New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second

An anonymous reader writes from a report via Softpedia: "A criminal group going under the name of The CC Buddies is selling a hi-tech device on the Dark Web that's capable of copying details from contactless debit cards if held as close as eight centimeters away from a victim's card," reports Softpedia. The device, named Contactless Infusion X5, is extremely dangerous because it can copy up to 15 bank cards per second, something that may come in handy if a crook is going through a crowd at a concert or through a crowded subway cart. The device can collect data such as the card's number and expiration date. If the debit card's RFID chip stores information such as the card holder's name, home address, and a mini statement, X5 can steal that data as well. The X5 is sold on the Dark Web for only 1.2 Bitcoin (~$825), and its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.

In other news the sun is hot.

My initial reaction is duh. I have software on my phone for security audits that allow me to do the exact same thing. Only it's not meant to do 15 cards a sec. This is how contactless cards work. Maybe the PCI should just start listening to security professionals and do away with these things?

Re:In other news the sun is hot.

Except apparently for the fact that there are still quite a number of transactions which you can do with just the card number today. So no point in cloning it apart from the tens of millions of pounds you can get in your bank account if you have a gang of people doing it for you. Apart from that, no point at all. Let's move on to something important like the latest hack for WoW or some photo "accidentally" leaked from some Kardasian phone or something.

Just as a random plug, I have a Koruma RFID blocking wallet which I got years ago and it's still going fine. They were some tiny company when I bought it and now seem to have really succeeded. The "Koruma I", which they don't seem to push for some reason, and is pretty much the cheapest wallet they have, is excellent because it has an external shielded pocket which you can use for the travel card you are using right now whilst keeping everything else shielded. They also have passport shields. N.B. no relationship other than happy customer.

Re:In other news the sun is hot.

[tlhIngan]

Well, what really happens is this.

When you read the card, you get the card number and expiry date. It's not good enough to actually do a chip/contact payment, but the information is enough to do a swipe transaction. If you can print a card, and have an old enough store that still uses a mechanical imprinter (the big thing that you put the card in, a slip and slide the slider back and forth that imprints the slip). Or of course, you use it for online shopping.

What happens then is up to the merchant and hits bank - if the bank is smart, they will realize the card used supports chip or contactless, and the terminal supports it, and rejects the transation wanting a chip or contactless.

Online stores and even in-person transactions often require the CVV if you swipe them, as well. (The CVV value is not stored on chip or in the magstripe - it's designed to verify that you have physical access to the card).

Actual payments require a challenge-response - the chip contains a secret only known to it and the bank which never leaves the card.

So you likely can use it for a few transactions which still do swipes and don't check CVVs, but that's about it.

Re:In other news the sun is hot.

OK. Few things

1. There are lots of CVVs. There are several places cards store a few extra digits. In each case at first they were the same digits, and then banks realised "Oh crap" the digits from one place can be copied to elsewhere. So a modern card _should_ use different values for each CVV. In particular, there's the CVV physically printed on the outside of the card for a human operator (sometimes called CVV2 and used to verify Card Not Present e.g. over the phone or Internet) and a CVV stored on the mag stripe and another CVV (sometimes called iCVV) stored inside an EMV chip card.

2. There are different grades of security for EMV cards. The smarter the card, the more expensive it is to make. Security is, as ever, a trade-off, and banks want to pay as little as possible for these cards. The cheapest way to make the cards work, SDA has them almost completely static, they "know" how to hand over some fixed data, but they aren't actually doing a full-blown public key crypto session each time you use them. An SDA card could definitely be "cloned" using some relatively affordable technology, recording it making a legit transaction like the one you want to fake. DDA, dynamic cards have individual private keys baked into them so they do public key crypto to authenticate every transaction. To "clone" the DDA card you need to steal its private key, which the hardware makers should have gone to great trouble to make difficult. The next step beyond that is CDA, in which the card proves to both the terminal AND the bank that it is genuine, which prevents certain "offline" attacks where a payment wouldn't have been accepted (if the bank is competent) but it looks OK to a terminal which can't talk to the bank. Most cards issued today seem to be SDA. Your bank will almost certainly decline to specify which yours is, and of course the frontline customer services people have no idea.

3. Customer Verification is selective. The bank, terminal and card all get to help choose what's an acceptable verification. For contactless the answer is often "No verification". This might seem crazy, but then remember that for the first decade or more of their existence all credit cards worked on this "trust and ask questions later" basis.

perfectly secure!

[green1]

Don't worry, the banks are working hard to solve this security hole... by telling anyone who will listen that these cards are secure, and sticking their fingers in their ears any time anyone says any different.

My bank graciously offered to turn off the feature on my card, from their end, not mine. Which, if you know anything about how these hacks work, means that they're willing to take away all the convenience of the feature, while carefully maintaining the security risks on my card. I declined and cut the antenna instead.

Right now in Canada it is almost impossible to get a credit card without this security hole baked in. They all have it, they brag about it. And worse yet, if someone does manage to clone the card, the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions, after all, the security on the cards is perfect, so you must have authorized it.