Russian POS Pickpocket Generates New Interest In RFID-Blocking Wallets

An anonymous reader writes: A Facebook post depicting a man apparently stealing from commuters by tapping a POS reader against them unobserved on public transport caused a sensation on Facebook before being removed earlier today. The provenance of the photo is uncertain, but unnamed authorities have said that it was taken in Russia. Since this type of opportunistic street theft requires a merchant business account through which any transactions would be easily traceable, the question arises as to how such acts of fraud are being made profitable. Comments on the matter have brought up anew the topic of RFID-blocking wallets as necessary everyday security.

Russian POS?

A Russian piece of shit pickpocket? No need for attacking other countries today.... all pickpockets are pieces of shit.

Re:Russian POS?

[LifesABeach]

What a great idea! Invent a technology that makes theft easier. We've got DHS saying it's to protect children, and hinder the terrorists. Mean while, on the other side of the ponds, we hear the excuse of it's just the way we do commerce over here. What's amazing is that this weakness has been known for over 20 years. I remember when this shit came out in the early 1990's, others could remote read these chips then. What next? There's a App for that?

RFID

[NotInHere]

who said this is a good idea the first place?

Contact-less payments are dumb, and lead to precisely this kind of abuse. I mean it could be a simple confirmation, a single swipe on the screen or something (when talking about smartphone based payments). And contact-less keys can simply have a button you have to press before unlocking.

Re: RFID

That is the new standard coming to the us. All other countries that have it, say it is more secure. The change in law, made the business eat any other false charges. Not the credit card company. I expect to see fewer cards accepted by businesses as the false positives aggregate. After all, pay five ormore percent per transaction, and nothing for it? Or cash, check, with a 1% surcharge? Interesting. Or maybe a business could go back to a customer loyalty card, and start rewarding their customers instead of the banks.

Re:RFID

[binarylarry]

Actually this kind of protection (confirmation, fingerprint swipe, lock pattern, etc) are already used with NFC payments.

My Galaxy Note requires it for contactless purchases.

Re:RFID

[AmiMoJo]

The story is bullshit.

Look at the photo in TFA. The item in the guys hand is clearly not what they think it is. It's a phone. The button colours and shape don't match the POS terminal depicted.

In any case, even if it was real, it would be a really, really dumb way to steal money. For the POS terminal to work, you have to have an account set up. That means vetting (okay, might be weak in Russia) and a paper trail. The money has to go into an account somewhere. That's why you don't see many "fallen off a lorry" scammers using POS terminals.

Re:RFID

[wvmarle]

I've been using contactless payments for well over a decade now, and I love it. All buses, minibuses, trams, trains, ferries in Hong Kong take the contactless Octopus card for payment. No fuss with exact change (buses don't give change) or buying single ride tickets. Just swipe and move on, payment done in a fraction of a second. Use them for small payments in convenience stores and supermarkets, vending machines, etc. Many car parks are Octopus-only even.

I have also never heard about any (large scale) fraud with these cards. I really don't know the ins and outs on how fraud is prevented, but obviously it works well. These cards were introduced some 20 years ago and pretty much everyone has one. There have been several technology upgrades which all have been seamless from the user pov.

So I really can't say they're dumb. They're awesome. Wouldn't want it otherwise, it's just too big a big PITA to have to deal with all those small payments in cash.

Re:RFID

[rjforster]

Nope. The object in his hand looks just like the contactless payment (combined with chip and pin) devices that are all over the place (in the UK anyway). Granted it doesn't look like the telepower device on the right side of the picture but certainly DOES look like a contactless payment device.

This doesn't rule out the story being BS for all the other reasons you give like needing to be tied to a traceable account...

Re:RFID

[Apotekaren]

Please google "Pine Labs' iWL220", and compare to the picture from the subway. It's a GPRS-enabled POS-device.
Look familiar? Being a Daily Mail story should put up a red flag, "may contain shitty editing and journalism".

But yeah, getting such a setup probably isn't hard in Russia, using a fake identity and then shifting money around accounts.

Re:RFID

[AmiMoJo]

It's not an iWL220, the body colour and buttons below the screen are different. The buttons below the screen are the standard up/down scroll buttons on Nokia-clone brick phones.

Well, okay, to be fair the photo is crap so we can't be 100% sure either way.

I have long known about this one

[EmperorOfCanada]

This attack is actually quite easy. The "Pickpocket" has one end of a transmitter not a POS system. The other end of the transmitter is waiting at cashier to make a payment. Effectively the system is fantastically dumb, just relaying the transaction requests back and fourth between the the checkout and the person's card.

The "getaway" is that they are leaving with the goods. If the store doesn't get paid, it doesn't matter.

This completely end runs the entire smart card encryption and every other security measure on the card. It is just a pair of repeaters that are extending the range of the card from 3cm to potentially miles.

I suspect that there are timeouts on the cards but if the repeaters don't induce much lag the speed of light should not add much. Still, depending on how generous these timeouts have been set, it may be possible to fire these signals through an LTE pair of phones giving the pickpockets an international range.

In theory a pickpocket could be having the signals relayed in a nice message queue fashion to a series of people waiting at automated checkouts. So the pickpocket could walk down a train while a small group of purchasers ring transaction after transaction through. Assuming a $100 limit per purchase not only could the pickpocket feed an easy 20 cards from a single train, but he could wait a few minutes before returning for a second pass down the train making it appear that the users were making a second purchase, and then a third and a fourth.

Doing the math that could net $2,000 per pass with maybe 3 possible passes before the pinless swipe limit were hit.

Then step out and do the next train car. Now we are looking at no less than $10,000 in goods per hour during rush hour.

This is assuming that it isn't one long train. If it is a train where you can walk the length of a crowded train it could potentially be 100 cards in a single run if the queuing system is properly organized.

When I first saw someone swipe a card without a pin this scheme popped into my head. I have just been waiting the years since for it to become public.

I suspect the fix won't be that easy because merely being less generous with the timeouts will probably exceed the capabilities of many cards and many machines, causing them to become unreliable.

Re:I have long known about this one

[Gr8Apes]

The solution is even easier - require a PIN.

My solution .. USA based cards

[OzPeter]

I was in Australia over Christmas with my brand spanking new USA based credit cards (from major bank and CC companies) .. which have barely have chips in them. I was buying some stuff in a shop one day and handed over my credit card and the assistant took my card, looked at it, paused for a second and then finally said with an incredulous tone .. "Oh .. I have to swipe this, don't I".

Talk about an abject lesson in how backwards my CC was.

Re:Whats the news?

You brought up something that's been troubling me: this increasing desire by business to make all too easy for paying without thought. They want people impulse buy. Apple is the biggest offender. In order to create an Apple ID on an IOS device you must give a payment method - you have to use a desktop system via the web to create an ID without a payment option. Why? They want people to impulse buy songs and apps.

Roku does the same thing "for your convenience". I had their customer no-service people waive that requirement after having to listen to their bullshit how it's for "my convenience". It's idiotic that I even have to create an account with them to use the fucking thing since the streaming goes direct to the content provider.

And of course, if there's a mistaken billing or fraudulent (many channels on Roku's service say they're free by when you click on them, a message pops up saying that they are charging me - it's a great thing I did not give them my payment information!!), good luck getting the money back.

And unlike cash when you lose it, you just lost that, these electronic payment systems allow for thieves to clear you out and it takes weeks to get your money back or in the case of a credit card, you will find yourself SOL in case you're traveling.

Until the financial services industry cleans up it's act, these types of payment systems shouldn't be allowed or forced on us.

Re:Remove the chip

[Viol8]

Even easier - just cut horizontally into the card from the right hand side about 2-3cm. It severs the antenna but the card is still usable in all non contact devices.

Can we find another term for "POS"?

[mykepredko]

When I first read the headline it was "Russian Piece of Shit Pickpocket Generates Interest in RFID-Blocking Wallets"

I know it's "Point of Sale", but too many years of experience with the other version of the acronym has conditioned me to read it a certain way with often, as in this case, coming up with a different interpretation of a statement.

Correlation

[Thanshin]

"the question arises as to how such acts of fraud are being made profitable."
"Comments on the matter have brought up anew the topic of RFID-blocking wallets as necessary everyday security."

Seriously? You weren't able to see that relation?

Read your own text slowly. This time, try to think while you read.

Ok. I'm not sure you'll manage it. Let's try a simpler with the key words in bold:
"OMG! How will anyone make a profit out of this?!" followed by "It's time to buy an RFID-blocking wallet!"

Ooops

[Viol8]

That should read non contactless devices!

Re:Remove the chip

[rjforster]

The cards are just about translucent enough that a bright LED torch can show you just where the antenna loop goes so you can pinpoint exactly where to cut or drill. Make sure you have a NFC app on your smartphone to check that you could read the card details before you cut or drill the card and cannot do so afterwards. Probably best to avoid the mag stripe as well. I might suggest a 1 or 1.5 mm drill in the top right corner as you look at the front of the card, with the center point of the hole being about 2.5 to 3mm from the top and right edges.

Not advocating, you understand. Just talking possibilities.