Smartphone Used To Scan Data From Chip-Enabled Credit Cards

An anonymous reader sends this news from the CBC: "Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."

Re:Almost useless

Without the CVV (verification code) you cannot do anything usefull...

Bullshit. It will allow you to clone the card and make "swipe" based purchases. You can also use any online or phone retailer who doesn't ask for the CVV, and many of them don't ask.

Did anybody not see this coming?

[gstoddart]

I've always thought those tap-to-pay things were really a bad idea from a security perspective, as your card can be used without you even knowing it and without any form of authentication.

The fact that it will broadcast all of that information to just about anything tells me it's something which retailers and credit card companies like -- but it's mostly bad for security, but great for convenience.

I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.

I've always thought this was massively insecure, and it looks like I was right.

Re:Almost useless

[GameboyRMH]

The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.

Re:What are we going to call this?

[compro01]

Given how close you need to get to do this, more like wargrinding.

Testing with my GS3 and Interac Flash-enabled debit card, the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.

Re:What are we going to call this?

[compro01]

How fast does it read the card?

Using the TagInfo app from NXP (Who apparently made the NFC chip in my card), takes about 1.5 seconds to read it.

Re:Almost useless

[neokushan]

Hai! "Expert" here (And by "expert" I mean I work in the industry, my company has a hand in testing everything from the cards themselves right up to the host in your Bank's basement).

Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off ebay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe.

Chip cards, on the other hand, work completely differently. They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java). It doesn't just hand over your card details upon request, it actually uses a lot of cryptogeraphy, using public/private keypairs (Amongst other things) to ensure that no two transactions are ever the same. Cryptograms are used to ensure that data being sent and received is valid, it's impossible to change any data without breaking this. Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.

Contactless chip cards are nothing more than a wireless standard that compliments the above. Similar to Wi-fi versus ethernet, it's only the transmission medium that actually differs here, the same sorts of cryptograms and hashes are done here. The net result? Yes, you can skim some data using any NFC equipped smartphone, but it's useless to you because you cannot even replay a transaction because you don't have any of the private keys.

Yes, you can use the information to clone the magstripe on a card - the card gives you enough information in the clear to do this, but you'll find that the magstripe is largely useless to you as it's only used as a fallback. These days, even magstripe transactions are used "online" - that is, the terminal WILL contact the host to veryify it, a side effect of the rampant card fraud that goes on. The host will question why a chip-enabled terminal is doing magstripe with a card it knows is chip-enabled. The result? Transaction voided. Terminal prompts you to use the chip, because the terminal knows there's nothing wrong.

As for online shops - those shops that DON'T ask for the CVN are liable for the fraud, so few are left out there that don't. What's more, most cards these days have a secure online payment page requiring you to type in a password before continuing.

Sum total? This is a non-issue, there is nothing new in this article and anything else you hear is scaremongering. You cannot clone a chip card, it's physically impossible.