Slashdot Mirror


Russian POS Pickpocket Generates New Interest In RFID-Blocking Wallets (thestack.com)

An anonymous reader writes: A Facebook post depicting a man apparently stealing from commuters by tapping a POS reader against them unobserved on public transport caused a sensation on Facebook before being removed earlier today. The provenance of the photo is uncertain, but unnamed authorities have said that it was taken in Russia. Since this type of opportunistic street theft requires a merchant business account through which any transactions would be easily traceable, the question arises as to how such acts of fraud are being made profitable. Comments on the matter have brought up anew the topic of RFID-blocking wallets as necessary everyday security.

109 comments

  1. Russian POS? by Anonymous Coward · · Score: 4, Insightful

    A Russian piece of shit pickpocket? No need for attacking other countries today.... all pickpockets are pieces of shit.

    1. Re:Russian POS? by Bob_Who · · Score: 1

      A Russian piece of shit pickpocket? No need for attacking other countries today.... all pickpockets are pieces of shit.

      Point of Sale.... piece of shit, that is.

    2. Re:Russian POS? by Big+Hairy+Ian · · Score: 1

      Forget RFID blocking wallets I want RFID blocking trousers to go with my tin foil hat!

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    3. Re:Russian POS? by LifesABeach · · Score: 2

      What a great idea! Invent a technology that makes theft easier. We've got DHS saying it's to protect children, and hinder the terrorists. Meanwhile, on the other side of the ponds, we hear the excuse of it's just the way we do commerce over here. What's amazing is that this weakness has been known for over 20 years. I remember when this shit came out in the early 1990s, others could remote read these chips then. What next? There's an App for that?

    4. Re:Russian POS? by jfdavis668 · · Score: 1

      Every time I see POS I think the same thing. Then again, most software systems are really a piece of shit.

    5. Re:Russian POS? by Punko · · Score: 1

      Every time I see POS I wonder how player owned stations from Eve Online have anything to do with the matter at hand

      --
      If only we could fall into a woman's arms without falling into her hands
  2. RFID by NotInHere · · Score: 4, Insightful

    who said this is a good idea in the first place?

    Contact-less payments are dumb, and lead to precisely this kind of abuse. I mean it could be a simple confirmation, a single swipe on the screen or something (when talking about smartphone based payments). And contact-less keys can simply have a button you have to press before unlocking.

    1. Re:RFID by mwvdlee · · Score: 1

      Banks, store owners, governments... pretty much anybody who isn't on the paying end of RFID.

      Count of hands... who here did NOT see this coming?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re: RFID by Anonymous Coward · · Score: 2, Insightful

      That is the new standard coming to the US. All other countries that have it, say it is more secure. The change in law, made the business eat any other false charges. Not the credit card company. I expect to see fewer cards accepted by businesses as the false positives aggregate. After all, pay five or more percent per transaction, and nothing for it? Or cash, check, with a 1% surcharge? Interesting. Or maybe a business could go back to a customer loyalty card, and start rewarding their customers instead of the banks.

    3. Re:RFID by binarylarry · · Score: 2

      Actually this kind of protection (confirmation, fingerprint swipe, lock pattern, etc) is already used with NFC payments.

      My Galaxy Note requires it for contactless purchases.

      --
      Mod me down, my New Earth Global Warmingist friends!
    4. Re:RFID by AmiMoJo · · Score: 3, Insightful

      The story is bullshit.

      Look at the photo in TFA. The item in the guy's hand is clearly not what they think it is. It's a phone. The button colours and shape don't match the POS terminal depicted.

      In any case, even if it was real, it would be a really, really dumb way to steal money. For the POS terminal to work, you have to have an account set up. That means vetting (okay, might be weak in Russia) and a paper trail. The money has to go into an account somewhere. That's why you don't see many "fallen off a lorry" scammers using POS terminals.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:RFID by wvmarle · · Score: 3, Interesting

      I've been using contactless payments for well over a decade now, and I love it. All buses, minibuses, trams, trains, ferries in Hong Kong take the contactless Octopus card for payment. No fuss with exact change (buses don't give change) or buying single ride tickets. Just swipe and move on, payment done in a fraction of a second. Use them for small payments in convenience stores and supermarkets, vending machines, etc. Many car parks are Octopus-only even.

      I have also never heard about any (large scale) fraud with these cards. I really don't know the ins and outs on how fraud is prevented, but obviously it works well. These cards were introduced some 20 years ago and pretty much everyone has one. There have been several technology upgrades which all have been seamless from the user pov.

      So I really can't say they're dumb. They're awesome. Wouldn't want it otherwise, it's just too big a big PITA to have to deal with all those small payments in cash.

    6. Re: RFID by LifesABeach · · Score: 1

      And it works really great in Russia? Hell, if it sucks there, it won't suck elsewhere? Ya, right.

    7. Re:RFID by The-Ixian · · Score: 1

      But.... but... the convenience! My freedom for CONVENIENCE!

      --
      My eyes reflect the stars and a smile lights up my face.
    8. Re:RFID by 110010001000 · · Score: 1

      Um, almost every city with mass transit has something like the Octopus. That isn't what this article is about. They are talking about credit cards.

    9. Re:RFID by wvmarle · · Score: 1

      OP was talking about "contactless payments" in general. That's what I responded to - just to show that it can work, and can work really well and securely.

    10. Re:RFID by rjforster · · Score: 3, Informative

      Nope. The object in his hand looks just like the contactless payment (combined with chip and pin) devices that are all over the place (in the UK anyway). Granted it doesn't look like the telepower device on the right side of the picture but certainly DOES look like a contactless payment device.

      This doesn't rule out the story being BS for all the other reasons you give like needing to be tied to a traceable account...

    11. Re:RFID by AmiMoJo · · Score: 1

      The reason there isn't much fraud is that to receive the money you have to have a merchant account. Getting a merchant account means going through various security checks. There is a big paper trail so the risk of being caught is very high. Much easier to just steal cash or card details to be used online.

      It's worth noting that there are two separate systems in use here. You have stored value cards that you load up and they store the current balance. They are commonly used on public transport systems (Suica/EDY in Japan, Oyster in the UK etc.) Then there are debit and credit cards, which transfer funds from one account to another similar to traditional card payments.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:RFID by Apotekaren · · Score: 2

      Please google "Pine Labs' iWL220", and compare to the picture from the subway. It's a GPRS-enabled POS-device.
      Look familiar? Being a Daily Mail story should put up a red flag, "may contain shitty editing and journalism".

      But yeah, getting such a setup probably isn't hard in Russia, using a fake identity and then shifting money around accounts.

      --
      She: Hey, are you a traitor? Me: No, I'm atheist.
    13. Re:RFID by unrtst · · Score: 1

      I really don't know the ins and outs on how fraud is prevented, ...

      Awesome.

      So I really can't say they're dumb.

      Nor can you say they're smart, since you (admittedly) have no idea what you're talking about.

      it's just too big a big PITA to have to deal with all those small payments in cash.

      This has NOTHING to do with the questions at hand. Contactless versus something-that-requires-contact-or-verification. Mag stripes would fulfill your requirements.

      Skimming a contactless card via RFID can (more-or-less**) obtain all the same information they would get from swiping the mag stripe, but they don't need to touch your card. That is one of the larger problems with that setup.

      Please note, this has little to do with NFC enabled phones. The majority (if not all) of those require some confirmation before they'll disclose anything (ex. swipe of your finger, pattern unlock, etc).

      ** for credit cards, I'm fairly certain this requires some bidirectional communication, thus the POS (point of sale) terminal in the summary. Other RFID devices require none of that, such as your license or passport.

    14. Re:RFID by wvmarle · · Score: 1

      Octopus is stored value - which may be linked to a credit card for automatic recharges.

      Other possible forms of fraud would be to change the balance on the card (and travel for free) or to create fake cards altogether. None seems to happen.

    15. Re:RFID by AmiMoJo · · Score: 2

      It's not an iWL220, the body colour and buttons below the screen are different. The buttons below the screen are the standard up/down scroll buttons on Nokia-clone brick phones.

      Well, okay, to be fair the photo is crap so we can't be 100% sure either way.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re: RFID by Anonymous Coward · · Score: 0

      Another point of view. Ever seen near field sales. Or using a phone as a sales device. To record a transaction. To initiate a sale or complete a sale? All it takes is an app. And a merchant number. Oh shucks, how would that be done? It's on all cc transactions. Your name, card, merchant number, and a bunch of other stuff. Nowadays, that phone rivals any computer. And has a secondary function, a two way device. Built in.

    17. Re:RFID by wvmarle · · Score: 1

      You obviously don't know what you're talking about, at all. At least I admit I don't know HOW fraud is prevented, but I do know THAT IT IS prevented.

      Magnetic strips (as indeed used before the contactless) are too slow and cumbersome. Way too slow. Now I walk through the gate without stopping, instead of having to stop and fiddle with the card. Instead I just leave it in my wallet and swipe the whole thing (or what others do is swiping a hand bag, or mobile phone pouch, or a watch with built-in Octopus chip, or indeed using a mobile phone's NFC capabilities but that one is quite new). The 20 or so entry gates at the station I use most (not a particularly busy one) now can only just handle traffic; it'd need several times that number of gates if working with magnetic strips. A transaction now takes some 0.3 seconds, that's slow enough.

      Furthermore, magnetic strips lack write options. The amount charged, transaction time and remaining balance are written back to your Octopus card. The station you get in is stored on the card, including a first class upgrade if you opt for this, so correct payment can be processed when you get out. Bus-bus interchange discounts are based on reading the previous journey. Sometimes they have second journey discounts. All not possible with basic magnetic strips.

    18. Re:RFID by jareth-0205 · · Score: 1

      Hate to break it to you but this system has been in wide use for years now without any real issues - the bank takes the risk because they know that anyone taking payments has to have a merchant account and are traceable if they start acting up. It's a very stupid criminal that tries to steal this way, it's doomed to end in trouble for them.

    19. Re: RFID by Anonymous Coward · · Score: 0

      Sorry, but it does, security. How secure do you want it. How long it takes to clear, and how much you are willing to lose. It doesn't matter if it's a card or NFC device? I make sure NFC is off on my devices. They are connected to my mini computers. Another way to enter into my gaming and pictures. There are apps, that change the radio frequencies, so you can ping cards, that's not hard to find. Then to ping to activate a nearby card, that's happened since the late 90's. Then they had briefcase sized devices, so now, remember how small a micro computer has gotten now.

    20. Re:RFID by Anonymous Coward · · Score: 0

      I think you are a little too optimistic about security. https://www.youtube.com/watch?v=DLwqCla7ntg

    21. Re:RFID by Anonymous Coward · · Score: 0

      The decryption is done at the reader. There is no need to use a merchant account to collect data. https://youtu.be/vmajlKJlT3U?t=52

    22. Re:RFID by amicusNYCL · · Score: 1

      The item in the guy's hand is clearly not what they think it is. It's a phone.

      Right, one of those phones with red, yellow, and green buttons on the bottom that I see everyone carrying.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    23. Re:RFID by Anonymous Coward · · Score: 0

      Some differences:

      - The travel cards can be used only with the specific systems, and generally you cannot get money out.
      - There usually are random checks in the vehicle for people who skip the payment. These checks would catch even those who did pay but did it fraudulently.

    24. Re:RFID by jareth-0205 · · Score: 1

      Banks, store owners, governments... pretty much anybody who isn't on the paying end of RFID.

      Count of hands... who here did NOT see this coming?

      The bank / store owners eat the payment errors, not the user. If they think it's a good idea and will take the risk then presumably they think it is secure enough.

    25. Re:RFID by Applehu+Akbar · · Score: 1

      "Contact-less payments are dumb, and lead to precisely this kind of abuse. "

      Obligatory Fanboy Neener: If you're going to carry around a contactless payment device, make sure it's one that requires a fingerprint for authorization and that not even the FBI and the NSA can hack.

    26. Re:RFID by mjwx · · Score: 1

      who said this is a good idea in the first place?

      Contact-less payments are dumb, and lead to precisely this kind of abuse. I mean it could be a simple confirmation, a single swipe on the screen or something (when talking about smartphone based payments). And contact-less keys can simply have a button you have to press before unlocking.

      If contactless payments were using a unique GUID just for contactless then it would merely be dumb.

      However it actually sends your card number, expiry date and name (everything on the front of the card and all you need to start making transactions online) so it's actually the heir to the throne of the kingdom of stupid.

      In a few years, contactless will be a thing of the past because the cost of fraud will be so high they'll be forced to replace everyone's card.

      The whole contactless thing originated with Visa and Mastercard (no collusion in this industry whatsoever) as a way to kill the EFTPOS networks in various countries and force customers to use credit networks, even with debit cards. They did this because EFTPOS does not charge a percentage of each transaction to the merchant which the credit networks do. This means the credit networks are missing out on all the merchant service fees on purchases that don't go through their networks.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    27. Re:RFID by mjwx · · Score: 1

      Nope. The object in his hand looks just like the contactless payment (combined with chip and pin) devices that are all over the place (in the UK anyway). Granted it doesn't look like the telepower device on the right side of the picture but certainly DOES look like a contactless payment device.

      This doesn't rule out the story being BS for all the other reasons you give like needing to be tied to a traceable account...

      You don't need a card reader, you just need any NFC enabled device. Here's an app for any NFC enabled Android phone that reads card information, it's censored because it's a demonstration, but the source code is available, or you could just follow the specs available on Visa's and Mastercard's websites.

      The problem is that the information sent wirelessly isn't unique to contactless payment schemes. In fact it's everything on the front of your card (name, exp date and card number) which is all you need to make online transactions. So walking around a shopping centre with an antenna is an ideal way to anonymously collect card numbers.

      But NFC in my phone is limited to a few cm I hear you say. This is entirely due to the antenna design and power limits. NFC's wavelength has a maximum theoretical range of 22 metres, OK that's theoretical. In reality if you had a large enough antenna and enough power you could easily get 2-3 metres, however that would create a problem with the number of responses you'll get, an antenna that reaches 0.5 to 1 metre would really be all you'd need to go on a fishing trip for card numbers... And no one is going to look at you twice with your strange device as long as you're wearing a high visibility vest and carrying a clip board.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    28. Re:RFID by mjwx · · Score: 1

      I have also never heard about any (large scale) fraud with these cards.

      That's because a single standard has never been widely deployed. Nor has it had direct access to credit card numbers.

      Paypass/wave are the same the world over. Unlike Oyster/Octopus and other schemes that use a GUID as an identifier, Paypass/wave use the card number, name and expiry date... So basically everything you need to make transactions on the internet. Thieves are not interested in making $30 transactions in person (that's a great way to get caught)... They're interested in harvesting card numbers en masse. This is now easier than ever because it transmits all the info you need wirelessly.

      So I really can't say they're dumb.

      I can't say they're dumb either. Dumb is when you stub your toe or accidentally get the wrong type of bread.

      Contactless payments are not merely dumb, the implementation is the heir to the throne of the kingdom of stupid.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    29. Re:RFID by mwvdlee · · Score: 1

      As a user you have to spot the error and report it. If the amount of money stolen is small enough, you likely won't notice.

      They eat the error only AFTER damage has been done.
      It's little consolation if you get your money back after a few months, meanwhile being unable to make purchases.
      Lots of people live on a budget that fluctuates around zero.
      Correcting a mistake afterwards is not the same as not allowing mistakes in the first place.

      It's like being the victim of burglary; the insurance company will "eat the error", but meanwhile you have no use of what should have still been your property.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    30. Re:RFID by jareth-0205 · · Score: 1

      1. One (or maybe two) person needs to notice this type of crime to reverse all the charges. Once they've identified a dodgy actor the whole account is stopped.
      2. If the amount is so small that you don't notice chances are you're not on the edge
      3. It takes one phone call and the charge is immediately reversed.
      4. The amount you can take contactless is limited to relatively small, I think it's less than £20.
      5. (most importantly) This system is already in widespread use. You're not critiquing a probable future disaster, you're deciding something is broken that already is in use by millions of people for years, and *is not showing the problems that you imagine*.

      None of your concerns are wrong exactly, but they're all already mitigated in practice.

    31. Re:RFID by DarenN · · Score: 1

      The odder thing about this kind of attempted fraud is the question - where does the money go?
      It can't go to an arbitrary account because the POS device is tied to a merchant. You need a merchant account at the bank (you can't just use your retail account for this). So the first time this is noticed, everyone involved should be trivially identifiable. The money HAS to go through the merchant's account.

      --
      Rational thought is the only true freedom
    32. Re:RFID by jareth-0205 · · Score: 1

      Yeah, this is why it's the stupidest fraud possible. It *will* get noticed and the person is easy to track down.

    33. Re:RFID by DarenN · · Score: 1

      The problem is that the information sent wirelessly isn't unique to contactless payment schemes. In fact it's everything on the front of your card (name, exp date and card number) which is all you need to make online transactions. So walking around a shopping centre with an antenna is an ideal way to anonymously collect card numbers.

      This, while true, is also mostly irrelevant. The NFC card will still generate an ARQC that uniquely validates the transaction based on a key present on the chip which the attacker cannot gain without gaining the card.
      The data can only be used online if the attacker has the CVV2 from the back of the card, which is never transmitted.
      That card could be cloned and used via magnetic stripe but again you don't have the CVV1 (which is on the magnetic stripe and won't be transmitted via NFC because it uses another validation method) and chip card cloning still hasn't happened, again thanks to the key on the chip.

      And, as pointed out, using a Point of Sale device like this makes it trivial to trace the recipient of the funds.

      --
      Rational thought is the only true freedom
    34. Re:RFID by Anonymous Coward · · Score: 0

      4. The amount you can take contactless is limited to relatively small, I think it's less than £20.

      They increased it to £30 a few months ago.

    35. Re:RFID by nanoflower · · Score: 1

      Depending on how hard it is to set up that merchant account they can do the same thing that is done with other similar crimes. Hire some person in need of money to set up the merchant account, funnel the money through that account and then leave that person holding the proverbial bag while the real criminals are far away by the time law enforcement tracks down the merchant account owner.

  3. Whats the news? by AHuxley · · Score: 1

    Contactless cards: how to avoid paying twice
    "Credit cards that you simply wave at a reader save time and are a boon for visitors to London. But they can also raid your bank account invisibly" (11 Nov 2014)
    http://www.telegraph.co.uk/fin...
    or from slashdot back in 2012 "Android App Lets You Steal Contactless Credit Card Data" (June 21, 2012 )
    http://it.slashdot.org/story/1...
    Whats the new news AC? The risks of some of the newer cards and bank services have been in the tech media for years and been reported by the media too.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re: Whats the news? by Anonymous Coward · · Score: 0

      This, is the news, coming to you by the businesses you trust the most. Remember *@$#% has your best interest in their pocket because of buying scalia.

    2. Re:Whats the news? by Anonymous Coward · · Score: 4, Insightful

      You brought up something that's been troubling me: this increasing desire by business to make it all too easy for paying without thought. They want people to impulse buy. Apple is the biggest offender. In order to create an Apple ID on an iOS device you must give a payment method - you have to use a desktop system via the web to create an ID without a payment option. Why? They want people to impulse buy songs and apps.

      Roku does the same thing "for your convenience". I had their customer no-service people waive that requirement after having to listen to their bullshit how it's for "my convenience". It's idiotic that I even have to create an account with them to use the fucking thing since the streaming goes direct to the content provider.

      And of course, if there's a mistaken billing or fraudulent (many channels on Roku's service say they're free but when you click on them, a message pops up saying that they are charging me - it's a great thing I did not give them my payment information!!), good luck getting the money back.

      And unlike cash when you lose it, you just lost that, these electronic payment systems allow for thieves to clear you out and it takes weeks to get your money back or in the case of a credit card, you will find yourself SOL in case you're traveling.

      Until the financial services industry cleans up its act, these types of payment systems shouldn't be allowed or forced on us.

    3. Re:Whats the news? by houghi · · Score: 1

      I have one and it is advertised to make payments for small amounts easier. This means up to 25EUR.

      1) For some people 25 is a large amount
      2) It means that people can steal 25EUR multiple times
      3) The ease of use is very limited in my opinion. As I am in Europe, I just put the card in the machine, enter my pin and take my card out. Same procedure in restaurant.

      So where is the gain? Taking it out of my wallet, putting back into my wallet. Entering the pin code.
      To be secure, you need to keep your card in a RFID secure wallet, so all that is left is putting the card into a machine and entering the pin vs. holding the card somewhere.

      That difference vs the risk is not worth it.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:Whats the news? by Red+Flayer · · Score: 1
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    5. Re:Whats the news? by Anonymous Coward · · Score: 0

      The transaction with contactless is a lot quicker. When you've spent several minutes putting your shopping through a till at the supermarket an extra 10 seconds is no big deal, but when getting on public transport during rush hour, an extra 10 seconds per passenger is a big deal. Not having to carry an extra card (which I have to keep topped up) to use for public transport makes it worthwhile for me. The rest of the time I use it because it's there and it is quicker, even if only by a matter of seconds.

  4. 2 Cards are Better than One by Anonymous Coward · · Score: 0

    If you have two RFID cards in your wallet the device will not be able to read them... cheaper to get extra cards than a new wallet

  5. I have long known about this one by EmperorOfCanada · · Score: 5, Insightful

    This attack is actually quite easy. The "Pickpocket" has one end of a transmitter not a POS system. The other end of the transmitter is waiting at a cashier to make a payment. Effectively the system is fantastically dumb, just relaying the transaction requests back and forth between the checkout and the person's card.

    The "getaway" is that they are leaving with the goods. If the store doesn't get paid, it doesn't matter.

    This completely end runs the entire smart card encryption and every other security measure on the card. It is just a pair of repeaters that are extending the range of the card from 3cm to potentially miles.

    I suspect that there are timeouts on the cards but if the repeaters don't induce much lag the speed of light should not add much. Still, depending on how generous these timeouts have been set, it may be possible to fire these signals through an LTE pair of phones giving the pickpockets an international range.

    In theory a pickpocket could be having the signals relayed in a nice message queue fashion to a series of people waiting at automated checkouts. So the pickpocket could walk down a train while a small group of purchasers ring transaction after transaction through. Assuming a $100 limit per purchase not only could the pickpocket feed an easy 20 cards from a single train, but he could wait a few minutes before returning for a second pass down the train making it appear that the users were making a second purchase, and then a third and a fourth.

    Doing the math that could net $2,000 per pass with maybe 3 possible passes before the pinless swipe limit were hit.

    Then step out and do the next train car. Now we are looking at no less than $10,000 in goods per hour during rush hour.

    This is assuming that it isn't one long train. If it is a train where you can walk the length of a crowded train it could potentially be 100 cards in a single run if the queuing system is properly organized.

    When I first saw someone swipe a card without a pin this scheme popped into my head. I have just been waiting the years since for it to become public.

    I suspect the fix won't be that easy because merely being less generous with the timeouts will probably exceed the capabilities of many cards and many machines, causing them to become unreliable.

    1. Re:I have long known about this one by Gr8Apes · · Score: 2

      The solution is even easier - require a PIN.

      --
      The cesspool just got a check and balance.
    2. Re:I have long known about this one by AmiMoJo · · Score: 1

      This has been demonstrated with mobile phones that have NFC, reading cards in the US and making transactions in the UK.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:I have long known about this one by Anonymous Coward · · Score: 1

      It's actually really difficult to run relay attacks over any kind of distance due to latency. There's a few papers on it, I found one with a brief google: https://eprint.iacr.org/2010/228.pdf. The technology they used was Bluetooth, they considered and discarded SMS and GPRS/3G as having too high a latency to meet the NFC spec.

      Australian banks rolled out contactless payments years ago, there's been concern on and off since, but no major incidents reported. The kind of attack pictured in the photoshopped article is technically possible though difficult (about as difficult as physical pickpocketing - you have to get within a couple of centimeters and hold still for 2-3 seconds).

      However, even if they can pull it off, there's a couple of other issues. Firstly, the charges are easily reversible and the merchant account will get canned well before settlement, it's unlikely they can receive any money from the effort. There's a good chance that if they've stolen or "borrowed" a machine serviced by a bank or larger payment processor, they will simply pause payments and notify the AFP, and they'll be able to track the machine's location when it connects for online processing or offline batch.

      Secondly, contactless payment readers don't like it when more than one card is in range. I've had various NFC/RFID library cards, public transport passes, health insurance, student IDs, driver's licenses, etc in my wallet for at least 12 years (just looking at the issue dates for cards in there right now). Most adults would have at least 2. I only realised my bank had issued a contactless card (about 7 years ago now) when my GO card (public transport) stopped working when I slapped my whole wallet against the reader.

      I personally have a nice-looking NFC-shielded leather wallet because it really doesn't cost anything extra to be sure. You can reduce your no-verification payment limit down to $1 if you want, and some banks will remove the option altogether. I actually really like the convenience. Plus, the card is rarely out of my hand during a transaction, I'm more likely to notice a missing/stolen card than someone copying a stripe under the desk and eyeballing my PIN.

      AU processors no longer accept signature verification, so it's all swipe & PIN, chip & PIN or contactless (no PIN $100 by default).

    4. Re:I have long known about this one by EmperorOfCanada · · Score: 1

      They will make money if they are making actual purchases. Holding my bag against someone's pocket for 2-3 seconds wouldn't be hard in a crowded train. Also my entire bag could be one huge pickup or set up pickups. The multiple card issue would certainly be a problem except that I could see some really good hackers actually doing a better job of reading cards than the original designers; plus the thief could have his hardware give him a red light and he would move on. Also bluetooth sucks when it comes to latency unless you use it very well and would be the last technology I would use for this sort of transmission. I might even go analog if I were doing it in a short range. And as for meeting spec, that is a question. How much have the readers stuck with spec if spec wasn't enough? I know that when I am programming RF stuff I often set the hardware to the maximum number of retries with the longest delay that the hardware's built-in code will allow. If I were building a contactless payment system I could see actually going into the RF hardware and redoing its firmware to allow for even longer delays and timeouts if that would improve the system. For instance, I use one Canadian bank where my contactless payment doesn't seem to work very reliably. When it doesn't work the teller says, "Oh, you must bank with ..." So either my bank has stuck to spec and some readers have figured out a way to accommodate such silliness, or other readers have been badly programmed.

      This last might not be all readers but it is something where a gang of thieves would readily identify any hardware that "cooperated" with them.

    5. Re:I have long known about this one by Anonymous Coward · · Score: 0

      The logistics of this alone are kind of mind boggling. He would have to tap the other person's card the same time the receiver taps the POS terminal at the store. You can't "re-use" a transmission because all contactless payments use rolling code and authentication...

      I'd be very interested to see a real live working example of this...

  6. Remove the chip by Anonymous Coward · · Score: 0

    In most cases the chip can be removed. It often bulges enough to cut it out with a razor. If not, slice into the card, find where the chip is, then call the card company to request a new card from which the chip can then be easily removed. There are also phone apps (I've used a free one on Android) that can read RFID chips, so that the card can be tested to be sure it's clean after chip removal.

    1. Re:Remove the chip by Viol8 · · Score: 3, Interesting

      Even easier - just cut horizontally into the card from the right hand side about 2-3cm. It severs the antenna but the card is still usable in all non contact devices.

    2. Re:Remove the chip by rjforster · · Score: 2

      The cards are just about translucent enough that a bright LED torch can show you just where the antenna loop goes so you can pinpoint exactly where to cut or drill. Make sure you have a NFC app on your smartphone to check that you could read the card details before you cut or drill the card and cannot do so afterwards. Probably best to avoid the mag stripe as well. I might suggest a 1 or 1.5 mm drill in the top right corner as you look at the front of the card, with the center point of the hole being about 2.5 to 3mm from the top and right edges.

      Not advocating, you understand. Just talking possibilities.

    3. Re:Remove the chip by AmiMoJo · · Score: 1

      Microwave on high for 10 seconds, works like a charm. You can even throw your iPhone in for a quick charge too!

  7. My solution .. USA based cards by OzPeter · · Score: 2

    I was in Australia over Christmas with my brand spanking new USA based credit cards (from major bank and CC companies) .. which barely have chips in them. I was buying some stuff in a shop one day and handed over my credit card and the assistant took my card, looked at it, paused for a second and then finally said with an incredulous tone .. "Oh .. I have to swipe this, don't I".

    Talk about an abject lesson in how backwards my CC was.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:My solution .. USA based cards by 110010001000 · · Score: 1

      What US bank doesn't have chips in them by now? I don't know of any. Plus RFID has nothing to do with chip cards.

    2. Re:My solution .. USA based cards by Anonymous Coward · · Score: 0

      My debit card still lacks a chip. My credit card has had one for nearly a year now and the issuer keeps reminding us to use the chip instead of the strip but so far only ONE store I've shopped at has had the chip reader enabled so far. After a while they all started putting tape over that slot to stop people from wasting time trying to use it, apparently many stores are way behind on getting their POS software updated to be able to use the hardware already present in their terminals.

    3. Re:My solution .. USA based cards by houghi · · Score: 1

      Where I live (Belgium) we have pre-paid cards that do not even have a magnetic strip, nor any embossing, so chip, Internet or no payment.

      When I was in the States, I was so confused with the system that when I came home I saw that I had written the tip for the restaurants on the tickets I took home with me. Sorry, I really wanted to tip, but I was as confused as a Florida voter.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:My solution .. USA based cards by amRadioHed · · Score: 1

      My local credit union just sent me a new card a month ago and it doesn't have a chip in it.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
  8. But but .. its contactless! by Viol8 · · Score: 1

    It must be good because it saves Joe Dumbfuck from having to remember his PIN and spending 5 secs entering it!

    Seriously, if the banks and stores had suddenly suggested bringing out a system whereby you just shove your card in the slot but don't need to bother entering your PIN any more while the shop syphons off your cash, there would have been an outcry. But because it's contactless - Oooo! Magic! - no one seems to Get It.

    1. Re:But but .. its contactless! by Anonymous Coward · · Score: 0

      Actually in the USA, it is being switched to chip and sign not chip and pin. So in the USA you actually do just shove your card in the slot and don't have to enter a pin.*

      * For credit cards, debit cards will ask for a pin

  9. Disable the 'tap' by roman_mir · · Score: 1

    Those tap transactions are insane. I disabled that functionality on all my cards the moment I found out that it became possible to tap my debit cards and have money taken from my debit account. Had to call the banks for that.

    As to how this guy does it, I don't know for sure. If I were doing it, I suppose I would use stolen merchant accounts to run purchase transactions that would end up buying bitcoins or something; I cannot come up with anything better on the spot. I have to deal with merchant accounts and payment processors, and it is not trivial to set everything up. In the case of purchases made with stolen credit cards, the merchant ends up on the hook not only for the initial amount but also for a chargeback fee (25 USD per incident), so it is not very easy, but apparently possible after all, to get away with stealing this way.

    1. Re:Disable the 'tap' by wonkey_monkey · · Score: 1

      An idea from a few posts above:

      His co-conspirator is in a store about to pay for something. Their phones are linked to relay the RFID communications from the POS terminal between them. The terminal thinks it's communicating with the phone (or a modified card, linked to a phone) in the shopper's hand, but it's actually communicating with a card at a remote location.

      I have no idea if this would actually work. I would hope that the terminals at least enforce a minimum communication time delay but there probably has to be some leeway in it.

      --
      systemd is Roko's Basilisk.
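Two points made in this thread, that a captured contactless exchange cannot be "re-used" because each transaction is freshly authenticated (comment 5 under "I have long known about this one") and that a terminal could refuse answers that arrive too slowly (the post just above), modelled in a constructed Python example added here; it is not code from any card scheme, bank or terminal vendor. The shared key, the amounts, the 50 ms round-trip bound and the truncated HMAC standing in for the real card cryptogram are all assumptions.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo key shared by card and issuer. A real card carries a
# per-card key derived from an issuer master key, never a literal like this.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Assumed terminal-side bound on how long the card may take to answer, in
# milliseconds. The ISO 14443 frame waiting times a reader is obliged to honour
# are far looser than this, which is the leeway the post above worries about;
# a tight bound like this is what distance-bounding protocols try to enforce.
MAX_ROUNDTRIP_MS = 50


def cryptogram(key: bytes, atc: int, un: int, amount_cents: int) -> bytes:
    """MAC over transaction counter, unpredictable number and amount.

    Stands in for the EMV application cryptogram; truncated HMAC-SHA256 is a
    stand-in here, not the real card algorithm."""
    msg = struct.pack(">HIQ", atc, un, amount_cents)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def fresh_un() -> int:
    """Terminal-side unpredictable number: a new 32-bit challenge per transaction."""
    return struct.unpack(">I", os.urandom(4))[0]


class Card:
    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0  # application transaction counter, increments on every use

    def respond(self, un: int, amount_cents: int):
        self.atc += 1
        return self.atc, cryptogram(self.key, self.atc, un, amount_cents)


class Issuer:
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0  # highest counter value seen so far for this card

    def authorise(self, un, amount_cents, atc, mac, roundtrip_ms):
        if roundtrip_ms > MAX_ROUNDTRIP_MS:
            return "declined: card answered too slowly"
        expected = cryptogram(self.key, atc, un, amount_cents)
        if not hmac.compare_digest(mac, expected):
            return "declined: cryptogram does not match this challenge"
        if atc <= self.last_atc:
            return "declined: transaction counter reused"
        self.last_atc = atc
        return "approved"


def run_scenarios():
    """Four constructed taps; returns the issuer's verdict for each."""
    card, issuer = Card(DEMO_KEY), Issuer(DEMO_KEY)
    amount = 450  # constructed: a $4.50 purchase
    results = {}

    # 1. Genuine tap: fresh challenge, prompt answer, counter advances.
    un = fresh_un()
    atc, mac = card.respond(un, amount)
    results["genuine"] = issuer.authorise(un, amount, atc, mac, roundtrip_ms=12)

    # 2. Replay: the captured (atc, mac) from tap 1 is presented to a second
    #    terminal that issued its own challenge. The MAC covers the old UN, so
    #    the exchange cannot be re-used.
    results["replay"] = issuer.authorise(fresh_un(), amount, atc, mac, roundtrip_ms=12)

    # 3. Relay: a cryptographically valid answer from the real card, but it
    #    arrives late because it was forwarded over a slow link; the timing
    #    bound catches what the MAC alone cannot.
    un3 = fresh_un()
    atc3, mac3 = card.respond(un3, amount)
    results["relay"] = issuer.authorise(un3, amount, atc3, mac3, roundtrip_ms=400)

    # 4. Counter check as defence in depth: the genuine tap-1 message submitted
    #    a second time, same UN and all, is refused because the ATC did not move.
    results["counter"] = issuer.authorise(un, amount, atc, mac, roundtrip_ms=12)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:8s} {verdict}")
```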
  10. Can we find another term for "POS"? by mykepredko · · Score: 3, Insightful

    When I first read the headline it was "Russian Piece of Shit Pickpocket Generates Interest in RFID-Blocking Wallets"

    I know it's "Point of Sale", but too many years of experience with the other version of the acronym have conditioned me to read it a certain way, often, as in this case, coming up with a different interpretation of a statement.

    1. Re:Can we find another term for "POS"? by Anonymous Coward · · Score: 1

      If you've ever worked on "Point of Sale" software you'll know that there really is no difference.

    2. Re:Can we find another term for "POS"? by mykepredko · · Score: 1

      :^)

    3. Re:Can we find another term for "POS"? by Carewolf · · Score: 1

      If you've ever worked on "Point of Sale" software you'll know that there really is no difference.

      Real shit is usually fresher.

    4. Re:Can we find another term for "POS"? by Bender+Unit+22 · · Score: 1

      When I started working in the head office of a supermarket chain the first few meetings were quite confusing with the bullet point presentation mentioning POS transactions etc. :D

    5. Re:Can we find another term for "POS"? by roman_mir · · Score: 1

      Sure, why not, how about Payment Integration Terminal Apparatus?

  11. So tired by PopeRatzo · · Score: 1

    Swiping a little piece of plastic to get my big gulp and bag of funyums is just too difficult and time-consuming for me. Thank god these benevolent companies have given me a way I can save 0.8 seconds in my important, busy day. Because you know, all those little 0.8 seconds whenever I want to buy something in my day add up and drain my life away. Why, if you add up all the time I waste by having to swipe my card, it could add up to as much as maybe three or four seconds a day.

    Now excuse me while I go check my Twitter account for three hours and watch The Bachelor.

    --
    You are welcome on my lawn.
    1. Re:So tired by Anonymous Coward · · Score: 0

      Swiping a little piece of plastic to get my big gulp and bag of funyums is just too difficult and time-consuming for me. Thank god these benevolent companies have given me a way I can save 0.8 seconds in my important, busy day. Because you know, all those little 0.8 seconds whenever I want to buy something in my day add up and drain my life away. Why, if you add up all the time I waste by having to swipe my card, it could add up to as much as maybe three or four seconds a day.

      Now excuse me while I go check my Twitter account for three hours and watch The Bachelor.

      You can pay for stuff by only swiping your card? With no PIN or signature required? What is to stop people from using card readers to get your card information and, instead of charging that amount to your bank, storing the information and using it to purchase higher amounts? I am sure that supplying a big gulp and funyums for free would be nothing compared to the amount of money that they could steal using the details gleaned from the card reader. At least chip and PIN has a one-time key system (or challenge/response?) to make sure that the information gathered from the machine cannot be used for more purchases...

  12. I'm from the government by NotDrWho · · Score: 0

    I'm here to help you.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  13. Correlation by Thanshin · · Score: 3, Informative

    "the question arises as to how such acts of fraud are being made profitable."
    "Comments on the matter have brought up anew the topic of RFID-blocking wallets as necessary everyday security."

    Seriously? You weren't able to see that relation?

    Read your own text slowly. This time, try to think while you read.

    Ok. I'm not sure you'll manage it. Let's try a simpler version with the key words in bold:
    "OMG! How will anyone make a profit out of this?!" followed by "It's time to buy an RFID-blocking wallet!"

  14. Russians sure make by Anonymous Coward · · Score: 0

    ...good criminals.

  15. RFID protection for wallets? by drolli · · Score: 1

    Saw these a lot since around 2009 in Japan.

    1. Re:RFID protection for wallets? by Anonymous Coward · · Score: 0

      I have one - otherwise known as a business card holder. Comfortably holds 5 plastic cards, minimal pocket fill, blocks RFID (at least when I tested it on a card reader in the self checkout at the supermarket). Fold a few notes around it, put some coins in your coin pocket and you're good to go.

      What, you imagine you actually *need* all the useless shit you have crammed into your oversized wallet? Whatever for?

    2. Re:RFID protection for wallets? by Anonymous Coward · · Score: 0

      I don't need the useless shit. I just need the useful shit. Toothpicks (that reminds me to visit the dentist), bandaids (wish I were less clumsy), lottery ticket (yes, I'm a sucker), car insurance, stolen IKEA paper metre measurer (so many times I want to know how big something is), receipts for mail in rebates (fortunately rare now). 5 cards doesn't cut it:

        - Driver's License
        - Debit Card
        - Visa
        - M/C
        - Health Card (Required for free health care in my country, don't have it? You're gonna pay if you can't get it shortly...)
        - Auto Club
        - Discount club cards (3 of them, all used regularly)
        - RFID entry card for work (guess I'd tape that to the outside of an RFID wallet?)

  16. how such acts of fraud are being made profitable? by dunkelfalke · · Score: 1

    easy. set up a company and a merchant account with the passport data of some homeless guy or from a stolen passport (takes only a few days), grab as much money as you can and disappear.

    this is how most russian scams are operated.

    --
    "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  17. I never understood this by JustAnotherOldGuy · · Score: 1

    I never understood the "need" for contactless payments....is it so hard to buy stuff without pressing a confirmation button? Do you buy so much stuff that the time saved not pressing a button or whatever would really benefit you?

    Seriously, I never understood this...yes, I know that at its heart it's meant to make it easier to buy something in the hopes that you'll buy more useless shit, but do people really see this as some truly beneficial feature?

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:I never understood this by 110010001000 · · Score: 1

      The credit card companies are pushing this. The easier you make credit card transactions, the more of them will be made, and the more money the credit card companies will make. It is worth the increase in fraud, as the increase in transactions outweighs the increase in fraudulent refunds.

    2. Re:I never understood this by Anonymous Coward · · Score: 0

      As someone pointed it out to me. You are not the customer here. You are the product.
      Process the products faster and both the customer & supplier (shop and bank) are happier.

    3. Re:I never understood this by jareth-0205 · · Score: 1

      Sure, it is a benefit, (clearly, arguable how big it is but it's obviously easier) and since the risk isn't on your end, it's with the banks why should you care?

      The payment-taker has to have a merchant account so as soon as they are caught, all the payments are reversed, and then boys are sent around his house to sort-'im-out. There is minimal risk and this has been running quite successfully in EU countries for *years* now.

  18. How to quickly blow the RFID chip? by cayenne8 · · Score: 1

    Can one *pop* the RFID chips in one's cards with a quick trip in the microwave...10-15 seconds to blow the chip, but not harm the plastic card?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:How to quickly blow the RFID chip? by Anonymous Coward · · Score: 0

      Can one *pop* the RFID chips in one's cards with a quick trip in the microwave...10-15 seconds to blow the chip, but not harm the plastic card?

      Hole puncher is a better solution. Be careful not to damage the chip or the magnetic strip. Only cut the antenna. You can find it using a small flashlight shining through the plastic.

    2. Re:How to quickly blow the RFID chip? by Anonymous Coward · · Score: 0

      An icepick is what I used when I had a card like that. A ball peen hammer might do less exterior damage.

    3. Re:How to quickly blow the RFID chip? by bhv · · Score: 1

      The local Walmart's card slide reader won't even read the strip on chipped cards. They only work in the chip slot. I don't know if the teller has some sort of override available, maybe.

      If it's at Wally World it will be everywhere eventually.

    4. Re:How to quickly blow the RFID chip? by Anonymous Coward · · Score: 0

      Card with chip is NOT the same as RFID

    5. Re:How to quickly blow the RFID chip? by Applehu+Akbar · · Score: 1

      An icepick is what I used when I had a card like that. A ball peen hammer might do less exterior damage.

      The ballpeen hammer is for use on the pickpocket.

    6. Re:How to quickly blow the RFID chip? by cwsumner · · Score: 1

      Card with chip is NOT the same as RFID

      Bump this up, it's important!

  19. Why aren't all wallets RFID blocking now? by Zen · · Score: 1

    Why aren't standard wallets RFID blocking now? I got snagged on an out of state trip around 3 or 4 years ago. I don't know exactly how, but I assume it was someone with a scanner in the TSA line at the airport. Ever since, I have used one of those hard plastic RFID blocking wallets when I travel or go somewhere with long security lines. A few months ago I switched to an everyday leather RFID blocking wallet. I got one from Hammer Anvil on Amazon, but there are other brands out there too. The thing is smaller than my old leather wallet. The shielding adds almost nothing.

    Question - does anyone know of a website that tests these wallets against all common credit card chip types? The hammer anvil one says it blocks a certain type of frequency, but not all RFID. I got the impression that it would block credit card chips, but maybe not building security RFID chips. But that leaves a question of whether or not they block all credit cards. I think most of the slim type wallets are the same - the shielding is thin, so it only blocks certain types.

    Anyone have a definitive source for testing?

  20. Ooops by Viol8 · · Score: 2

    That should read non contactless devices!

  21. that's a bit harsh by Jaegs · · Score: 1

    Look, I know pickpockets are not the nicest of people--they are petty criminals, after all--but to call them a POS is a bit harsh, isn't it?

  22. Can this work without PIN? by technomom · · Score: 1

    For phones, at least they require some kind of authentication first. Don't chip & PIN cards require at least the PIN?

    1. Re:Can this work without PIN? by Anonymous Coward · · Score: 0

      Chip & PIN is not the same as RFID

    2. Re:Can this work without PIN? by Anonymous Coward · · Score: 0

      No. For small payments you can use tap-and-go, which requires no pin or even physical contact - you just put your card next to the reader and the payment goes through. My credit card has this in addition to a chip (which only requires a pin if the payment is above a threshold amount) and a magnetic strip (that I haven't used in so long I can't honestly say what the deal is - the old magnetic stripe only cards required a pin for all transactions, but I haven't had one of those for at least 10 years).

      I do worry a little about the security implications of this despite the convenience. Which is partly why I carry my cards in a metal business card holder (which my tests indicate does block tap and go quite effectively). The other reason I do this is that it is damn convenient and doesn't bulge your pocket nearly as much as a wallet does. Then again I rarely carry more than 5 or so cards, which is the limit in terms of storage, so ymmv.

  23. Apparently Global Entry thinks there's a threat by PeeAitchPee · · Score: 1

    My Global Entry card came in a foil-lined envelope (like this) that says on the outside, "Protect your card's sensitive electronics -- and your privacy. Keep the card in this sleeve when not in use." If the US Gov't thinks a Global Entry card could potentially be sniffed from a similar vector, why think this would be much different?

  24. A merchant account is easy by Anonymous Coward · · Score: 0

    It's a bit naive to think "but there is an obstacle so it wouldn't work" this scam https://fakeletters.org/job-offers/excellent-job-opportunity-for-freshers-and-professionals has been used to get victims to sign up for an easily traceable merchant account in the past. Why would it not be used by a piece of shit with a POS?

  25. Merchants R Us by TaidghC · · Score: 1

    It's a bit naive to think "but there is an obstacle so it wouldn't work" this scam https://fakeletters.org/job-of... has been used to get victims to sign up for an easily traceable merchant account in the past. Why would it not be used by a piece of shit with a POS?

  26. Cost benefit, and convenience cost by Anonymous Coward · · Score: 0

    You have to remember that fraud of this sort is something done on a cost-benefit analysis basis. For single-city transport and small-purchase cards, the limitations in geographic terms, per-transaction limits, and the limited total number of sellers who can cash in the points for money increase the costs of getting money back from fake transactions, reduce the benefit per act of fraud, and increase risk. This means that it is less worthwhile to break but does not mean it cannot be done. The more universal a system is, the less fussy they can be with the vendors, and the less conspicuous the actions to cash in the fraud in other ways (e.g. buy and resell expensive items) have to be, decreasing the risk. Larger limits on the new chips increase the per-transaction profit, and the usage of more widely available hardware as well as a greater number of victims reduces per-action costs. That it does not happen with the current system does not mean it cannot happen with new systems; the economics make this sort of scam inevitable if we use more contactless cards, so long as security is not perfect.

    Not only are re-writeable magnetic stripes real, the hardware for at least some chip-based cards can store info too, leaving you with only the slight at-gate delay, which is a different issue. If a half-second-per-passenger delay breaks your station then you have other issues and will see bottlenecks elsewhere, or you don't have enough gates; for pretty much any other purchase, slot-in-and-out or swipe is too trivial a component of the time taken to even register. You seem to care far more about the trivial convenience than the risks, but this trade-off is the real question: what is the real-world cost of both systems, in convenience and money? And the less limited contactless gets, the more costly they will become.

  27. How well do they work? by RDW · · Score: 1

    The last wallet I bought claims to block RFID. I tested it at work and found that it blocked the POS reader in the coffee bar, but not the entry card reader on the door, which doesn't exactly inspire confidence. Perhaps the sort of low-powered device 'pickpockets' are likely to use would also be blocked, but there's no way to be sure. Do the manufacturers actually test these things?

  28. I think frequency and amount matters by Anonymous Coward · · Score: 0

    As a cash user, and a subway rider for a year, your post made me think for a while. I think subway and bus RFID is handy, because I will make multiple transactions on the go for a single trip, it will be for only a few dollars at each transaction, and I will be dressed up to handle the weather. When buying something, like food, I will be inside, waiting in a line, and the transaction amount will be ten to sixty dollars. The advantages of RFID (speed) are reduced, and the downside, (amount of money getting stolen) are greater. My transit smart card will have up to 20 or 40 dollars on it, and I can refill it at a machine at a subway stop. My ATM card will have several hundred dollars on it.

  29. Merchant Accounts are as disposable as any other by Anonymous Coward · · Score: 0

    If you are a fraudster and you want a merchant bank account then you can acquire one just as easily as any other type of account... surprisingly enough, by being fraudulent. As long as you pay your setup fee and whatever identity the fraudster is using passes a basic credit check, then you can get a bank account like that from pretty much any bank. If you plan on using it to steal money then it's not like next month's merchant fees are going to be an issue - you're going to just dump the account as soon as it's generated a profit for you.

    It's easy to transfer cash from the merchant account to a pre-paid debit card or even to willing accessories to fraud and just spend it as you want. Sure, your merchant account will eventually get flagged and locked out, but by that point the fraudster could easily have emptied it and moved on to the next one.

    On a related subject: I destroy the RFID features on my cards by cutting through the antennae.

  30. Lots of RFID wallets around by megalo99 · · Score: 1

    I tried a few of those RFID blocking wallets, and although they block the signals and are cheap, they're still poorly made. The one I settled on has been tested by a few independent labs, and is every bit as high quality leather as my old wallet - yet has a faraday cage built into it. From the few basic tests I've been able to do on my own, it seems to do what it's marketed to do. http://silent-pocket.com/colle...

  31. One in three payments? I doubt it. by RockDoctor · · Score: 1

    TFA claims that "one in three payments made in London are contact-less"; I can only think that they get that number by counting every use of the "Oyster" card on the underground and buses. (I don't live in London and avoid the place if at all possible, but I don't think that there is any other use for this card.)

    One of my banks sent me a contactless card last year. But that's OK, because that account I only ever use for online purchases, and the card never leaves the living room. I'm not even sure how you'd actually perform a contactless payment. And I don't feel any particular reason to learn.

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"