Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second (softpedia.com)

Posted by BeauHD on from the crowded-shopping-center dept.

An anonymous reader writes from a report via Softpedia: "A criminal group going under the name of The CC Buddies is selling a hi-tech device on the Dark Web that's capable of copying details from contactless debit cards if held as close as eight centimeters away from a victim's card," reports Softpedia. The device, named Contactless Infusion X5, is extremely dangerous because it can copy up to 15 bank cards per second, something that may come in handy if a crook is going through a crowd at a concert or through a crowded subway cart. The device can collect data such as the card's number and expiration date. If the debit card's RFID chip stores information such as the card holder's name, home address, and a mini statement, X5 can steal that data as well. The X5 is sold on the Dark Web for only 1.2 Bitcoin (~$825), and its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.

6 of 193 comments (clear)

  1. In other news the sun is hot. by Anonymous Coward · · Score: 5, Informative

    My initial reaction is duh. I have software on my phone for security audits that allow me to do the exact same thing. Only it's not meant to do 15 cards a sec. This is how contactless cards work. Maybe the PCI should just start listening to security professionals and do away with these things?

    1. Re:In other news the sun is hot. by tlhIngan · · Score: 5, Informative

      Well, what really happens is this.

      When you read the card, you get the card number and expiry date. It's not good enough to actually do a chip/contact payment, but the information is enough to do a swipe transaction. If you can print a card, and have an old enough store that still uses a mechanical imprinter (the big thing that you put the card in, a slip and slide the slider back and forth that imprints the slip). Or of course, you use it for online shopping.

      What happens then is up to the merchant and hits bank - if the bank is smart, they will realize the card used supports chip or contactless, and the terminal supports it, and rejects the transation wanting a chip or contactless.

      Online stores and even in-person transactions often require the CVV if you swipe them, as well. (The CVV value is not stored on chip or in the magstripe - it's designed to verify that you have physical access to the card).

      Actual payments require a challenge-response - the chip contains a secret only known to it and the bank which never leaves the card.

      So you likely can use it for a few transactions which still do swipes and don't check CVVs, but that's about it.

  2. Nice Of Them To Include The Charging Cord.... by Shakrai · · Score: 4, Funny

    its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.

    My last smartphone didn't come with a cable OR a charger. Fuck you HTC. ;)

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  3. Uh-huh. by Anonymous Coward · · Score: 5, Funny

    Sure.

    Just send the bitcoin, and you'll get the completely illegal and fraud inducing device sent by random strangers to a street address of your choice.

      This in no way is a honeypot OR a scam. I mean, why would it be, right?

  4. Re:Contactless payment ! by ewibble · · Score: 4, Funny

    Since my bank refused to disable it on my card, I used the high tech solution of hole punch through the antenna

  5. perfectly secure! by green1 · · Score: 5, Informative

    Don't worry, the banks are working hard to solve this security hole... by telling anyone who will listen that these cards are secure, and sticking their fingers in their ears any time anyone says any different.

    My bank graciously offered to turn off the feature on my card, from their end, not mine. Which, if you know anything about how these hacks work, means that they're willing to take away all the convenience of the feature, while carefully maintaining the security risks on my card. I declined and cut the antenna instead.

    Right now in Canada it is almost impossible to get a credit card without this security hole baked in. They all have it, they brag about it. And worse yet, if someone does manage to clone the card, the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions, after all, the security on the cards is perfect, so you must have authorized it.