
Stopping identity fraud with quantum tunnelling

Even as far back as 2008 it was known that RFID contactless payment fraud was possible and that there was a way to protect RFID data. Unfortunately this wasn’t implemented, and bank cards can still be scanned without the user’s knowledge and the data captured. It is then easy to reuse that data to make payments.

Original article Materials World magazine 1st Oct 2008

Standard British EU passport with identity details stored on RFID chip within the page

The risk of fraudsters or terrorists hacking into our personal data will reduce if novel ultrathin switches are incorporated into biometric passports and contactless credit cards, says the team at Peratech in Richmond, UK. The technology, made from quantum tunnelling composites (QTCs), would allow the owner to restrict when sensitive information contained in radio frequency identification (RFID) microchips is read by pressing the control as and when needed.

Biometric passports and contactless credit cards are still being rolled out in the UK, but they are increasingly in use elsewhere in the world, such as the USA. The RFID chips and antennae within them hold and disseminate data on detecting a radio signal from a reader. The aim is to eliminate mechanical contacts or magnetic strips that wear away or fail. However, there have been reports that information can be accessed from RFID tags without the owner knowing.

On 8 August, UK national newspaper The Times reported on a test that it had conducted where a computer expert had cloned the microchips in two British passports.

‘Your identity and financial information could be stolen by the person behind you [with a handheld scanner] on the bus, train, in a queue – even walking down the street,’ explains David Lussey, CEO of Peratech.

Philip Taysom, a Director of the company, adds, ‘The American passports are shielded but the British ones are not. [Even then], because of their stiff nature, they open up’.

Under pressure

Quantum tunnelling composites are metal-filled polymeric insulating materials that turn to conductors upon loading or mechanical deformation, such as compression, twisting or stretching. David Lussey discovered this by overloading a polymer. Peratech was born in 1996 to manufacture, explore and commercialise QTCs in a range of applications, from electronic garments to switches in mobile phones.

‘If you look at the [range] of polymers and fillers, we have the ability to choose the formulation,’ explains Taysom. ‘We look at the electromechanical, environmental [behavioural use] and manufacturing requirements.’

In this case, the science has been exploited to formulate a material that only responds to the localised pressure of a finger or thumb. When pressed, it completes the circuit and allows the data to be read. Credit cards, for example, cannot be accidentally ‘switched on’ through pressure applied in a stack of cards in a purse or wallet. The drop in electrical resistance to below one ohm is proportional to the load applied.

To incorporate the material and antennae inside the laminate layer of a card, the QTC has been optimised to withstand heat and pressure during lamination, and ensure flexural toughness for everyday use.

Unlike mechanical switches, which rely on parts making contact and can get stuck in ATMs, the QTC does not have individual components. The entire material is a switch. Taysom explains that the composite is ‘thinner than paper’. Switches down to 20µm thick are possible.

The lack of air gaps means the composite does not ingress moisture or liquid, inhibiting damage caused by spillages and extending the device’s operational life.

Ready to roll?

The question now is whether QTCs will be exploited in a range of RFID-based goods. Taysom says that the material is ‘low cost’, but acknowledges there has been ‘resistance’ from manufacturers. ‘I don’t know why’, he says.

A possible answer may be that the designs of the new passports and credit cards have been finalised with billions of pounds invested in them and assurances from the authorities that they cannot be cloned. Peratech says, however, it wants to raise awareness and show that there is a problem with RFID solutions and that it has the solution. ‘We have a material that could give control back to the user,’ insists Taysom.




Nearly One In Five Sales Now Use Contactless Payment

Figures have revealed contactless payments now account for 18% of sales – up from 7% a year ago.

A report by the UK Cards Association said that contactless transactions were higher in the six months to June than they were for the whole of last year.

The average transaction cost £8.60, the report added.

Shopper makes a contactless payment using a terminal
Making a payment with a contactless payment, RFID, NFC bank card

“Contactless cards are firmly entrenched as the preferred way to pay for millions of consumers, who expect to be able to use them for everyday purchases,” said Richard Koch, head of policy at UK Cards Association.

“We anticipate the use of contactless cards will continue to increase, particularly as charities and transport operators outside London recognise the benefits this technology can bring,” he added.

The use of contactless has been boosted by small retail purchases such as food and drink purchases and public transport.

Cash still remains the most common method of payment.

In the first six months of the year, 1.1 billion transactions were made using contactless cards, up from 1.05 billion in 2015.

Many retailers do not accept contactless payments, despite the one-off spending limit being raised from £20 to £30 last September.


Do you know what you’re paying for? How contactless cards are still vulnerable to relay attack

Contactless card payments are fast and convenient, but convenience comes at a price: they are vulnerable to fraud. Some of these vulnerabilities are unique to contactless payment cards, and others are shared with the Chip and PIN cards – those that must be plugged into a card reader – upon which they’re based. Both are vulnerable to what’s called a relay attack. The risk for contactless cards, however, is far higher because no PIN number is required to complete the transaction. Consequently, the card payments industry has been working on ways to solve this problem.

The relay attack is also known as the “chess grandmaster attack”, by analogy to the ruse in which someone who doesn’t know how to play chess can beat an expert: the player simultaneously challenges two grandmasters to an online game of chess, and uses the moves chosen by the first grandmaster in the game against the second grandmaster, and vice versa. By relaying the opponents’ moves between the games, the player appears to be a formidable opponent to both grandmasters, and will win (or at least force a draw) in one match.

Similarly, in a relay attack the fraudster’s fake card doesn’t know how to respond properly to the payment terminal because, unlike a genuine card, it doesn’t contain the cryptographic key known only to the card and the bank that verifies the card is genuine. But like the fake chess grandmaster, the fraudster can relay the communication of the genuine card in place of the fake card.

For example, the victim’s card (Alice, in the diagram below) would be in a fake or hacked card payment terminal (Bob) and the criminal would use the fake card (Carol) to attempt a purchase in a genuine terminal (Dave). The bank would challenge the fake card to prove its identity; this challenge is then relayed to the genuine card in the hacked terminal, and the genuine card’s response is relayed back on behalf of the fake card to the bank for verification. The end result is that the terminal used for the real purchase sees the fake card as genuine, and the victim later finds an unexpected and expensive purchase on their statement.

Demonstrating the grandmaster attack

I first demonstrated that this vulnerability was real with my colleague Saar Drimer at Cambridge, showing on television how the attack could work in Britain in 2007 and in the Netherlands in 2009.

In our scenario, the victim put their card in a fake terminal thinking they were buying a coffee when in fact their card details were relayed by a radio link to another shop, where the criminal used a fake card to buy something far more expensive. The fake terminal showed the victim only the price of a cup of coffee, but when the bank statement arrives later the victim has an unpleasant surprise.

At the time, the banking industry agreed that the vulnerability was real, but argued that as it was difficult to carry out in practice it was not a serious risk. It’s true that, to avoid suspicion, the fraudulent purchase must take place within a few tens of seconds of the victim putting their card into the fake terminal. But this restriction only applies to the Chip and PIN contact cards available at the time. The same vulnerability applies to today’s contactless cards, only now the fraudster need only be physically near the victim at the time – contactless cards can communicate at a distance, even while the card is in the victim’s pocket or bag.

While we had to build hardware ourselves (from off-the-shelf components) to demonstrate the relay attack, today it can be carried out with any modern smartphone equipped with near-field communication chips, which can read or imitate contactless cards. All a criminal needs is two cheap smartphones and some software – which could be sold on the black market, if it is not already available. This change is likely the reason why, years after our demonstration, the industry has developed a defence against the relay attack, but only for contactless cards.

Closing the loophole

The industry’s defence is based on a design that Saar and I developed at the same time that we demonstrated the vulnerability, called distance bounding. When the terminal challenges the card to prove its identity, it measures how long the card takes to respond. During a genuine transaction there should be very little delay, but a fake card will take longer to respond because it is relaying the response of the genuine card, located much further away. The terminal will notice this delay, and cancel the transaction.

We set the maximum delay to 20 nanoseconds – the time it takes a radio signal to travel six metres; this would guarantee the genuine card is no further away than this from the terminal. However, the contactless card designers made some compromises in order to be compatible with the hundreds of thousands of terminals already in use, which allow far less precise timing. The card specification sets the maximum delay the terminal allows at two milliseconds: that’s 2 million nanoseconds, during which a radio signal could travel 600 kilometres.

Clearly this doesn’t offer the same guarantees as our design, but it would still represent a substantial obstacle to criminals. While it’s enough time for the radio signal to travel far, it’s still a very short window for the software to process the transaction. When we demonstrated the relay attack it regularly introduced delays of hundreds or even thousands of milliseconds.
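The timing check described above can be modelled in a few lines. The following is an added example, not code from the article's author or from any card specification: it simulates a terminal that verifies both the card's cryptographic response and the elapsed time, and shows that a relayed response passes the cryptography but fails the timing bound. The HMAC challenge-response, the function names and the delay values are assumptions constructed for illustration; only the 20 ns and 2 ms bounds come from the text.

```python
"""Distance-bounding model: a relay passes the crypto check, not the timing check."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

SPEED_OF_LIGHT_M_PER_NS = 0.299792458  # metres a radio signal travels per nanosecond

# Timing bounds quoted in the article.
DESIGN_BOUND_NS = 20          # the authors' original design
SPEC_BOUND_NS = 2_000_000     # two milliseconds, from the card specification

# Constructed delays (ns) between challenge and response. Card processing
# time is assumed to be calibrated out, so only the channel delay remains.
SCENARIO_DELAY_NS = {
    "genuine tap": 1,                    # card a few centimetres away
    "smartphone relay": 300_000_000,     # "hundreds of milliseconds" per the text
    "custom hardware relay": 50_000,     # assumed value for purpose-built equipment
}


def max_distance_m(bound_ns: float) -> float:
    """Distance a radio signal can cover within the timing bound."""
    return bound_ns * SPEED_OF_LIGHT_M_PER_NS


class Card:
    """Genuine card: holds a key shared only with the issuing bank."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Stand-in for the card's real cryptogram (assumption: HMAC-SHA256).
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


@dataclass
class Verdict:
    crypto_ok: bool
    timing_ok: bool

    @property
    def accepted(self) -> bool:
        return self.crypto_ok and self.timing_ok


def terminal_check(card: Card, issuer_key: bytes, delay_ns: int,
                   bound_ns: Optional[int]) -> Verdict:
    """Challenge the card, then verify the response and the elapsed time.

    A relay forwards the genuine card's answer unchanged, so the response
    is always valid; the only observable difference is the added delay.
    bound_ns=None models a terminal with no distance bounding.
    """
    challenge = os.urandom(16)
    response = card.respond(challenge)
    expected = hmac.new(issuer_key, challenge, hashlib.sha256).digest()
    crypto_ok = hmac.compare_digest(response, expected)
    timing_ok = bound_ns is None or delay_ns <= bound_ns
    return Verdict(crypto_ok, timing_ok)


def evaluate(bound_ns: Optional[int]) -> Dict[str, bool]:
    """Return {scenario: accepted?} for every scenario under one bound."""
    key = os.urandom(32)
    card = Card(key)
    return {name: terminal_check(card, key, delay, bound_ns).accepted
            for name, delay in SCENARIO_DELAY_NS.items()}


def counterfeit_accepted(bound_ns: Optional[int]) -> bool:
    """A fake card without the issuer key fails on cryptography alone."""
    fake = Card(os.urandom(32))
    return terminal_check(fake, os.urandom(32), 1, bound_ns).accepted


if __name__ == "__main__":
    for label, bound in (("no timing check", None),
                         ("20 ns bound", DESIGN_BOUND_NS),
                         ("2 ms bound", SPEC_BOUND_NS)):
        print(label, evaluate(bound))
    print("20 ns reach: %.1f m" % max_distance_m(DESIGN_BOUND_NS))
    print("2 ms reach: %.0f km" % (max_distance_m(SPEC_BOUND_NS) / 1000))
```

With no timing check every scenario is accepted, which is why the cryptography alone cannot detect a relay; the 2 ms bound rejects the smartphone-class delay but not the assumed custom-hardware delay, matching the compromise the text describes.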

It will be years before the new secure cards reach customers, and even then only some: there is only one Chip and PIN specification, but there are seven specifications for contactless cards, and only the MasterCard variant includes this defence. It’s not perfect, but it makes pragmatic compromises that should prevent smartphones being used by fraudsters as tools for the relay attack. The sort of custom-designed hardware that could still defeat this protection would require expertise and expense to build – and the banks will hope that they can stay ahead of the criminals until the arrival of whatever replaces contactless cards in the future.

Steven J. Murdoch is a member of The Tor Project and employee of VASCO.



This is why you should never hand your card over when paying with contactless

Many have handed their card over to a bartender or shop keeper to tap the machine when paying, but you really shouldn’t

Paying for goods is even easier with contactless pay. A tap and away you go. But if you are asked to pass your card over to the bartender or shopkeeper, you should refuse.

Payment being made with barclay card RFID bank card
You shouldn’t let someone else use your contactless card

Andrew Goodwill, the founder of the Goodwill Group against CNP (card not present) fraud, shared his advice with our sister title Mirror Online.

He said: “There is an unwritten code of good practice which is that when paying by either contactless card or by any other card, that the card should always be in the sight of the customer.

“If the card reader is not brought to you for the transaction to take place then you should challenge why not and refuse to let the card out of your sight.

“The waiter or waitress may be all smiles and maybe served you very well, but do they have a card reader behind the counter? You just don’t know.”


The Mirror reported in February there is an app that could turn a phone into a card reader and pulled the details of several cards within seconds.

Mr Goodwill also warned of the dangers of keeping contactless cards on your person in general.

“Contactless cards have a security issue when they are in your purse or wallet and should be protected by using a Metal Card Holder wallet with RFID blocking technology.

“Fraudsters can come up close to you and by using a card reader they can read your card details even if it is in your bag or wallet.”

Mirror Money performed an investigation into these claims in February and found card details could be pulled easily.


It took the team less than a minute to search for an app that turns a smartphone into a card reader, download it then drop the phone next to a wallet to see if the card could be read while inside.

It could. Not just on one person, and not just with one wallet. In less than five minutes they had pulled seven people’s card details, all from different wallets and purses, just using a phone.

It even worked when the card was inside someone’s wallet, inside someone’s pocket.

And despite warnings about the danger of card clash, when the Mirror tried it with a wallet that had three different contactless cards in it, it still worked. All that happened was that the reader picked one and took its details, ignoring the rest.

The Mirror team stress that they used a simple, legal, app and could pull card details such as the long card number, the provider and expiry date.


Criminals Planting Keyloggers On Smartphones

Iphone Lock Screen
Locking screen on Apple iPhone

Smartphones will become the number one target for cyber criminals within five years, according to police and security experts.

Sky News has been shown how hackers are developing viruses to by-pass a phone’s security, including the latest biometric systems.

The malware ‘Trojan horse’ gives cyber-criminals undetected access to a phone’s internal systems, where they can see every key stroke entered by a user.

This has serious implications for those who use their phones to access bank accounts and apps that hold sensitive, personal information.


Roughly a quarter of the world’s population own smartphones and the United Kingdom is top of the list with six out of 10 people owning a device.

Keiron Shepherd, senior security engineer at the world leading cyber security company F5 Networks, has been monitoring the targeting of mobile devices by hackers.

He told Sky News: “If you just consider the amount of smartphones and the number of people, it’s a great surface area for attackers to go for.

“Windows was the predominant system, it was the path of least resistance for the malware writers. Devices and operating systems which were considered not an issue to be worried about in the past have now become a target for the malware writers.”


One virus monitored by F5 Networks embeds itself in an innocent-looking advert on a website. When the advert is clicked, the virus infiltrates the user’s device and monitors every key stroke, even when the user accesses their bank accounts.

Keiron Shepherd said: “The way this virus can insert itself between the applications you’re using before it accesses the internet gives it a chance to extract critical data such as credit card numbers, bank accounts; anything that’s of high value.

“It really is a numbers game. They’ll throw enough malware out there and hope it returns a good investment.”

Police are monitoring an increase in complaints of fraud committed against smartphone users.

City of London Police Commander Chris Greany, the national police lead for cyber protection, said: “People who carry a mobile phone are actually carrying a mobile computer.

“It’s not a phone with a computer attached. It’s a computer with a phone attached and it is as risky using this as it is using the desktop at home.”


Contactless card theft: Users warned to watch out for ‘digital pickpockets’

A viral Facebook post which claims to show a man using a contactless card reader to steal from unsuspecting victims has got some people worried.

Original article from the

RFID scanner terminal used illegally
A man on a train appears to be scanning for contactless payment bank cards to take unauthorised payments of under £30.

A Facebook post which claims to show a man using a contactless card reader to steal money from members of the public has got some people worried about the security of their bank accounts.

The image, which first appeared in Russian media, shows a man standing on public transport holding a mobile card reader in his hand.

It is claimed that by keying an amount into the terminal and holding it against the pockets of unsuspecting targets, he could steal money out of their accounts via their contactless cards.

There’s not much context to the picture, and there’s nothing to suggest the man is a new kind of ‘digital pickpocket’. But it’s theoretically possible to steal money in this way, and it’s got some people worried.

Some card machines in shops, cafes and restaurants need to be connected to a landline terminal to work. More advanced devices, which are common across the country, use GPRS to make a connection – allowing merchants to take card payments almost anywhere.

If a thief had one of these GPRS-enabled machines, they would be able to ‘skim’ victims’ contactless cards almost anywhere, without them knowing.

However, most banks require their customers to have a business bank account if they want to take card payments – starting one of these accounts naturally involves handing over personal information to the bank, making the criminal traceable if a victim noticed the transaction on their statement.

Customers could get a refund from the bank if they spotted the fraudulent activity, and if the bank traced the theft to the criminal’s account, they could get shut down. But by that point, it might be too late.




Why you don’t need an RFID-blocking wallet – Not true

The article below appeared on written by Roger A. Grimes — Columnist. RFID Cloaked don’t agree: we have seen examples of cloning and scanning attacks and have duplicated a hacked RFID scanner to prove the concept works.

RFID contactless cards can be scanned, copied and cloned and unauthorised payments made. Check out some of our other posts. Comments on the original article also disagree and people have posted real-life examples of contactless payment fraud.



Wallet with bank cards
Credit debit RFID payment cards wallet

You don’t need a tinfoil hat, either. Opportunists have exploited consumer fears to create an industry that doesn’t need to exist.

Because I’m a computer security guy, I have friends who like to show off their new RFID-blocking wallets and purses. “Look what I got for Christmas!” they say. My lack of response should be telling, but they don’t seem to pick up on it.

They’ve seen the TV ads about malicious hackers who can “stand on any street corner” and wirelessly steal their credit card and other identity information. I’ve seen similar demonstrations at Black Hat and other computer security conferences for nearly a decade now. They never fail to wow the audience.

An entire, multi-billion-dollar RFID-blocking industry has emerged. You can get RFID blocking for almost any object you own. Some of my friends have so much faith in RFID-blocking products that they buy expensive, customized purses and wallets. These are the same people who drive extra miles to save a few cents on gas.

It goes to show that humans don’t evaluate risk very well.

The RFID fallacy

RFID technologies have been around for a long time, and they’re now included in more and more items. Yes, your RFID products can possibly be read from a distance. Yes, a hacker might be able to read your credit card information remotely as you pass by. But before you buy an RFID-blocking product, ask yourself if you’re worrying about the right things.

First and foremost, does your credit card actually have an RFID transmitter? The vast majority does not. Have you ever been told you can hold up your credit card to a wireless payment terminal, and without inserting your card, pay for something? For most of my friends, and the world in general, the answer is no.

Most RFID-enabled credit cards are heavily marketed as capable of being used wirelessly. They have names that imply wireless payment: PayPass, Blink, PayWave, Express Pay, and so on. Usually they bear a little RFID/contactless payment logo.

Hint: The new little golden metallic square on your new credit card does not indicate RFID. Also, many new contactless payment cards will have chip-and-PIN protection — or will use the chip to securely protect even RFID communications.

If you look at the number of credit cards with RFID, you can’t even represent it statistically. It’s not 0 percent, but it’s so far below 1 percent that it might as well be 0 percent. Part of the problem is that every major credit card vendor came out with its own version, so vendors and merchants had to physically support the same standards. Most people don’t want to have to figure out which vendors support which wireless cards and go get that specific card type.

On top of that, most of the world is going to wireless payments using your mobile device. Apple Pay had more users and adopters in its first day in the market than all active users of RFID credit card products combined. Apple Pay works with every credit card you have, as long as your vendor supports Apple Pay. Did I mention that Apple Pay is far more secure in almost every way?

RFID cards are coming with chip-and-PIN protections, and the lessons learned from Apple Pay (and other mobile phone wireless payment solutions) are migrating to credit cards. The days when a bad guy can sit on a corner and sniff your credit card information out of thin air are numbered.

Entertainment for the paranoid

But did that bad guy ever sit on the corner in the first place? Sure, I’ve seen the demos, but I’ve yet to hear of one criminal who was caught using an RFID sniffer or who admitted to stealing credit card info wirelessly. We know about all sorts of cyber crime. Why not the theft of RFID credit card information if the risk is so high?

Here’s why: It would be a lousy use of a criminal mastermind’s time. Today’s smart criminals break into websites and steal hundreds of thousands to tens of millions of credit cards at a time. Why would a criminal go to the effort and expense of stealing credit card info one card at a time when you can steal a million in one shot?

If a criminal wants a credit card or even your specific credit card, he or she can buy it for a few bucks from several places on the Internet. In fact, it’s significantly cheaper than buying all the necessary RFID attack equipment and sitting in a public square (which is likely to have one or more security cameras trained on it these days).

Still worried? If you actually have an RFID-enabled credit card, it turns out aluminum foil does the same job, if not better, than an expensive RFID-blocking sleeve. I know I’m going to get email from RFID-blocking vendors saying their products protect better than aluminum foil. No doubt that’s true in some cases.

But if you’re worried about that, you should also be wrapping your car keys in aluminum foil. Now we’re in the paranoid zone. I’ve heard from readers who have — I’m not making this up — removed every electronic product in their house due to hacking fears. They’ve sold their new cars with embedded computers and gone back to older models without any. I can’t tell if I’m dealing with regular paranoid people or true paranoid schizophrenics.

If you have a credit card, there’s a huge risk it will be hacked, but not by a guy sitting on a corner sniffing for your card as you walk by. The former is a fact of life. In the latter case, you might have a better chance of winning the lottery.


Tamera Selhaver 
I think the author is clueless. My husband and I had all of our debit card numbers stolen while shopping together. He rarely carries his wallet as I always have my purse so it was easy to figure out exactly what location we were at when we got “scanned.” All our debit cards except one credit card (already had smart chip technology) were stolen. Of course now all of our debit cards have smart chips so this is “supposedly” a moot point. But 4 years ago I was first in line for a protective wallet after getting tired of tinfoil. Never had another issue but was super careful about even taking a card out to slide and pay. I don’t see it taking that long before they figure out how to get around the chip. Nothing is foolproof.

Koruma Wallets
Sooner or later all cards will be contactless with RFID feature. In Europe this kind of cards is more and more popular. Sometimes people like it and sometimes hate. Our answer to this article is “Better safe than sorry”.

John Smith
Nice how the author has zero response to any of these comments!! Someone is wrong here and he won’t even debate or defend this article.

American Express notified me that someone tried to charge a $404.00 meal in Las Vegas. They denied it and cancelled my card. I had been to a shopping mall but had not used my card. Only used my card at CostCo.

Ryan Swan
Your card was probably cloned. Happens all the time. You probably inserted your card into a reader with a skimmer. If that isn’t the case then someone randomly got your card’s 16 digits by chance. They recycle the numbers because they have all been used by now.

Rockinon Ldn
Lots and lots of cards in Canada are RFID enabled. Once my wife’s card was read from more than a foot away by a more powerful than usual card reader at a cashier’s counter. My inexpensive wallet, purchased at Costco, is RFID proof. After seeing my wife’s card read from some distance, I’m pleased to have my RFID proof wallet. And do we use the RFID feature? All the time!

Ryan J
Use a faraday bag for your phone when traveling, or in risky areas. Use them when you’re on the move if you feel like you’re being tracked. These used to be “paranoid” concerns but not so much these days. They offer a level of assurance that provides peace of mind. Yes, you can’t receive calls when the phone is inside the bag, but you’re only using the bag when you feel you may be at risk. Attending a large conference? Good time to use a faraday bag. Think about it people, all the data you possess is on that little device just begging to be taken. Make sure you don’t buy a tin foil piece of crap anti-static bag though, I’ve tried those and they don’t work. They’re marketed as “faraday bags” but they most certainly are not. Buy a dual paired seam forensic faraday bag and you will be safe.

Nate Abshire
Wow, you’re terribly misinformed. Your article is practically a joke. In Canada yes, most major credit cards DO in fact transmit. It’s never been more important to secure your cards in an RFID transmission blocking case than these days. Do some research before laying down a couple grand worth of useless words.

Ray Croft
Just because I am paranoid, that does not mean that they are not after me!

Gage Merrell
Is this guy joking? Almost everyone in Canada has an RFID enabled card now… It’s the easiest way to pay for our Tim Hortons after all. Are the RFID blockers the only way to protect your credit card? Of course not. Is it a terrible idea to have one built in anyways? Again, of course not. It is difficult for me to agree any additional protection is meaningless. I also understand that the USA is significantly behind in payment security, I work with payment security equipment everyday, but here in Canada, contactless pay has become very popular.

Bek O’Toole
I work in a small country town bag shop and we sell RFID protection in most of our wallets/purses etc. In the last 3 days I have had 2 customers whose money has been stolen in this way. One poor bloke had $2000 and the other nearly $300. I get customers all the time coming in BECAUSE their money has been stolen in this way. It is a small country town as well, not a city and it still happens all the time. Where is he getting his evidence from?

Gethin Hill
Haha is this guy for real? Security Adviser? If you hired this guy for your security, I’d be very worried.. 40 computer certifications and eight books and he’s giving this kind of advice?

Gertjan Assies
That’s a pretty ignorant point of view. Since 2008 it is possible to wirelessly do small payments without using a PIN, so a mobile device with an amount less than 25 euro/dollar/pound entered and a busy public transport system is all it takes.

Dean Oliffe
Totally disagree with this article and it sounds like an editorial piece for the industry pushing this payment method. Personally anything to do with security of users’ banking accounts (access etc) should be secured with a PIN. Then if the user wishes to opt in to Paywave or Paypass etc then that should be their choice alone. The two vendors and the banks should be focused on the security of our funds and not half arsed implementations when all the required functionality, trust and user understanding for PINs exists already. It’s articles like this that get me going. We can of course agree to disagree, but as I can see from the other comments this article doesn’t get much in real world support.

Adam Bruce
You need to check your statistics mate, “If you look at the number of credit cards with RFID, you can’t even represent it statistically. It’s not 0 percent, but it’s so far below 1 percent that it might as well be 0 percent”

In the UK these cards are becoming widely adopted. If you look at the UK card association website you will see that there are currently almost 80 million contactless cards in use in the UK, meaning most people have more than one.

Sharon Johnson
My debit card doesn’t have an RFID chip. It has the strip on the back. My card was read while out and $2000 was stolen out of my bank. The card was never out of my possession. It happened just hours after using it at Walmart.

Eric Shook
Your card was likely cloned when you paid, not read by an rfid scanner…

Pete Dee
The main reason that the secure chips on the credit cards were that the pay phones were being pried open by the immigrants in France to get any coins in the pay phones. These chips are so secure now the US Military IDs have these chips on them. What does that say for security? My new Mastercard has that chip and 99% of the places I shop don’t use the chip feature. Walmart is the only company I know that has their cash registers’ chip readers enabled. This secure chip is the wave of the future. Recently in Paris, France the parking spots were chip credit cards only, so finding a parking spot and paying for it is a lot more difficult without the credit card with the chip.

Sarah West
With such a low adoption level in the USA, it’s hardly surprising there won’t have been many reports of problems. That doesn’t mean that things can’t go wrong.

Here in the UK, it’s now very difficult to get a new bank card without contactless payment enabled. Many banks simply don’t do them and contactless readers are everywhere now. The UK Cards Association released statistics showing that in November 2015, there were 78.3 million contactless payment cards in circulation in the UK. That’s in a country with a population below 70 million. See

With such widespread use, there have been a number of problems. Accidental payments are reported to have taken place more than once at one of the UK’s leading retailers, Marks & Spencer (

Only two days ago, Roi Perez, a community manager for SC computer security magazine was featured in my local newspaper after having discovered an unauthorized debit from his card. Read the article at

Roger Gong
All my credit cards are wireless payment enabled. As the wireless payment won’t require the user to key in a PIN or any identification secret, I’m sure the bad guys are able to steal your money by using a device functionally similar to the wireless payment terminal when you don’t have some kind of signal-blocking wallet.

David Brodbeck
In theory they could do that, but the RFID payment system is generally limited to small transactions, and each transaction is a one-time challenge-response exchange where the card has to be present (you can’t just store the info and use it again later). So our theoretical thief would have to sit there making small transactions as people walked by. He’d be better off getting a job as a waiter and just taking a picture of every card he was handed.
Also, consumers don’t have to pay for fraudulent charges — the bank or merchant has to eat the cost. They’re the ones who stand to lose the most from theft, so if they’re issuing these cards, it clearly isn’t a concern for them.
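
The one-time challenge-response behaviour described in the comment above, as an added example that is not part of the original thread: a simplified Python model in which a stored response is refused when it is presented again. The `Card` and `Issuer` classes, the shared key, the counter and the use of HMAC-SHA256 are assumptions for illustration, not the card schemes' actual algorithms.

```python
import hashlib
import hmac
import secrets

def _mac(key, challenge, amount, counter):
    """MAC binding the terminal's challenge, the amount and the card's counter."""
    msg = challenge + amount.to_bytes(6, "big") + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    """Toy card: the key never leaves it; the counter advances on every tap."""
    def __init__(self, key):
        self._key, self._counter = key, 0

    def respond(self, challenge, amount):
        self._counter += 1
        return {"amount": amount, "counter": self._counter,
                "mac": _mac(self._key, challenge, amount, self._counter)}

class Issuer:
    """Toy issuer: recomputes the MAC and refuses any counter already seen."""
    def __init__(self, key):
        self._key, self._last_counter = key, 0

    def authorise(self, challenge, resp):
        expected = _mac(self._key, challenge, resp["amount"], resp["counter"])
        if not hmac.compare_digest(expected, resp["mac"]):
            return False                      # wrong challenge, amount or key
        if resp["counter"] <= self._last_counter:
            return False                      # same response presented twice
        self._last_counter = resp["counter"]
        return True

def demo():
    key = secrets.token_bytes(16)             # constructed sample key
    card, issuer = Card(key), Issuer(key)
    c1, c2 = secrets.token_bytes(4), secrets.token_bytes(4)
    r1 = card.respond(c1, 250)                # genuine tap, amount in pence
    return {
        "genuine": issuer.authorise(c1, r1),
        "replay_same_challenge": issuer.authorise(c1, r1),
        "replay_new_challenge": issuer.authorise(c2, r1),
        "amount_changed": issuer.authorise(c1, dict(r1, amount=3000)),
        "next_genuine_tap": issuer.authorise(c2, card.respond(c2, 400)),
    }
```

Only the two taps where the card itself answered a fresh challenge are authorised; a captured response fails because the counter has already been used or because the MAC no longer matches the challenge and amount.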

Lee Adkins
Maximum charge in the UK is £30, unskilled workers probably average £45 a day after tax so with just two swipes you’re up £15. Get 5-6 and you are close to not having to work for a week.

I don’t believe it’s going to be a really prevalent form of attack; however, I wouldn’t discount desperate people attempting it. I agree with you that the banks are pretty good at refunding fraudulent activity as I’ve had it happen myself (I suspect from a large database hack, as I’m careful where I use it), and if it did become an epidemic of sorts they would soon do something about it.

I now really would like to know how far away one has to be in order to steal the card info. Are we talking about meters or centimeters?
Here in Austria one could get away with 80 euros, when using the card 4 times until we have to put in our PIN again.

You don’t want to tell me that it is enough to have a photo of a card with RFID in order for everyone to use it for payments? This really would be scary!

Cliff Crabtree
Putting a Faraday cage around your smart phone would be far more effective. You could not make or receive phone calls until it was removed though. The RFID blocking products would probably not have gotten any kind of a foothold on the market if smart phone payment systems had been widely deployed first.


Kempston man’s contactless card warning after thieves’ £300 spending spree – Bedford News

This bank card was stolen, but the case shows that payments up to £30 can be made without any checks on the identity of the person or on the contactless payment card.

With modern hacking and cloning techniques this can easily be achieved without you even losing your payment cards or them ever leaving your wallet or purse.

A MAN who managed to track down the teens he suspects stole his wallet by tracing their declined purchases is warning people about the risk of contactless cards.

Tony Milioti, 33 from Kempston, had his card stolen from McDonalds in Bedford on Monday, November 23, the day before his birthday, but could not get through to his bank to cancel all of his debit cards.

As it turned out, this enabled him to track the two young men suspected of pinching his card through their attempts to purchase items across Bedford.

Tony told BoS: “The next day I got a text from Santander asking if a number of purchases that had been made on the card were mine, so I replied no, and they told me the card had been blocked.

“I was happy to receive the text, but it made me wonder where the previous purchases were so I tracked them down and went to see if I could find out who stole my cards.”

He went to a newsagents in Greyfriars and requested to see the CCTV footage of the attempted purchase, which he was given permission to do, and downloaded the footage to his phone.

With this he went to the police and was told they would investigate it, which he was happy with, but he later received a text from Barclays bank telling him purchases had been made on another of his cards in an Indian restaurant and a Londis store.


Tony said: “A lot of people don’t realise just how easy it is for this to happen, especially older people.

“I want everyone out there to realise that they are at risk through this, as even though there are spend and daily card limits, this can mount up to a lot.




▶ RFID – The Risk inside your credit card – YouTube

Watch this YouTube video about RFID theft, which shows how easily a security expert clones and copies cards and makes payments using scanners that are easy to buy and make. This information is not hard to find, and it makes it easy to understand why you should be using RFID shielding. The video also talks about using aluminium foil; this works, but only for some frequencies, and it does not protect all cards. Please read our other post on aluminium foil and why it doesn’t work.



How 30million ‘wi-fi’ credit cards can be plundered by cyber identity thieves exploiting contactless payment technology – Daily Mail

Article on the Mail Online showing how contactless payment cards can be copied and cloned in a matter of minutes, including some real-life examples of where this has been used to defraud customers or stores out of money. There are even cases of accidental use of these cards, with some customers being charged more than once for payments intended for their Oyster cards on London buses.

  • Modified mobile phones can strip card details in seconds
  • Card-holders could be ‘robbed’ by people next to them on train
  • Oyster readers on buses mistakenly charge bank cards