Slashdot Mirror


Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card

New submitter biomass writes with news about a flaw in Visa's contactless cards that lets anyone charge up to 999,999.99 in a non-sterling currency to one. According to researchers at Newcastle University in the UK, the card system developed by Visa for use in the United Kingdom fails to recognize transactions made in currencies other than pounds sterling, and can therefore be tricked into approving, without a PIN, any such transaction up to 999,999.99. "With just a mobile phone we created a POS terminal that could read a card through a wallet," Martin Emms, lead researcher of the project that uncovered the flaw, noted in a statement about the findings. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction."
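As an added example (not code from the article, the Newcastle researchers or Visa), here is a toy model of the limit check the summary describes: a comparison that only runs for the card's own currency, beside a version that applies the limit in the card's currency for every transaction. The EMV tag numbers 9F02 and 5F2A and the ISO 4217 numeric codes are real; the exchange rates, the function names and the transaction structure are assumptions made for the illustration.

```python
"""Toy model of the contactless no-PIN limit check discussed above.

In EMV the amount travels as tag 9F02 (Amount, Authorised: 12 BCD digits
in minor units) alongside tag 5F2A (Transaction Currency Code, ISO 4217
numeric). The flawed policy compares the amount with the GBP limit only
when the currency is GBP, so a USD or EUR amount is never compared at
all; the hardened policy converts every amount into the card's currency
first and fails closed (demands a cardholder verification method, CVM,
such as a PIN) for any currency it cannot convert.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_CEILING

# ISO 4217 numeric codes (real values).
GBP, USD, EUR = 826, 840, 978
CARD_CURRENCY = GBP
NO_CVM_LIMIT_MINOR = 2000  # the GBP 20.00 contactless ceiling, in pence

# Assumed rates for the example only; a real terminal would take these
# from its configuration or decline to approve offline.
SAMPLE_RATES_TO_GBP = {
    GBP: Decimal("1"),
    USD: Decimal("0.62"),
    EUR: Decimal("0.79"),
}


def encode_amount_9f02(minor_units: int) -> bytes:
    """Pack an amount in minor units as 12 BCD digits (6 bytes)."""
    if not 0 <= minor_units <= 999_999_999_999:
        raise ValueError("amount does not fit in n12")
    return bytes.fromhex(f"{minor_units:012d}")


def decode_amount_9f02(raw: bytes) -> int:
    """Unpack 6 BCD bytes back into minor units."""
    if len(raw) != 6 or not raw.hex().isdigit():
        raise ValueError("9F02 must be 6 BCD bytes")
    return int(raw.hex())


@dataclass(frozen=True)
class Transaction:
    amount_9f02: bytes   # tag 9F02
    currency_5f2a: int   # tag 5F2A


def flawed_cvm_required(tx: Transaction) -> bool:
    """Flawed check: the limit is only applied to the card's own currency,
    so every non-GBP transaction is approved without a PIN."""
    amount = decode_amount_9f02(tx.amount_9f02)
    return tx.currency_5f2a == CARD_CURRENCY and amount > NO_CVM_LIMIT_MINOR


def hardened_cvm_required(tx: Transaction, rates=SAMPLE_RATES_TO_GBP) -> bool:
    """Hardened check: convert into the card's currency, round up so the
    comparison never under-estimates, and fail closed on unknown currencies."""
    amount = decode_amount_9f02(tx.amount_9f02)
    rate = rates.get(tx.currency_5f2a)
    if rate is None:
        return True
    in_card_currency = (Decimal(amount) * rate).to_integral_value(rounding=ROUND_CEILING)
    return in_card_currency > NO_CVM_LIMIT_MINOR


def compare(minor_units: int, currency: int) -> tuple[bool, bool]:
    """Return (flawed_requires_pin, hardened_requires_pin) for one transaction."""
    tx = Transaction(encode_amount_9f02(minor_units), currency)
    return flawed_cvm_required(tx), hardened_cvm_required(tx)


if __name__ == "__main__":
    for label, minor, cur in [("GBP 19.99", 1999, GBP),
                              ("GBP 20.01", 2001, GBP),
                              ("USD 999,999.99", 99_999_999, USD)]:
        print(label, compare(minor, cur))
```

The point of the hardened version is not the rate table but the shape of the decision: the limit is expressed in one currency, so every amount must be brought into that currency before the comparison, and anything the terminal cannot convert must be treated as over the limit rather than skipped.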

126 comments

  1. Well... no. by AmiMoJo · · Score: 0, Offtopic

    Not many VISA cards are authorised for £1M transactions.

    It's embarrassing and worrying, but the headline is bullshit.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Well... no. by Anonymous Coward · · Score: 3, Informative

      fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99

      Motherfucker, you can't read a fucking sentence into the SUMMARY!?

    2. Re:Well... no. by Adriax · · Score: 4, Interesting

      Up to. Meaning $0-$999,999.
Script a repeated transaction preload for $5 on a device then go wait at a chokepoint to any high traffic area. Subway, airport, shopping center, sports stadium, etc...

      You could rake in quite a lot in a short timeframe doing that.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    3. Re:Well... no. by ADRA · · Score: 2

Yes, and Visa will totally let the 'merchant' keep their gains too, oh wait, wasn't Visa reversible? It sucks and is embarrassing, but is there any material harm done here (besides having the hassle of disputing charges) for the consumer?

      --
      Bye!
    4. Re:Well... no. by bluemonq · · Score: 3, Informative

      Even if the transaction is 999,999.00 euros, the point remains: in all likelihood that transaction would be over the limit of 99.999% of all credit cards out there.

      Also:

      "Since the transaction is done offline without going through a retailer’s point-of-sale system, no other security checks are done."

      How do they get at the money, however much it is, without passing it through the payment network at one point or another? It's not like there's only one check done when the card is tapped.

    5. Re:Well... no. by Anonymous Coward · · Score: 1

      From the article that is linked at Wired:

      "The EMV system in the UK limits the maximum value for a contactless transaction to £20, requiring a PIN for anything more than this.

      But the researchers found that the system doesn’t recognize foreign currency transactions and therefore doesn’t require a PIN for these."

      If it doesn't think the money is over their spending limit due to currency conversion screw ups, then they can't go over their limit with a $999,999.00USD charge. Make more sense now? Basically, if the amount is NOT in British Pounds then the transaction is approved no matter how big the number, up to 999,999.99 of any currency other than Pounds.

    6. Re:Well... no. by AmiMoJo · · Score: 2

True, but how is that any different to the normal situation where the maximum amount is £20? If that were a realistic attack people would be doing it already, but there is no evidence that they are. Moreover the cards have been in use for over a decade in Japan, and such an attack has never happened.

The whole point of TFA is that they can get $1,000,000 in a single hit, but in reality they can't. So maybe, at worst, they can up the game a bit by doing a few hundred bucks instead of the previous £20 limit, except that no-one has ever demonstrated a practical secret-transaction attack anyway.

To top it all off the source is the Daily Fail, so it's guaranteed that the story is just fear-mongering bullshit. Wouldn't surprise me if they somehow managed to claim immigrant criminals were behind it all.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Well... no. by sumdumass · · Score: 5, Informative

      A good majority of small transactions are never caught or challenged. Credit card thieves figured this out a long time ago when card skimmers and the internet came about. People don't really pay attention like they should.

    8. Re:Well... no. by Anonymous Coward · · Score: 2, Interesting

      There are 90.5 credit cards in the UK, with Visa owning about 49.6 percent market share.

      Given your 99.999% figure, that means there are 288 (or fewer) cards out there that are authorized for over $1000000.

      There are 104 billionaires in the UK, and 10,000 multi-millionaires. It seems, then, that 288 is actually a pretty reasonable number. Nice job.

    9. Re:Well... no. by taustin · · Score: 4, Insightful

      Sounds like if you can find a store that is currently offline (which is rare) you can rip off the store for goods purchased, and that's about it.

      It's useless for the thief to directly charge a card unless the thief also has a merchant account, which are not exactly trivial to sign up for, what with credit checks and all.

      And these people obviously have no clue how offline transactions actually work. They're held in the POS station until they get uploaded, where they get all the normal verifications before they are processed and the money deposited in the merchant's account.

      Other than ripping off a merchant in some way (and that would require a coordinated effort on the part of someone with a portable card reader and someone else at the cash register), there is no risk here whatsoever. Nothing but FUD, deliberately fostering hysteria to sell advertising. In other words, in the world of "journalism", it's a day that ends in "y".

    10. Re:Well... no. by rtb61 · · Score: 1

How long does it take, how important were your funds at the time? Needed to pay rent, buy medications, eat, awh shucks, your credit limit is exceeded, no more credit for you, and as a bonus they can screw with your credit history. The reality is credit card companies and banks do not want to pay for the extra expense of having your photo on the card and confirming the purchase with a photo taken at the transaction point. For online purchases, the onus is truly in the hands of the merchant for what they will accept as the identity of the user, and a credit card on its own should never be enough, but hey, greed first.

There is no such thing as identity theft in credit card transactions, it is credit fraud, firstly by the merchant making a false charge against your account, and this should stand unless the merchant can prove in court that they were cheated by another party. The merchant must provide proof of the person and what was done to substantiate their identity prior to the merchant making a fraudulent claim upon your account.

      The merchant who makes a false claim on a persons credit card account should be charged with fraud.

      --
      Chaos - everything, everywhere, everywhen
    11. Re:Well... no. by Nethemas+the+Great · · Score: 1

Japan may have had these kind of cards for a while but I'm not sure they're a good example. The overwhelming majority of transactions in Japan are with cash. Cards (mostly prepaid) have only recently started gaining popularity.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    12. Re:Well... no. by DigitAl56K · · Score: 1

      Seems like something along the lines of Google Wallet or Apple Pay would be more secure, since they can require to be unlocked before processing NFC transactions. Something as simple as a pressure pad on a card (i.e. requiring it to be pressed while completing a transaction) could solve the vulnerability.

    13. Re:Well... no. by xaotikdesigns · · Score: 1

      How long does it take to convert your ill-gotten gains into bitcoins and then dump the merchant account you created using a stolen ID?

      --
      XDInd
    14. Re: Well... no. by Anonymous Coward · · Score: 0

      r/theydidthemath

    15. Re:Well... no. by Cley+Faye · · Score: 2

      Yeah... or, just putting the damn card in the card reader.

Not sure about the state of payment cards in the US, but in France (and likely most of Europe) we've had smart cards that actually talk to the payment terminal. While not that secure at times, you needed an actual/intended physical interaction between the card reader and the card.

Fast forward to nowadays, we've introduced contactless cards, so anyone with an NFC phone can read your card info through your pocket. Like reading the magnetic track. Except there's no physical interaction needed. All of this for what? So it could be easier. Why didn't they *simply* use *existing technology* and implement a protocol that allowed fast payment (without entering a PIN code) through traditional readers instead?

I'm not saying that these new "vulnerabilities" related to contactless/NFC cards are not a problem: the protocols should've been secure from the start. But they actually had something that prevented all these loopholes, and said "nah, let's go with NFC even though it doesn't speed up the payment process in the least." What a joke.

    16. Re:Well... no. by Chuck+Chunder · · Score: 2

      True, but how is that any different to the normal situation where the maximum amount is £20?

      Arguably it could make the attack more worthwhile. The effort and hit rate involved might not make it worthwhile at low ticket amount (might as well have a real job) but could be worthwhile as the money starts going up.

      Realistically though it sounds like the attacker needs a merchant account to benefit (and presumably enough legitimate volume to hide the fraudulent transactions in without raising suspicions). From the sounds of it the biggest problem would occur if you were actually overseas and you were using your card in cafes and the like. Then perhaps an unscrupulous vendor might be able to get close enough to charge your card without you noticing and you might not notice it as fraudulent when you got your statement.

      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
    17. Re:Well... no. by Applehu+Akbar · · Score: 3, Insightful

      That's why even if you have a Near Field Communications equipped card like Chase Freedom, you don't want to use it directly. Scan it once, into Apple Pay, and then use that implementation of the NFC standard to present the card to merchants without having them see your card. Apple's security is added to whatever security the credit card has, and your fingerprint is required to complete the transaction.

    18. Re:Well... no. by ne0n · · Score: 4, Funny

      The lucky sod with the 0.5 VISA card is probably immune to this scam.

      --
      $ :(){ :|:& };:
    19. Re:Well... no. by Anonymous Coward · · Score: 0

      I think it's between 30 and 90 days for funds to clear through your average merchant account (been a while since I looked).

    20. Re:Well... no. by eWarz · · Score: 1

It's not as easy as you think. When I set up my merchant account I had to have a credit report pulled. When the address I was using didn't match the one on my credit report, they made me send them a copy of a utility bill. All in all I had to give them: 2 different IDs, utility bill, lots of personal information. In addition, if there was a fraud alert on my credit report or anything suspicious at all, things would get a lot more complicated. That's here in the US though. I have no idea how things work elsewhere.

    21. Re:Well... no. by Anonymous Coward · · Score: 3, Informative

      heh, I explained the exact same thing to someone on Twitter.

      You would need either:
      a) A portable POS with a Merchant account or
      b) A portable skimmer and an accomplice in the same store from which to rip off that could make such a transaction.
      c) An accomplice working for the store from which to rip off to intentionally make such charges happen.

      It comes back to you're not buying a million dollars in hotdogs. At best a would-be thief could probably rip off some fast food, coffee and 7-11 type stores in broad daylight. The attack in the article would only rip off people using offline PoS, which is basically nobody except Taxi drivers and some food-cart type of kiosks.

The relay attack is more sophisticated and basically records and plays back both ends of the NFC transaction. One person picks up some stuff, and the accomplice gets in another line somewhere near the target (standing behind someone else in another checkout line); when the recording end senses an NFC card, the person with the playback end readies their "tap to pay" phone and starts the transaction, which is relayed to the recording phone, and relays all the data across. Then the thieves make their getaway, and the victim notices two charges from their grocery store on their bill and doesn't think too much of it, or disputes it, but would need the bank to produce the receipt to prove they didn't make the other purchase.

      Or a card owner could knowingly do this, to rip off the card company. People do this all the time with online payments. The risk however is the cashier recognizing you the next time, because I assure you that any business ripped off will blame it on the cashier not paying attention and thus "retrain" everyone to look for you and have you escorted off the premises.

      At the end of the day, the Apple Pay solution starts looking more attractive than ever.

    22. Re:Well... no. by Anonymous Coward · · Score: 0

      they're talking about smart cards where the balance/credit is stored on the card

    23. Re:Well... no. by Anonymous Coward · · Score: 1

      Sounds like if you can find a store that is currently offline (which is rare) you can rip off the store for goods purchased, and that's about it.

      It's useless for the thief to directly charge a card unless the thief also has a merchant account, which are not exactly trivial to sign up for, what with credit checks and all.

The way most credit card "thefts" work is that someone working at a store is involved, typically in areas where there are tourists.
The idea is that when the tourist pays with a card you get all the information you need to perform transactions. The tourist is currently out traveling in an unfamiliar country and will not be in touch with the world and his bank account the next couple of days.

      It seems like it would be pretty trivial for someone working at a store to disconnect it from the internet at will.

    24. Re:Well... no. by Anonymous Coward · · Score: 0

      What in god's name are those? Related to VISA cards I mean

    25. Re:Well... no. by AmiMoJo · · Score: 1

      anyone with an NFC phone can read your card info through your pocket

      Do you have any evidence of this? It seems impractical because the transaction takes about a second at best, so someone would have to shove up against you and hold their reader against your pocket for the full second to make it work. That is assuming you only have one NFC card in your wallet, otherwise interference as multiple cards try to respond will scupper the attack anyway.

      Tinfoil wallet time?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    26. Re:Well... no. by neokushan · · Score: 1

      Because you're not going to try scamming everyone out of a £million, but rather you're going to contactlessly skim everyone for a more realistic sum - say £250 (I think most, if not all, cards here have at least that limit and often much higher).

      In fact, you set up a coffee stand and charge £2 per cup. Instinctively people swipe their card, think they're paying £2 but is actually £200. It'll likely take days before anyone even notices and in that time you could have scammed tens of thousands.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    27. Re:Well... no. by sjames · · Score: 1

      The problem is that the merchant has no good way to prove ID and yet gets left holding the bag. It is possible to make the transactions safe and secure for both parties, but the credit card companies have no incentive to do so because they have managed to push all liabilities off on the merchant (ultimately reflected in higher prices to everyone to cover losses).

    28. Re:Well... no. by Cley+Faye · · Score: 1
Ah, I get it, you don't take the subway (or other crowded public transportation) too often...

Regarding the time needed for this, when I put my own card behind my phone, it really worked in roughly a single second. And it does work as fast through multiple layers of clothing as long as there's nothing metallic in the way. Now, in very crowded areas, people get pushed against each other. If it was enough in the past for a skilled pickpocket to steal your wallet without you noticing, clearly it's enough proximity to do a contactless swipe over your pocket.

Now, the question of multiple NFC cards is real, but you assume that people who have multiple contactless cards hold them all in the same place. Unfortunately, for it to mitigate this "attack", all the cards need to be on the same technology (for example, my transportation card doesn't talk NFC and doesn't seem to interfere with my phone's NFC reading capabilities). And some people find it more convenient to "spread" their contactless cards, so they can just push their wallet/handbag/whatever on the NFC reader instead of taking out the card itself. Again, convenience may very well be in the path of security.

So, all in all, yes, I have evidence that reading an NFC card through clothes can be done efficiently and go unnoticed. Also, since you mention tinfoil wallet time, for NFC it might be enough. I said it in another post, but a "simple" metallic card holder renders my cards invisible as far as my phone's NFC reader is concerned, so it might be a short term solution. But I also don't doubt that it's infallible, as boosting the signal from the receiver side might be enough to get through that. YMMV.

    29. Re:Well... no. by stiggle · · Score: 2

It's via the "contactless" chip system, which doesn't need to do online authentication. It's all done in the card for transactions under £20 (or hack foreign currencies). The card generates a transaction key which is passed to the bank when the shop communicates with the bank.

Using the foreign currency hack, you can ask the card for up to 999,999.99 in a foreign currency (not the default currency for the card). No one is going to use the hack to pull the full amount over; you'll use it for something like $50.00 or $49.99 so it looks less obvious on the statement. You scam cards in a tourist location where many vendors offer transactions in multiple currencies. I know a number of stores in Ireland offered me transactions in Euro, GBP or USD.

    30. Re:Well... no. by 2fuf · · Score: 1

      > Apple's security is added

      Hmmmm, that's not exactly a selling point I'm afraid.
      Scanning my Visa card into Apple's cloud just creates another possible point of security breach imho.

    31. Re:Well... no. by Anonymous Coward · · Score: 0

      You cannot rip off a merchant, because a merchant terminal will not do such a transaction. Legit terminals have a configured contactless transaction limit which prevents this.

      Hacked terminals can do this (as is said in the article), but then where is the merchant you are ripping off?

    32. Re:Well... no. by AmiMoJo · · Score: 1

      Contactless payment has been massive since the late 90s in Japan. Most people use Suica, Edy or some other contactless card or an e-wallet enabled smart phone to travel on public transport, for example.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    33. Re: Well... no. by Anonymous Coward · · Score: 0

I'll comment on your be. This is a drive-by attack, with a "foreign bank", with automatic distribution to third party banks that are emptied daily to other markets. If just one attack or drive-by is done daily, just cruise through a neighborhood with your tablet, set to ping every couple of seconds, voilà.
This was the third set of this type of credit card to be hacked. By this proof of concept, no more secure than unencrypted WiFi. But this is the proof the companies are walmarting security. And not retaining knowledge that is useful.

    34. Re:Well... no. by Dr_Barnowl · · Score: 1

      Screw that.

      Keep the card in a foil lined sleeve. You can get a pack of five for a few dollars, or get a fancy shielded wallet. I quite like the look of the ones made of woven stainless steel thread. I tested the el-cheapo ones that are just card and foil and they prevent card reads from all the readers I tested.

Then your physical removal of the card from its sleeve is required to complete any transaction, contactless or otherwise. No-one will have a reason to amputate your finger.

      If you scan things into Apple Pay it's not a copy of your card (unless someone seriously fucked up when they designed the crypto schemes for your payment card). You have to trust Apple, who are no doubt greatly enjoying the information about your payment history.

    35. Re:Well... no. by Dr_Barnowl · · Score: 1

      People are going to have to start accepting cryptographic signatures (maybe from keys signed by the government, like they have in Estonia).

      Most of my utility bills are now via email.

    36. Re:Well... no. by FireFury03 · · Score: 1

      It seems impractical because the transaction takes about a second at best

Not true - I can't find the link at the moment, but the London Underground has been working with card issuers for a few years to ensure the cards are quick enough to be used to pay for journeys during rush hour. ISTR they required transactions to complete in under about 300ms.

      so someone would have to shove up against you and hold their reader against your pocket for the full second to make it work.

      Not uncommon in a crowded place. The article suggested performing the attack at an airport since foreign currency transactions would not be unusual - if you've ever waited in line while going through airport security you'd realise that an attacker would have ample opportunity to stand right next to you for many seconds if not minutes.

      That is assuming you only have one NFC card in your wallet, otherwise interference as multiple cards try to respond will scupper the attack anyway.

      Untrue. The protocol allows the card reader to enumerate multiple cards at the same time, select which to talk to and to freely switch between them. Multiple cards are not an issue here.
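A simulation of the enumeration the comment above describes, added here as an example rather than code from the page or from any reader vendor. It models the bit-oriented anticollision loop of ISO/IEC 14443-3 Type A: the reader fixes a UID prefix, every card matching that prefix answers with the rest of its UID, and the first bit position where the answers disagree is a collision the reader resolves by choosing one bit value and asking again. The UIDs are made up, and cascade levels and the BCC check byte are left out.

```python
"""Simulation of ISO/IEC 14443-3 Type A bit-oriented anticollision.

The reader fixes a UID prefix and sends it; every card in the field whose
UID starts with that prefix replies with the remaining bits. Where two
replies differ the reader sees a collision at that bit position, appends
one chosen bit to the prefix and asks again, so each round resolves one
collision and each card is singled out in turn. Cascade levels and the
BCC check byte are omitted to keep the loop readable.
"""


def uid_to_bits(uid: bytes) -> str:
    """Serialise a UID the way the air interface sends it: each byte LSB first."""
    return "".join(f"{b:08b}"[::-1] for b in uid)


def bits_to_uid(bits: str) -> bytes:
    """Inverse of uid_to_bits."""
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, len(bits), 8))


def reader_round(prefix: str, active: list[str]) -> tuple[str, bool]:
    """One ANTICOLLISION exchange. Returns the bits all matching cards agreed
    on and whether a collision cut the reply short."""
    replies = [c[len(prefix):] for c in active if c.startswith(prefix)]
    if not replies:
        raise RuntimeError("no card answers this prefix")
    agreed = ""
    for i in range(len(replies[0])):
        column = {r[i] for r in replies}
        if len(column) > 1:
            return agreed, True       # overlapping replies disagree here
        agreed += column.pop()
    return agreed, False


def enumerate_cards(uids: list[bytes]) -> list[bytes]:
    """Resolve every UID in the field; one SELECT per card, after which that
    card is HALTed and drops out of the following rounds."""
    active = [uid_to_bits(u) for u in uids]
    selected = []
    while active:
        prefix = ""
        while True:
            agreed, collided = reader_round(prefix, active)
            prefix += agreed
            if not collided:
                break
            prefix += "1"   # arbitrary choice; the "0" branch is reached later
        active.remove(prefix)  # SELECT this UID, then HALT the card
        selected.append(bits_to_uid(prefix))
    return selected


if __name__ == "__main__":
    # Constructed sample field: two cards differing in one bit plus a third.
    field = [bytes.fromhex("04a15c3f"), bytes.fromhex("04a15c3e"), bytes.fromhex("88123456")]
    for uid in enumerate_cards(field):
        print(uid.hex())
```

With three cards in the field the loop needs three passes, each ending in a SELECT of one UID; a wallet holding several Type A cards therefore slows the reader down by a few exchanges rather than stopping it, which is the point the comment makes.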

    37. Re:Well... no. by Applehu+Akbar · · Score: 1

Unlike CurrentC, Apple Pay does not involve sending your card information to Apple. You set up cards whose issuing banks have joined the system. When you make a transaction, your phone synthesizes a one-time card number that is all the merchant sees.

    38. Re:Well... no. by 2fuf · · Score: 1

      But in facilitating this, two new points of access to your CC account have been created: the backend of Visa apparently allows Apple to connect and your phone becomes a second card next to the physical one. A hacker now sees more opportunities for access.

    39. Re:Well... no. by 2fuf · · Score: 1

Example: once you lose your phone, you've now immediately also lost your CC

      That's more risk instead of less

    40. Re:Well... no. by Grizzley9 · · Score: 1

      > Apple's security is added

      Hmmmm, that's not exactly a selling point I'm afraid. Scanning my Visa card into Apple's cloud just creates another possible point of security breach imho.

You obviously know nothing about how Apple's security with its pay system works. Your card info is never in Apple's cloud. Basically, without too many details, an encrypted blob is initially passed via them to your bank and another encrypted blob comes back from your bank with your token and device ID. Apple never sees it or could see it. That's the only time it's done, in the setup. After that all transactions are made via a one-time token via your phone to the reader along with your fingerprint, never going to Apple. It's not backed up to iCloud.

    41. Re:Well... no. by Anonymous Coward · · Score: 0

      Other than ripping off a merchant in some way (and that would require a coordinated effort on the part of someone with a portable card reader and someone else at the cash register)

      That's obviously never going to happen, criminals are not that smart and coordinated.

    42. Re:Well... no. by Capt.Albatross · · Score: 1

      If that's the only way to use a NFC card safely, then having NFC on a card seems to be a pointless additional security risk.

    43. Re:Well... no. by Capt.Albatross · · Score: 1

      1) Even assuming you are right, just because it 'only' sucks wouldn't lead me to think this issue can be disregarded. Dealing with credit card fraud while travelling, especially in a foreign country, is not something to shrug off.

      2) At least in the UK, credit card companies have used the alleged security of EMV to transfer some of the risk to the cardholder (see http://www.cl.cam.ac.uk/~sjm21... )

      3) I don't think transferring the cost to the merchant is an acceptable solution. As explained in other posts here, the merchant who accepts the stolen funds is rarely the perpetrator of the fraud.

    44. Re:Well... no. by Capt.Albatross · · Score: 1

      AmiMoJo makes a valid point (though not the most important one that could be made on the topic): the article's title is click bait.

    45. Re:Well... no. by tlhIngan · · Score: 1

      It's useless for the thief to directly charge a card unless the thief also has a merchant account, which are not exactly trivial to sign up for, what with credit checks and all.

      Merchant accounts are not only hard to get, but there's also a fundamental problem you missed - you need banking information. Just because you have a merchant account doesn't mean they cut you a cheque every month with the balance - no, they need bank information so they can transfer to your bank account, as well as handle recovery (chargebacks).

      If you're getting money, the paper trail is fairly extensive because well, the banks have to send it to you and that requires a lot more personal information that generally has to be verified before the money is sent.

      How long does it take, how important where you funds at the time. Needed to pay rent, buy medications, eat, awh shucks, you credit limit is exceeded no more credit for you and as a bonus they can screw with your credit history.

      Uh, obviously you've never used a credit card, and are assuming they work like debit. No, they don't. If you get a fraudulent charge, you call them up, and find it, and they immediately cancel it and restore your credit. (Basically if it isn't fraudulent, they'll charge you again).

      That's why credit cards are generally safer - you call them and everything's restored. You might be out a credit card for a few days as they reissue a new one to you, but no thief can hold your account hostage.

      And no, your credit history is not impacted if you're hit with fraudulent charges.

      Debit cards are governed by the fairness of your bank - many are offering the same protections as credit, but there's no legal requirement for them to do so. You have legal rights when you use a credit card, which include being able to report fraudulent usage, stolen cards (to which you're only liable for $50) and a host of other things.

Example: once you lose your phone, you've now immediately also lost your CC

      That's more risk instead of less

      If you lose your phone, you erase it. Doing so wipes the secure enclave and poof, goes all the tokens. Tokens represent credit cards, but cannot be linked to one (they're basically just 12-digit indices into a table at a bank - the last 4 digits is the same, but the first 12 are just an index the bank uses to look up the account).

      And no, tokens are per-device - even if you hack it to get the token, the instant you move it to another device it'll fail because you need to fake the device IDs and other per-device identifiers as well.

      Oh, and invalidating tokens is easy - you call your bank, and poof, the link between the token and your account is broken.

    46. Re:Well... no. by taustin · · Score: 1

      The way that most credit card thefts work is that someone working in the store gets the card number to be used somewhere else to buy stuff that's easily fenced.

      The chip cards prevent that (easily, anyway).

      The only thing that "someone in the store" can do with this is get an offline transaction that will be rejected when uploaded, and if it isn't, the store gets the money, not the minimum wage employee who did the dirty deed. And it doesn't take very many challenged transactions before the store loses their merchant account.

    47. Re:Well... no. by taustin · · Score: 1

      The bogus "transaction" is done offline. At that point, nothing has happened, no money has changed hands, and none will until it is uploaded.

      When it is uploaded, it becomes an online transaction and goes through all the usual security checks, including card limits, and the money gets deposited in the bank account attached to the merchant account.

      Contrary to what Hollywood might like you to believe, the cell phone used as an offline POS station cannot magically put money in to your bank account.

    48. Re: Well... no. by taustin · · Score: 1

"Cruise through a neighborhood"? Really? Dude, NFC has an effective range measured in millimeters, so to "cruise through the neighborhood scanning cards", you'd have to be cruising through people's living rooms.

And the transaction still has to be uploaded and processed by the merchant service. There is no magic money machine in your phone. Really.

    49. Re:Well... no. by taustin · · Score: 1

      Stranger things have happened, but it's still a very small scale operation, and a big improvement over stealing a hundred million card numbers at a time from Target.

    50. Re:Well... no. by Applehu+Akbar · · Score: 1

      Only if you lose your thumb at the same time. Otherwise the stolen phone cannot even be opened.

    51. Re:Well... no. by Anonymous Coward · · Score: 0

      remember to carry your tinfoil with you or one of the nfc blocker wallets to keep that card in. never carry it about. And foil the card when at home. I've read on some other sites, that the effective use range is 60 feet, about 20 meters without an amplifier. A good theft device is good for 600 feet, just cruise by the holder of the card, and wham, you got their life in your pocket.

    52. Re:Well... no. by Anonymous Coward · · Score: 0

Don't have the exact year, about 2000, NFC and cars, NFC hacking cars, NFC communication hacks, 2600 club, Seattle, one of the big conferences on NFC security and NFC cards, there was the one at Come and Go, NFC cracked, and that's just off the top of my mind, then in 2001 Come and Go eliminated the NFC card reader at the gas pumps, same with 7-11 and Phillips eliminating that type of card. Now we are back at square one again. NFC cards being introduced? Those items showed a lack of security at the POS. Same now, but easier to find readers, we had to make them then.

    53. Re:Well... no. by kon23uk · · Score: 1

      Where do dollars come into this (except, of course, as not being pounds sterling)? This kind of assumption that "they mean what I mean" looks like it's at the root of this problem.

      And don't get me started on apostrophes ;-)

      --
      He was a man who didn't know the meaning of the word "fear"; or the meaning of many other words longer than 3 letters
    54. Re:Well... no. by DrXym · · Score: 1

      It seems like it would be pretty trivial for someone working at a store to disconnect it from the internet at will.

      And it would be pretty trivial for the credit card company and police to notice thefts all occurring from this one shop and rain fire down on their asses.

    55. Re:Well... no. by Anonymous Coward · · Score: 0

      That depends whether he got the half with the chip in it.

    56. Re:Well... no. by Anonymous Coward · · Score: 1

      Even if the transaction is 999,999.00 euros, the point remains: in all likelihood that transaction would be over the limit of 99.999% of all credit cards out there.

      Also:

      "Since the transaction is done offline without going through a retailer’s point-of-sale system, no other security checks are done."

      How do they get at the money, however much it is, without passing it through the payment network at one point or another? It's not like there's only one check done when the card is tapped.

      When the BBC covered this story, the expert they interviewed said that of course the crooks wouldn't actually bill 999,999.00 euros. Even if it did get through the system and the owner's credit limit was high enough, it would be very easy for the recipient to spot on their bill and cancel. The figure quoted is a theoretical maximum, not what would actually happen. More likely is that the crooks would set it to a lower figure that would be authorised and look less out of place on the bill. Even stealing £100 at a time could net you a lot of money if all you have to do is hang around in a crowded place and let the money fall out of people's pockets and into yours as they walk past you.

    57. Re:Well... no. by Anonymous Coward · · Score: 0

      Up to. Meaning $0-$999,999.
      Script a repeated transaction preload for $5 on a device then go wait at a chokepoint to any high traffic area. Subway, airport, shopping center, sports stadium, ect...

      You could rake in quite a lot in a short timeframe doing that.

      In fact, the issue here is for values >£20. The cards already allow up to £20 to be transferred via contactless payment. The idea is to make low-value payments as easy on a card as with cash, and thus drive the remaining cash economy to plastic. There were already security concerns over this, with people being able to skim small amounts off people's cards.

      The story here is that someone has figured out a way to bypass this £20 limit, to basically charge any amount up to the six figures that the system can handle. The hack is simple -- just charge it in a foreign currency, and blam, no limit check. One has to assume that the card companies will figure out a fix for this fairly rapidly; it sounds like the kind of loophole that should be relatively easy to close.

      However, the fundamental insecurity of contactless payment remains -- put the £20 limit back, and you still have the same issue for values < £20, and yes, someone could still hang around a train station stealing £10 from everyone there. I for one will be avoiding contactless payment for as long as I can, at least until it's had sufficient public testing to iron out the quirks (like this one). This is one item of tech where I don't think I want to be a first adopter.

    58. Re:Well... no. by yacc143 · · Score: 1

      What does a niche payment system have to do with the flaw?

  2. This makes no sense. by Anonymous Coward · · Score: 0

    The card may say yes or no, but it's not a promise to the merchant, let alone a transfer of funds.

    1. Re:This makes no sense. by The+New+Guy+2.0 · · Score: 1

      Cards don't make decisions, they just carry bits/numbers that represent an account, and it's up to the bank whether to allow or send an error back. If the customer promises to pay, then it works. If the customer calls to say they didn't authorize it, then it comes off the statement.

    2. Re:This makes no sense. by kaur · · Score: 1

      It's been 10 years since I did anything in EMV, so my knowledge may be outdated, but cards DO make decisions. The terminal (merchant) and card both have a set of policies that they agree upon - which auth methods are acceptable, when to go online, what the limits are, etc. Of course, the issuer has the final say over transactions.

      Btw, in the context of card payments, never use the word "bank" as this is massively ambiguous.

  3. Good by Anonymous Coward · · Score: 0

    Fuck these companies pushing contactless, NFC, whatever they want to call it. The risks are just too high. What is soooo hard about swiping a card that we can't do that anymore?

    1. Re:Good by TWX · · Score: 3, Interesting

      The problem is that no one wants to do a touch technique that also integrates a chip-and-pin setup. They want either mag-stripe (i.e., US-style) or radio chip and pin (Europe, probably elsewhere).

      If it's any consolation I'm a little bummed about the use of RFID in so many things that really should be secure, like passports. Fortunately I got mine issued in those last couple of months before they went RFID, but my wife's renewal is RFID-equipped so we had to get a faraday cage sleeve for it. Mine will expire soon enough that I'll probably also have to get a faraday cage sleeve soon.

      I'd love to get one of those stainless-steel woven wallets, but I expect they're a pain in the ass to travel with, as they'll probably be searched every time they go through the X-ray machine.

      --
      Do not look into laser with remaining eye.
    2. Re: Good by Anonymous Coward · · Score: 4, Informative

      Woven steel passport wallet here - dump it on the x-ray belt regularly in jacket and all sorts. Been asked to walk thru with passport/boarding pass on the odd occasion, but just slip them out of the metal sleeve for that. The wallet itself has never been a burden.

    3. Re:Good by jrumney · · Score: 2

      Fortunately I got mine issued in those last couple of months before they went RFID, but my wife's renewal is RFID-equipped so we had to get a faraday cage sleeve for it. Mine will expire soon enough that I'll probably also have to get a faraday cage sleeve soon.

      You do realise that the information on the RFID chip in your passport is the same information that is in the passport, encrypted, and to decrypt it, you need the passport number and name, so you're going to need to have seen the inside of the passport already?

    4. Re:Good by mjwx · · Score: 1

      If it's any consolation I'm a little bummed about the use of RFID in so many things that really should be secure

      To be 100% fair, the RFID is easy to disable, you just have to cut the induction loop.

      However the biggest issue with RFID cards is the fact they send your card number, name and expiry date out in an easily decrypted format... So you can now use RFID to harvest CC numbers and rip them off the old fashioned way (in Russia so even if you're identified you can never be caught).

      They really should have used a unique identifier for wireless transactions that isn't able to be reverse engineered into your card details... but doing this is hard and just sending your card details in almost plain text is easy.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    5. Re:Good by PayPaI · · Score: 1

      Decrypting the contents may not be necessary for nefarious uses.
      A more reasonable issue may be people targeting US passports for thefts.

    6. Re:Good by Cley+Faye · · Score: 2

      To be 100% fair, the RFID is easy to disable, you just have to cut the induction loop.

      To be even more fair, the data on a passport are somewhat encrypted, so it's not as easy as reading a card number ;)

      However the biggest issue with RFID cards is the fact they send your card number, name and expiry date out in an easily decrypted format... So you can now use RFID to harvest CC numbers and rip them off the old fashioned way (in Russia so even if you're identified you can never be caught).

      That is the thing I find the most infuriating with these contactless payment systems. We *have* the technology to produce contactless smartcards, and yet their new big thing is just sending all data in plaintext to whatever reader is available. When my mother got her new credit card, I put it on the back of my phone, and on screen popped all the information needed to use the card on any website not using stuff like 3DSecure (and there are still a fair number of them).

      Feels like banks actually want to help pickpockets: now when they bump into you, they won't need to get your wallet.

    7. Re:Good by plover · · Score: 2

      Assuming you're an American, your passport's cover is built with a mesh that is already RF dampening. It can't be read unless it's open. Even a fairly narrow crack can permit reading, so carry it someplace that will keep it closed.

      The good thing about RFID readers is that the readers are very reliable. They don't have fragile electrical contacts that can get corroded, mechanically damaged, or electronically damaged by static electricity. They don't require a scanner that can get dirty and fail to read. They don't require a mag stripe head that can pick up embedded abrasives, causing it to scratch following stripes. They don't have any moving parts that might break. The reason you might care about that: lower maintenance costs us taxpayers less, and means fewer "out-of-order" lines at the border.

      --
      John
    8. Re:Good by jrumney · · Score: 1

      Sure, this is why the sale of old fashioned alarm clocks should be banned too. [For those who can't be bothered following the link: short version is OMG, terrists!, longer version is that someone thinks that RFID passports could be used to trigger a bomb.]

    9. Re:Good by mjwx · · Score: 0

      To be even more fair, the data on a passport are somewhat encrypted, so it's not as easy as reading a card number ;)

      The data on credit cards is encrypted too, but the encryption was so poor it was broken years ago and new cards are still being issued with the same encryption.

      The encryption is so weak it may as well be in plain text.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    10. Re: Good by BeaverCleaver · · Score: 1

      I had a woven stainless steel wallet (for money) and be warned, their abrasive edges wear through your pockets really quickly.

      There are Faraday cage wallets that are leather on the outside (presumably they have metal foil inside?) that will be kinder to your clothes.

      I've traveled a lot with both kinds and never had any hassles.

    11. Re:Good by TheCastro1689 · · Score: 1

      Smash the chip with a hammer, problem solved.

    12. Re:Good by zlogic · · Score: 1

      RFID in passports requires you to enter some passport fields (like last name, date of birth, passport number, etc.) in order to be unlocked. In order to "steal" RFID data, you need to open it and read data from the photo page.

  4. That's 1M-0.01 in ANY currency by Webmoth · · Score: 2

    At least the way I read the article, the flaw allows a charge of 999,999.99 in ANY unit of currency, not specifically US dollars, or UK pounds, or Euros, or Dinars, or Rubles, or whatever.

    --
    Give me my freedom, and I'll take care of my own security, thank you.
    1. Re:That's 1M-0.01 in ANY currency by MichaelSmith · · Score: 2

      I thought maybe the reader can tell the card "give me 10^6 Zimbabwe dollars", and then tell the back end the card has agreed to 10^6 UK pounds.

    2. Re:That's 1M-0.01 in ANY currency by Qzukk · · Score: 1

      Without reading TFA, "fails to recognize transactions made in non-UK foreign currencies" sounds more like "ANY unit of currency except Pounds Sterling, which was used in development and testing".

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    3. Re:That's 1M-0.01 in ANY currency by Anonymous Coward · · Score: 0

      1 million bitcoins... GG

  5. Needs to be real money by linear+a · · Score: 1

    I'll be interested once they get the stealable amount up to something more than chump change.

    1. Re:Needs to be real money by Cley+Faye · · Score: 1

      Don't have to. Bump into a person every few minutes in a crowded subway area, and get $20 out of any of them that happen to have a card close enough to the "bump". If you do this every two minutes, and only 1 out of 5 people gets you a result, a 7-hour day of work will yield 42 card details, or $840 of "chump change".

      Now, think about this: this contactless payment system is not going away soon (I'm not even talking about the "vulnerabilities" exposed there). If you manage to get a channel for all these card numbers, it seems like you're running a very profitable business. The only fixes are changing the contactless cards to something with actual security (not gonna happen soon), or putting them in some metal wallet to avoid unwanted readings (and people won't care for such small quantities of money).

      I didn't RTFA (because this is slashdot after all) but if the topic is really about a way to bypass the small limit on contactless operations, even by a small amount, it can get huge very fast.

    2. Re:Needs to be real money by stiggle · · Score: 1

      Don't even need to bump into people - a scanning terminal with a range of a few feet, and you just stand in a crowd with it in your backpack.
      Do this at, say, a theme park or a major tourist destination with a high turnover of passing people (e.g. Tower Hill tube station in London, Champ de Mars metro station in Paris), through a narrow choke point where your scanner can pick up everyone passing, and you can yield a much higher number of cards.

  6. Only hackers by Anonymous Coward · · Score: 0

    Normal criminals, not so much. Gotta be superhooman, see. Only special people! People with hats!

  7. Wouldn't the target phone need to be turned on by Ichijo · · Score: 0

    ...and unlocked for this to work?

    --
    Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    1. Re:Wouldn't the target phone need to be turned on by ds_job · · Score: 1

      Robber is the one with the phone. Victim is the one with the card.

    2. Re:Wouldn't the target phone need to be turned on by Chocolate+Teapot · · Score: 4, Informative

      No. You didn't read TFA. The target is a contactless credit/debit card carried in the victim's wallet. The phone is used by the thief, who installs basic point-of-sale software on it and then bumps it against a wallet in an attempt to relieve the victim of funds. The card is a passive device which is never 'turned off'.

      --
      Modest doubt is called the beacon of the wise. - William Shakespeare
    3. Re:Wouldn't the target phone need to be turned on by Anonymous Coward · · Score: 0

      The card is a passive device which is never 'turned off'.

      Unless you store your card in a tinfoil sleeve.

    4. Re:Wouldn't the target phone need to be turned on by 140Mandak262Jamuna · · Score: 1

      Which the Sky Mall has been selling for ages and ages ... http://www.skymall.com/rfid-blocking-bill-fold---silver/SWD101.html#start=6

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    5. Re:Wouldn't the target phone need to be turned on by Anonymous Coward · · Score: 0

      Haha. I was thinking of a less expensive approach (literally a piece of tinfoil wrapped around the card), but that wallet is almost obnoxious enough to replace my duct-tape wallet. :-D

  8. Dr Evil Says: by Irate+Engineer · · Score: 1

    (puts pinkie to corner of mouth)... "999,999 Zimbabwean Dollars!" (cronies laugh uproariously in background)

    --

    Left MS Windows for Linux Mint and never looked back!

    Vote for Bernie in 2016!

    1. Re:Dr Evil Says: by antdude · · Score: 1

      Nah, Iranian rial (IRR). ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  9. Just ask your bank to send you by twokay · · Score: 2

    a card without the NFC chip, then any transaction needs to be verified by PIN and physically placed into the POS card reader. The idea that these NFC cards are faster somehow is a fallacy. You still have to take the individual card out of your wallet, as inevitably you will end up with more than one card with NFC capabilities. Either the wrong card will be billed or the transaction will fail. At this point you might as well stick it in the reader and put in the PIN anyway.

    I got used to bumping my wallet when making underground or bus journeys using an Oyster card. Just pulling out a wallet when passing through an underground station gate or getting on a bus is much more convenient than paying for my lunch 10 seconds quicker.

    --
    Wannabe nerd.
    1. Re:Just ask your bank to send you by Nethemas+the+Great · · Score: 1

      PINs can be read from the POS keypad with rather low tech, minimal effort, particularly the ones using metallic keys.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    2. Re:Just ask your bank to send you by green1 · · Score: 2

      Depends on your bank. I have credit cards with 2 different banks. At first both of them flat out refused to send me cards without NFC, and as the NFC chip is integrated into the chip-and-pin setup you can't simply destroy the chip as many Americans can (swipe isn't the usual way of paying around here).

      More recently though one of the banks has wisened up and has sent me a non-NFC card, the other one is still NFC enabled.

      That said, I have modified my NFC card to significantly reduce its effectiveness: I scored the edge of the card near the chip deeply enough to break the antenna wire that runs around the periphery of the card. I know I can't make it detect on any NFC pad anymore, so hopefully that makes it relatively secure.

      As for people suggesting Faraday cage wallets and such, I'm unconvinced. A proper Faraday cage has to have no gaps, and most of these are not that tightly constructed. I would not be at all surprised if many of them provide only a feeling of security rather than actual security.

    3. Re:Just ask your bank to send you by l0n3s0m3phr34k · · Score: 1

      "The idea that these NFC cards are faster somehow is a fallacy" this PROVES that it's faster! Faster at allowing thieves to rob you that is. Imagine, stress-less muggings...

    4. Re:Just ask your bank to send you by Cley+Faye · · Score: 1

      As for people suggesting Faraday cage wallets and such, I'm unconvinced. A proper Faraday cage has to have no gaps, and most of these are not that tightly constructed. I would not be at all surprised if many of them provide only a feeling of security rather than actual security.

      Don't know about "faraday cage" wallets, but I carry most of my cards in a simple metallic case that closes loosely (it's not airtight or anything). It is enough for my phone to not pick up the card inside when I put them together, so I suppose it would be a severe hindrance to people trying to read an NFC card with a quick bump.

      Still, some tweaked hardware to boost the signal on the receiver side might get through. Hmm I need to run some more tests...

    5. Re:Just ask your bank to send you by Minupla · · Score: 2

      proper Faraday cage has to have no gaps,

      Actually not quite accurate - a faraday cage that blocks at all wavelengths would need to have a very small mesh. Rule of thumb is you want your mesh to be less than 1/4(c/freq) m.

      Since freq in the case of NFC is 13.56 MHz, that yields 22/4 = 5.5 meters (excuse the rounding, you get the point), so anything you can wrap around your wallet is going to do the trick.

      Google NFC blocking wallets for some selections.

      Source: I attend hacker conferences. All my credit cards are NFC enabled. I don't want to have conversations with my CC company that start with "I was at Defcon when..." - those don't end well!

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    6. Re:Just ask your bank to send you by manu0601 · · Score: 1

      PINs can be read from the POS keypad

      That lets you use the card, but not clone it: you still need to have the chip which contains the secret key the PIN unlocks.

    7. Re:Just ask your bank to send you by Anonymous Coward · · Score: 0

      No. You make the POS fail to read the chip. Then it falls back to swiping. And you can clone that and put a bad chip on a card. The PIN will be the same.

  10. Tin Foil... by WonkoS · · Score: 1

    Where's my Tin Foil wallet when I need it!

    1. Re:Tin Foil... by danomac · · Score: 2

      Right here. My new driver's license came with one.

    2. Re:Tin Foil... by El_Oscuro · · Score: 1

      Right here.

      --
      "Be grateful for what you have. You may never know when you may lose it."
    3. Re:Tin Foil... by Applehu+Akbar · · Score: 1

      I actually have one of these, from REI.

  11. FUD Detected by The+New+Guy+2.0 · · Score: 2

    I'm not sure why this is news... if you swipe the mag stripe at an untrustworthy place, they can charge up to $999,999.99 too.... the system limit for a Visa/Mastercard transaction. What they're saying is if an RFID chip gets too close to a scamming receiver, they create a charge. Thing is, if a charge that big hits your account, your cell phone can scream "BIG TRANSACTION DETECTED!" and then you can have the charge reversed. Remember, we live in the era of "$0 liability"... as long as you can tell them it's wrong fast enough, you don't pay.

    1. Re:FUD Detected by Reason58 · · Score: 1

      As someone who has personally dealt with this issue, let me provide some insight. Every time you say "this isn't me!" they will cancel your card and issue you a new one. Now you have to wait a week or so for your new card, update every place where you use that number, hope they don't charge during that time, activate the new card, etc. It's a hassle. Now imagine a future where these scammers are all over the place.

  12. Re:Base64 by Applehu+Akbar · · Score: 1

    So this is what happens when you use an NFC card while there's a sunspot aimed at us.

  13. Easy to find by Roger+W+Moore · · Score: 2

    You do realize that this is easy to find.

  14. 2-factor authentication by JerryLove · · Score: 1

    Even without this flaw, you could still steal up to a certain amount. The flaw just lets you bypass the limit (20 pounds in the UK).

    This is an argument against allowing transactions without PINs. Yes, it's convenient to wave your card at something and not have to put in a PIN; but it's also dangerous.

    Better: I like the active "I won't share my information unless a code is manually entered on me" method of some speculative card systems and of a (configured to require a pin) google wallet.

  15. Damn by Trax3001BBS · · Score: 1

    I'm a millionaire, Mom I did it!

  16. Cell phones are going to screw you by Trax3001BBS · · Score: 1

    "you can bump your mobile against someone's pocket "

    This is a feature I won't enable on my Samsung S5 (piss poor phone), it just doesn't sound secure.

    Even Bluetooth has the same flaw it had when it first came out. The trick was pulled on me recently, so I know it's an apparent feature. They even added a contact to my phone via Bluetooth.

    One can sit in a mall and collect others' contacts (for one) just by having Bluetooth on and passing a "collector". I've disabled Bluetooth again.
    Just like the first days of BlueTooth.

    1. Re:Cell phones are going to screw you by Neil+Boekend · · Score: 1

      Nope. You can turn off BT. You can't turn off the NFC. You can only block it with an RFID blocking wallet, tin foil or something like it.

      Disabling it on your phone changes nothing in the communication between your card and the thief's phone.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    2. Re:Cell phones are going to screw you by jabuzz · · Score: 1

      I appear to be able to turn it off on my Z1 Compact. However you are correct that it will make no difference to having stuff stolen from a card in your wallet.

  17. slashvertisement by Anonymous Coward · · Score: 0

    And it just so happens that thinkGeek (TM) which is owned by the same company as /., happens to sell RFID wallets.

  18. simple solution!! by Pax681 · · Score: 1

    why not use one of these cheap and simple solutions?????

  19. L2 brain by Anonymous Coward · · Score: 0

    The *card* will approve $999,999, which is fucking meaningless, since the CC company servers won't. 'Hey', I can trick this card into telling me completely meaningless shit that doesn't benefit me in any way!

  20. Affects only contactless cards by kaur · · Score: 1

    From the article:
    > "EMV cards don’t have to make contact with a reader to be used."

    This is misleading. SOME EMV cards are contactless, but most normal (European) cards require a contact terminal and cannot be read / billed remotely.

    The author somehow blames the vulnerability on EMV itself. EMV is a complex beast and there are many ways to get it wrong, but this here is something different.

    1. Re:Affects only contactless cards by Anonymous Coward · · Score: 0

      Mod parent up. It's a useless article that left me somewhat unclear what the actual flaw being exploited is, but was full of inaccuracies. Similarly, commenters above were confusing the contactless transaction limit with the card transaction limit. So far as I understand it, they trick the card into authorising a transaction it wouldn't otherwise authorise. However, when the transaction goes through, the bank's computer systems will see "contactless" and "£x where x>limit" and hopefully block it. It's not really a security flaw with the cards, beyond the inherent risks of contactless. And that's a decision the card user can make themselves - if they don't like it, all it takes is one phone call to their bank to have a non-contactless card sent.

  21. Flaw by design (laziness and stupidity) by Anonymous Coward · · Score: 0

    Who was the bright and clever designer (or boss) at Visa that came up with the idea to give their card holders a contactless card that can authorize a transaction without any approval or human input (can you hear the warning bells ringing?)

    Regardless of whether there's an upper limit or not, the idea is bad, pure and simple, since anybody with that type of card can be robbed by a rogue card reader as described; the bad guys won't have any trouble passing the offline transactions off to some fraudulent "store" on the other side of the planet and start cashing in.
    Then you've got your common pick-pocket thief that suddenly can get their hands on a much bigger bounty. Anybody had their wallet stolen lately? Guess what would happen with your Visa card that contains infinite £20 (approx. $30) transactions that can be pulled from it at a transaction/second using a simple NFC smartphone... your account would be drained in no time.

    The only gain for the cardholder here is earning the few seconds that it takes to punch in the PIN (laziness), but the loss is much higher. There's a bigger gain for the venues having small transactions (buses, subways) who could make use of the higher throughput. Not hard to figure out why this idea came to mind and who's been lobbying for it; the credit card industry has never put its end-users' needs first.

  22. Authorisation is only half the process.... by mysqlbytes · · Score: 2, Informative

    The poster obviously doesn't understand how credit cards work. Sure, we can do an offline transaction for whatever value we want, provided the merchant doesn't fall into any of the various restricted merchant category codes, like gambling companies and so forth. Even then, you've got an offline authorisation for almost a million dollars... you think you've stolen a million dollars? Nope! Firstly the point of sale system must upload a file containing the authorisations it's performed. The bank takes this, and generally at night, through a process called settlement, moves the appropriate funds around. A lot of the settlement processes are still performed with A LOT of human supervision. For one company I used to work at, which processed billions in credit card payments every year, there were 3 hardy engineers ensuring the process went off without a hitch. Catching large or fraudulent transactions happens at this stage too. Most cards have an upper transaction value also, so when submitting a file containing a value over this, the entire batch would be rejected, and an engineer would have to regenerate a new file, minus the transactions, and submit. The file submitter would get an automated report of what transactions failed to settle correctly, and from there they could investigate fraud...
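The two halves of the thread that matter technically are the card-side currency gap described in comment 57 (the no-PIN ceiling is only compared for the domestic currency, so another currency code skips it) and the issuer-side settlement screening mysqlbytes describes above. The following is an added, constructed model of both, not Visa's, the researchers' or any payment network's code; it does not reproduce EMV data elements, and the limit values, ISO 4217 codes, velocity thresholds and batch format are assumptions chosen to match the figures quoted in the thread.

```python
"""Constructed model of the contactless limit check and issuer settlement screening.

Added illustration only (not Visa's or the researchers' code). All names, limits and
the batch format are assumptions; ISO 4217 numeric codes 826 (GBP) and 978 (EUR) are real.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

GBP = "826"                                  # card's domestic currency (assumption)
CONTACTLESS_NO_PIN_LIMIT = Decimal("20.00")  # the £20 no-PIN ceiling quoted in the thread
FIELD_MAX = Decimal("999999.99")             # widest value the amount field can carry

OFFLINE_APPROVE = "approve_offline"
GO_ONLINE = "go_online"   # require issuer contact / cardholder verification first
DECLINE = "decline"


@dataclass(frozen=True)
class Tx:
    card_ref: str      # constructed token standing in for the card
    merchant: str
    amount: Decimal
    currency: str      # ISO 4217 numeric code
    contactless: bool
    ts: int            # seconds since batch start, constructed


def card_risk_check_flawed(tx: Tx) -> str:
    """Models the defect the article describes: the ceiling is only compared when the
    currency is the domestic one, so any other currency code is approved offline."""
    if tx.amount > FIELD_MAX:
        return DECLINE
    if tx.contactless and tx.currency == GBP and tx.amount > CONTACTLESS_NO_PIN_LIMIT:
        return GO_ONLINE
    return OFFLINE_APPROVE


def card_risk_check_fixed(tx: Tx) -> str:
    """Fail closed: a currency the card holds no limit for never gets the offline path."""
    if tx.amount > FIELD_MAX:
        return DECLINE
    if not tx.contactless:
        return GO_ONLINE
    if tx.currency != GBP:
        return GO_ONLINE      # no domestic limit applies, so no unverified approval
    if tx.amount > CONTACTLESS_NO_PIN_LIMIT:
        return GO_ONLINE
    return OFFLINE_APPROVE


def screen_settlement_batch(batch: List[Tx], window_s: int = 600, max_taps: int = 3
                            ) -> Tuple[List[Tx], List[Tuple[Tx, str]]]:
    """Issuer-side screening of a merchant's uploaded offline approvals (the settlement
    stage). Returns (settle, flagged); each flagged entry carries a reason. The velocity
    rule catches the repeated small-tap pattern discussed in the thread. Thresholds are
    assumptions."""
    settle: List[Tx] = []
    flagged: List[Tuple[Tx, str]] = []
    recent_taps = defaultdict(list)   # (card, merchant) -> timestamps of contactless taps
    for tx in sorted(batch, key=lambda t: t.ts):
        reason: Optional[str] = None
        if tx.contactless and tx.currency != GBP:
            reason = "contactless offline approval in non-domestic currency"
        elif tx.contactless and tx.amount > CONTACTLESS_NO_PIN_LIMIT:
            reason = "contactless amount above no-PIN limit"
        elif tx.contactless:
            key = (tx.card_ref, tx.merchant)
            taps = [t for t in recent_taps[key] if tx.ts - t < window_s] + [tx.ts]
            recent_taps[key] = taps
            if len(taps) > max_taps:
                reason = "repeated small contactless taps on one card at one merchant"
        if reason is None:
            settle.append(tx)
        else:
            flagged.append((tx, reason))
    return settle, flagged


# Constructed settlement batch from one merchant terminal.
SAMPLE_BATCH = [
    Tx("card-A", "shop-1", Decimal("4.50"), GBP, True, 100),
    Tx("card-B", "shop-1", Decimal("999999.99"), "978", True, 160),  # EUR: the flaw
    Tx("card-C", "shop-1", Decimal("35.00"), GBP, True, 200),         # above the £20 ceiling
    Tx("card-D", "shop-1", Decimal("5.00"), GBP, True, 300),
    Tx("card-D", "shop-1", Decimal("5.00"), GBP, True, 420),
    Tx("card-D", "shop-1", Decimal("5.00"), GBP, True, 540),
    Tx("card-D", "shop-1", Decimal("5.00"), GBP, True, 660),          # 4th tap in 10 min
]

if __name__ == "__main__":
    for tx in SAMPLE_BATCH:
        print(tx.card_ref, tx.amount, tx.currency,
              "flawed:", card_risk_check_flawed(tx), "fixed:", card_risk_check_fixed(tx))
    ok, bad = screen_settlement_batch(SAMPLE_BATCH)
    print(len(ok), "to settle;", [(t.card_ref, r) for t, r in bad])
```

The flawed check approves the EUR entry offline while the fixed one forces it online; either way the settlement screen flags it, the over-limit GBP entry, and the fourth tap on card-D.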

  23. Situations like this make me laugh by Anonymous Coward · · Score: 0

    laugh about POS meaning both Point-of-Sale and Piece-of-Shit....

  24. Only non-UK foreign currencies? by Optali · · Score: 1

    And what about UK foreign currencies?

    --
    -- 29A the number of the Beast