Slashdot Mirror
Smartphone Used To Scan Data From Chip-Enabled Credit Cards
An anonymous reader sends this news from the CBC:
"Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."
This NFC technology must be stopped. Why should anyone's life be any more convenient than it already is.
Why back in my day a phone was attached to the wall with wires. It made phone calls and only phone calls and we liked it.
You youngsters and all your fancy gewgaws. Get off my lawn!
"Kittens give Morbo gas!"
Without the CVV (verification code) you cannot do anything usefull...
Bullshit. It will allow you to clone the card and make "swipe" based purchases. You can also use any online or phone retailer who doesn't ask for the CVV, and many of them don't ask.
I'm pretty sure I proposed "cardsnarfing" many years ago, trying to find the post now...
"When information is power, privacy is freedom" - Jah-Wren Ryel
I've always thought those tap-to-pay things were really a bad idea from a security perspective, as your card can be used without you even knowing it and without any form of authentication.
The fact that it will broadcast all of that information to just about anything tells me it's something which retailers and credit card companies like -- but it's mostly bad for security, but great for convenience.
I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.
I've always thought this was massively insecure, and it looks like I was right.
Lost at C:>. Found at C.
The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Given how close you need to get to do this, more like wargrinding.
Testing with my GS3 and Interac Flash-enabled debit card, the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.
upon the advice of my lawyer, i have no sig at this time
A solution looking for a problem. I love how we invent all this crap and then have to invent more crap to make the crap barely usable. If you have to put the card in a faraday wallet then how is it any better than...say...SWIPING IT?
We seem to be able to introduce NFC, but we can't implement chip and pin. I can does security! Herp de derp...
Yes, but this provides opportunities for people you don't hand your card to to be able to get the same information.
So anybody on the street with a phone potentially has access to your information. And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to able to get it without you even knowing.
If NFC is so horribly broken that any random person with a free app from Google Play can access your credit card information without you knowing it, it's defective from the get go. Something I've always believed anyway. It's goal is to be convenient and spur people to use this as a payment option; it has never been designed with security and privacy in mind.
Lost at C:>. Found at C.
Forget tinfoil; woven stainless steel is the in thing for wallets. I got mine more for the durability, but blocking RFID readers is a nice bonus.
There's no point in questioning authority if you aren't going to listen to the answers.
They do however employ very good lawyers and lobbyists who probably ensure that any liability ends with the consumer or the store not them.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
The data on a passport is encrypted with a key derived from the "machine readable zone" that's inside the book. To decrypt the data available via NFC you have to actually optically scan the open page. In addition US passports have a shielded chip so the book has to be open to be readable.
I'd be intrigued to know what app they're using that's returning the code and expiry date.. that information is encrypted on the card and none of the free nfc tag readers I've tried even attempt to decrypt it (I don't trust the banking system to use half decent encryption so not discounting the possibility entirely).
Of course it could just be the typical bullshit scare story that newspapers come out with..
Here in Chile PIN is mandatory... but cloning is still being done (a hidden camera usually captures your PIN)
News flash! Now they are cloning - and altering - the swipe machines, to capture everything including PIN and sending it through hi intensity bluetooth. The machines (GPRS -EDGE) are being switched without the merchant's knowledge.
Surprised isn't the right word. Appalled, sure. Surprised? No.
Then again, people still fall for spam, phishing, and those fake tech support calls from "the Windows provider" which people fall for.
Critical reasoning is a surprisingly uncommon thing. It depresses me, but it doesn't surprise me.
Lost at C:>. Found at C.
Says the AC running a business from his/her own asshole.....
Solving Unix problems since 1989...
Tell that to the criminals who were spending money in gas stations and restaurants in central California using a clone of my wife's card a couple of years ago.
The real "Libtards" are the Libertarians!
The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.
Yes and no... a few years ago when I got my first RFID card from Mastercard, I had to threaten to cancel the card if they didn't send me one without it. Two years later, when I got one from Visa, it was a 5 minute phone call and the new card (minus RFID) was in my inbox 3 days later.
That says it all, I think. And TFA says that I was right, and I will be quite smug all day about it. ;) (and will continue to insist on having cards without the RFID).
I was very much against them, in fact swearing I would smash my passport's smart chip when I got a new passport that had one.
But having read it with my phone, I'm impressed. You need key data from the printed page to make the NFC work and as you mention, the passports are unreadable when closed.
I think it's really well done. I'm a bit unsure quite what it's good for since it is slower than swiping it, I can only figure it was done just because putting that much info in a barcode was infeasible.
Now let me submit my pic as a link to a PNG or whatever instead of printing out a picture, having them scan it back in and turn it into a JPEG2000.
http://lkml.org/lkml/2005/8/20/95
How fast does it read the card?
Using the TagInfo app from NXP (Who apparently made the NFC chip in my card), takes about 1.5 seconds to read it.
upon the advice of my lawyer, i have no sig at this time
...what we need is tinfoil wallets!
(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).
All joking aside, when I got my RFID "enhanced" VISA card, I got a hammer and hole punch and punched through the chip.
Problem solved.
It must have been something you assimilated. . . .
Yeah, and the FUD comment that "omg phones MIGHT have greatly increased NFC range in the future" is bullshit.
Increasing range would require:
1) More power (eats battery)
2) More antenna surface area. To get a range of about 6-10 inches, you need an antenna that is more than a foot on each side. (I need to hold my badge within 6-10 inches of the reader when badging into the largest readers at my workplace - which are over a foot in both width and height.) Oh yeah, that's with a fixed reader that has all the power it could ever want.
retrorocket.o not found, launch anyway?
Hai! "Expert" here (And by "expert" I mean I work in the industry, my company has a hand in testing everything from the cards themselves right up to the host in your Bank's basement).
Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off ebay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe.
Chip cards, on the other hand, work completely differently. They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java). It doesn't just hand over your card details upon request, it actually uses a lot of cryptogeraphy, using public/private keypairs (Amongst other things) to ensure that no two transactions are ever the same. Cryptograms are used to ensure that data being sent and received is valid, it's impossible to change any data without breaking this. Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.
Contactless chip cards are nothing more than a wireless standard that compliments the above. Similar to Wi-fi versus ethernet, it's only the transmission medium that actually differs here, the same sorts of cryptograms and hashes are done here. The net result? Yes, you can skim some data using any NFC equipped smartphone, but it's useless to you because you cannot even replay a transaction because you don't have any of the private keys.
Yes, you can use the information to clone the magstripe on a card - the card gives you enough information in the clear to do this, but you'll find that the magstripe is largely useless to you as it's only used as a fallback. These days, even magstripe transactions are used "online" - that is, the terminal WILL contact the host to veryify it, a side effect of the rampant card fraud that goes on. The host will question why a chip-enabled terminal is doing magstripe with a card it knows is chip-enabled. The result? Transaction voided. Terminal prompts you to use the chip, because the terminal knows there's nothing wrong.
As for online shops - those shops that DON'T ask for the CVN are liable for the fraud, so few are left out there that don't. What's more, most cards these days have a secure online payment page requiring you to type in a password before continuing.
Sum total? This is a non-issue, there is nothing new in this article and anything else you hear is scaremongering. You cannot clone a chip card, it's physically impossible.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Not necessarily. You said the new card was a replacement for the old card - often those replacements don't change the card number, so really all that will have changed is the expiry date and the CVV. It's possible that the online systems thought you were still using your old card and thus accepted the CVV because the "new" card had never been activated. So it's not the CVV they don't necessarily check, but rather the expiry date (Because hey it's in the future and that's good enough).
It's not ideal though, it should be much stricter than that.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
of course you could just use the cloned magstripe on a terminal that does not have a wierless or chip reader. Maybe they are commen where you are from but in the midwest USA i think i have only ever seen wireless readers at McD's and I have never seen a chip reading terminal. So that kind of blows a whole in a large part of your secuirty... and makes your "non-issue" into a big issue
Ah, well, see here's the thing - the USA is supposed to be moving entirely over to chip technology soon.
Of course, it isn't and nobody's in any position to move over because this takes a long time to roll out and a huge amount of the industry isn't as prepared for it as perhaps they should be.
But here's the good news! You're not liable for card fraud, the bank is. At least, the bank is for a short period of time, then that liability will switch over to the merchant because he hasn't upgraded to chip technology yet. That happens in 2015 and oh boy is it going to be a fun one to watch out for!
So anyway, getting back to my point - most of the rest of the world is already on Chip technology (known as EMV, by the way) - the US is the last of the G20 countries to move over to it. Canada did it years ago, the UK did it in the 1990's, etc.
However, as I mentioned above in the USA card fraud is already rampant, it's incredibly trivial to clone a magstripe card and there are already measures in place to fight against that (not quite as effective as moving to chip, of course, but it's there). The point is, there aren't many chip cards in the US so it isn't worth even trying to skim people's wallets for the odd one that DOES have a chip card, just so you can clone said card - it's far more efficient to tackle the magstripe swiping directly as every card has one. Then when the USA finally starts to switch to EMV and chip cards become more prevelant, the magstripe terminals will be mostly replaced and the ones that aren't - as I said earlier - you aren't liable for, the merchant is.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
A minor point, but one that people on Slashdot don't seem to understand, is that you don't actually get your cards from Visa or MasterCard at all.
They are payment processors and they pass payments from one bank to another. They ensure that the X banks in the world don't have to build connectiors to X-1 other banks just to let you buy something at a shop or online. Instead each bank just connects into Visa or MasterCard (or sometimes both) and then calls it a day.
The relationship you have is actually with your bank (in industry speak, your card issuer). They are the ones that decide what payment scheme to use and issue you a card for that scheme. They are also the ones that would decide whether or not to make available to you the option to have a non-contactless card. Visa and MasterCard have no say in what they give you.
Hopefully that clears things up a bit.
Avantslash - View Slashdot cleanly on your mobile phone.
Canada, actually... most credit cards being issued here have RFID and Chip/PIN together. You have to ask them to send you one without RFID... they won't send you one without Chip/PIN because they're in the process of upgrading bank machines to require it. We've had Chip/PIN longer than Europe.
WarGroping . . .
We are Dead Stars looking back Up at the Sky