New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second (softpedia.com)

← Back to Stories (view on slashdot.org)

New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second (softpedia.com)

Posted by BeauHD on Monday June 13, 2016 @01:50PM from the crowded-shopping-center dept.

An anonymous reader writes from a report via Softpedia: "A criminal group going under the name of The CC Buddies is selling a hi-tech device on the Dark Web that's capable of copying details from contactless debit cards if held as close as eight centimeters away from a victim's card," reports Softpedia. The device, named Contactless Infusion X5, is extremely dangerous because it can copy up to 15 bank cards per second, something that may come in handy if a crook is going through a crowd at a concert or through a crowded subway cart. The device can collect data such as the card's number and expiration date. If the debit card's RFID chip stores information such as the card holder's name, home address, and a mini statement, X5 can steal that data as well. The X5 is sold on the Dark Web for only 1.2 Bitcoin (~$825), and its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.

124 of 193 comments (clear)

Min score:

Reason:

Sort:

antenna by phantomfive · 2016-06-13 13:53 · Score: 1

Is there a way to increase the range with an antenna or something? 8cm is kind of a short range, even at a concert........

--
"First they came for the slanderers and i said nothing."
1. Re:antenna by phantomfive · 2016-06-13 14:10 · Score: 1
  
  You could hide an antenna in a backpack or something, doesn't need to be super-obvious
  
  --
  "First they came for the slanderers and i said nothing."
2. Re: antenna by WarJolt · 2016-06-13 14:29 · Score: 1
  
  Or put it somewhere people often open their wallets.
3. Re: antenna by rayjaymor85 · 2016-06-13 14:34 · Score: 1
  
  The short range is deliberate. You can't isolate the RFID signal. Same result as holding to PayPass cards over the reader: neither will work. The machine can probably clone the cards... wether those cards will keep working is another question however .
4. Re:antenna by Gussington · 2016-06-13 14:41 · Score: 2
  
  8cm is enough if that's all you require to get free money.
  Bus, train, bar, concert, elevator, I'm in plenty of situations where I get closer than 8cms to others. If everyone of those people I could scam $99 from, I'll be a millionaire by the end of the month.
5. Re: antenna by phantomfive · 2016-06-13 15:45 · Score: 1
  
  You can't isolate the RFID signal.
  Why not?
  
  --
  "First they came for the slanderers and i said nothing."
6. Re:antenna by breeze95 · 2016-06-13 17:57 · Score: 1
  
  8cm is enough if that's all you require to get free money. Bus, train, bar, concert, elevator, I'm in plenty of situations where I get closer than 8cms to others. If everyone of those people I could scam $99 from, I'll be a millionaire by the end of the month.
  8cm = 3.15 inches. You would literally have to be standing nose to nose with someone to be that close. The only way that 8 cm range would work is if the device is hand held and you are in a crowded environment, preferably a bar where everyone is tipsy, where you can get the device 3 inches from people pockets or handbags. It's not easy but doable I guess.
7. Re:antenna by Opportunist · 2016-06-13 18:34 · Score: 1
  
  Umm... public transport? Just get into a subway in a moderately important city during early morning rush. Plenty of targets.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
8. Re:antenna by sys64764 · 2016-06-13 21:04 · Score: 1
  
  Dress up as a security guard and scan people. They won't suspect a thing because security!
9. Re: antenna by Dr_Barnowl · 2016-06-13 22:45 · Score: 1
  
  Same result as holding to PayPass cards over the reader: neither will work.
  That's just a poor implementation, or a deliberate decision on the part of PayPass to avoid confusion over which card is used. The protocols for contactless smartcards include collision avoidance, you should in theory be able to present a whole stack of them and only read the one you want, or read all of them sequentially.
10. Re: antenna by Dr_Barnowl · 2016-06-13 22:48 · Score: 2
  
  You can, the protocols include collision avoidance.
  It's more likely down to the inverse square law - every time you double the range, you need to quadruple the output of your transmitter to maintain the same signal intensity.
11. Re: antenna by omnichad · 2016-06-14 01:51 · Score: 1
  
  and only read the one you want
  And how is the machine supposed to know which one you want?
12. Re:antenna by Gussington · 2016-06-14 22:17 · Score: 1
  
  8cm = 3.15 inches. You would literally have to be standing nose to nose with someone to be that close.
  
  You mean just like any bus, train, bar or elevator in any large city?
  Mostly you aren't nose to nose, you're generally all facing the same way, so a scanner in your front pocket brushed up against a wallet in someone's back pocket would be trivial.
  
  The only way that 8 cm range would work is if the device is hand held and you are in a crowded environment, preferably a bar
  or bus, train or elevator.
In other news the sun is hot. by Anonymous Coward · 2016-06-13 13:56 · Score: 5, Informative

My initial reaction is duh. I have software on my phone for security audits that allow me to do the exact same thing. Only it's not meant to do 15 cards a sec. This is how contactless cards work. Maybe the PCI should just start listening to security professionals and do away with these things?
1. Re:In other news the sun is hot. by Anonymous Coward · 2016-06-13 14:49 · Score: 1
  
  It can't pull the tokens it just pulls the card number, which it was a boneheaded move to put on the smart portion anyway but its being phased out so not much point in clonining it.
2. Re:In other news the sun is hot. by AmiMoJo · 2016-06-13 17:07 · Score: 1, Interesting
  
  Or maybe we should start listening to security professionals and understand the threat model. We had this same brown pants moment with RFID passports.
  The data you can read wirelessly is not supposed to be secure. You might like it to be, but it's not designed that way. Only the payment part is secure, and this device doesn't clone that.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
3. Re:In other news the sun is hot. by Cyberax · 2016-06-13 17:29 · Score: 1
  
  No, you can't do it with bank cards. They actually do challenge-response authentication with the bank with the secret key sealed inside the cheap, so simply listening or getting public info gets you nothing. You _might_ be able to clone insecure RFID access cards as used by turnstiles at various locations, but that's it.
  
  There are several possibilities:
  1) This device simply initiates up to 15 purchases per second from nearby cards. Totally possible but mostly harmless.
  2) It's a scam.
  The latter is most likely.
4. Re:In other news the sun is hot. by Anonymous Coward · 2016-06-13 18:21 · Score: 2, Informative
  
  Except apparently for the fact that there are still quite a number of transactions which you can do with just the card number today. So no point in cloning it apart from the tens of millions of pounds you can get in your bank account if you have a gang of people doing it for you. Apart from that, no point at all. Let's move on to something important like the latest hack for WoW or some photo "accidentally" leaked from some Kardasian phone or something.
  Just as a random plug, I have a Koruma RFID blocking wallet which I got years ago and it's still going fine. They were some tiny company when I bought it and now seem to have really succeeded. The "Koruma I", which they don't seem to push for some reason, and is pretty much the cheapest wallet they have, is excellent because it has an external shielded pocket which you can use for the travel card you are using right now whilst keeping everything else shielded. They also have passport shields. N.B. no relationship other than happy customer.
5. Re:In other news the sun is hot. by tlhIngan · 2016-06-13 18:30 · Score: 5, Informative
  
  Well, what really happens is this.
  When you read the card, you get the card number and expiry date. It's not good enough to actually do a chip/contact payment, but the information is enough to do a swipe transaction. If you can print a card, and have an old enough store that still uses a mechanical imprinter (the big thing that you put the card in, a slip and slide the slider back and forth that imprints the slip). Or of course, you use it for online shopping.
  What happens then is up to the merchant and hits bank - if the bank is smart, they will realize the card used supports chip or contactless, and the terminal supports it, and rejects the transation wanting a chip or contactless.
  Online stores and even in-person transactions often require the CVV if you swipe them, as well. (The CVV value is not stored on chip or in the magstripe - it's designed to verify that you have physical access to the card).
  Actual payments require a challenge-response - the chip contains a secret only known to it and the bank which never leaves the card.
  So you likely can use it for a few transactions which still do swipes and don't check CVVs, but that's about it.
6. Re:In other news the sun is hot. by johnw · 2016-06-13 19:08 · Score: 1
  
  Online stores and even in-person transactions often require the CVV if you swipe them, as well.
  On-line stores have to ask for the CVV. It's been a while since I ran my own business, but back then we were explicitly forbidden from capturing the CVV for in-person transactions. The idea is that nobody has it but the physical card holder.
  I do admit to being puzzled by this story though. If the wireless conversation between a contactless card and any kind of reader carries enough information for the card to be cloned, then the design is terminally broken. It's not as if the necessary crypto techniques are not very well known.
7. Re:In other news the sun is hot. by Trax3001BBS · 2016-06-13 19:52 · Score: 1
  
  Just as a random plug, I have a Koruma RFID blocking wallet which I got years ago and it's still going fine.
  I don't carry a wallet, not doing so cured my back pains when I was much younger. Just what's required in my back pocket.
  I've fallen for the hype of being scanned, not helping are the TV's commercialism of those type of wallets (scan blocking) - so just in case...
  I wrap my RFID chip embedded cards in an aluminum foil packet I made up. The trick is being able to access it quickly and not looking like a dork :).
8. Re:In other news the sun is hot. by Bob_Who · 2016-06-13 20:22 · Score: 2
  
  Maybe the PCI should just start listening to security professionals and do away with these things?
  And why wouldn't they? Because they figured that when the technology did fail that they could pawn the losses off onto somebody else. As long as we pass laws that make it impossible for these losses to ever be passed off onto the victims (i.e. the customers and the merchants) and be sure that there is swift and effective remedy for any fraud, then the banks and credit cards will make damn sure they listen to security experts in the future.
  Our problem is not a deficiency in technology and know how, its a deficiency in our society in properly punishing criminals and not victims. In the old days, when a bank got robbed it never cost an account holder a dime. We need to be vigilant in maintaining this standard for all financial transaction crime. It only costs the banks. Suddenly, the problem will be solved efficiently...and not until then.
9. Re:In other news the sun is hot. by Bob_Who · 2016-06-13 20:32 · Score: 1
  
  I don't carry a wallet, not doing so cured my back pains when I was much younger
  You're absolutely right about the wallet and back pain. Its a no brainer once you think about the fact we were not designed to sit on a tilt or else we would have started out tilted. But it took me years and years to discover the obvious. Now my back problems are all gone.
  As for the solution to these issues of cyber fraud, we just have to figure out what obvious thing that we are overlooking. And when we do, and stop it, it will be a problem solved.
10. Re:In other news the sun is hot. by Bob_Who · 2016-06-13 20:40 · Score: 1
  
  Also, I just gotta say, your tagline had me rolling on the floor. I am definitely putting it on my list of the truly hilarious. Perhaps, I'm twisted, but that's a real laugh.
11. Re:In other news the sun is hot. by complete+loony · 2016-06-13 20:50 · Score: 1
  
  In some cases you can get away with not having the card at all. Terminals have support for manually entering details if the card fails to swipe for some reason. You just need to convince the merchant to type the number in that you have memorized.
  Worked well enough for a local thief after obtaining a friends card number. The bank spotted the odd transactions, my friend searched online for the store's details and the idiot came back again trying to repeat his earlier success.
  Totally would have gotten away with it if he hadn't been greedy. It took ages for the cops to rock up and arrest him.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
12. Re:In other news the sun is hot. by cryptizard · 2016-06-13 21:10 · Score: 1
  
  Just... carry it in your side pocket? I never understood why people put it in their back pocket in the first place, it is so uncomfortable.
13. Re:In other news the sun is hot. by jareth-0205 · 2016-06-13 21:39 · Score: 1
  
  Maybe the PCI should just start listening to security professionals and do away with these things?
  Yeah, they should totally listen to an AC that hasn't actually looked up how these things really work.
14. Re:In other news the sun is hot. by Mr+D+from+63 · 2016-06-13 22:40 · Score: 1
  
  I'd like to see how they are going to get within 8 cm of 15 cards in one second. The author is stupid for making that the headline. The more important point is that it can scan a single card in 1/15th of a second.
15. Re:In other news the sun is hot. by Anonymous Coward · 2016-06-13 23:09 · Score: 3, Informative
  
  OK. Few things
  1. There are lots of CVVs. There are several places cards store a few extra digits. In each case at first they were the same digits, and then banks realised "Oh crap" the digits from one place can be copied to elsewhere. So a modern card _should_ use different values for each CVV. In particular, there's the CVV physically printed on the outside of the card for a human operator (sometimes called CVV2 and used to verify Card Not Present e.g. over the phone or Internet) and a CVV stored on the mag stripe and another CVV (sometimes called iCVV) stored inside an EMV chip card.
  2. There are different grades of security for EMV cards. The smarter the card, the more expensive it is to make. Security is, as ever, a trade-off, and banks want to pay as little as possible for these cards. The cheapest way to make the cards work, SDA has them almost completely static, they "know" how to hand over some fixed data, but they aren't actually doing a full-blown public key crypto session each time you use them. An SDA card could definitely be "cloned" using some relatively affordable technology, recording it making a legit transaction like the one you want to fake. DDA, dynamic cards have individual private keys baked into them so they do public key crypto to authenticate every transaction. To "clone" the DDA card you need to steal its private key, which the hardware makers should have gone to great trouble to make difficult. The next step beyond that is CDA, in which the card proves to both the terminal AND the bank that it is genuine, which prevents certain "offline" attacks where a payment wouldn't have been accepted (if the bank is competent) but it looks OK to a terminal which can't talk to the bank. Most cards issued today seem to be SDA. Your bank will almost certainly decline to specify which yours is, and of course the frontline customer services people have no idea.
  3. Customer Verification is selective. The bank, terminal and card all get to help choose what's an acceptable verification. For contactless the answer is often "No verification". This might seem crazy, but then remember that for the first decade or more of their existence all credit cards worked on this "trust and ask questions later" basis.
16. Re:In other news the sun is hot. by hjf · 2016-06-13 23:54 · Score: 1
  
  Here in Argentina my terminal (swipe, obviously card-present) always asks for CVV when using credit, and for some cards, it also asks for the last 4 digits on the front.
  Maestro debit only requires a PIN. Visa debit requires nothing.
  Chip cards haven't really been implemented even though for the last few years all terminals i've seen have a smartcard slot. Only a handful of clients (people with Platinum or Black cards) have cards with chip. My bank says this is because the only issue those cards upon request (indirectly: they ask if you travel abroad often, and if you do, they give you one of those cards. Gotta pinch those cents!)
17. Re:In other news the sun is hot. by fuzzyf · 2016-06-13 23:57 · Score: 1
  
  It's still used as backup.
  
  Basically if you disconnect a terminal it will go into offline mode, requiring manual authentication (id card + signature). If the unit completely breaks down then a manual imprinter can be used instead. Most stores have one (stored away someway), but people probably don't know how to use it any more.
18. Re:In other news the sun is hot. by hjf · 2016-06-13 23:59 · Score: 1
  
  My terminal allows for this, only for credit (because debit cards here don't have embossed digits). It's for when the magstripe fails to read. You have to enter the digits manually but the transaction is still done online (it will still dial up and connect to the bank). And you need the CVV.
  If the transaction is approved, it prints a much longer receipt which you have to put over the card and rub a with the side of a pencil or something over the digits so that they get transfered to the paper (no need for pencil or ink as it's thermal paper). Then the client needs to sign the receipt.
  Also, where I live, you're required by law to show ID when doing a card transaction. Annoying as fuck.
19. Re:In other news the sun is hot. by hjf · 2016-06-14 00:01 · Score: 1
  
  The PIN is the decryption key (or the key for the decription key, most likely). The chip will only unlock if you enter the right PIN. If you enter the wrong PIN too many times it will lock itself for good.
20. Re:In other news the sun is hot. by parkinglot777 · 2016-06-14 00:10 · Score: 1
  
  My initial reaction is duh. I have software on my phone for security audits that allow me to do the exact same thing. Only it's not meant to do 15 cards a sec. This is how contactless cards work. Maybe the PCI should just start listening to security professionals and do away with these things?
  Or envelopes for contactless cards, which advertise as preventing any card reading, will be booming soon. Another way to make money but from different vendors...
21. Re:In other news the sun is hot. by Z00L00K · 2016-06-14 00:14 · Score: 1
  
  It depends, some NFC cards are weakly protected. There are cards with better protection but I wouldn't be surprised if they are cracked as well.
  I did play around with a NFC reader once and was able to break into a weak card in the matter of seconds. It was one of the public transport fare cards.
  Many entry systems also uses the same technology, and cloning such a card would also be pretty simple.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
22. Re:In other news the sun is hot. by Z00L00K · 2016-06-14 00:16 · Score: 1
  
  The PIN is NOT stored on the card, it's in the back-end system.
  At least that's how the European cards works.
  Too many tries and the card is blocked by the back-end system so it's no idea to change to another terminal.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
23. Re:In other news the sun is hot. by cdrudge · 2016-06-14 00:38 · Score: 1
  
  On-line stores have to ask for the CVV. It's been a while since I ran my own business, but back then we were explicitly forbidden from capturing the CVV for in-person transactions. The idea is that nobody has it but the physical card holder.
  Depends on the implementation of the online or physical check out. I've checked out recently online where the CVV was not required. I've also checked out at local businesses, usually very small shops, restaurants, or doctors offices, where they looked at and entered the CVV must likely because they were using a virtual terminal.
24. Re:In other news the sun is hot. by Megane · 2016-06-14 00:51 · Score: 1
  
  In the US back in the late '90s when I was working with related stuff (automated pay systems for gas pumps), not only was the PIN not on the card, but debit terminals had to encrypt the PIN in the keypad. The keypad had an encryption key (and sometimes all its firmware too) injected into RAM by the bank or clearinghouse or whoever, and was potted to prevent tampering. If its battery ran out, too bad, get a new keypad.
  Apparently in those days, Europe must not have encrypted the PIN like that, because that was when PIN stealing was rampant over there.
  
  --
  #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
25. Re:In other news the sun is hot. by jittles · 2016-06-14 01:22 · Score: 1
  
  Well, what really happens is this.
  When you read the card, you get the card number and expiry date. It's not good enough to actually do a chip/contact payment, but the information is enough to do a swipe transaction. If you can print a card, and have an old enough store that still uses a mechanical imprinter (the big thing that you put the card in, a slip and slide the slider back and forth that imprints the slip).
  Yep, this would work if you found a store that did this, still. Or a store that runs its swipe transactions offline. In this day and age you'd be hard pressed to find someone who does offline auths. You could use it to buy free beer on a plane but it would get denied by the issuer once the auth is ran. EMV Capable contactless cards use a token for the card number and it would be obvious that the data was from a contactless interface.
  
  Or of course, you use it for online shopping.
  Nope. You cannot use it for online shopping. The track 2 equivalent data that comes across in a contactless transaction contains a CVV2 value but it is computed dynamically based on the unpredictable number used for that transaction as well as the card data. It is NOT the same CVV2 value that is printed on the back of the card and is unique per read. You must use the CVV2 value from the back of the card in order to get an auth as a Card Not Present transaction. This has been the case for all cards issued in the last 4 years and probably longer. Even the older contactless cards that return magnetic stripe data do not use the same CVV2 for contactless as they use for card not present.
  
  What happens then is up to the merchant and hits bank - if the bank is smart, they will realize the card used supports chip or contactless, and the terminal supports it, and rejects the transation wanting a chip or contactless.
  EMVCo certification requires you to use the chip (which is used in contactless as well, mind you, it just sends different data) when possible. The service code (again in the track 2 equivalent data) indicates whether or not the card supports EMV. If the service code indicates chip is available then the terminal cannot authorize a magnetic stripe transaction without attempting a chip transaction first. Of course, this assumes the terminal is EMV capable. The issuer knows what service code they set on the track so, again, modifying this would result in the issuer denying an authorization request. If you have a chip capable terminal and the card data comes from magnetic stripe, again the issuer will deny the transaction unless technical fallback is allowed in your region or the card application is unsupported by the acquiring bank network.
  
  Online stores and even in-person transactions often require the CVV if you swipe them, as well. (The CVV value is not stored on chip or in the magstripe - it's designed to verify that you have physical access to the card).
  That is incorrect. The card can provide the CVV in track 2 for swipe, contact and contactless. As I mentioned before, the CVV2 is dynamic in chip based (contact and contactless) transactions. A properly encrypted terminal should never return a CVV2 without encryption. I expect that most card issuers have stopped supplying the CVV2 in the magnetic track 2 data, just as they no longer supply an encrypted PIN or PVV. But the data can be included. There is a space for it.
  
  Actual payments require a challenge-response - the chip contains a secret only known to it and the bank which never leaves the card.
  So you likely can use it for a few transactions which still do swipes and don't check CVVs, but that's about it.
  Again if you can find a store that allows offline transactions, you may be able to use a cloned card. The card brands do not allow offline transactions in the North America region (perhaps excluding the Caribbean and Latin America). Offline trans
26. Re:In other news the sun is hot. by jittles · 2016-06-14 01:24 · Score: 1
  
  Here in Argentina my terminal (swipe, obviously card-present) always asks for CVV when using credit, and for some cards, it also asks for the last 4 digits on the front.
  Maestro debit only requires a PIN. Visa debit requires nothing.
  Chip cards haven't really been implemented even though for the last few years all terminals i've seen have a smartcard slot. Only a handful of clients (people with Platinum or Black cards) have cards with chip. My bank says this is because the only issue those cards upon request (indirectly: they ask if you travel abroad often, and if you do, they give you one of those cards. Gotta pinch those cents!)
  What I find amusing by this is that the Caribbean and Latin America was supposed to switch to chip based transactions only about 2-3 years ago. I don't know of any gateway in the region that actually uses chip, though.
27. Re:In other news the sun is hot. by jittles · 2016-06-14 01:28 · Score: 1
  
  On-line stores have to ask for the CVV. It's been a while since I ran my own business, but back then we were explicitly forbidden from capturing the CVV for in-person transactions. The idea is that nobody has it but the physical card holder.
  Depends on the implementation of the online or physical check out. I've checked out recently online where the CVV was not required. I've also checked out at local businesses, usually very small shops, restaurants, or doctors offices, where they looked at and entered the CVV must likely because they were using a virtual terminal.
  Amazon never asks for the CVV on a transaction. They assume extra risk by neglecting to ask for the CVV. There is no requirement per se, but there is a fraud liability shift if you do not ask for enough information to authenticate the user.
28. Re:In other news the sun is hot. by thegarbz · 2016-06-14 01:43 · Score: 1
  
  In the USA maybe. Some countries not only have support for manual entry if the mag stripe fails, but also no longer have provision for mag fallback. My most recent card doesn't even have a mag stripe on it anymore.
  The avenues for using copied cards are rapidly diminishing in much of the world ... except for the USA.
29. Re:In other news the sun is hot. by omnichad · 2016-06-14 01:54 · Score: 1
  
  The question is why is the card number and expiration date being broadcast free and clear? Especially with card companies actually saying that these cards "can't be cloned". It doesn't matter if the secure portion can't be cloned if you're handing out the rest like candy.
30. Re:In other news the sun is hot. by omnichad · 2016-06-14 01:55 · Score: 1
  
  On-line stores don't have to ask for the CVV.
  
  FTFY. They can to help eliminate fraud, but it's not required. I've implemented several online transaction systems. You can allow the payment to go through even if the CVV and address verification both fail - you're just a lot more likely to have to deal with fraud.
31. Re:In other news the sun is hot. by laughingskeptic · 2016-06-14 01:56 · Score: 1
  
  I'm not sure how they accomplish this, but I know there are hackers in Europe who have figured out how to determine CVVs of US credit cards. I suspect some sort of brute force against an improperly configured local cache somewhere in the validation system. The credit card processing systems we have were created before the internet and contain architectural elements and complexity that would be unnecessary if designed from scratch today.
32. Re:In other news the sun is hot. by jenningsthecat · 2016-06-14 02:34 · Score: 1
  
  ...The trick is being able to access it quickly and not looking like a dork :).
  If you're that worried about looking like a dork, then you're not a geek. Time to hand in your membership card. ;-)
  
  --
  'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
33. Re:In other news the sun is hot. by Yvan256 · 2016-06-14 02:55 · Score: 1
  
  Time to hand in your membership card.
  Don't do that, he's going to clone it!
34. Re:In other news the sun is hot. by LiENUS · 2016-06-14 03:32 · Score: 1
  
  Cheaper and easier to clone the cards with your eyes while standing behind someone in line.
35. Re:In other news the sun is hot. by tlhIngan · 2016-06-14 04:33 · Score: 1
  
  On-line stores have to ask for the CVV. It's been a while since I ran my own business, but back then we were explicitly forbidden from capturing the CVV for in-person transactions. The idea is that nobody has it but the physical card holder.
  I do admit to being puzzled by this story though. If the wireless conversation between a contactless card and any kind of reader carries enough information for the card to be cloned, then the design is terminally broken. It's not as if the necessary crypto techniques are not very well known.
  The last time I swiped (years ago) the cashier swiped it into the POS and then entered the CVV into the POS as well. Though I admit a few years before that they were entering the last 4 digits on the card (I guess to verify that it wasn't a card with a rewritten magstripe).
  Policies differ, I guess.
  As for the second part, the NFC reader is just capturing what is publicly available - the number and expiry which is plainly visible from the card. This you can capture with almost any NFC capable phone - there are apps that will read it and show you the credit card number and expiry date (plenty on Android).
  But transacting via contactless is similar to transacting via chip - the bank does a challenge and response code - it will not just read the numbers via NFC and assumed you swiped it. It reads the numbers to start the transaction with the bank, then the bank gives a challenge and the chip uses its secret to generate a response that the bank verifies (since it knows the secret).
  There is/was a program called "NFC Proxy" that with two phones connected together (over WiFi or 3G) and a custom ROM, could be used to charge a contactless payment to someone else. Basically one phone is used at the terminal and captures and forwards the NFC request to a second phone which is near a payment card, the second phone then sends the request via NFC to the card, captures the response and sends it back.
36. Re:In other news the sun is hot. by hjf · 2016-06-14 05:50 · Score: 1
  
  I can do transactions with chip. I tried swiping a chip card and it told me to put it in the chip reader. I use a Verifone VX520 and the service is provided by POSNET (owned by Mastercard). It also worked that way when I had LAPOS (owned by Visa).
37. Re:In other news the sun is hot. by jittles · 2016-06-14 06:53 · Score: 1
  
  I can do transactions with chip. I tried swiping a chip card and it told me to put it in the chip reader. I use a Verifone VX520 and the service is provided by POSNET (owned by Mastercard). It also worked that way when I had LAPOS (owned by Visa).
  Ahh I knew that FirstData had an EMV Capable processor for Latin America and the Caribbean and I see that POSNET is owned by FirstData (at least the website says that it is a FirstData company). Interesting. Thanks for the info.
38. Re:In other news the sun is hot. by LiENUS · 2016-06-14 06:57 · Score: 2
  
  Doesn't contain the CVV number and most websites require that.
39. Re: In other news the sun is hot. by brunes69 · 2016-06-14 13:26 · Score: 1
  
  It's already phased out. I haven't had a contactless card with a clear text card number in 3 or 4 years. It is ALWAYS encrypted.
  This is a non story. Next.
40. Re: In other news the sun is hot. by brunes69 · 2016-06-14 13:28 · Score: 1
  
  Modern (read:any card issued in the past 3 or 4 years) contactless cards most certainly DO. NOT transmit the card number and expiry date in the clear. Don't believe me? Scan one with your NFC phone.
41. Re:In other news the sun is hot. by Keybounce · 2016-06-15 04:33 · Score: 1
  
  Put the wallet in the *FRONT* pocket. Do you also tuck in your shirt, so that at the point where your skin naturally moves and stretches the most, you have the least actual flexibility and mobility? That will also mess up your body.
I bought mine by 110010001000 · 2016-06-13 14:00 · Score: 1

I bought mine here: https://nkna77c37nculpeh.onion... I'm sure they will ship it soon. Totally trustworthy.
1. Re:I bought mine by Camel+Pilot · 2016-06-13 14:55 · Score: 2
  
  What is to worry... they have a money back guarantee
2. Re:I bought mine by NotQuiteReal · 2016-06-13 16:04 · Score: 2
  
  Yeah, but the fine print says you have to get your money back the old fashioned way - by stealing it, using the device!
  
  --
  This issue is a bit more complicated than you think.
3. Re:I bought mine by martinfb · 2016-06-21 06:12 · Score: 1
  
  .... Totally trustworthy.
  Trustworthy?! Like you? I suppose you are looking to just make backup copies of your cards, Right?
  
  --
  
  Self-importance and self-indulgence is the root of ALL evil.
Contactless payment ! by invictusvoyd · 2016-06-13 14:02 · Score: 1

Without any authentication is in my opinion is a "technology waiting for misuse" . So, I'm not surprised.
1. Re: Contactless payment ! by jonnythan · 2016-06-13 14:27 · Score: 1
  
  Look for this logo:
  http://www.brandsoftheworld.co...
  With the move to chip cards, most companies are doing away with contactless, it seems.
2. Re: Contactless payment ! by Cley+Faye · 2016-06-13 14:54 · Score: 1
  
  I wouldn't be so sure.
  Disclaimer: this happens in France, I have no idea how the contactless ship is sailing anywhere else. But we have had chips for as long as I can remember, and contactless just got added recently. A bunch of people jumped on it: payment terminal slowly gets it, automated vending machines too.
  Of course, it is as secure as anywhere else (read: not) but that didn't stop the adoption. Thankfully by law banks are obligated to either provide a card without contactless payment or provide a way to disable it, but still it's growing.
  Now, they could probably change the contactless protocol to use the same protocol as actual contact payment, including PIN and EMV validation, but that would get in the way of usability, and between security and ease of use, it seems that even money isn't safe.
  
  We had a relatively secure thing: physically put the card in the reader, enter PIN. Takes a few seconds, opposed to... the few seconds it takes for contactless to kick in. But it's not shiny anymore I guess.
3. Re:Contactless payment ! by ewibble · 2016-06-13 14:58 · Score: 4, Funny
  
  Since my bank refused to disable it on my card, I used the high tech solution of hole punch through the antenna
4. Re:Contactless payment ! by Eugene · 2016-06-13 17:00 · Score: 1
  
  most of the contactless payment nowadays use one form of authentication or another using either secret keys and/or public/private keys. and those secret/private keys loaded on the card is not obtainable in normal means..
5. Re:Contactless payment ! by Anonymous Coward · 2016-06-13 22:22 · Score: 1
  
  Why doesn't the antenna have a hole in it that is gapped by placing you finger, or some other suitably conductive material on it?
  Other than stopping wallet waving (which doesn't work anyway if you have more than one of these cards), this would stop all of these problems while letting you do contactless payment.
  #1 Hold card here
  #2 Wave over device
6. Re:Contactless payment ! by Z00L00K · 2016-06-14 00:22 · Score: 1
  
  The best remedy would be to have a fake card in your wallet that gives away useless data when probed.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
7. Re: Contactless payment ! by jittles · 2016-06-14 01:31 · Score: 1
  
  I wouldn't be so sure. Disclaimer: this happens in France, I have no idea how the contactless ship is sailing anywhere else. But we have had chips for as long as I can remember, and contactless just got added recently. A bunch of people jumped on it: payment terminal slowly gets it, automated vending machines too. Of course, it is as secure as anywhere else (read: not) but that didn't stop the adoption. Thankfully by law banks are obligated to either provide a card without contactless payment or provide a way to disable it, but still it's growing. Now, they could probably change the contactless protocol to use the same protocol as actual contact payment, including PIN and EMV validation, but that would get in the way of usability, and between security and ease of use, it seems that even money isn't safe. We had a relatively secure thing: physically put the card in the reader, enter PIN. Takes a few seconds, opposed to... the few seconds it takes for contactless to kick in. But it's not shiny anymore I guess.
  They do use EMV for contactless these days. The card data is dynamic and generated on each transaction based on the unpredictable number supplied by the terminal at the time of the transaction. The problem is that there is no one standard for contactless EMV. Each brand has a slightly different implementation and the certification process is a nightmare compared to contact. You can use online PIN validation of contactless transactions, too. That is up to the merchant or acquiring bank to enable through the terminal. You cannot use offline PIN with contactless, however. Contactless should be secure against replay attacks and cloning so long as the merchant processes the transaction online
8. Re:Contactless payment ! by Agripa · 2016-06-14 03:09 · Score: 1
  
  A microwave oven works for this also.
9. Re: Contactless payment ! by InvalidError · 2016-06-14 06:15 · Score: 1
  
  Being contact-less does not systematically mean that the card relinquishes all data. NFC/RFID is able to wirelessly supply power to support a secure microcontroller and two-way secure authentication/encryption to prevent man-in-the-middle attacks. Companies simply chose not to implement it this way for some stupid reason.
  Plain wireless ((EE)P)ROM is fine for anti-theft tags and basic identification but not wireless payments or other applications that require intrinsic trust.
10. Re:Contactless payment ! by martinfb · 2016-06-21 06:20 · Score: 1
  
  Would someone explain to me what a non-misuse might be?
  
  --
  
  Self-importance and self-indulgence is the root of ALL evil.
Nice Of Them To Include The Charging Cord.... by Shakrai · 2016-06-13 14:09 · Score: 4, Funny

its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.
My last smartphone didn't come with a cable OR a charger. Fuck you HTC. ;)

--
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
1. Re:Nice Of Them To Include The Charging Cord.... by invictusvoyd · 2016-06-13 14:43 · Score: 1
  
  My last smartphone didn't come with a cable OR a charger. Fuck you HTC. ;)
  Maybe your "smartphone" is too smart to use a charger.
2. Re:Nice Of Them To Include The Charging Cord.... by AmiMoJo · 2016-06-13 23:21 · Score: 1
  
  I'd rather phones didn't come with chargers, TBH. I have enough already and now USB is standard the only reason to get a new one is if there is some new feature like faster charging. I'll buy one if I need one.
  The ones they throw in just add to the cost and often suck anyway.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
3. Re:Nice Of Them To Include The Charging Cord.... by martinfb · 2016-06-21 06:19 · Score: 1
  
  Did you pay near $900 for it?
  
  --
  
  Self-importance and self-indulgence is the root of ALL evil.
Uh-huh. by Anonymous Coward · 2016-06-13 14:46 · Score: 5, Funny

Sure.
Just send the bitcoin, and you'll get the completely illegal and fraud inducing device sent by random strangers to a street address of your choice.
This in no way is a honeypot OR a scam. I mean, why would it be, right?
Are you sure ? by Anonymous Coward · 2016-06-13 14:55 · Score: 1

I'm in Australia where we have had chip cards for years.
Once they became commonplace, the banks then 'upgraded' to contactless cards.
I think that the risk associated with contactless smartcards will only increase as Banks work out how to transfer liability to their merchants and customers.
1. Re:Are you sure ? by PCM2 · 2016-06-14 11:44 · Score: 1
  
  I'm in Australia where we have had chip cards for years.
  Once they became commonplace, the banks then 'upgraded' to contactless cards.
  This seems to be how it's going in the US as well. Or actually, it's even stranger than that. Just recently, Bank of America let me know that I could now use its ATM machines ... with my NFC-enabled phone. This doesn't make a lot of sense to me because I still need to enter my card's PIN but I also need to unlock my phone, so I have to enter two separate PINs, making it half as convenient as just using the card. I can only assume the next step will be cards that can be used on the sensor, so you get the benefit of not having to put them into the machine (and possibly even not having to take them out of your wallet).
  
  --
  Breakfast served all day!
Too short by jtownatpunk.net · 2016-06-13 15:01 · Score: 1

The only person who gets within a penis length of my wallet is me.
1. Re:Too short by Icarium · 2016-06-14 00:52 · Score: 1
  
  You mean half a penis length?
perfectly secure! by green1 · 2016-06-13 15:07 · Score: 5, Informative

Don't worry, the banks are working hard to solve this security hole... by telling anyone who will listen that these cards are secure, and sticking their fingers in their ears any time anyone says any different.
My bank graciously offered to turn off the feature on my card, from their end, not mine. Which, if you know anything about how these hacks work, means that they're willing to take away all the convenience of the feature, while carefully maintaining the security risks on my card. I declined and cut the antenna instead.
Right now in Canada it is almost impossible to get a credit card without this security hole baked in. They all have it, they brag about it. And worse yet, if someone does manage to clone the card, the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions, after all, the security on the cards is perfect, so you must have authorized it.
1. Re:perfectly secure! by AmiMoJo · 2016-06-13 17:16 · Score: 1
  
  Because from the bank's point of view it is secure. These cloned cards can't be used to make transactions, only get your name and transaction history. If your bank is particularly dumb it might have your address too. They don't care about that though, it's not part of their threat model.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
2. Re:perfectly secure! by jareth-0205 · 2016-06-13 21:37 · Score: 1
  
  They all have it, they brag about it. And worse yet, if someone does manage to clone the card, the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions, after all, the security on the cards is perfect, so you must have authorized it.
  So you actually have any examples of this or are you extrapolating from your imagination? The banks claim it to be secure because from your perspective it is, they cover the risk of it being used fraudulently because contactless is only available for small transactions and only by merchant accounts. If any silliness happens they can trace it exactly to the perpetrator, and pull the money back. Contactless cards been in active use in Europe for years now without the world ending like you imagine.
3. Re:perfectly secure! by CRC'99 · 2016-06-14 00:34 · Score: 1
  
  Don't worry, the banks are working hard to solve this security hole... by telling anyone who will listen that these cards are secure, and sticking their fingers in their ears any time anyone says any different.
  Yeah, its that much of a threat that I can't even remember a time in Australia that I owned a credit card that wasn't a tap & pay card.
  That's at least 14 years. It hasn't caused an explosion in fraud here.
  In fact, now my bank even has an NFC payment option baked into any system that also does Tap & Pay that uses NFC on my Android phone to pay without even having the card. I haven't carried a wallet for nearly 6 months now - all I need is a phone.
  
  --
  Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
4. Re:perfectly secure! by Sabriel · 2016-06-14 01:35 · Score: 1
  
  14 years? I didn't think it'd been quite that long? Some googling suggests that the first Australian bank to introduce contactless/tap payment was the CBA with a NSW trial in 2006. Still, wow, the years are flying by.
5. Re:perfectly secure! by thegarbz · 2016-06-14 01:47 · Score: 1
  
  the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions,
  I wasn't aware of any country in the west, even the arse backwards (as far as banking goes) USA where the bank can hold you liable for fraudulent transactions.
6. Re:perfectly secure! by green1 · 2016-06-14 04:54 · Score: 1
  
  Can't do that in Canada, chip cards must be used chip and pin. the chip does both contactless (ridiculously insecure) and chip & pin (the best security you can get on credit cards) destroying one destroys the other.
7. Re:perfectly secure! by green1 · 2016-06-14 04:56 · Score: 1
  
  Do you work for the bank? You're spreading their lies for them.
  There have been many proof of concepts showing making credit card transactions with the data from cloned cards. a simple google search will turn up news reports and plenty of videos.
8. Re:perfectly secure! by green1 · 2016-06-14 04:58 · Score: 1
  
  So it's ok if people steal $100 at a time from you? it's not ok if they steal it from me.
  And you don't need a merchant account to use a cloned card, you go to the store and buy things, only you use someone else's card.
  If you haven't heard of any examples, you haven't been paying attention. try a simple google search.
  I didn't say the world would end, just that fraud would be a problem. And it is.
9. Re:perfectly secure! by green1 · 2016-06-14 04:59 · Score: 1
  
  NFC on your phone is secure, because it's only active when the phone is in use.
  NFC on your credit card is a security hole you can drive an oceanliner through because the card is ALWAYS on and people don't even have to touch it, or you, to get a copy of your card.
10. Re:perfectly secure! by green1 · 2016-06-14 05:01 · Score: 1
  
  Just wait until they tell you that the transaction is not fraudulent because you made it and you're lying. Because after all, the card can not be cloned, so the only explanation is that you made the transactions.
  There was a news report out of somewhere in europe a few years back where this exact situation happened, and the victim of the fraud was actually arrested because the credit card company insisted the card was so secure that the only explanation was that he was complicit in the fraud.
11. Re:perfectly secure! by jareth-0205 · 2016-06-14 08:27 · Score: 1
  
  As has been said before in this thread, you can't meaningfully duplicate the card using this method, you're missing vital bits of information. So you can't take someone's card details this way and do any buying against it - you can't make another contactless card, and you can't do online stuff because you will fail CVV, address verification and VBV. You could, I suppose, make a swipable card. Nowhere in Europe takes that anymore, and it's considered very suspicious by the bank and will get your card blocked and queried pretty swiftly, at which point you'll get your money refunded.
  The best you can do as a "bad guy" is directly charge the card, but the only way you can do this is with a merchant account, which is tracable and reversable, and the banks will (and do) reverse the charge for mistakes (and probably send the police round to someone who's doing it systematically).
12. Re:perfectly secure! by green1 · 2016-06-14 08:47 · Score: 1
  
  Wrong again!
  There are many examples out there of exactly this. Duplicating cards using these scanners. It's been done many many times.
  You shilling for the banks doesn't do anyone any favours.
  The "bad guy" can, and has in the past, buy stuff with your card.
  The bank WILL NOT reverse the charge, because they believe the same lies that you do that it's not possible to duplicate the cards, and therefore claim that the fraud must be on the part of the cardholder. This too has happened already, with the fraud victim actually being arrested for fraud because someone copied his card.
13. Re:perfectly secure! by jareth-0205 · 2016-06-14 09:07 · Score: 1
  
  Well, you should really look up definitions for words like "shill" before you throw them around like that.
  I don't see how this is possible. Perhaps it is, but since you have provided no evidence, and searching I can see nothing credible, I'm gonna keep believing how I understand the system to work rather than believe someone random on the internet.
14. Re:perfectly secure! by thegarbz · 2016-06-14 09:55 · Score: 1
  
  Just wait until they tell you that the transaction is not fraudulent because you made it and you're lying. Because after all, the card can not be cloned, so the only explanation is that you made the transactions.
  I don't need to wait. I've been through the process. File a stat dec and then it's up to the other party to prove that you didn't make the charges. There are far more straight forward cases too where they are liable for. Heck in my last case I even ticked every box that sounds scary enough to be a case against you:
  - Did you lose the card? No
  - Do you have the card with you? Yes
  - Do you place purchased online? Yes
  and about 6 other ones. Even then you still get refunded, and frankly fraud is often child's play to spot after the fact.
15. Re:perfectly secure! by green1 · 2016-06-14 11:32 · Score: 1
  
  Glad you were lucky. Others have not been.
16. Re:perfectly secure! by green1 · 2016-06-14 11:33 · Score: 1
  
  You're not very good at searching.
17. Re:perfectly secure! by Toshito · 2016-06-15 05:23 · Score: 1
  
  My bank graciously offered to turn off the feature on my card, from their end, not mine. Which, if you know anything about how these hacks work, means that they're willing to take away all the convenience of the feature, while carefully maintaining the security risks on my card. I declined and cut the antenna instead.
  You clearly don't know anything about this, because if the bank flags your account with contactless disabled, since they're the ones who autorize EVERY transactions, they will decline any attempt at doing a contactless transaction with your card number.
  If the bad guys do get the information from your card, what can they do with it?
  Cloning the chip is not possible right now (and they would need a lot more than just the card number and expiration date, there's a lot of crypto on the chip with private and public keys), and the information broadcasted by the chip is not sufficient to mock up a magstripe.
  Most websites ask for the CVV (the number on the back of the card) which is not present on the chip, so can't be captured by this device.
  So they can't do any transaction with this information, where is the risk?
  
  --
  Try it! Library of Babel
18. Re:perfectly secure! by thegarbz · 2016-06-15 08:43 · Score: 1
  
  If it's "lucky" then my luck must have been codified in law. Or do you care to point to a citation of abusive palming of fraud onto the card user?
19. Re:perfectly secure! by delt0r · 2016-06-15 17:26 · Score: 1
  
  Citation required.
  
  --
  If information wants to be free, why does my internet connection cost so much?
Re:Sorry but... by hcs_$reboot · 2016-06-13 15:42 · Score: 2

I guess the point is that de device can copy a single card in 1/15 second (0.07 second).

--
Slashdot, fix the reply notifications... You won't get away with it...
This problem has created an entirely new line of by dav1dc · 2016-06-13 15:56 · Score: 2

products: https://www.google.ca/#q=rfid+...
QED.
Re:Chip and Pin by Eugene · 2016-06-13 16:33 · Score: 2

it's impossible to read the secret keys over any interface of the card. So those cloning devices at most is reading what normally a contactless terminal can read from a card. meaning those cloned cards will fail all the offline and online CAM (card authentication method) since none of the relevant keys (ICC Private Key, nor the Application Cryptogram secret key) can be read.
Unlike traditional magnetic stripe cards, chip cards has robust security build-in, most of the security breach are not from counterfeit cards, (since you can't clone the relavent data from EMV cards)
Simple Fix by EEPROMS · 2016-06-13 17:16 · Score: 1

I covered a piece of flexible plastic (your average office plastic folder and scissors does the trick) with some aluminium foil that is the same size as a paper note. Then insert the new rfi blocker in the walled like a note. Now the tap and go doesn't work while the card is in the wallet I have to take it out. You can also get special card covers that do the same thing but my solution is cheap and works fine.
1. Re:Simple Fix by KozmoStevnNaut · 2016-06-13 19:53 · Score: 1
  
  Yes, because you don't have to input the PIN for small amounts, at least around here the limit is ~$30 (200 DKK) before you have to type the pin. So it's still quicker, plus the contacts don't wear out.
  
  --
  Eat the rich.
2. Re:Simple Fix by KozmoStevnNaut · 2016-06-14 19:46 · Score: 1
  
  Sure, that is definitely a possibility. I don't see it happening anytime soon, though, as it's one of the hyped features of the contactless cards.
  
  --
  Eat the rich.
RFID sleeve? by irrational_design · 2016-06-13 17:56 · Score: 1

Will an RFID sleeve stop this from happening?
1. Re:RFID sleeve? by bzn · 2016-06-13 19:54 · Score: 1
  
  Well, yes.
2. Re:RFID sleeve? by jaseuk · 2016-06-14 04:29 · Score: 1
  
  It's the intelligence of the reader - our library scanner can read multiple cards simultaneously. - because it's only a one way transaction. So it's perfectly possible to read.
  The problem in a POS environment is they need to charge the transaction to one card only. Picking a random card in the customers wallet isn't appropriate.
  This whole thing is nonsense anyway.. The reader will only show the publically available info which is the 16 card number and expiry. No CCV and No customer name. It's of no use whatsoever for online or contactless transactions.
  About the only thing it could be good for is some casual analytics.
  Jason.
3. Re:RFID sleeve? by InvalidError · 2016-06-14 06:26 · Score: 1
  
  The RFID protocol has provisions to detect and mitigate collisions between multiple cards. If multiple cards try to respond at the same time, there is a random per-card delay before each card attempts to respond again and the reader can use that to enumerate cards that are within range until it finds the one it wants. Having multiple cards in range will merely slow down the enumeration process.
  In my wallet, I simply put a stainless steel eraser stencil in the card pocket between my bank and credit cards.
Re:Chip and Pin by EzInKy · 2016-06-13 19:43 · Score: 1

it's impossible to read the secret keys over any interface of the card.
For different degrees of "impossible" maybe.

--
Time is what keeps everything from happening all at once.
almost got one but... by Gravis+Zero · 2016-06-13 19:46 · Score: 2

Operating System compatibility:
-Microsoft WHQL 2000, XP, Vista, 7, 8, 10, Server 2003, Server 2008, Server 2008 R2, Server 2012
I'll wait for the linux port. ;)

--
Anons need not reply. Questions end with a question mark.
Re:Sorry but... by Trax3001BBS · 2016-06-13 20:14 · Score: 1

How can you arrange 15 cards on every second within a 8 cm radius?
When cell phones first came with Bluetooth, security required one to disable it.
It was possible to sit in a busy area of a mall and collect all the contacts of those with enabled bluetooth.
15 cards every second within a 8 cm radius, one would surely come across as supisious of doing something dubious.
Re:Chip and Pin by complete+loony · 2016-06-13 20:52 · Score: 1

True, though there have been a number of MITM attacks.

--
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Clone is an exagerration by DrXym · 2016-06-13 23:55 · Score: 3, Interesting

An NFC chip would be extremely difficult to clone. The might be able to scrape some information off the NFC that is made public but it is highly doubtful that includes the PIN, the CVV2, the address or possibly even the name of the person. The NFC itself would implement challenge response so that wouldn't be much use either. It's not even obvious to me why point of sale terminals would even need to see what's on the magstripe but perhaps there is a reason. The obvious fix is if a payment card exposes this info then it should obfuscate it, or better yet not expose it at all. Whatever edge case requires it might not be a sufficient reason given any potential for theft.
1. Re: Clone is an exagerration by jittles · 2016-06-14 01:38 · Score: 2
  
  Maybe. Maybe not.
  Remember that these chips are extremely low power low speed.
  They have to perform usually a cryptograhic hash of some input they are passed with their secret key. The algorithm used is not a fully secure algorithm like what would be used in https, it's not NIST approved etc. They are custom algorithms designed to be done by a very simple processor very quickly and are orders of magnitude easier than AES or SHA.
  All of the previous chips have so far been cracked after researchers studied the chip, and reverse engineered the encryption algorithm, which are then studied by cryptographers.
  A huge part of the security is that no one except one company, actually knows the encryption algorithm and it's extremely difficult for anyone to figure it out, as they would have to somehow view and reverse engineer the silicon circuit by physical inspection.
  Hmmmm why are none of these encryption attacks listed by the research team at Cambridge then? There are certainly attacks but none based on the cryptography that I know of. Do you have links? And you know that these smart cards have circuits designed for cryptography and that the latest chips actually do 2048 bit RSA encryption used by the terminal to validate that the card has not been cloned? But you're right, they can't even do basic 3DES or AES or even SHA on those cards...
2. Re:Clone is an exagerration by jittles · 2016-06-14 01:40 · Score: 1
  
  An NFC chip would be extremely difficult to clone. The might be able to scrape some information off the NFC that is made public but it is highly doubtful that includes the PIN, the CVV2, the address or possibly even the name of the person. The NFC itself would implement challenge response so that wouldn't be much use either. It's not even obvious to me why point of sale terminals would even need to see what's on the magstripe but perhaps there is a reason. The obvious fix is if a payment card exposes this info then it should obfuscate it, or better yet not expose it at all. Whatever edge case requires it might not be a sufficient reason given any potential for theft.
  With modern EMV capable NFC cards, the track 2 data is dynamic and generated every transaction based on an unpredictable number supplied by the terminal. You would not be able to replay a transaction unless your transaction was approved offline.
3. Re: Clone is an exagerration by swillden · 2016-06-14 04:30 · Score: 1
  
  Maybe. Maybe not.
  Remember that these chips are extremely low power low speed.
  They have to perform usually a cryptograhic hash of some input they are passed with their secret key. The algorithm used is not a fully secure algorithm like what would be used in https, it's not NIST approved etc. They are custom algorithms designed to be done by a very simple processor very quickly and are orders of magnitude easier than AES or SHA.
  Incorrect. Card cryptograms are generated with either 3DES or AES. You can see full details here: https://www.emvco.com/specific.... Specifically, you want to look at Annex A of EMV 4.3, Book 2, "Security and Key Management".
  Note that many of the card issuing networks define their own variations on the EMV specifications, but they all comply with the general framework, algorithms, etc.
  As for the nature of the processors, most contactless smart card chips today are 32-bit CPUs running at around 40 Mhz, with several KiB of RAM and a few hundred KiB to a MiB of flash. They're low powered in comparison to the desktops and laptops we use today, but they're far more powerful than the high end computers I started with. They're even orders of magnitude more powerful than their predecessors which were in use when the EMV specifications were written, and those earlier generations could handle it. So today's are clearly perfectly capable of executing AES or 3DES operations in a short period of time... particularly since they all include dedicated coprocessors for that purpose. The coprocessors aren't necessary from a performance or power consumption perspective, they're used to defeat side channel attacks, but they do make the cryptographic operations faster and cheaper.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
4. Re: Clone is an exagerration by InvalidError · 2016-06-14 06:40 · Score: 1
  
  To top that off, many modern security-oriented chips implement HMAC and AES in hardware, which uses even less power and is orders of magnitude faster still. Doing one complete round of AES3 takes thousands of cycles on a CPU but can be collapsed into a single step process in hardware using a fraction of the silicon of a 32bits CPU.
5. Re: Clone is an exagerration by swillden · 2016-06-14 10:25 · Score: 1
  
  I actually mentioned the coprocessors :-)
  Though... I'm not aware of any devices that have HMAC-SHA256 or similar in a coprocessor. That's part of the reason why many protocols use AES or 3DES for what amounts to hashing, because it's much, much faster.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
A decade late? by undefinedreference · 2016-06-14 02:59 · Score: 1

"RFID/NFC blocking" wallets are all the rage these days. That is a far bigger scam than this product, which is simply far too late. The only contactless payment method I have is my phone now, after my last contactless card expired a few years ago. I haven't seen a PayPass or payWave card in years, but average people see the chip in their card and believe it doesn't require contact for some reason (My parents and some older doctors I know went full on tinfoil hat when they first got them before I corrected them.)... Fear of the misunderstood or unknown severely affects a lot of people.
Mind you, this does have some potential abusive applications, they're just not really that lucrative. Most public transportation systems have started using contactless cards that have effectively zero protection. The most famous is the Oyster Card, but there are numerous branded versions out there. Toll passes are probably also subject to this kind of abuse. There is little incentive for these agencies to increase their security, too.
1. Re:A decade late? by jaseuk · 2016-06-14 04:32 · Score: 1
  
  From the VISA Website "If your card is lost or stolen you should notify your bank as soon as possible. If anyone has fraudulently used your contactless card to make a payment, providing you take reasonable precautions to protect your card and let your bank know as soon as you realise it’s gone, you will not be responsible for any losses incurred (subject to your bank’s terms and conditions)."
  In other words you are not responsible for any losses. Provided you report it lost as soon as you realise.
  They are very low value for any fraudster - the best they can hope is a few contactless transactions and probably each one runs the risk of being caught (and on CCTV).
  VISA seem prepared to take the hit - so what's the issue?
  Jason
Dark Web? Really? by kwerle · 2016-06-14 03:35 · Score: 1

Is there some reason we're now using this term? Maybe it's just me, but it really sounds entirely Hollywood.
Can we just say internet? Or web?
What we're seeing around here by Cute+Fuzzy+Bunny · 2016-06-14 04:20 · Score: 1

Around here we have people that will walk into a mall with a scanner and just stick it on peoples wallet pocket or purse. When security is alerted, they just leave. Security says they weren't doing anything illegal.
As far as I know, any US vendor taking a fraudulent swipe or imprint transaction owns the loss as the bank/cc company won't stand behind a non chip transaction. This scanner won't help anyone make a chipped card. Its rare to have information like the card holders name be accessible in this manner.
So basically small vendors and people working art and wine festivals that are using those stripe scanners you plug into a cell phone will be on the hook until they get stuck with a bunch of bogus transactions, wise up and get a chip based scanner.
Shark Tank by buck-yar · 2016-06-15 12:06 · Score: 1

So that guy selling wallet protectors on Shark Tank wasn't crazy after all?