy or wiretapping law. Using that info to commit fraudulent transactions would be the crime, and definitely a not a perfect crime.

Re:"near" is a strange concept

[tftp]

IANAL, but according to the all-wise Internet, card skimming is a part of card fraud, and is prosecuted accordingly - as an element of a larger crime (if the info was used) or a conspiracy to commit crime (if not.)

There is no legal reason why would one covertly copy the c/c information of someone else. Every use of that information would be illegal.

Re:"near" is a strange concept

You might be able to energise the card with a ridiculously high powered and huge resonant antenna from further away. However, you can't increase the size of the antenna in the card, so the coupling will be up the shit. Which means you have no way of being able to receive a response as the backscattered uplink will be so far below the Shannon limit that you'll never be able to demodulate it.

Magnetic coupling with a load modulated (backscattered) uplink does not follow the same logic as a typical radio transmitter / receiver.

Disable the RFID

Many card companies probably won't provide a different card with RFID.
Instead, just drill a hole in the card to break the antenna wires and disable the RFID.
The chip and the magstripe should still work.

Just to repeat...

I've posted this as a reply to an AC above, but I want to make sure some people get to read it as it's actually important (and posting as AC myself so people know I'm not doing this for Karma).

Hai! "Expert" here (And by "expert" I mean I work in the industry, my company has a hand in testing everything from the cards themselves right up to the host in your Bank's basement).

Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off ebay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe.

Chip cards, on the other hand, work completely differently. They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java). It doesn't just hand over your card details upon request, it actually uses a lot of cryptogeraphy, using public/private keypairs (Amongst other things) to ensure that no two transactions are ever the same. Cryptograms are used to ensure that data being sent and received is valid, it's impossible to change any data without breaking this. Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.

Contactless chip cards are nothing more than a wireless standard that compliments the above. Similar to Wi-fi versus ethernet, it's only the transmission medium that actually differs here, the same sorts of cryptograms and hashes are done here. The net result? Yes, you can skim some data using any NFC equipped smartphone, but it's useless to you because you cannot even replay a transaction because you don't have any of the private keys.

Yes, you can use the information to clone the magstripe on a card - the card gives you enough information in the clear to do this, but you'll find that the magstripe is largely useless to you as it's only used as a fallback. These days, even magstripe transactions are used "online" - that is, the terminal WILL contact the host to veryify it, a side effect of the rampant card fraud that goes on. The host will question why a chip-enabled terminal is doing magstripe with a card it knows is chip-enabled. The result? Transaction voided. Terminal prompts you to use the chip, because the terminal knows there's nothing wrong.

As for online shops - those shops that DON'T ask for the CVN are liable for the fraud, so few are left out there that don't. What's more, most cards these days have a secure online payment page requiring you to type in a password before continuing.

Sum total? This is a non-issue, there is nothing new in this article and anything else you hear is scaremongering. You cannot clone a chip card, it's physically impossible.

I guess you don't live in the US?

[langelgjm]

Chip-pin is standard in Europe (and maybe elsewhere too) but practically non-existent in the U.S. Everywhere here is still swipe with the magstripe. Sometimes you swipe on your own, but just as often you hand the card to someone else for them to swipe (or at restaurants, for them to take away to the terminal, swipe there, and bring back).

Re:I guess you don't live in the US?

[tftp]

In most fast food places the c/c terminal is either built into the till, or is placed right next to the cashier, or is on a counter that the customer can see. There is no danger of illicit copying of the card if you can observe it constantly.

If the waiter at a large restaurant wants to take your c/c, they cannot refuse you to tag along. The terminal will be not too far anyway.

Re:I guess you don't live in the US?

[realityimpaired]

Canada... we had Chip/PIN before Europe did. I know this, because I had a Chip/PIN card last time I travelled in Europe, and nobody knew what it was. :)

Re:I guess you don't live in the US?

[jimbo]

Europe is a large number of countries. Some have used chip and pin since the early nineties.

When I moved to Canada in 2007 I felt I'd returned to the distant past. After having used PIN for a decade in Denmark and UK I suddenly had to sign for Everything, I couldn't freely transfer money between accounts in different banks and I was charged for Incoming calls, Incoming! I even saw top loading washing machines with analog dials, like in childhood movies.

We've been introducing it gradually here in Canada during the last few years. Some stores here in Vancouver have had the terminals for a while but only started using PIN last year.

I love it here though, it's the first country I feel at home.

Harder to forge

[Sycraft-fu]

That's what it is all about. If the data on the chip doesn't match the data printed on the passport, they know a forgery has taken place.

Re:Harder to forge

That's what it is all about. If the data on the chip doesn't match the data printed on the passport, they know a forgery has taken place.

It's actually goes one step better. If the data on the chip isn't properly signed with the right private key that presumably a forger wouldn't have access to, and verified by the reader using the well-known public key then the data on the chip is also forged.

Re:Harder to forge

Typically, though, they're not looking very hard, or at all. People've stuck pictures of Elvis on the chip and nobody noticed.

And given the (demonstrated) weaknesses, it actually worsens security in applications like the fully automated all singing and dancing customs ports that scan the chip (but don't look at the passport) then try and match that to a scan of your face.

That works so well that a husband and wife had accidentally swapped passports and the machines didn't notice. And that's when the things seem to be working. Most of the time they're turned off because they keep throwing hissy fits. That was in a recent report about, from memory, Manchester airport criticising both the deployment and an earlier report that didn't flag the obvious.

So the whole thing is more about security theatre and keeping the security-industrial complex going than about actual security or protecting citizens or whatever. It fits well in the modern trend of making you into the product, not the beneficiary.

The best defence against tampering is not the technology, but trained and alert customs agents spotting any irregularities then taking a closer look. Fancy printing techniques help, but "digital" by its very nature not so much. If you want an actually hard to forge passport, kick out the chip, and hire competent customs people, not the goons (and goonery) the TSA is infamous for.

Bullshit.

CBC provides absolutely no evidence for their claims, which fly in the face of widely known technological fact.

NFC readers do not have the ability to read the card number from a credit card. That information is encrypted on the chip, only decrypted in the cloud after being sent over the write.

The weakness for RFID is MITM, not reading a card and being able to clone it. I am disgusted by the CBC for this utter lack of journalistic standards.

If I told you I could read your (ssl sent) password over the wire, without proof, would you believe me? That is what the CBC are doing.

Security through Obscurity

[Snowlock45]

I had a course several years ago with a high lead counsel of a very well known company in the e-payments business. I ended up writing a final paper for them called "Security through Obscurity" basically explaining why their credit cards were incredibly insecure and detailing the existing cheap tech that was already accessible to average consumers. The card companies concept of security generally revolves around the idea that if they keep their security methods in a black box, no one will be able to crack it. Which works great until the first person looks in the box... then its all over. The card companies also employ thousands and subcontract to even more. They didn't like the paper. 6 months after the class was over, his company had a problem with their card system effectively taken verbatim from my paper. I sent them the news article and said he should revise my grade. I was disappointed I never heard back.

Warfrotting?

[wibblewibble]

So you have to rub against the card - warfrotting?

This also works with bus cards

[WillAffleckUW]

One of the research scientists here at the UW actually found it works with the ID cards everyone gets, and you can download all your bus trips from the added bus pass we have.

Don't you love not having privacy?

eel skin wallets!

Nature's farady cage....lol

http://www.snopes.com/science/eelskin.asp

Chip-and-pin is not secure

Hi "Expert". As you might or might not be aware, many chip-and-pin implementations are vulnerable to attacks that are approximately as effective as just cloning the card. Of course its a lot more work, but calling chip-and-pin "secure" doesn't pass the laugh test. Here for example. http://www.schneier.com/blog/archives/2012/09/new_attack_agai_2.html

Chip-and-pin does make fraud harder, but its purpose is mostly to allow banking institutions to fob the liability off on cardholders.

Re:Chip-and-pin is not secure

[Eugene]

EMV card is not as simple as that.. you have layers of security, such as Offline Card Authentication (Offline CAM), Cardholder Verification (PIN, Signautere..) and online CAM (where that MAC happens), unless you have means to obtain the private/secret keys required for transaction, it's going to be extremely hard to calculate

Re:Chip-and-pin is not secure

[neokushan]

Yes, this is a vulnerability in older cards that had a somewhat predictable "unpredictable number". However, it still doesn't allow you to clone a card in a meaningful way and later cards (I can't give you a timeframe as it depends entirely on your issuer, your country, etc.) aren't susceptible to such things, even when the unpredictable number is, er, predictable, due to a thing called CDA.

Not me!

[Zaphod-AVA]

My wallet is made of stainless steel. Good luck with that.

Care is restricted

[msobkow]

I had an ATM have trouble reading my card, so it resorted to using the magstripe. However, when in magstripe mode I was limited to withdrawing only $20. So the magstripe is pretty much useless nowadays, at least up here in Canuckistan.

Of course there are security holes!

[bradley13]

Lots of people arguing with the expert that there are still security holes.

Of course there are security holes with the chip and NFC. It's kind of like DRM: in the end, you need to be able to access the content. This means that, ultimately, the content must be decrypted into a usable form. It is at least good news that the card companies are finally - at the speed of a slow snail - adding something resembling security.

Re:Of course there are security holes!

[Capt.Albatross]

Of course there are security holes with the chip and NFC.

The inevitability of flaws is not an excuse to foreclose on the question of whether the implementers of this system are trying hard enough to minimize them, and I belive the evidence shows they are not.

How to clone a chip card

[ei4anb]

I have worked in information security for 25 years and am always amused when people say something is "physically impossible". There is almost always a way. I have worked on forensic engineering for chip manufacturers, finding production faults by etching off layers using warm nitric acid and reading the secrets out of the circuit using a microscope. That technique can be used to make many copies of a card but nobody bothers because it's too time expensive and there are easier ways.

Ross Anderson's group in Cambridge are real experts in the chip and pin technology, they know that security implementation flaws often make cards vulnerable, for example see http://www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/

Many parts of the world still use only the magnetic strip. For years while Europe waited for the US to deploy chip and pin we saw European CC numbers being used in the US. Now NFC will make it easier for US based cloners to get just enough data from your cards to send to their cousins in other countries.

Time for...

[zwarte+piet]

a shielded wallet then.

What's the app they use in the picture?

I've tested cardtest and seen it fail on some cards, curious to know of other apps that do that.

Most Wallets Are Immune

If you carry a standard building access proxcard, such as one for an apartment or office building, you will have a tough time reading anything off the cards for the interference. I can't get the store terminals to read my card without it being out of my -TYVEK- wallet with my building access card in it and if you have several cards you'll get such a jumble of data...

That said, woven stainless-steel wallets are looking pretty nice; and durable...

CAPTCHA: Grayness

Re:Most Wallets Are Immune

[RockDoctor]

That said, woven stainless-steel wallets are looking pretty nice; and durable...

My first response too was to wonder how fine a Faraday cage I'd need. Or whether it'd be better to just leave the cards at home and go back from 80% cash transactions to 99% cash transactions.

Time for a little Googling ...

Not exactly a new idea - it's been touted (to the extent of respectable corporations making product available for purchase - which implies that to some degree the product is fit for purpose, at least in this country) since 2006, as far as the first page of Google results goes. Including, unsurprisingly, here.

Carbon fibre or woven copper mesh would probably look classier, to my eye at least.

"Carbon fibre braided sleeve made from a heavier 6k continuously woven 2/2 twill biaxial carbon fibre. With a nominal diameter of 80mm this sleeve can be used for tubing diameters of between 24mm and 104mm. [...] The braided sleeve is sold by the linear metre (1.1 yards). There is no minimum order quantity but several volume discounts are available for larger quantities.

£25.66 (ex VAT)"

Looks credible at a first glance.

What frequency ranges does NFC operate in? "NFC operates at 13.56 MHz " ... so wavelength would be around 20m ; if the conductivity is reasonable, then anything that is a "fabric" on a human scale should be an effective block, unless there's a gross leak (which is one of the reasons I seized on the tubing - fewer gaps.

Copper woven fabric ... what a surprise - there's a non-trivial marketplace for such, e.g. http://www.lessemf.com/fabric.html

It all sounds very do-able. What might be more of an issue would be testing the design - I'd need to have access to a phone (or whatever device) that had a known-good reading hardware. Which might be a bigger expense than is worth the effort, compared to leaving the cards at home and carrying cash.