Slashdot Mirror


Russian POS Pickpocket Generates New Interest In RFID-Blocking Wallets (thestack.com)

An anonymous reader writes: A Facebook post depicting a man apparently stealing from commuters by tapping a POS reader against them unobserved on public transport caused a sensation on Facebook before being removed earlier today. The provenance of the photo is uncertain, but unnamed authorities have said that it was taken in Russia. Since this type of opportunistic street theft requires a merchant business account through which any transactions would be easily traceable, the question arises as to how such acts of fraud are being made profitable. Comments on the matter have brought up anew the topic of RFID-blocking wallets as necessary everyday security.


  1. I have long known about this one by EmperorOfCanada · Score: 5, Insightful

    This attack is actually quite easy. The "Pickpocket" has one end of a transmitter, not a POS system. The other end of the transmitter is waiting at a cashier to make a payment. Effectively the system is fantastically dumb, just relaying the transaction requests back and forth between the checkout and the person's card.

    The "getaway" is that they are leaving with the goods. If the store doesn't get paid, it doesn't matter.

    This completely end-runs the entire smart card encryption and every other security measure on the card. It is just a pair of repeaters that are extending the range of the card from 3cm to potentially miles.

    I suspect that there are timeouts on the cards but if the repeaters don't induce much lag the speed of light should not add much. Still, depending on how generous these timeouts have been set, it may be possible to fire these signals through an LTE pair of phones giving the pickpockets an international range.

    In theory a pickpocket could be having the signals relayed in a nice message queue fashion to a series of people waiting at automated checkouts. So the pickpocket could walk down a train while a small group of purchasers ring transaction after transaction through. Assuming a $100 limit per purchase not only could the pickpocket feed an easy 20 cards from a single train, but he could wait a few minutes before returning for a second pass down the train making it appear that the users were making a second purchase, and then a third and a fourth.

    Doing the math that could net $2,000 per pass with maybe 3 possible passes before the pinless swipe limit were hit.

    Then step out and do the next train car. Now we are looking at no less than $10,000 in goods per hour during rush hour.

    This is assuming that it isn't one long train. If it is a train where you can walk the length of a crowded train it could potentially be 100 cards in a single run if the queuing system is properly organized.

    When I first saw someone swipe a card without a pin this scheme popped into my head. I have just been waiting the years since for it to become public.

    I suspect the fix won't be that easy because merely being less generous with the timeouts will probably exceed the capabilities of many cards and many machines, causing them to become unreliable.
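
The timeout trade-off raised in the comment above, worked through as an added example that is not part of the original post or thread: a terminal-side round-trip limit is swept from generous to strict, counting how many genuine cards it rejects and how many relayed responses still pass. Every timing value, and the names `GENUINE_MS`, `RELAY_EXTRA_MS`, `evaluate` and `tightest_safe_limit`, are constructed for illustration and are not measurements of real cards or terminals.

```python
# Added example: how a terminal's response-time limit trades false rejects of
# genuine cards against acceptance of relayed (delayed) responses.
# All timings are constructed sample values, not measurements.

# Constructed round-trip times (ms) of genuine cards held at the terminal.
GENUINE_MS = [18, 22, 25, 31, 40, 47, 55, 63, 78, 95]
# Constructed extra latency (ms) that a relay link adds, fast to slow.
RELAY_EXTRA_MS = [5, 20, 60, 150]


def accepts(round_trip_ms, limit_ms):
    """The terminal accepts a response only if it arrives within the limit."""
    return round_trip_ms <= limit_ms


def evaluate(limit_ms):
    """Return (fraction of genuine cards rejected,
               fraction of relayed responses accepted) for one limit."""
    rejected = sum(not accepts(t, limit_ms) for t in GENUINE_MS)
    relayed = [t + extra for t in GENUINE_MS for extra in RELAY_EXTRA_MS]
    passed = sum(accepts(t, limit_ms) for t in relayed)
    return rejected / len(GENUINE_MS), passed / len(relayed)


def tightest_safe_limit():
    """Strictest limit that still accepts every genuine card in the sample."""
    return max(GENUINE_MS)


def sweep(limits):
    """Evaluate several limits so the trade-off can be read off as a table."""
    return {limit: evaluate(limit) for limit in limits}


if __name__ == "__main__":
    print("limit_ms  genuine_rejected  relayed_accepted")
    for limit, (fr, ra) in sweep([500, 100, 50, 30]).items():
        print(f"{limit:>8}  {fr:>16.1%}  {ra:>16.1%}")
    safe = tightest_safe_limit()
    print(f"tightest limit with no false rejects: {safe} ms, "
          f"relayed accepted: {evaluate(safe)[1]:.1%}")
```

With these sample values, the strictest limit that keeps every genuine card working still lets through about half of the relayed responses, and pushing the limit lower starts rejecting slow genuine cards before the fastest relay case is excluded.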