Slashdot Mirror


New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second (softpedia.com)

An anonymous reader writes from a report via Softpedia: "A criminal group going under the name of The CC Buddies is selling a hi-tech device on the Dark Web that's capable of copying details from contactless debit cards if held as close as eight centimeters away from a victim's card," reports Softpedia. The device, named Contactless Infusion X5, is extremely dangerous because it can copy up to 15 bank cards per second, something that may come in handy if a crook is going through a crowd at a concert or through a crowded subway cart. The device can collect data such as the card's number and expiration date. If the debit card's RFID chip stores information such as the card holder's name, home address, and a mini statement, X5 can steal that data as well. The X5 is sold on the Dark Web for only 1.2 Bitcoin (~$825), and its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.

20 of 193 comments

  1. In other news the sun is hot. by Anonymous Coward · · Score: 5, Informative

    My initial reaction is duh. I have software on my phone for security audits that allows me to do the exact same thing. Only it's not meant to do 15 cards a sec. This is how contactless cards work. Maybe the PCI should just start listening to security professionals and do away with these things?

    1. Re:In other news the sun is hot. by Anonymous Coward · · Score: 2, Informative

      Except apparently for the fact that there are still quite a number of transactions which you can do with just the card number today. So no point in cloning it apart from the tens of millions of pounds you can get in your bank account if you have a gang of people doing it for you. Apart from that, no point at all. Let's move on to something important like the latest hack for WoW or some photo "accidentally" leaked from some Kardashian phone or something.

      Just as a random plug, I have a Koruma RFID blocking wallet which I got years ago and it's still going fine. They were some tiny company when I bought it and now seem to have really succeeded. The "Koruma I", which they don't seem to push for some reason, and is pretty much the cheapest wallet they have, is excellent because it has an external shielded pocket which you can use for the travel card you are using right now whilst keeping everything else shielded. They also have passport shields. N.B. no relationship other than happy customer.

    2. Re:In other news the sun is hot. by tlhIngan · · Score: 5, Informative

      Well, what really happens is this.

      When you read the card, you get the card number and expiry date. It's not good enough to actually do a chip/contact payment, but the information is enough to do a swipe transaction. If you can print a card, and have an old enough store that still uses a mechanical imprinter (the big thing that you put the card in, a slip and slide the slider back and forth that imprints the slip). Or of course, you use it for online shopping.

      What happens then is up to the merchant and its bank - if the bank is smart, they will realize the card used supports chip or contactless, and the terminal supports it, and reject the transaction wanting a chip or contactless.

      Online stores and even in-person transactions often require the CVV if you swipe them, as well. (The CVV value is not stored on chip or in the magstripe - it's designed to verify that you have physical access to the card).

      Actual payments require a challenge-response - the chip contains a secret only known to it and the bank which never leaves the card.

      So you likely can use it for a few transactions which still do swipes and don't check CVVs, but that's about it.

    3. Re:In other news the sun is hot. by Bob_Who · · Score: 2

      Maybe the PCI should just start listening to security professionals and do away with these things?

      And why wouldn't they? Because they figured that when the technology did fail that they could pawn the losses off onto somebody else. As long as we pass laws that make it impossible for these losses to ever be passed off onto the victims (i.e. the customers and the merchants) and be sure that there is swift and effective remedy for any fraud, then the banks and credit cards will make damn sure they listen to security experts in the future.

      Our problem is not a deficiency in technology and know-how, it's a deficiency in our society in properly punishing criminals and not victims. In the old days, when a bank got robbed it never cost an account holder a dime. We need to be vigilant in maintaining this standard for all financial transaction crime. It only costs the banks. Suddenly, the problem will be solved efficiently...and not until then.

    4. Re:In other news the sun is hot. by Anonymous Coward · · Score: 3, Informative

      OK. Few things

      1. There are lots of CVVs. There are several places cards store a few extra digits. In each case at first they were the same digits, and then banks realised "Oh crap" the digits from one place can be copied to elsewhere. So a modern card _should_ use different values for each CVV. In particular, there's the CVV physically printed on the outside of the card for a human operator (sometimes called CVV2 and used to verify Card Not Present e.g. over the phone or Internet) and a CVV stored on the mag stripe and another CVV (sometimes called iCVV) stored inside an EMV chip card.

      2. There are different grades of security for EMV cards. The smarter the card, the more expensive it is to make. Security is, as ever, a trade-off, and banks want to pay as little as possible for these cards. The cheapest way to make the cards work, SDA, has them almost completely static, they "know" how to hand over some fixed data, but they aren't actually doing a full-blown public key crypto session each time you use them. An SDA card could definitely be "cloned" using some relatively affordable technology, recording it making a legit transaction like the one you want to fake. DDA, dynamic cards have individual private keys baked into them so they do public key crypto to authenticate every transaction. To "clone" the DDA card you need to steal its private key, which the hardware makers should have gone to great trouble to make difficult. The next step beyond that is CDA, in which the card proves to both the terminal AND the bank that it is genuine, which prevents certain "offline" attacks where a payment wouldn't have been accepted (if the bank is competent) but it looks OK to a terminal which can't talk to the bank. Most cards issued today seem to be SDA. Your bank will almost certainly decline to specify which yours is, and of course the frontline customer services people have no idea.

      3. Customer Verification is selective. The bank, terminal and card all get to help choose what's an acceptable verification. For contactless the answer is often "No verification". This might seem crazy, but then remember that for the first decade or more of their existence all credit cards worked on this "trust and ask questions later" basis.
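
Added example (not part of any comment above): a toy Python model of the contrast drawn in the two replies about challenge-response and SDA versus DDA. A copied static record is enough for a check that only looks at number and expiry, while a recorded response is useless without the card's key. HMAC-SHA256 stands in for the real EMV algorithms, and the record, key and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real card data.
STATIC_RECORD = b"PAN=4000000000000002;EXP=2812"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def cryptogram(key, record, atc, challenge):
    # Stand-in MAC (truncated HMAC-SHA256); real EMV uses other algorithms.
    msg = record + atc.to_bytes(2, "big") + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, record, key):
        self.record, self._key, self._atc = record, key, 0

    def read_static(self):
        return self.record  # all that a plain read returns in this model

    def respond(self, challenge):
        self._atc += 1  # transaction counter, never reused
        return self._atc, cryptogram(self._key, self.record, self._atc, challenge)

class Issuer:
    def __init__(self, keys):
        self.keys, self.last_atc = keys, {}

    def accept_static(self, record):
        return record in self.keys  # number and expiry only, no proof of key

    def accept_dynamic(self, record, challenge, atc, mac):
        key = self.keys.get(record)
        if key is None or atc <= self.last_atc.get(record, 0):
            return False  # unknown card or reused counter
        if not hmac.compare_digest(cryptogram(key, record, atc, challenge), mac):
            return False  # response not bound to this challenge and counter
        self.last_atc[record] = atc
        return True

def demo():
    card, issuer = Card(STATIC_RECORD, CARD_KEY), Issuer({STATIC_RECORD: CARD_KEY})
    c1, c2 = secrets.token_bytes(4), secrets.token_bytes(4)
    atc, mac = card.respond(c1)
    copied = card.read_static()  # what a copy of the static data holds
    return {
        "genuine": issuer.accept_dynamic(card.record, c1, atc, mac),
        "static_only_copy": issuer.accept_static(copied),
        "replay_recorded": issuer.accept_dynamic(copied, c1, atc, mac),
        "old_mac_new_challenge": issuer.accept_dynamic(copied, c2, atc + 1, mac),
    }
```
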

    5. Re:In other news the sun is hot. by LiENUS · · Score: 2

      Doesn't contain the CVV number and most websites require that.

  2. Nice Of Them To Include The Charging Cord.... by Shakrai · · Score: 4, Funny

    its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.

    My last smartphone didn't come with a cable OR a charger. Fuck you HTC. ;)

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  3. Re:antenna by Gussington · · Score: 2

    8cm is enough if that's all you require to get free money.
    Bus, train, bar, concert, elevator, I'm in plenty of situations where I get closer than 8cms to others. If every one of those people I could scam $99 from, I'll be a millionaire by the end of the month.

  4. Uh-huh. by Anonymous Coward · · Score: 5, Funny

    Sure.

    Just send the bitcoin, and you'll get the completely illegal and fraud inducing device sent by random strangers to a street address of your choice.

    This in no way is a honeypot OR a scam. I mean, why would it be, right?

  5. Re:I bought mine by Camel+Pilot · · Score: 2

    What is to worry... they have a money back guarantee

  6. Re:Contactless payment ! by ewibble · · Score: 4, Funny

    Since my bank refused to disable it on my card, I used the high tech solution of hole punch through the antenna

  7. perfectly secure! by green1 · · Score: 5, Informative

    Don't worry, the banks are working hard to solve this security hole... by telling anyone who will listen that these cards are secure, and sticking their fingers in their ears any time anyone says any different.

    My bank graciously offered to turn off the feature on my card, from their end, not mine. Which, if you know anything about how these hacks work, means that they're willing to take away all the convenience of the feature, while carefully maintaining the security risks on my card. I declined and cut the antenna instead.

    Right now in Canada it is almost impossible to get a credit card without this security hole baked in. They all have it, they brag about it. And worse yet, if someone does manage to clone the card, the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions, after all, the security on the cards is perfect, so you must have authorized it.

  8. Re:Sorry but... by hcs_$reboot · · Score: 2

    I guess the point is that the device can copy a single card in 1/15 second (0.07 second).

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  9. This problem has created an entirely new line of by dav1dc · · Score: 2
  10. Re:I bought mine by NotQuiteReal · · Score: 2

    Yeah, but the fine print says you have to get your money back the old fashioned way - by stealing it, using the device!

    --
    This issue is a bit more complicated than you think.
  11. Re:Chip and Pin by Eugene · · Score: 2

    It's impossible to read the secret keys over any interface of the card. So those cloning devices at most are reading what normally a contactless terminal can read from a card, meaning those cloned cards will fail all the offline and online CAM (card authentication method) since none of the relevant keys (ICC Private Key, nor the Application Cryptogram secret key) can be read.

    Unlike traditional magnetic stripe cards, chip cards have robust security built in; most of the security breaches are not from counterfeit cards (since you can't clone the relevant data from EMV cards).

  12. almost got one but... by Gravis+Zero · · Score: 2

    Operating System compatibility:
    -Microsoft WHQL 2000, XP, Vista, 7, 8, 10, Server 2003, Server 2008, Server 2008 R2, Server 2012

    I'll wait for the linux port. ;)

    --
    Anons need not reply. Questions end with a question mark.
  13. Re: antenna by Dr_Barnowl · · Score: 2

    You can, the protocols include collision avoidance.

    It's more likely down to the inverse square law - every time you double the range, you need to quadruple the output of your transmitter to maintain the same signal intensity.

  14. Clone is an exaggeration by DrXym · · Score: 3, Interesting

    An NFC chip would be extremely difficult to clone. They might be able to scrape some information off the NFC that is made public but it is highly doubtful that includes the PIN, the CVV2, the address or possibly even the name of the person. The NFC itself would implement challenge response so that wouldn't be much use either. It's not even obvious to me why point of sale terminals would even need to see what's on the magstripe but perhaps there is a reason. The obvious fix is if a payment card exposes this info then it should obfuscate it, or better yet not expose it at all. Whatever edge case requires it might not be a sufficient reason given any potential for theft.

    1. Re: Clone is an exaggeration by jittles · · Score: 2

      Maybe. Maybe not.

      Remember that these chips are extremely low power low speed.

      They have to perform usually a cryptographic hash of some input they are passed with their secret key. The algorithm used is not a fully secure algorithm like what would be used in https, it's not NIST approved etc. They are custom algorithms designed to be done by a very simple processor very quickly and are orders of magnitude easier than AES or SHA.

      All of the previous chips have so far been cracked after researchers studied the chip, and reverse engineered the encryption algorithm, which are then studied by cryptographers.

      A huge part of the security is that no one except one company, actually knows the encryption algorithm and it's extremely difficult for anyone to figure it out, as they would have to somehow view and reverse engineer the silicon circuit by physical inspection.

      Hmmmm why are none of these encryption attacks listed by the research team at Cambridge then? There are certainly attacks but none based on the cryptography that I know of. Do you have links? And you know that these smart cards have circuits designed for cryptography and that the latest chips actually do 2048 bit RSA encryption used by the terminal to validate that the card has not been cloned? But you're right, they can't even do basic 3DES or AES or even SHA on those cards...