Smartphone Used To Scan Data From Chip-Enabled Credit Cards
An anonymous reader sends this news from the CBC:
"Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."
This NFC technology must be stopped. Why should anyone's life be any more convenient than it already is.
Why back in my day a phone was attached to the wall with wires. It made phone calls and only phone calls and we liked it.
You youngsters and all your fancy gewgaws. Get off my lawn!
"Kittens give Morbo gas!"
...what we need is tinfoil wallets!
(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).
Without the CVV (verification code) you cannot do anything useful...
Bullshit. It will allow you to clone the card and make "swipe" based purchases. You can also use any online or phone retailer who doesn't ask for the CVV, and many of them don't ask.
Faraday Wallet. It's like a tinfoil hat in your pants! http://www.amazon.com/Travelon-Blocking-Travel-Wallets-Black/dp/B001HZBA2E/ref=sr_1_12?ie=UTF8&qid=1366832426&sr=8-12&keywords=rfid+wallet
I'm pretty sure I proposed "cardsnarfing" many years ago, trying to find the post now...
"When information is power, privacy is freedom" - Jah-Wren Ryel
Seriously, didn't anyone see this coming? "Swipe" the card and bam -- the purchase is done. How can that be considered secure? No signature, no PIN, no CVV, nothing; just pass it, and it's done. How the fuck was this even considered for adoption? Now, what everybody with half a brain imagined is happening.
I've always thought those tap-to-pay things were really a bad idea from a security perspective, as your card can be used without you even knowing it and without any form of authentication.
The fact that it will broadcast all of that information to just about anything tells me it's something which retailers and credit card companies like -- but it's mostly bad for security, but great for convenience.
I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.
I've always thought this was massively insecure, and it looks like I was right.
Lost at C:>. Found at C.
It will allow you to clone the card and make "swipe" based purchases.
Are you also going to fake the look and design of a bank card, including, possibly, raised numbering/lettering? Or are you just going to clone it on an old library card?
All this is is a slightly easier way to obtain credit card information from a limited number of NFC enabled cards... but getting that information wasn't particularly hard in the first place...
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
This information is available on the card in TEXT FORM anyways.... it is easy for it to be "stolen" every time you whip it out with the wonderful technology we call "EYES".... this is why PIN numbers exist, this is why the 3 digit security code exists.... and without that information, any transaction processed on the card can be easily reverted by calling your credit card company.... non-issue... technically this makes phone payment more secure since it does not have card number, expiry date and name written in plain text, you don't need to worry about people reading it when you whip it out and NFC can be easily disabled and only enabled by button press using apps such as Tasker.... as long as you don't lose your phone (even if you do, Google Wallet for example has a PIN number and can be remotely disabled in Google accounts)
The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Given how close you need to get to do this, more like wargrinding.
Testing with my GS3 and Interac Flash-enabled debit card, the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.
upon the advice of my lawyer, i have no sig at this time
Does that CVV really matter if a thief got everything he/she needs but merely 3-digit (or 4-digit) number? Is it impossible for someone to implement a way (even brute-force) to get those 3 (or 4) digit numbers? I highly doubt that there is NO way to obtain a card's CVV number. Think out of the box please...
Yes, but this provides opportunities for people you don't hand your card to to be able to get the same information.
So anybody on the street with a phone potentially has access to your information. And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to able to get it without you even knowing.
If NFC is so horribly broken that any random person with a free app from Google Play can access your credit card information without you knowing it, it's defective from the get go. Something I've always believed anyway. Its goal is to be convenient and spur people to use this as a payment option; it has never been designed with security and privacy in mind.
Lost at C:>. Found at C.
Look and design - Blank magstripe cards are the same shape and size, the face design can be printed:
http://pvc.idcardgroup.com/productdetails.aspx?item=800059-106-01
Raised lettering - using a set of letter stamps intended for metalwork.
"When information is power, privacy is freedom" - Jah-Wren Ryel
They do however employ very good lawyers and lobbyists who probably ensure that any liability ends with the consumer or the store not them.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
The point is not that it cannot be done - I have cloned magstripe cards myself. The point is that there are hurdles to jump before you have a card you can actually use in person, and other hurdles for card not present transactions.
If you are willing to print on the card face and do the raised lettering for each card's information, good for you - what is the time and cost involved in doing that, versus the value of the fraudulent purchase you can make, versus the risk of the fraud being traced back to you?
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Same with a Nexus 4. Even a thick case causes problems. I'd actually like to have a bit more range for reading NFC tags.
was that the summary says that more capable antennas could improve reading distance, while in reality the technology was designed for very short ranges, with a practical working distance of less than 10 cm. This is, I believe, because most tags are passive, have no energy and must be powered by the reading device with magnetic induction.
The data on a passport is encrypted with a key derived from the "machine readable zone" that's inside the book. To decrypt the data available via NFC you have to actually optically scan the open page. In addition US passports have a shielded chip so the book has to be open to be readable.
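The key derivation this comment refers to can be written out in a few lines. The sketch below is an added example, not part of the original thread; it follows the Basic Access Control derivation published in ICAO Doc 9303, and the function names are this example's own. The sample document values are constructed test data.

```python
import hashlib

WEIGHTS = (7, 3, 1)  # repeating weights used for MRZ check digits


def char_value(ch):
    """Map an MRZ character to its check-digit value."""
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError("invalid MRZ character: %r" % ch)


def check_digit(field):
    """Weighted sum modulo 10 over one MRZ field."""
    total = sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number, birth_yymmdd, expiry_yymmdd):
    """Concatenate the three printed fields, each followed by its check digit.

    This string is what a reader has to obtain optically from the open
    data page before the chip will talk to it.
    """
    doc = doc_number.upper().ljust(9, "<")
    for field in (birth_yymmdd, expiry_yymmdd):
        if len(field) != 6 or not field.isdigit():
            raise ValueError("dates must be YYMMDD")
    return (doc + check_digit(doc)
            + birth_yymmdd + check_digit(birth_yymmdd)
            + expiry_yymmdd + check_digit(expiry_yymmdd))


def adjust_parity(key):
    """Force odd parity on every byte, as DES keys require."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)


def derive_bac_keys(mrz_info):
    """Derive the access keys from the MRZ information string.

    K_seed is the first 16 bytes of SHA-1(mrz_info); the encryption and MAC
    keys are SHA-1(K_seed || counter) truncated to 16 bytes, counter 1 and 2.
    """
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def kdf(counter):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return adjust_parity(digest[:16])

    return {"k_seed": k_seed, "k_enc": kdf(1), "k_mac": kdf(2)}


if __name__ == "__main__":
    # Constructed sample values, not a real document.
    info = mrz_information("L898902C", "690806", "940623")
    keys = derive_bac_keys(info)
    print(info)
    print({name: value.hex() for name, value in keys.items()})
```

A reader that has not seen the printed document number, date of birth and expiry date derives different keys, and the chip's challenge-response then fails.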
You'd be surprised how many people will give you that info if you just walk up to them and tell them you are a credit card technician from MC/Visa/etc while wearing a jacket with the logo badly sewn on it.
Is it impossible for someone to implement a way (even brute-force) to get those 3 (or 4) digit numbers?
Sure, you might even get 4 or 5 attempts before you get locked out.
upon the advice of my lawyer, i have no sig at this time
Most of the fear, FUD and panic will go away if the card requires some form of semi-prolonged contact with the reading device in order to activate or unmask the magnetic data. Then unsolicited reading will be more or less the same as swiping, but without the dedicated hardware.
And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to able to get it without you even knowing.
At which point, they face the same hurdles of using credit card information fraudulently that every other fraudster does.
I'm not saying this doesn't make it easier to get the information - it clearly does. However, you typically need to put in more effort than just getting that information before you can perpetrate the fraud, which the article ignores. I also don't care for the insinuation that Google should ban NFC apps.
They probably shouldn't put NFC chips in cards - there's little benefit to be had from tapping your wallet versus swiping a card. NFC payment via phone makes more sense, since you could toggle availability of the information. And NFC for automation of other tasks is great.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
I have a VISA card with NFC and multiple tag readers for my phone and none of the tag readers can get any info like that out of the card. I've got apps that can read fare cards, passports, etc. but I can't find anything on my credit card.
What am I missing?
http://lkml.org/lkml/2005/8/20/95
I could simply take my old expired card and write the copied data onto it. No one would notice that the numbers on the check don't match the visible ones on the card.
I'd be intrigued to know what app they're using that's returning the code and expiry date.. that information is encrypted on the card and none of the free nfc tag readers I've tried even attempt to decrypt it (I don't trust the banking system to use half decent encryption so not discounting the possibility entirely).
Of course it could just be the typical bullshit scare story that newspapers come out with..
Here in Chile PIN is mandatory... but cloning is still being done (a hidden camera usually captures your PIN)
News flash! Now they are cloning - and altering - the swipe machines, to capture everything including PIN and sending it through hi intensity bluetooth. The machines (GPRS -EDGE) are being switched without the merchant's knowledge.
Surprised isn't the right word. Appalled, sure. Surprised? No.
Then again, people still fall for spam, phishing, and those fake tech support calls from "the Windows provider" which people fall for.
Critical reasoning is a surprisingly uncommon thing. It depresses me, but it doesn't surprise me.
Lost at C:>. Found at C.
almost every retailer has cameras
unless you use the card for small purchases the real owner won't notice, the cops will go after you
Seriously, didn't anyone see this coming? "Swipe" the card and bam -- the purchase is done. How can that be considered secure? No signature, no PIN, no CVV, nothing; just pass it, and it's done. How the fuck was this even considered for adoption? Now, what everybody with half a brain imagined is happening.
Sure they all saw it coming. And "smart chip" credit cards that would hold biometric authentication have been teased for a decade. Problem is, security doesn't *sell*. Not when you can just tell the merchant that fraudulent use is their problem, and then give them no viable way to increase security aside from asking tellers to ask for ID (and we know how well that works).
Says the AC running a business from his/her own asshole.....
Solving Unix problems since 1989...
Of the three, only lack of security can bleed a company dry of funds in milliseconds.
... whatever
Tell that to the criminals who were spending money in gas stations and restaurants in central California using a clone of my wife's card a couple of years ago.
The real "Libtards" are the Libertarians!
the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.
Typical real-world vs. "guy" measurement. (right girls?)
It must have been something you assimilated. . . .
The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.
Yes and no... a few years ago when I got my first RFID card from Mastercard, I had to threaten to cancel the card if they didn't send me one without it. Two years later, when I got one from Visa, it was a 5 minute phone call and the new card (minus RFID) was in my inbox 3 days later.
That says it all, I think. And TFA says that I was right, and I will be quite smug all day about it. ;) (and will continue to insist on having cards without the RFID).
I was very much against them, in fact swearing I would smash my passport's smart chip when I got a new passport that had one.
But having read it with my phone, I'm impressed. You need key data from the printed page to make the NFC work and as you mention, the passports are unreadable when closed.
I think it's really well done. I'm a bit unsure quite what it's good for since it is slower than swiping it, I can only figure it was done just because putting that much info in a barcode was infeasible.
Now let me submit my pic as a link to a PNG or whatever instead of printing out a picture, having them scan it back in and turn it into a JPEG2000.
http://lkml.org/lkml/2005/8/20/95
I keep all my credit cards and smart chip embedded driving license in my hat. And my hat is actually a Faraday's cage constructed using a product from Reynolds. I understand the product is made by electrolysis of bauxite. So no one can read anything from it from a distance.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I'm sure they're aware it's insecure, it's just a level of insecurity they are comfortable with. They don't want to change to a new (more secure) system because that means replacing legacy equipment. And, most importantly, the credit card companies that make the decision are not the people who lose money from fraud (except for the small second-order effect of people not using credit cards due to fear of fraud).
...and every grocery store, which has never, ever, checked my ID.
About 2 years ago, I got a new credit card. I started making online purchases. A year later, I had a purchase rejected. Turns out that I used the wrong CVV - I used the CVV from the old card it replaced. I'd been using that CVV the whole time. I'd been using the wrong CVV for over a year, and this was the first time it had stopped the transaction.
Basically, almost no merchants check it.
I still have more fans than freaks. WTF is wrong with you people?
I've got a hot news story for you - every person you hand your credit card to is able to access your card number, name, and expiration date!
With the advent of chip/pin cards, I can't remember the last time I actually had to hand my credit card to somebody in order to complete a transaction. It was many years and multiple cards ago.
the same can't be said for RFID cards: they can be read with a suitably powerful antenna from 50 feet away.
How fast does it read the card?
Using the TagInfo app from NXP (Who apparently made the NFC chip in my card), takes about 1.5 seconds to read it.
upon the advice of my lawyer, i have no sig at this time
Raised lettering is no longer required. Which is fine, because basically nobody has a manual imprinter these days. Which is terrible at the drive-through when the machines are down...again.
Yeah, and the FUD comment that "omg phones MIGHT have greatly increased NFC range in the future" is bullshit.
Increasing range would require:
1) More power (eats battery)
2) More antenna surface area. To get a range of about 6-10 inches, you need an antenna that is more than a foot on each side. (I need to hold my badge within 6-10 inches of the reader when badging into the largest readers at my workplace - which are over a foot in both width and height.) Oh yeah, that's with a fixed reader that has all the power it could ever want.
retrorocket.o not found, launch anyway?
Wal-Mart, Best Buy, grocery stores....? Plenty of brick & mortar stores with big ticket items. Most of them let you swipe the card yourself, so it doesn't even have to look very real.
Really? I don't know anyone with one. It's all flip-phones, HTC and iPhones where I live. And I'm in Canada.
Get free satoshi (Bitcoin) and Dogecoins
In RF land the concept of placing object A near object B means very little. The big question is antenna gain/directionality and receiver gain and the ability of both to reject out of band noise and not create in band noise.
If a cell phone can read a signal from your credit card over a 2" gap then an antenna in a van can do it from across the street and Jodrell Bank can do it from the other side of the planet.
Dedicated thieves don't go the route most people think to make money. They may also have plenty of time on their hands and no need to make it obvious. Besides, what would they lose if they really tried and got locked out? Unless they are not that sophisticated thieves and associate their real identity with the attempt.
I think they just checked how much lack of security cost vs reducing the cost of security. IE, like a 1000$ system to protect a 10$ book is overkill, maybe that's the same kind of issue. If being a moron was the road to make money, I guess we would know by then.
Hai! "Expert" here (And by "expert" I mean I work in the industry, my company has a hand in testing everything from the cards themselves right up to the host in your Bank's basement).
Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off ebay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe.
Chip cards, on the other hand, work completely differently. They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java). It doesn't just hand over your card details upon request, it actually uses a lot of cryptography, using public/private keypairs (amongst other things) to ensure that no two transactions are ever the same. Cryptograms are used to ensure that data being sent and received is valid, it's impossible to change any data without breaking this. Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.
Contactless chip cards are nothing more than a wireless standard that complements the above. Similar to Wi-fi versus ethernet, it's only the transmission medium that actually differs here, the same sorts of cryptograms and hashes are done here. The net result? Yes, you can skim some data using any NFC equipped smartphone, but it's useless to you because you cannot even replay a transaction because you don't have any of the private keys.
Yes, you can use the information to clone the magstripe on a card - the card gives you enough information in the clear to do this, but you'll find that the magstripe is largely useless to you as it's only used as a fallback. These days, even magstripe transactions are used "online" - that is, the terminal WILL contact the host to verify it, a side effect of the rampant card fraud that goes on. The host will question why a chip-enabled terminal is doing magstripe with a card it knows is chip-enabled. The result? Transaction voided. Terminal prompts you to use the chip, because the terminal knows there's nothing wrong.
As for online shops - those shops that DON'T ask for the CVN are liable for the fraud, so few are left out there that don't. What's more, most cards these days have a secure online payment page requiring you to type in a password before continuing.
Sum total? This is a non-issue, there is nothing new in this article and anything else you hear is scaremongering. You cannot clone a chip card, it's physically impossible.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
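The per-transaction cryptogram described in the comment above can be modelled from the issuer's side to show why skimmed static data, a replayed transaction or an altered amount all fail verification. This is an added example, not part of the original thread, and it is a simplified model: HMAC-SHA256 with a per-card key shared with the issuer stands in for the card's real cryptography, and the class names, field names and card number are constructed for illustration.

```python
import hashlib
import hmac
import os


def compute_cryptogram(key, pan, atc, amount_cents, un):
    """MAC over the fields that make each transaction unique.

    atc is the card's transaction counter; un is the terminal's
    unpredictable number. Fixed-width encodings keep the message unambiguous.
    """
    msg = (pan.encode("ascii") + b"\x00"
           + atc.to_bytes(2, "big")
           + amount_cents.to_bytes(6, "big")
           + un)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """The chip: holds a secret key that never leaves it, plus a counter."""

    def __init__(self, pan, key):
        self.pan = pan          # readable over NFC, like the name and expiry
        self._key = key         # never sent to the terminal
        self._atc = 0

    def sign_transaction(self, amount_cents, un):
        self._atc += 1
        return {
            "pan": self.pan,
            "atc": self._atc,
            "amount_cents": amount_cents,
            "un": un,
            "cryptogram": compute_cryptogram(
                self._key, self.pan, self._atc, amount_cents, un),
        }


class Issuer:
    """The bank host: recomputes the cryptogram and tracks counters."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan):
        key = os.urandom(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, key)

    def authorize(self, txn, un_issued):
        """un_issued is the value the terminal generated for this transaction."""
        key = self._keys.get(txn["pan"])
        if key is None:
            return (False, "unknown card")
        expected = compute_cryptogram(
            key, txn["pan"], txn["atc"], txn["amount_cents"], txn["un"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return (False, "bad cryptogram")
        if txn["un"] != un_issued:
            return (False, "unpredictable number mismatch")
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return (False, "stale ATC (replay)")
        self._last_atc[txn["pan"]] = txn["atc"]
        return (True, "approved")


if __name__ == "__main__":
    issuer = Issuer()
    card = issuer.issue_card("4000000000000002")  # constructed test number
    un = os.urandom(4)
    txn = card.sign_transaction(1250, un)
    print(issuer.authorize(txn, un))                              # genuine
    print(issuer.authorize(txn, un))                              # same message again
    print(issuer.authorize(dict(txn, amount_cents=99999), un))    # amount altered
```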
I was gonna suggest lawyers and lobbyists that ensure the government picks up the liability.
That way the consumer's still happy, and keeps using the card, no matter how many times it gets stolen.
21st Century Renaissance Man
Not necessarily. You said the new card was a replacement for the old card - often those replacements don't change the card number, so really all that will have changed is the expiry date and the CVV. It's possible that the online systems thought you were still using your old card and thus accepted the CVV because the "new" card had never been activated. So it's not the CVV they don't necessarily check, but rather the expiry date (Because hey it's in the future and that's good enough).
It's not ideal though, it should be much stricter than that.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
I don't think you know how NFC works. Tell me, how is this extended antenna going to power the card?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Just like the IT staffers are morons who wouldn't know how to run a successful business from their own asshole. Really, it's that simple. Fuck convenience, usability, and all that other crap customers want! I KNOW that SECURITY is the most important thing.
And that's how you just bought someone who stood next to you on the subway a couple of new iPhones.
Wasn't that convenient?
Chip-pin is standard in Europe (and maybe elsewhere too) but practically non-existent in the U.S. Everywhere here is still swipe with the magstripe. Sometimes you swipe on your own, but just as often you hand the card to someone else for them to swipe (or at restaurants, for them to take away to the terminal, swipe there, and bring back).
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Raised lettering is no longer required.
I know, but the vast majority of cards still have it, which means that cards without it get more scrutiny... so if your cloned card with fake printing doesn't have raised lettering, it might get a second look, at which point the person swiping it might notice that something's a bit off.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Chip and PIN != NFC
That's what it is all about. If the data on the chip doesn't match the data printed on the passport, they know a forgery has taken place.
Of course you could just use the cloned magstripe on a terminal that does not have a wireless or chip reader. Maybe they are common where you are from but in the midwest USA I think I have only ever seen wireless readers at McD's and I have never seen a chip reading terminal. So that kind of blows a hole in a large part of your security... and makes your "non-issue" into a big issue
How is something as arbitrary as a "signature" considered secure either? Anyone can make a random squiggle on a bit of paper. That provides absolutely no authentication whatsoever.
A PIN is about the best option available at the moment, since stealing or cloning the card won't get you that.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
If I swipe my chip enabled card on a chip capable pinpad my bank declines it. Even if I enter the correct pin. I have to use the chip if the pinpad supports chip.
Since when do employees at the average retailer ever bother to check that the raised lettering actually corresponds to the data on the magstrip?
You could just need to create one realistic looking card and then you could keep rewriting it with fraudulent details whenever you liked.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Ah, well, see here's the thing - the USA is supposed to be moving entirely over to chip technology soon.
Of course, it isn't and nobody's in any position to move over because this takes a long time to roll out and a huge amount of the industry isn't as prepared for it as perhaps they should be.
But here's the good news! You're not liable for card fraud, the bank is. At least, the bank is for a short period of time, then that liability will switch over to the merchant because he hasn't upgraded to chip technology yet. That happens in 2015 and oh boy is it going to be a fun one to watch out for!
So anyway, getting back to my point - most of the rest of the world is already on Chip technology (known as EMV, by the way) - the US is the last of the G20 countries to move over to it. Canada did it years ago, the UK did it in the 1990's, etc.
However, as I mentioned above in the USA card fraud is already rampant, it's incredibly trivial to clone a magstripe card and there are already measures in place to fight against that (not quite as effective as moving to chip, of course, but it's there). The point is, there aren't many chip cards in the US so it isn't worth even trying to skim people's wallets for the odd one that DOES have a chip card, just so you can clone said card - it's far more efficient to tackle the magstripe swiping directly as every card has one. Then when the USA finally starts to switch to EMV and chip cards become more prevalent, the magstripe terminals will be mostly replaced and the ones that aren't - as I said earlier - you aren't liable for, the merchant is.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Don't know where you shop, but I frequently observe employees asking for the card, then keying in the last four digits by reading them from the card, and this after swiping.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
I had a course several years ago with a high lead counsel of a very well known company in the e-payments business. I ended up writing a final paper for them called "Security through Obscurity" basically explaining why their credit cards were incredibly insecure and detailing the existing cheap tech that was already accessible to average consumers. The card companies' concept of security generally revolves around the idea that if they keep their security methods in a black box, no one will be able to crack it. Which works great until the first person looks in the box... then it's all over. The card companies also employ thousands and subcontract to even more. They didn't like the paper. 6 months after the class was over, his company had a problem with their card system effectively taken verbatim from my paper. I sent them the news article and said he should revise my grade. I was disappointed I never heard back.
Or do away with the idea of pull based transactions completely...
Instead of giving the retailer access to your card, where they could pull any amount from it, rather operate a push system whereby they give you an address (let's say via QR code), you scan the code, approve the amount and your bank then sends that amount (and only that amount) to the retailer's account. The retailer is not in control, you are.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
So you have to rub against the card - warfrotting?
I found my GS3 could actually read a card with less than 1cm overlapping between the card and the phone's back.
Also it will easily go through my wallet. I can get about 2-4cm of range.
A minor point, but one that people on Slashdot don't seem to understand, is that you don't actually get your cards from Visa or MasterCard at all.
They are payment processors and they pass payments from one bank to another. They ensure that the X banks in the world don't have to build connectors to X-1 other banks just to let you buy something at a shop or online. Instead each bank just connects into Visa or MasterCard (or sometimes both) and then calls it a day.
The relationship you have is actually with your bank (in industry speak, your card issuer). They are the ones that decide what payment scheme to use and issue you a card for that scheme. They are also the ones that would decide whether or not to make available to you the option to have a non-contactless card. Visa and MasterCard have no say in what they give you.
Hopefully that clears things up a bit.
Avantslash - View Slashdot cleanly on your mobile phone.
Hopefully Adria Richards will not read your comment.
CC.
TaijiQuan (Huang, 5 loosenings)
That's basically the design model behind Square and PayPal's wallet apps (which exist but are relatively new and not supported by many vendors): you walk into a merchant, open the app and use it to announce your presence (probably using GPS to give you a list of merchant locations you might be in), then the merchant sees your name/photo on their screen and can select you as a person to charge items to, and when you are done purchasing items, you hit the pay button on your own phone. Then all the actual communication is over the internet with the identification via photo ID + physical presence of the smart phone logged into your account (and possibly the unlock code for your smart phone if you want to get all three factors of authentication).
One of the research scientists here at the UW actually found it works with the ID cards everyone gets, and you can download all your bus trips from the added bus pass we have.
Don't you love not having privacy?
-- Tigger warning: This post may contain tiggers! --
It's all about creating as many debacles and crises that it will become relatively imperative that all people have chips implanted into their bodies. The day is coming when the chip in my fist will meet the phone in your nose..
Given how close you need to get to do this, more like wargrinding.
So... get CC data AND make a new friend!
Is that a smart phone in your pocket or are you just mildly pleased to see me?
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
They do however employ very good lawyers and lobbyists who probably ensure that any liability ends with the consumer or the store not them.
I don't think any cards with personal liability exist. Every card I have has zero liability for fraud--of course, that's kind of a scam, since they just charge me the cost of fraud in my interest rate.
You realize that prostitution IS big business, right?
Typical real-world vs. "guy" measurement. (right girls?)
Hopefully Adria Richards will not read your comment.
Although, I could be implying the example, "I caught a fish this big..."
As for Ms. Richards... She has many valid points, but often seems to choose the wrong battles and/or focus on things that, while apparently important to her, are actually rather trivial and/or harmless in reality. Many jokes may be inappropriate, but finding offense is a task for the small minded and/or insecure. Perhaps she doth protest way too much. My heart goes out to her for standing up for what she believes and suffering the consequences, but in her methods, she's also demonstrated some jerky behavior herself. Perhaps she feels the ends justify the means (that usually doesn't end well for anyone).
It must have been something you assimilated. . . .
In the UK (and probably other places) chip and PIN was brought in by the banks so they could push liability onto the customer. They argue that because chip and PIN is "secure" then you MUST have given your PIN to a third party, ending their liability.
Then again, people still fall for spam, phishing, and those fake tech support calls from "the Windows provider" which people fall for.
What the hell. You mean that *wasn't* Microsoft calling me, to let me know that my 'nix system was compromised. Son of a...
Om, nomnomnom...
Canada, actually... most credit cards being issued here have RFID and Chip/PIN together. You have to ask them to send you one without RFID... they won't send you one without Chip/PIN because they're in the process of upgrading bank machines to require it. We've had Chip/PIN longer than Europe.
My wallet is made of stainless steel. Good luck with that.
You cannot clone a chip card, it's physically impossible.
Who cares about cloning when you can just use contactless interface and forward your purchases to another card. It is only a matter of time until RF payments will work like this,
1. scammer has a fake CC - puts it next to terminal
2. fake CC communicates with terminal + another device (phone, laptop, whatever)
3. the other device then interrogates all the cards around a 5m or 10m radius
4. once it finds another card, it forwards the transaction through the 3rd party.
scam card TO another device TO directional antenna TO scammed individual's CC
all contactless. All secured. All without cloning anything. And with advancement of directional solid state antennas, soon it will not even be necessary to carry anything bulky.
RF is *inherently* insecure to MITM, *always*, even when the MITM can't decrypt the info. The entire point of "safety of CC RF" is the need for proximity. Well, that is bullshit and any RF engineer knows that.
CC.
TaijiQuan (Huang, 5 loosenings)
It's the CVV. Not all websites even ask for it, which is proof that it isn't needed.
I still have more fans than freaks. WTF is wrong with you people?
I had an ATM have trouble reading my card, so it resorted to using the magstripe. However, when in magstripe mode I was limited to withdrawing only $20. So the magstripe is pretty much useless nowadays, at least up here in Canuckistan.
I do not fail; I succeed at finding out what does not work.
Yes, exactly. I didn't see anything in neokushan's posts to counter this problem, other than that eventually maybe everything will be on the chip terminals, which are supposedly immune to this problem.
But then my question is, how do we buy things online without having a chip reader hooked up to my PC?
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
It's funny to think that even African or Latin American issuers issue more EMV cards than the US, but sadly that's true. What's worse is people's groundless fear about using contactless technology for payments. Seriously, the biggest security problem in the credit card itself is the magnetic stripe itself.
WarGroping . . .
We are Dead Stars looking back Up at the Sky
Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about.
'Secure' and 'better than magstripe' are two different things, and as you acknowledge, it is the second of them that is most accurate. Nevertheless, it is a valid point that chip technology is much more secure than magnetic stripe.
Three things bother me, however. The first is that while the security is better, it has not, so far, been state-of-the-art. There is a team at Cambridge University that has found a number of exploits of the British chip 'n pin system, and good evidence that these exploits are being exploited by criminals. Some of the poor design decisions that opened the way for these exploits fall in the 'what were they thinking' class. A change of this magnitude only happens once in a couple of decades, and it is in something that matters a great deal. Is it unreasonable to expect that a great deal of care should be taken to make sure it is done as well as possible, such as by employing and paying attention to people who are at least as competent as the researchers (and the criminals, for that matter) who have been able to break these schemes? We cannot expect or demand perfection, but a significant reduction in gratuitous and easily avoided mistakes appears to be achievable and reasonable to expect.
The second thing (which may also be particular to the British experience) is that the banks have lobbied successfully to change the law so that the cost of fraud is transferred to the merchants and the cardholders. It has been revealed that this transfer was a major motivation for the banks to make the change in the first place (they would prefer to be secure than not, but what they really care about is not paying for fraud.) The lobbying for these changes included what turned out to be unjustified claims about the level of security the system provided. One particular aspect of this liability transfer is that they have been able to do it without producing the log files that might have exonerated those on whom the cost was being transferred.
The third thing is that these security blunders keep on happening - we have seen the same sort of complacent mediocrity (or outright incompetence) in electronic locks and voting machines, to pick just a couple of examples. What is it going to take for security to be taken seriously? For all I know, the chip card system being developed for the US may be better than that in the UK, but past experience makes me skeptical.
http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
http://en.wikipedia.org/wiki/Chip_Authentication_Program
EMV card is not as simple as that... you have layers of security, such as Offline Card Authentication (Offline CAM), Cardholder Verification (PIN, Signature...) and online CAM (where that MAC happens), unless you have means to obtain the private/secret keys required for transaction, it's going to be extremely hard to calculate
But here's the good news! You're not liable for card fraud, the bank is. At least, the bank is for a short period of time, then that liability will switch over to the merchant because he hasn't upgraded to chip technology yet.
So, after the 'short period of time', who is liable for fraud when the merchant has upgraded to chip technology? There seems to be an assumption that with the technology in place, fraud will be impossible, at least without the collusion of the cardholder. That was the assumption in Britain, and on that basis, liability was legally transferred to the cardholder. It turned out, however, that fraud (without the cardholder's participation) was both definitely still possible and almost certainly happening, but as far as I know, the cardholder is still legally on the hook.
http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
The particular error covered here may not be repeated in the US (though I would not automatically assume that), but perfection is unlikely. It looks to me that the banks have themselves a deal whereby, for continuing to bear the cost of fraud for a short time, they get the new system rolled out beyond the point of no return, after which they transfer the liability for whatever happens from then on to the merchants and cardholders. I'm not celebrating yet.
That's because generally these merchants have a "card-present" contract with the card company. This is cheaper than a "card-not-present" scheme, which requires a CVV. This is mostly just a wink and nod agreement, though.
They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java)
Wow, what a relief. It's a good thing they haven't figured out some kind of "SIM cloning" yet.
Realize that any "miniature computer" you can fit in a SIM (which you've claimed is the same that is found in credit cards) is not capable of the kind of secure, decent length keyed, challenge-response type system necessary to do this right. Certainly, the implicit claim it could do it in the time an average ATM withdrawal takes is laughable. I highly doubt we even need to get into the MITM arguments others are bringing up (are you honestly claiming that all third party ATMs are vetted and assigned independent certificates?) to demolish your claims.
You cannot clone a chip card, it's physically impossible.
Uh huh. By the way, you didn't specify what field you're in. I'm guessing marketing?
Most chip and pin (or magstripe) terminals don't provide that information to the retailer, or at least in Australia they don't.
A standard terminal will go through: enter amount > swipe w/ amount displayed > check savings credit > print customer receipt. All of these screens have no personal data related to the card user on them.
Lots of people arguing with the expert that there are still security holes.
Of course there are security holes with the chip and NFC. It's kind of like DRM: in the end, you need to be able to access the content. This means that, ultimately, the content must be decrypted into a usable form. It is at least good news that the card companies are finally - at the speed of a slow snail - adding something resembling security.
Enjoy life! This is not a dress rehearsal.
And you have a place to swipe the card there :)
Time to install the NFC reader in the butt/vagina.
This is the sig that says NI (again)
I have worked in information security for 25 years and am always amused when people say something is "physically impossible". There is almost always a way. I have worked on forensic engineering for chip manufacturers, finding production faults by etching off layers using warm nitric acid and reading the secrets out of the circuit using a microscope. That technique can be used to make many copies of a card but nobody bothers because it's too time expensive and there are easier ways.
Ross Anderson's group in Cambridge are real experts in the chip and pin technology, they know that security implementation flaws often make cards vulnerable, for example see http://www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/
Many parts of the world still use only the magnetic strip. For years while Europe waited for the US to deploy chip and pin we saw European CC numbers being used in the US. Now NFC will make it easier for US based cloners to get just enough data from your cards to send to their cousins in other countries.
That's what the 3-digits on the back of the card are for. They are NOT stored on the magstripe in any way.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Yes, but the point that perhaps I'm not making clear enough is that any vulnerability is due to the OLD systems, the magstripe stuff that should have been replaced years ago. The issue lies with the legacy system, not the new system.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
That particular paper is well known and if you read it, the vulnerability lies with the terminal and the entering of the PIN. You still need the physical card there, which you cannot clone. If your card is stolen, online fraud is much more likely and dangerous than someone using a dodgy terminal (or a shim of some kind inserted into the terminal to perform a MITM attack).
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
By all means, show me a paper or something that shows how it's possible. The technology isn't new, it dates back to the 80's and is similar to the SIM technology used in mobile phones - show me a device capable of cloning any technology even remotely similar to that, then.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Just because the transaction is contactless does not mean that you don't still have to occasionally enter a PIN to approve of the transaction. As for the latter, there are floor and ceiling limits to both contact and contactless transactions - $1 you'd get away with, but $100 would require a much more involved process due to the terminal going online and such.
Still, you're right, the terminal could display an incorrect amount however there's literally nothing you can do against this other than watch your receipts - however this is no different than magstripe today. The chip card is still secure and this kind of fraud would be extremely easy to trace straight back to the merchant. You still wouldn't be liable.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Yes, this is a vulnerability in older cards that had a somewhat predictable "unpredictable number". However, it still doesn't allow you to clone a card in a meaningful way and later cards (I can't give you a timeframe as it depends entirely on your issuer, your country, etc.) aren't susceptible to such things, even when the unpredictable number is, er, predictable, due to a thing called CDA.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
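The weak "unpredictable number" mentioned in the comment above can be checked for from the defender's side. This added example (not from the thread or the research it links) scans a constructed, time-ordered log of EMV Unpredictable Number values (tag 9F37, 4 bytes) per terminal for stuck bits, counter-like steps and repeats; the log layout, terminal names and thresholds are assumptions.

```python
from collections import Counter, defaultdict

MASK32 = 0xFFFFFFFF  # the EMV Unpredictable Number (tag 9F37) is 4 bytes

# Constructed sample log, oldest first: (terminal id, UN as 8 hex digits).
SAMPLE_LOG = (
    [("ATM-A", f"3F1C0A{n:02X}") for n in range(1, 9)]  # steps by 1
    + [("ATM-B", h) for h in ("9E3779B9", "7F4A7C15", "F39CC060", "5CEDC834",
                              "1082276B", "F3A95027", "C2B2AE3D", "27D4EB2F")]
    + [("ATM-C", h) for h in ("A1B2C3D4", "0F5E9A27", "A1B2C3D4", "6C83E1B0",
                              "D94F2A5E", "0F5E9A27", "3B7016C9", "E5A84D72")]
)


def group_by_terminal(rows):
    """Parse hex UNs and keep them in log order per terminal."""
    per_terminal = defaultdict(list)
    for terminal, un_hex in rows:
        if len(un_hex) != 8:
            raise ValueError(f"{terminal}: UN must be 4 bytes, got {un_hex!r}")
        per_terminal[terminal].append(int(un_hex, 16))
    return dict(per_terminal)


def assess(uns, min_samples=8, max_fixed_bits=7, max_delta_share=0.5):
    """Return (findings, metrics) for one terminal's UN sequence.

    Thresholds are illustrative assumptions: across 8 truly random samples a
    given bit stays constant with probability 2**-7, so 8 or more stuck bits
    out of 32 is not chance.
    """
    if len(uns) < min_samples:
        return ["insufficient-data"], {}
    all_and, all_or = MASK32, 0
    for un in uns:
        all_and &= un
        all_or |= un
    # Bits where AND and OR agree never changed across the whole sample.
    fixed_bits = 32 - bin(all_and ^ all_or).count("1")
    repeats = len(uns) - len(set(uns))
    # Modular difference between consecutive values exposes counters/strides.
    deltas = Counter((b - a) & MASK32 for a, b in zip(uns, uns[1:]))
    top_delta, top_count = deltas.most_common(1)[0]
    delta_share = top_count / (len(uns) - 1)

    findings = []
    if fixed_bits > max_fixed_bits:
        findings.append("stuck-bits")
    if delta_share > max_delta_share:
        findings.append("counter-like")
    if repeats:
        findings.append("repeated-values")
    metrics = {
        "samples": len(uns),
        "fixed_bits": fixed_bits,
        "repeats": repeats,
        "top_delta": f"{top_delta:08X}",
        "delta_share": round(delta_share, 2),
    }
    return findings, metrics


def audit(rows):
    """Assess every terminal that appears in the log."""
    grouped = group_by_terminal(rows)
    return {terminal: assess(uns) for terminal, uns in sorted(grouped.items())}


if __name__ == "__main__":
    for terminal, (findings, metrics) in audit(SAMPLE_LOG).items():
        print(terminal, findings or ["ok"], metrics)
```

A clean result only means these three simple patterns were absent in the sample; it is not evidence that a terminal's generator is sound.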
Yes, read the article carefully...
The vulnerable cards have not been properly designed for a start. What's more, this doesn't affect all cards (even if the unpredictable number is guessable) due to different authorisation methods.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Yes, but the point that perhaps I'm not making clear enough is that any vulnerability is due to the OLD systems, the magstripe stuff that should have been replaced years ago. The issue lies with the legacy system, not the new system.
The point I have been making is that experience elsewhere is that the new systems have, in practice, been found to be vulnerable, and it is naive to adopt policies that are predicated on an unjustified and unrealistic assumption of invulnerability.
That particular paper is well known and if you read it, the vulnerability lies with the terminal and the entering of the PIN. You still need the physical card there, which you cannot clone. If your card is stolen, online fraud is much more likely and dangerous than someone using a dodgy terminal (or a shim of some kind inserted into the terminal to perform a MITM attack).
And if you were to objectively read it and other papers on the topic you would see that there is good evidence that these or similar attacks have been used to commit fraud without the collusion of the cardholder. Furthermore, when one case of a poor design decision is found, we can reasonably assume it is not the only one, and that poor decision-making was pervasive.
As you are a self-proclaimed expert deeply involved in the testing of this system, I find your attitude deeply disturbing. You write, and presumably act, as an advocate for the system rather than as an impartial analyst and investigator, and I would not be surprised if that attitude is widespread in the organization you work for. Bruce Schneier, among others, has written about the necessity for people working on security to think like an attacker.
a shielded wallet then.
I can assure you this is not an uncommon scenario in public transport.
In my city the monthly tickets contain RFID tag and are recharged. The automats that validate single-ride tickets can be used to check expiry date of your monthly ticket. I found it quite startling when the automat I was leaning on suddenly went "beep" and displayed my ticket data after it read it through my thick jacket and wallet.
Yes, read the article carefully...
The vulnerable cards have not been properly designed for a start. What's more, this doesn't affect all cards (even if the unpredictable number is guessable) due to different authorisation methods.
Leaving the implementation open for banks and card manufacturers to screw up was one of the bad decisions that indicate that the people who developed this system were not quite up to the job. In security, half a fence is no fence: you have to control everything.
All these responses that say 'that problem has been fixed' ignore the point that when you see one bad decision, it is almost certainly a sign that there are others that have just not surfaced. To give an example where lives were at risk, when it was found during the construction of the Los Angeles class submarines that a faulty weld on a torpedo rack had passed multiple inspections, it immediately threw doubt on every weld on every ship constructed under the program, because the inspection process for hull and reactor welds was not substantively different from the one that failed.
In addition, your use of non-sequiturs in your arguments, such as "this doesn't affect all cards", indicates that you are unwilling or unable to properly evaluate the significance of the evidence.
Maybe this time it is better, but I am deeply concerned by how you, as someone involved in testing these systems, don't get these points and write as an advocate for the thing you are supposed to be testing.
In other words, a chip reader hooked up to his PC.
The truth is that all men having power ought to be mistrusted. James Madison
fixed antennas in a doorway, or stuck behind a poster on a wall and lightpost. Wire them into some batteries and you are good to go.
Cheap storage VM.
Are you also going to fake the look and design of a bank card, including, possibly, raised numbering/lettering? Or are you just going to clone it on an old library card?
First, I have a legitimate bank card in my wallet which has no raised lettering/etc.
Second, lots of terminals let you swipe the card yourself.
Third, you could just clone it onto an old credit card.
So, *you* personally haven't experienced fraud, therefore Chip and Pin is now magically safer?
Have you not been reading, on slashdot even, all the stories about chip and pins being broken? Multiple times? The last one was so broken that there's no way to fix it?
This is wrong, or misleading at best. Two of my credit cards are known by their issuer to have chips; both have been used hundreds of times on chip-capable terminals with only the magstripe (because the chip is missing from both cards) with zero complaints or problems; both have had their magstripes copied by restaurant employees and used to illegally purchase goods. If any retailers are treating magstripe info as second-class I've yet to run into one, QED. So the big problem with the chips is that you can reconstruct the magstripe info from quite a distance. And you only need the magstripe info to clone a card well enough to go buy something at your local Wal-Mart or any of the other thousands of shops that don't ask for the CVN2/CVV2 (which, around here, only Sears does ask).
So tell me again why I'd want to use this insecure contactless system when it saves me perhaps a second or two, tops?
I'm pretty sure I proposed "cardsnarfing" many years ago, trying to find the post now...
I've known about this application for six months. On the play store it's called Card Test and blanks out the middle 10 numbers from scanned cards. But this application is based on the source code developed by someone else that doesn't blank out the numbers.
On my Visa it got the full card number, expiry date and name. Enough to make a purchase online. On my MasterCard it didn't get the name, but I'm sure that's only because the application was made for Visa's specifications instead of MasterCard's. The only thing stopping card sniffing on mobile phones is the fact that NFC on most phones is limited to a centimetre at most (certainly is on my Galaxy Nexus). But this is just a matter of getting better hardware, NFC has a theoretical range of 5 metres so imagine how many cards could get skimmed just by sitting in your average shopping centre (mall) for an hour or two.
If you want to disable NFC, you just need to sever the induction loop. If you don't want to damage the chip, the best place is usually right above the chip where the induction loop connects to it, make a cut there with a scalpel or Stanley knife but be careful not to cut through the mag stripe. Other suggestions have been to drill through the card lining up the chip with the Visa/Mastercard logo (just above the last quartet of numbers) but this is hit and miss as I can't say where the induction loop is exactly.
Calling someone a "hater" only means you can not rationally rebut their argument.
Given how close you need to get to do this, more like wargrinding.
Testing with my GS3 and Interac Flash-enabled debit card, the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.
This is only because phones have incredibly low powered NFC transmitters.
NFC has a theoretical range of 5 metres, so it's just a matter of having a better hardware platform and yes, you can buy them off the shelf. I've had an NFC device in my car that can communicate with a garage door receiver 2 metres away for years. It sat on my dashboard and I never had to move it to get the door to open (well it was meant to work this way). The range of NFC is determined by the power of the hardware, phones deliberately keep NFC power low in order to conserve battery, other NFC systems (like the garage door pass) which have a transmitter connected to mains have no such restrictions.
So maybe you won't be able to do this with a Galaxy S3 or my Galaxy Nexus. But you'll be able to do it with other off the shelf hardware.
Calling someone a "hater" only means you can not rationally rebut their argument.
Yeah, and the FUD comment that "omg phones MIGHT have greatly increased NFC range in the future" is bullshit.
Forget about phones, you can already buy off the shelf NFC devices that have more range than phones.
Increasing range would require:
1) More power (eats battery)
2) More antenna surface area. To get a range of about 6-10 inches, you need an antenna that is more than a foot on each side. (I need to hold my badge within 6-10 inches of the reader when badging into the largest readers at my workplace - which are over a foot in both width and height.) Oh yeah, that's with a fixed reader that has all the power it could ever want.
More power yes, but a 60 CM wide antenna is utter bollocks. Even if you do have a 60 CM antenna, it will be so incredibly easy to get it into public places without being noticed it's not funny.
If I walked into a shopping centre wearing a high visibility vest with a ladder, a tool kit and my antenna, who the hell would question what I'm doing?
Never underestimate where you can get with only a high vis jacket and a clipboard.
Calling someone a "hater" only means you can not rationally rebut their argument.
My first response too was to wonder how fine a Faraday cage I'd need. Or whether it'd be better to just leave the cards at home and go back from 80% cash transactions to 99% cash transactions.
Time for a little Googling ...
Not exactly a new idea - it's been touted (to the extent of respectable corporations making product available for purchase - which implies that to some degree the product is fit for purpose, at least in this country) since 2006, as far as the first page of Google results goes. Including, unsurprisingly, here.
Carbon fibre or woven copper mesh would probably look classier, to my eye at least.
Looks credible at a first glance.
What frequency ranges does NFC operate in? "NFC operates at 13.56 MHz" ... so wavelength would be around 20m; if the conductivity is reasonable, then anything that is a "fabric" on a human scale should be an effective block, unless there's a gross leak (which is one of the reasons I seized on the tubing - fewer gaps).
Copper woven fabric ... what a surprise - there's a non-trivial marketplace for such, e.g. http://www.lessemf.com/fabric.html
It all sounds very do-able. What might be more of an issue would be testing the design - I'd need to have access to a phone (or whatever device) that had a known-good reading hardware. Which might be a bigger expense than is worth the effort, compared to leaving the cards at home and carrying cash.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"