Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second (softpedia.com)

Posted by BeauHD on from the crowded-shopping-center dept.

An anonymous reader writes from a report via Softpedia: "A criminal group going under the name of The CC Buddies is selling a hi-tech device on the Dark Web that's capable of copying details from contactless debit cards if held as close as eight centimeters away from a victim's card," reports Softpedia. The device, named Contactless Infusion X5, is extremely dangerous because it can copy up to 15 bank cards per second, something that may come in handy if a crook is going through a crowd at a concert or through a crowded subway cart. The device can collect data such as the card's number and expiration date. If the debit card's RFID chip stores information such as the card holder's name, home address, and a mini statement, X5 can steal that data as well. The X5 is sold on the Dark Web for only 1.2 Bitcoin (~$825), and its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.

2 of 193 comments (clear)

  1. Re:In other news the sun is hot. by AmiMoJo · · Score: 1, Interesting

    Or maybe we should start listening to security professionals and understand the threat model. We had this same brown pants moment with RFID passports.

    The data you can read wirelessly is not supposed to be secure. You might like it to be, but it's not designed that way. Only the payment part is secure, and this device doesn't clone that.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Clone is an exagerration by DrXym · · Score: 3, Interesting

    An NFC chip would be extremely difficult to clone. The might be able to scrape some information off the NFC that is made public but it is highly doubtful that includes the PIN, the CVV2, the address or possibly even the name of the person. The NFC itself would implement challenge response so that wouldn't be much use either. It's not even obvious to me why point of sale terminals would even need to see what's on the magstripe but perhaps there is a reason. The obvious fix is if a payment card exposes this info then it should obfuscate it, or better yet not expose it at all. Whatever edge case requires it might not be a sufficient reason given any potential for theft.