Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card
New submitter biomass writes with news about a flaw in Visa's contactless card that lets anyone charge $999,999 to it. According to researchers at Newcastle University in the UK, the card system developed by VISA for use in the United Kingdom fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99. "With just a mobile phone we created a POS terminal that could read a card through a wallet," Martin Emms, lead researcher of the project that uncovered the flaw, noted in a statement about the findings. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction."
fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99
Motherfucker, you can't read a fucking sentence into the SUMMARY!?
At least the way I read the article, the flaw allows a charge of 999,999.99 in ANY unit of currency, not specifically US dollars, or UK pounds, or Euros, or Dinars, or Rubles, or whatever.
Give me my freedom, and I'll take care of my own security, thank you.
Up to. Meaning $0-$999,999.
Script a repeated transaction preload for $5 on a device then go wait at a chokepoint to any high traffic area. Subway, airport, shopping center, sports stadium, etc...
You could rake in quite a lot in a short timeframe doing that.
I don't suffer from insanity, I enjoy every minute of it!
The problem is that no one wants to do a touch technique that also integrates a chip-and-pin setup. They want either mag-stripe (i.e., US-style) or radio chip and pin (Europe, probably elsewhere).
If it's any consolation I'm a little bummed about the use of RFID in so many things that really should be secure, like passports. Fortunately I got mine issued in those last couple of months before they went RFID, but my wife's renewal is RFID-equipped so we had to get a Faraday cage sleeve for it. Mine will expire soon enough that I'll probably also have to get a Faraday cage sleeve soon.
I'd love to get one of those stainless-steel woven wallets, but I expect they're a pain in the ass to travel with, as they'll probably be searched every time they go through the X-ray machine.
Do not look into laser with remaining eye.
Yes, and Visa will totally let the 'merchant' keep their gains too, oh wait, wasn't Visa reversible? It sucks and is embarrassing, but is there any material harm done here (besides having the hassle of disputing charges) for the consumer?
Bye!
Even if the transaction is 999,999.00 euros, the point remains: in all likelihood that transaction would be over the limit of 99.999% of all credit cards out there.
Also:
"Since the transaction is done offline without going through a retailer’s point-of-sale system, no other security checks are done."
How do they get at the money, however much it is, without passing it through the payment network at one point or another? It's not like there's only one check done when the card is tapped.
True, but how is that any different to the normal situation where the maximum amount is £20? If that were a realistic attack people would be doing it already, but there is no evidence that they are. Moreover, the cards have been in use for over a decade in Japan, and such an attack has never happened.
The whole point of TFA is that they can get $1,000,000 in a single hit, but in reality they can't. So maybe, at worst, they can up the game a bit by doing a few hundred bucks instead of the previous £20 limit, except that no-one has ever demonstrated a practical secret-transaction attack anyway.
To top it all off the source is the Daily Fail, so it's guaranteed that the story is just fear-mongering bullshit. Wouldn't surprise me if they somehow managed to claim immigrant criminals were behind it all.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
a card without the NFC chip, then any transaction needs to be verified by PIN and physically placed into the POS card reader. The idea that these NFC cards are faster somehow is a fallacy. You still have to take the individual card out of your wallet, as inevitably you will end up with more than one card with NFC capabilities. Either the wrong card will be billed or the transaction will fail. At this point you might as well stick it in the reader and put in the PIN anyway.
I got used to bumping my wallet when making underground or bus journeys using an Oyster card. Just pulling out a wallet when passing through an underground station gate or getting on a bus is much more convenient than paying for my lunch 10 seconds quicker.
Wannabe nerd.
Woven steel passport wallet here - dump it on the x-ray belt regularly in jacket and all sorts. Been asked to walk thru with passport/boarding pass on the odd occasion but just slip them out of the metal sleeve for that. Wallet itself has never been a burden.
No. You didn't read TFA. The target is a contactless credit/debit card carried in the victim's wallet. The phone is used by the thief, who installs basic point-of-sale software on it and then bumps it against a wallet in an attempt to relieve the victim of funds. The card is a passive device which is never 'turned off'.
Modest doubt is called the beacon of the wise. - William Shakespeare
A good majority of small transactions are never caught or challenged. Credit card thieves figured this out a long time ago when card skimmers and the internet came about. People don't really pay attention like they should.
There are 90.5 credit cards in the UK, with Visa owning about 49.6 percent market share.
Given your 99.999% figure, that means there are 288 (or fewer) cards out there that are authorized for over $1000000.
There are 104 billionaires in the UK, and 10,000 multi-millionaires. It seems, then, that 288 is actually a pretty reasonable number. Nice job.
Sounds like if you can find a store that is currently offline (which is rare) you can rip off the store for goods purchased, and that's about it.
It's useless for the thief to directly charge a card unless the thief also has a merchant account, which are not exactly trivial to sign up for, what with credit checks and all.
And these people obviously have no clue how offline transactions actually work. They're held in the POS station until they get uploaded, where they get all the normal verifications before they are processed and the money deposited in the merchant's account.
Other than ripping off a merchant in some way (and that would require a coordinated effort on the part of someone with a portable card reader and someone else at the cash register), there is no risk here whatsoever. Nothing but FUD, deliberately fostering hysteria to sell advertising. In other words, in the world of "journalism", it's a day that ends in "y".
I'm not sure why this is news... if you swipe the mag stripe at an untrustworthy place, they can charge up to $999,999.99 too.... the system limit for a Visa/Mastercard transaction. What they're saying is if an RFID chip gets too close to a scamming receiver, they create a charge. Thing is, if a charge that big hits your account, your cell phone can scream "BIG TRANSACTION DETECTED!" and then you can have the charge reversed. Remember, we live in the era of "$0 liability"... as long as you can tell them it's wrong fast enough, you don't pay.
You do realise that the information on the RFID chip in your passport is the same information that is in the passport, encrypted, and to decrypt it, you need the passport number and name, so you're going to need to have seen the inside of the passport already?
Right here. My new driver's license came with one.
Yeah... or, just putting the damn card in the card reader.
Not sure about the state of payment cards in the US, but in France (and likely most of Europe) we've had smart cards that actually communicate with the payment terminal. While not that secure at times, you needed an actual/intended physical interaction between the card reader and the card.
Fast forward to nowadays, we've introduced contactless cards, so anyone with an NFC phone can read your card info through your pocket. Like reading the magnetic track. Except there's no physical interaction needed. All of this for what? So it could be easier. Why didn't they *simply* use *existing technology* and implement a protocol that allowed fast payment (without entering a PIN code) through traditional readers instead?
I'm not saying that these new "vulnerabilities" related to contactless/NFC cards are not a problem: the protocols should've been secure from the start. But they actually had something that prevented all these loopholes, and said "nah, let's go with NFC even though it doesn't speed up the payment process in the least." What a joke.
Arguably it could make the attack more worthwhile. The effort and hit rate involved might not make it worthwhile at low ticket amount (might as well have a real job) but could be worthwhile as the money starts going up.
Realistically though it sounds like the attacker needs a merchant account to benefit (and presumably enough legitimate volume to hide the fraudulent transactions in without raising suspicions). From the sounds of it the biggest problem would occur if you were actually overseas and you were using your card in cafes and the like. Then perhaps an unscrupulous vendor might be able to get close enough to charge your card without you noticing and you might not notice it as fraudulent when you got your statement.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
To be 100% fair, the RFID is easy to disable, you just have to cut the induction loop.
To be even more fair, the data on a passport are somewhat encrypted, so it's not as easy as reading a card number ;)
However the biggest issue with RFID cards is the fact they send your card number, name and expiry date out in an easily decrypted format... So you can now use RFID to harvest CC numbers and rip them off the old fashioned way (in Russia so even if you're identified you can never be caught).
That is the thing I find the most infuriating with these contactless payment systems. We *have* the technology to produce contactless smartcards, and yet their new big thing is just sending all data in plaintext to whatever reader is available. When my mother got her new credit card, I put it on the back of my phone, and on screen popped all the information needed to use the card on any website not using stuff like 3DSecure (and there are still a fair number of them).
Feels like banks actually want to help pickpockets: now when they bump into you, they won't need to get your wallet.
Assuming you're an American, your passport's cover is built with a mesh that is already RF dampening. It can't be read unless it's open. Even a fairly narrow crack can permit reading, so carry it someplace that will keep it closed.
The good thing about RFID readers is that the readers are very reliable. They don't have fragile electrical contacts that can get corroded, mechanically damaged, or electronically damaged by static electricity. They don't require a scanner that can get dirty and fail to read. They don't require a mag stripe head that can pick up embedded abrasives causing it to scratch following stripes. They don't have any moving parts that might break. The reason you might care about that: lower maintenance costs us taxpayers less, and means fewer "out-of-order" lines at the border.
John
That's why even if you have a Near Field Communications equipped card like Chase Freedom, you don't want to use it directly. Scan it once, into Apple Pay, and then use that implementation of the NFC standard to present the card to merchants without having them see your card. Apple's security is added to whatever security the credit card has, and your fingerprint is required to complete the transaction.
The lucky sod with the 0.5 VISA card is probably immune to this scam.
You do realize that this is easy to find.
heh, I explained the exact same thing to someone on Twitter.
You would need either:
a) A portable POS with a Merchant account or
b) A portable skimmer and an accomplice in the same store from which to rip off that could make such a transaction.
c) An accomplice working for the store from which to rip off to intentionally make such charges happen.
It comes back to you're not buying a million dollars in hotdogs. At best a would-be thief could probably rip off some fast food, coffee and 7-11 type stores in broad daylight. The attack in the article would only rip off people using offline PoS, which is basically nobody except Taxi drivers and some food-cart type of kiosks.
The relay attack is more sophisticated and basically records and plays back both ends of the NFC transaction. One person picks up some stuff, and the accomplice gets in another line somewhere near the target (standing behind someone else in another checkout line). When the recording end senses an NFC card, the person with the playback end readies their "tap to pay" phone and starts the transaction, which is relayed to the recording phone, and relays all the data across. Then the thieves make their getaway, and the victim notices two charges from their grocery store on their bill and doesn't think too much of it, or disputes it, but would need the bank to produce the receipt to prove they didn't make the other purchase.
Or a card owner could knowingly do this, to rip off the card company. People do this all the time with online payments. The risk however is the cashier recognizing you the next time, because I assure you that any business ripped off will blame it on the cashier not paying attention and thus "retrain" everyone to look for you and have you escorted off the premises.
At the end of the day, the Apple Pay solution starts looking more attractive than ever.
It's via the "contactless" chip system - which doesn't need to do online authentication. It's all done in the card for transactions under £20 (or hack foreign currencies). The card generates a transaction key which is passed to the bank when the shop communicates with the bank.
Using the foreign currency hack - you can ask the card for up to 999,999.99 in a foreign currency (not the default currency for the card). No one is going to use the hack to pull the full amount over - you'll use it for something like $50.00 or $49.99 so it looks less obvious on the statement. You scam cards in a tourist location where many vendors offer transactions in multiple currencies. I know a number of stores in Ireland offered me transactions in Euro, GBP or USD.
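The card-side check the thread describes (a domestic floor limit that is only compared when the terminal's currency matches the card's) is easy to model next to a hardened version that normalises every request into the card currency before comparing. This is an added example, not Visa's, the researchers' or any issuer's code; the £20 floor, the conversion rates and the behaviour for unknown currencies are assumptions made for illustration.

```python
"""Model of a contactless offline-approval check with the weakness the
thread describes, beside a hardened check. Added example, not Visa's or
the Newcastle researchers' code; limits, rates and currency handling are
assumptions for illustration."""

from dataclasses import dataclass

# ISO 4217 numeric currency codes (real values), used as identifiers here
GBP, USD, EUR = 826, 840, 978

# Assumed domestic contactless floor limit in minor units (pence): £20.00
FLOOR_LIMIT_MINOR = 2000

# The single-transaction ceiling the thread quotes: 999,999.99
SYSTEM_MAX_MINOR = 99_999_999

# Constructed conversion table (minor units of GBP per minor unit of the
# foreign currency); not live rates, just enough to normalise amounts.
RATES_TO_GBP = {GBP: 1.0, USD: 0.62, EUR: 0.79}


@dataclass(frozen=True)
class OfflineRequest:
    amount_minor: int   # amount in minor units of `currency`
    currency: int       # ISO 4217 numeric code presented by the terminal


def vulnerable_offline_approve(req, card_currency=GBP):
    """Reproduces the weakness: the floor limit is compared only when the
    terminal currency equals the card currency; any other currency falls
    through with nothing but the 999,999.99 ceiling applied."""
    if req.amount_minor <= 0 or req.amount_minor > SYSTEM_MAX_MINOR:
        return False
    if req.currency == card_currency:
        return req.amount_minor <= FLOOR_LIMIT_MINOR
    return True  # foreign currency: no floor-limit comparison at all


def hardened_offline_approve(req, card_currency=GBP, rates=RATES_TO_GBP):
    """Hardened check: convert every request into the card currency before
    comparing against the floor, and refuse offline approval outright for
    a currency the card cannot convert (the terminal must go online)."""
    if req.amount_minor <= 0 or req.amount_minor > SYSTEM_MAX_MINOR:
        return False
    rate = rates.get(req.currency)
    if rate is None:
        return False  # unknown currency: never approve offline
    normalised = round(req.amount_minor * rate)
    return normalised <= FLOOR_LIMIT_MINOR


def compare(requests):
    """Return (vulnerable, hardened) decisions for each request."""
    return [(vulnerable_offline_approve(r), hardened_offline_approve(r))
            for r in requests]


if __name__ == "__main__":
    # Constructed requests: a £15 tap, a £25 tap, $50.00 and the full ceiling in USD
    sample = [OfflineRequest(1500, GBP), OfflineRequest(2500, GBP),
              OfflineRequest(5000, USD), OfflineRequest(SYSTEM_MAX_MINOR, USD)]
    for r, (v, h) in zip(sample, compare(sample)):
        print(f"{r}: vulnerable={v} hardened={h}")
```

The point of the hardened version is that the decision never depends on which currency the terminal chose: the $50.00 case and the full 999,999.99 case are both refused offline, and a currency with no conversion entry forces an online authorisation rather than silently passing.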
The poster obviously doesn't understand how credit cards work. Sure, we can do an offline transaction for whatever value we want, provided the merchant doesn't fall into any of the various restricted merchant category codes, like gambling companies and so forth. Even then, you've got an offline authorisation for almost a million dollars... you think you've stolen a million dollars? Nope! Firstly the point of sale system must upload a file containing the authorisations it's performed. The bank takes this, and generally at night, through a process called settlement, moves the appropriate funds around. A lot of the settlement processes are still performed with a lot of human supervision. For one company I used to work at, which processed billions in credit card payments every year, there were 3 hardy engineers, ensuring the process went off without a hitch. Catching large or fraudulent transactions happens at this stage too. Most cards have an upper transaction value also, so when submitting a file containing a value over this, the entire batch would be rejected, and an engineer would have to regenerate a new file, minus the transactions and submit. The file submitter would get an automated report of what transactions failed to settle correctly, and from there they could investigate fraud...
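The settlement stage this comment describes (upload a file of offline authorisations, reject the whole batch when any line breaches the card's upper transaction value, report what failed, regenerate minus the offenders) is where an acquirer would actually catch the foreign-currency charges discussed in the thread. The following is an added example, not any bank's or processor's code; the CSV batch format, the field names, the limits and the extra offline-specific rules are all constructed for illustration.

```python
"""Settlement-stage screening of a batch of offline authorisations, modelled
on the comment above. Added example, not any acquirer's or processor's code;
the batch format, limits and screening rules are constructed."""

import csv
import io
from collections import namedtuple

# Constructed batch file, one authorisation per line. amount_minor is in
# minor units of `currency` (an ISO 4217 numeric code); mode records whether
# the terminal approved offline or went online.
CONSTRUCTED_BATCH = """\
auth_id,merchant_id,card_token,amount_minor,currency,mode
A001,M-CAFE-01,tok_1111,450,826,offline
A002,M-CAFE-01,tok_2222,1999,826,offline
A003,M-GIFT-07,tok_3333,4999,840,offline
A004,M-GIFT-07,tok_4444,99999999,840,offline
A005,M-CAFE-01,tok_5555,1200,978,online
"""

# Assumed limits (constructed): a per-card upper transaction value of 5,000.00
# and a contactless floor of 20.00 above which no offline approval is expected.
CARD_UPPER_LIMIT_MINOR = 500_000
OFFLINE_FLOOR_MINOR = 2_000
DOMESTIC_CURRENCY = 826  # GBP, the card's own currency in this model

Auth = namedtuple("Auth", "auth_id merchant_id card_token amount_minor currency mode")
Finding = namedtuple("Finding", "auth_id reason")


def parse_batch(text):
    """Parse the uploaded batch into Auth records (amounts as integers)."""
    return [Auth(r["auth_id"], r["merchant_id"], r["card_token"],
                 int(r["amount_minor"]), int(r["currency"]), r["mode"])
            for r in csv.DictReader(io.StringIO(text))]


def screen_auth(a):
    """Return every reason this authorisation should not settle."""
    reasons = []
    if a.amount_minor > CARD_UPPER_LIMIT_MINOR:
        reasons.append("exceeds card upper transaction value")
    if a.mode == "offline" and a.amount_minor > OFFLINE_FLOOR_MINOR:
        reasons.append("offline authorisation above contactless floor")
    if a.mode == "offline" and a.currency != DOMESTIC_CURRENCY:
        reasons.append("offline authorisation in non-domestic currency")
    return reasons


def settle_batch(text):
    """Screen a whole batch. Returns (accepted, findings): accepted is False
    when any line fails, mirroring the all-or-nothing rejection the comment
    describes; findings is the automated report the submitter receives."""
    findings = [Finding(a.auth_id, reason)
                for a in parse_batch(text) for reason in screen_auth(a)]
    return (len(findings) == 0), findings


def regenerate_without(text, rejected_ids):
    """Rebuild the batch minus the flagged authorisations for resubmission."""
    kept = [a for a in parse_batch(text) if a.auth_id not in rejected_ids]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(Auth._fields)
    for a in kept:
        writer.writerow(a)
    return out.getvalue()


if __name__ == "__main__":
    ok, report = settle_batch(CONSTRUCTED_BATCH)
    print("batch accepted:", ok)
    for f in report:
        print(f"  {f.auth_id}: {f.reason}")
    retry = regenerate_without(CONSTRUCTED_BATCH, {f.auth_id for f in report})
    print("resubmitted batch accepted:", settle_batch(retry)[0])
```

Two rules here go beyond the single upper-limit check the comment mentions: an offline approval above the contactless floor, or in a currency other than the card's own, is exactly the fingerprint of the charges the thread is discussing, so the report flags them separately and the engineer investigating the failed batch sees which pattern each line matched.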