Smartphone Used To Scan Data From Chip-Enabled Credit Cards
An anonymous reader sends this news from the CBC:
"Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."
This NFC technology must be stopped. Why should anyone's life be any more convenient than it already is.
Why back in my day a phone was attached to the wall with wires. It made phone calls and only phone calls and we liked it.
You youngsters and all your fancy gewgaws. Get off my lawn!
"Kittens give Morbo gas!"
...what we need is tinfoil wallets!
(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).
Without the CVV (verification code) you cannot do anything useful...
Bullshit. It will allow you to clone the card and make "swipe" based purchases. You can also use any online or phone retailer who doesn't ask for the CVV, and many of them don't ask.
I'm pretty sure I proposed "cardsnarfing" many years ago, trying to find the post now...
"When information is power, privacy is freedom" - Jah-Wren Ryel
I've always thought those tap-to-pay things were really a bad idea from a security perspective, as your card can be used without you even knowing it and without any form of authentication.
The fact that it will broadcast all of that information to just about anything tells me it's something which retailers and credit card companies like -- but it's mostly bad for security, but great for convenience.
I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.
I've always thought this was massively insecure, and it looks like I was right.
Lost at C:>. Found at C.
The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Given how close you need to get to do this, more like wargrinding.
Testing with my GS3 and Interac Flash-enabled debit card, the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.
upon the advice of my lawyer, i have no sig at this time
A solution looking for a problem. I love how we invent all this crap and then have to invent more crap to make the crap barely usable. If you have to put the card in a faraday wallet then how is it any better than...say...SWIPING IT?
We seem to be able to introduce NFC, but we can't implement chip and pin. I can does security! Herp de derp...
Yes, but this provides opportunities for people you don't hand your card to to be able to get the same information.
So anybody on the street with a phone potentially has access to your information. And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to able to get it without you even knowing.
If NFC is so horribly broken that any random person with a free app from Google Play can access your credit card information without you knowing it, it's defective from the get go. Something I've always believed anyway. Its goal is to be convenient and spur people to use this as a payment option; it has never been designed with security and privacy in mind.
Lost at C:>. Found at C.
They do however employ very good lawyers and lobbyists who probably ensure that any liability ends with the consumer or the store not them.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
The point is not that it cannot be done - I have cloned magstripe cards myself. The point is that there are hurdles to jump before you have a card you can actually use in person, and other hurdles for card not present transactions.
If you are willing to print on the card face and do the raised lettering for each card's information, good for you - what is the time and cost involved in doing that, versus the value of the fraudulent purchase you can make, versus the risk of the fraud being traced back to you?
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Same with a Nexus 4. Even a thick case causes problems. I'd actually like to have a bit more range for reading NFC tags.
was that the summary says that more capable antennas could improve reading distance, while in reality the technology was designed for very short ranges, with a practically working distance of less than 10 cm. This is, I believe, because most tags are passive, have no energy and must be powered by the reading device with magnetic induction.
The data on a passport is encrypted with a key derived from the "machine readable zone" that's inside the book. To decrypt the data available via NFC you have to actually optically scan the open page. In addition US passports have a shielded chip so the book has to be open to be readable.
You'd be surprised how many people will give you that info if you just walk up to them and tell them you are a credit card technician from MC/Visa/etc while wearing a jacket with the logo badly sewn on it.
I have a VISA card with NFC and multiple tag readers for my phone and none of the tag readers can get any info like that out of the card. I've got apps that can read fare cards, passports, etc. but I can't find anything on my credit card.
What am I missing?
http://lkml.org/lkml/2005/8/20/95
I'd be intrigued to know what app they're using that's returning the code and expiry date.. that information is encrypted on the card and none of the free nfc tag readers I've tried even attempt to decrypt it (I don't trust the banking system to use half decent encryption so not discounting the possibility entirely).
Of course it could just be the typical bullshit scare story that newspapers come out with..
Here in Chile PIN is mandatory... but cloning is still being done (a hidden camera usually captures your PIN)
News flash! Now they are cloning - and altering - the swipe machines, to capture everything including PIN and sending it through hi intensity bluetooth. The machines (GPRS -EDGE) are being switched without the merchant's knowledge.
Surprised isn't the right word. Appalled, sure. Surprised? No.
Then again, people still fall for spam, phishing, and those fake tech support calls from "the Windows provider" which people fall for.
Critical reasoning is a surprisingly uncommon thing. It depresses me, but it doesn't surprise me.
Lost at C:>. Found at C.
Says the AC running a business from his/her own asshole.....
Solving Unix problems since 1989...
Tell that to the criminals who were spending money in gas stations and restaurants in central California using a clone of my wife's card a couple of years ago.
The real "Libtards" are the Libertarians!
the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.
Typical real-world vs. "guy" measurement. (right girls?)
It must have been something you assimilated. . . .
The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.
Yes and no... a few years ago when I got my first RFID card from Mastercard, I had to threaten to cancel the card if they didn't send me one without it. Two years later, when I got one from Visa, it was a 5 minute phone call and the new card (minus RFID) was in my inbox 3 days later.
That says it all, I think. And TFA says that I was right, and I will be quite smug all day about it. ;) (and will continue to insist on having cards without the RFID).
I was very much against them, in fact swearing I would smash my passport's smart chip when I got a new passport that had one.
But having read it with my phone, I'm impressed. You need key data from the printed page to make the NFC work and as you mention, the passports are unreadable when closed.
I think it's really well done. I'm a bit unsure quite what it's good for since it is slower than swiping it, I can only figure it was done just because putting that much info in a barcode was infeasible.
Now let me submit my pic as a link to a PNG or whatever instead of printing out a picture, having them scan it back in and turn it into a JPEG2000.
http://lkml.org/lkml/2005/8/20/95
I'm sure they're aware it's insecure, it's just a level of insecurity they are comfortable with. They don't want to change to a new (more secure) system because that means replacing legacy equipment. And, most importantly, the credit card companies that make the decision are not the people who lose money from fraud (except for the small second-order effect of people not using credit cards due to fear of fraud).
About 2 years ago, I got a new credit card. I started making online purchases. A year later, I had a purchase rejected. Turns out that I used the wrong CVV- I used the CVV from the old card it replaced. I'd been using that CVV the whole time. I'd been using the wrong CVV for over a year, and this was the first time it had stopped the transaction.
Basically, almost no merchants check it.
I still have more fans than freaks. WTF is wrong with you people?
How fast does it read the card?
Using the TagInfo app from NXP (Who apparently made the NFC chip in my card), takes about 1.5 seconds to read it.
upon the advice of my lawyer, i have no sig at this time
Raised lettering is no longer required. Which is fine, because basically nobody has a manual imprinter these days. Which is terrible at the drive-through when the machines are down...again.
Yeah, and the FUD comment that "omg phones MIGHT have greatly increased NFC range in the future" is bullshit.
Increasing range would require:
1) More power (eats battery)
2) More antenna surface area. To get a range of about 6-10 inches, you need an antenna that is more than a foot on each side. (I need to hold my badge within 6-10 inches of the reader when badging into the largest readers at my workplace - which are over a foot in both width and height.) Oh yeah, that's with a fixed reader that has all the power it could ever want.
retrorocket.o not found, launch anyway?
Wal-Mart, Best Buy, grocery stores....? Plenty of brick & mortar stores with big ticket items. Most of them let you swipe the card yourself, so it doesn't even have to look very real.
Hai! "Expert" here (And by "expert" I mean I work in the industry, my company has a hand in testing everything from the cards themselves right up to the host in your Bank's basement).
Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off ebay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe.
Chip cards, on the other hand, work completely differently. They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java). It doesn't just hand over your card details upon request, it actually uses a lot of cryptography, using public/private keypairs (Amongst other things) to ensure that no two transactions are ever the same. Cryptograms are used to ensure that data being sent and received is valid, it's impossible to change any data without breaking this. Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.
Contactless chip cards are nothing more than a wireless standard that complements the above. Similar to Wi-fi versus ethernet, it's only the transmission medium that actually differs here, the same sorts of cryptograms and hashes are done here. The net result? Yes, you can skim some data using any NFC equipped smartphone, but it's useless to you because you cannot even replay a transaction because you don't have any of the private keys.
Yes, you can use the information to clone the magstripe on a card - the card gives you enough information in the clear to do this, but you'll find that the magstripe is largely useless to you as it's only used as a fallback. These days, even magstripe transactions are used "online" - that is, the terminal WILL contact the host to verify it, a side effect of the rampant card fraud that goes on. The host will question why a chip-enabled terminal is doing magstripe with a card it knows is chip-enabled. The result? Transaction voided. Terminal prompts you to use the chip, because the terminal knows there's nothing wrong.
As for online shops - those shops that DON'T ask for the CVN are liable for the fraud, so few are left out there that don't. What's more, most cards these days have a secure online payment page requiring you to type in a password before continuing.
Sum total? This is a non-issue, there is nothing new in this article and anything else you hear is scaremongering. You cannot clone a chip card, it's physically impossible.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
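A simplified model of the per-transaction cryptogram described in the comment above, as an added example that is not part of the original thread. HMAC-SHA256 stands in for the real EMV MAC, and the `Card` and `Issuer` classes, the field names and the card number are hypothetical; the point is what the issuer does with a replayed, altered or key-less transaction.

```python
import hashlib
import hmac
import os
import struct


def _mac(key, pan, amount_cents, un, atc):
    # The cryptogram covers card number, amount, terminal nonce and counter.
    data = pan.encode() + struct.pack(">QH", amount_cents, atc) + un
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """Toy chip card: the key stays inside, only cryptograms come out."""

    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount_cents, un):
        self.atc += 1  # transaction counter advances on every transaction
        return {"pan": self.pan, "amount": amount_cents, "un": un,
                "atc": self.atc,
                "cryptogram": _mac(self._key, self.pan, amount_cents, un, self.atc)}


class Issuer:
    """Toy issuer host: shares a key with each card and tracks its counter."""

    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue_card(self, pan):
        self._keys[pan] = os.urandom(32)
        self._last_atc[pan] = 0
        return Card(pan, self._keys[pan])

    def authorize(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = _mac(key, txn["pan"], txn["amount"], txn["un"], txn["atc"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "DECLINE: counter reused"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"


def demo():
    issuer = Issuer()
    card = issuer.issue_card("4000000000000002")  # constructed card number
    genuine = card.sign(1999, os.urandom(4))
    results = {"genuine": issuer.authorize(genuine)}
    # A recorded transaction sent a second time: the counter gives it away.
    results["replay"] = issuer.authorize(dict(genuine))
    # Same recording with the amount changed: the MAC no longer matches.
    results["altered_amount"] = issuer.authorize(dict(genuine, amount=199900))
    # Only the readable card data and no key: the cryptogram is a guess.
    results["static_data_only"] = issuer.authorize(
        {"pan": card.pan, "amount": 1999, "un": os.urandom(4),
         "atc": card.atc + 1, "cryptogram": os.urandom(8)})
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```
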
Not necessarily. You said the new card was a replacement for the old card - often those replacements don't change the card number, so really all that will have changed is the expiry date and the CVV. It's possible that the online systems thought you were still using your old card and thus accepted the CVV because the "new" card had never been activated. So it's not the CVV they don't necessarily check, but rather the expiry date (Because hey it's in the future and that's good enough).
It's not ideal though, it should be much stricter than that.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Of course you could just use the cloned magstripe on a terminal that does not have a wireless or chip reader. Maybe they are common where you are from but in the midwest USA I think I have only ever seen wireless readers at McD's and I have never seen a chip reading terminal. So that kind of blows a hole in a large part of your security... and makes your "non-issue" into a big issue.
Ah, well, see here's the thing - the USA is supposed to be moving entirely over to chip technology soon.
Of course, it isn't and nobody's in any position to move over because this takes a long time to roll out and a huge amount of the industry isn't as prepared for it as perhaps they should be.
But here's the good news! You're not liable for card fraud, the bank is. At least, the bank is for a short period of time, then that liability will switch over to the merchant because he hasn't upgraded to chip technology yet. That happens in 2015 and oh boy is it going to be a fun one to watch out for!
So anyway, getting back to my point - most of the rest of the world is already on Chip technology (known as EMV, by the way) - the US is the last of the G20 countries to move over to it. Canada did it years ago, the UK did it in the 1990's, etc.
However, as I mentioned above in the USA card fraud is already rampant, it's incredibly trivial to clone a magstripe card and there are already measures in place to fight against that (not quite as effective as moving to chip, of course, but it's there). The point is, there aren't many chip cards in the US so it isn't worth even trying to skim people's wallets for the odd one that DOES have a chip card, just so you can clone said card - it's far more efficient to tackle the magstripe swiping directly as every card has one. Then when the USA finally starts to switch to EMV and chip cards become more prevalent, the magstripe terminals will be mostly replaced and the ones that aren't - as I said earlier - you aren't liable for, the merchant is.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
I had a course several years ago with a high lead counsel of a very well known company in the e-payments business. I ended up writing a final paper for them called "Security through Obscurity" basically explaining why their credit cards were incredibly insecure and detailing the existing cheap tech that was already accessible to average consumers. The card companies' concept of security generally revolves around the idea that if they keep their security methods in a black box, no one will be able to crack it. Which works great until the first person looks in the box... then it's all over. The card companies also employ thousands and subcontract to even more. They didn't like the paper. 6 months after the class was over, his company had a problem with their card system effectively taken verbatim from my paper. I sent them the news article and said he should revise my grade. I was disappointed I never heard back.
Or do away with the idea of pull based transactions completely...
Instead of giving the retailer access to your card, where they could pull any amount from it, rather operate a push system whereby they give you an address (let's say via QR code), you scan the code, approve the amount and your bank then sends that amount (and only that amount) to the retailer's account. The retailer is not in control, you are.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
A minor point, but one that people on Slashdot don't seem to understand, is that you don't actually get your cards from Visa or MasterCard at all.
They are payment processors and they pass payments from one bank to another. They ensure that the X banks in the world don't have to build connectors to X-1 other banks just to let you buy something at a shop or online. Instead each bank just connects into Visa or MasterCard (or sometimes both) and then calls it a day.
The relationship you have is actually with your bank (in industry speak, your card issuer). They are the ones that decide what payment scheme to use and issue you a card for that scheme. They are also the ones that would decide whether or not to make available to you the option to have a non-contactless card. Visa and MasterCard have no say in what they give you.
Hopefully that clears things up a bit.
Avantslash - View Slashdot cleanly on your mobile phone.
You realize that prostitution IS big business, right?
Typical real-world vs. "guy" measurement. (right girls?)
Hopefully Adria Richards will not read your comment.
Although, I could be implying the example, "I caught a fish this big..."
As for Ms. Richards... She has many valid points, but often seems to choose the wrong battles and/or focus on things that, while apparently important to her, are actually rather trivial and/or harmless in reality. Many jokes may be inappropriate, but finding offense is a task for the small minded and/or insecure. Perhaps she doth protest way too much. My heart goes out to her for standing up for what she believes and suffering the consequences, but in her methods, she's also demonstrated some jerky behavior herself. Perhaps she feels the ends justify the means (that usually doesn't end well for anyone).
It must have been something you assimilated. . . .
In the UK (and probably other places) chip and PIN was brought in by the banks so they could push liability onto the customer. They argue that because chip and PIN is "secure" then you MUST have given your PIN to a third party, ending their liability.
Canada, actually... most credit cards being issued here have RFID and Chip/PIN together. You have to ask them to send you one without RFID... they won't send you one without Chip/PIN because they're in the process of upgrading bank machines to require it. We've had Chip/PIN longer than Europe.
IANAL, but according to the all-wise Internet, card skimming is a part of card fraud, and is prosecuted accordingly - as an element of a larger crime (if the info was used) or a conspiracy to commit crime (if not.)
There is no legal reason why would one covertly copy the c/c information of someone else. Every use of that information would be illegal.
WarGroping . . .
We are Dead Stars looking back Up at the Sky
Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about.
'Secure' and 'better than magstripe' are two different things, and as you acknowledge, it is the second of them that is most accurate. Nevertheless, it is a valid point that chip technology is much more secure than magnetic stripe.
Three things bother me, however. The first is that while the security is better, it has not, so far, been state-of-the-art. There is a team at Cambridge University that has found a number of exploits of the British chip 'n pin system, and good evidence that these exploits are being exploited by criminals. Some of the poor design decisions that opened the way for these exploits fall in the 'what were they thinking' class. A change of this magnitude only happens once in a couple of decades, and it is in something that matters a great deal. Is it unreasonable to expect that a great deal of care should be taken to make sure it is done as well as possible, such as by employing and paying attention to people who are at least as competent as the researchers (and the criminals, for that matter) who have been able to break these schemes? We cannot expect or demand perfection, but a significant reduction in gratuitous and easily avoided mistakes appears to be achievable and reasonable to expect.
The second thing (which may also be particular to the British experience) is that the banks have lobbied successfully to change the law so that the cost of fraud is transferred to the merchants and the cardholders. It has been revealed that this transfer was a major motivation for the banks to make the change in the first place (they would prefer to be secure than not, but what they really care about is not paying for fraud.) The lobbying for these changes included what turned out to be unjustified claims about the level of security the system provided. One particular aspect of this liability transfer is that they have been able to do it without producing the log files that might have exonerated those on whom the cost was being transferred.
The third thing is that these security blunders keep on happening - we have seen the same sort of complacent mediocrity (or outright incompetence) in electronic locks and voting machines, to pick just a couple of examples. What is it going to take for security to be taken seriously? For all I know, the chip card system being developed for the US may be better than that in the UK, but past experience makes me skeptical.
http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
And you have a place to swipe the card there :)
Time to install the NFC reader in the butt/vagina.
This is the sig that says NI (again)
That particular paper is well known and if you read it, the vulnerability lies with the terminal and the entering of the PIN. You still need the physical card there, which you cannot clone. If your card is stolen, online fraud is much more likely and dangerous than someone using a dodgy terminal (or a shim of some kind inserted into the terminal to perform a MITM attack).
And if you were to objectively read it and other papers on the topic you would see that there is good evidence that these or similar attacks have been used to commit fraud without the collusion of the cardholder. Furthermore, when one case of a poor design decision is found, we can reasonably assume it is not the only one, and that poor decision-making was pervasive.
As you are a self-proclaimed expert deeply involved in the testing of this system, I find your attitude deeply disturbing. You write, and presumably act, as an advocate for the system rather than as an impartial analyst and investigator, and I would not be surprised if that attitude is widespread in the organization you work for. Bruce Schneier, among others, has written about the necessity for people working on security to think like an attacker.