Hacking RFID devices using NFC smartphones

Presentation showing how easily data can be read from RFID devices using standard NFC-equipped smartphones.

Presentation slide: what is possible using an NFC smartphone against RFID data cards

The presentation describes potential vulnerabilities in various RFID devices (Mifare, RFID biometric passports, Mastercard PayPass, VISA PayWave) and how to exploit them using NFC smartphones.

Accidental contactless payments – what you should do when it happens

With contactless (RFID) bank cards and travel cards such as Oyster, an accidental contactless payment can happen simply because your purse or wallet is within range of a card terminal or access gate; when a reader picks up a card you did not intend to use from among several, this is known as "card clash". These cards do not require the user to enter a PIN or otherwise authorise a low-value transaction, so the cardholder cannot stop it happening unless RFID shielding is already in place.

Look, Touch, Confirm: it is easy to use an RFID bank card, and just as easy to make an accidental contactless payment.

What you should do when an accidental contactless payment happens

Make a note of the date, time and location of the accidental transaction, and keep any used tickets and receipts in case the service refuses a refund.

Find the nearest member of staff or information point and ask how to dispute the contactless transaction. Not all staff will know what to do; if that happens, ask for the complaints or general enquiries telephone number and contact them.

If you are using a London travel service (bus, Tube, tram, DLR, London Overground, TfL Rail, Emirates Air Line, River Bus or National Rail) and have an online account, log in and check whether you have been incorrectly charged. Note the transaction and register the dispute with Transport for London online, or telephone 0343 222 1234 (call charges apply).

If you are using an Oyster card on pay-as-you-go, it is harder to prove who held the card when the transaction happened, so it is important to dispute the payment with a member of staff as soon as it happens.

If you are unable to resolve the issue with the retailer or travel service, contact your bank with full details of the contactless payment and why you dispute it; the bank can take up accidental payments with the retailer or service on your behalf.

How to prevent accidental contactless payments using RFID bank cards

Most contactless payment terminals only work at short range, so keep your purse or wallet at least 20 cm (8 inches) away from the terminal. Hacked or altered terminals and specialist readers can read at 1.5 m or further.

Banks can issue Visa or Mastercard cards without the contactless chip; contact your bank and ask for one if you really do have concerns, but you will lose the convenience contactless payment brings.

Purchase a good-quality RFID-shielded wallet or purse.
It must shield 13.56 MHz, the ISO/IEC 14443 frequency that all contactless payment cards use. If you also carry security passes or keyless entry fobs, these typically use 125 kHz and need a shield rated for that band as well. These are usually premium products and cost rather more than a normal leather wallet or purse.

It is possible to stop your bank card making contactless payments by drilling through the chip inside the card. This is not recommended: you may damage the card so that it is completely unusable, in which case you will have to order another from your bank, and that takes time.

A Faraday cage blocks the reader's field and so prevents accidental contactless payments. Conductive material such as aluminium foil, conductive paint or wire mesh will block radio frequencies; different materials perform better or worse at different frequencies, and the enclosure must surround the cards completely. No gaps or leaks means no field reaches the card, so the RFID signal is blocked. This removes the convenience of contactless payment: it works, but it is not easy to use.

How to get your money back

If you believe you have been a victim of card fraud, always contact your bank immediately and quote the Payment Services Regulations. These say that you must be refunded immediately if you are a victim of fraud.

If the bank can show that you were careless with your card and PIN or password, you will be liable for a maximum of £50, although many banks and building societies will waive this.

If that doesn’t work, then you can complain to the Financial Ombudsman.

Contactless card owners warned against public transport scanner hack

A Facebook post has gone viral after a man, Paul Jarvis, saw a thief scamming people out of their money in a tech-savvy way.

He was keying payments of under £30 into a wireless card reader and touching it against the wallets of unsuspecting people.

Mr. Jarvis took a picture and posted it on Facebook, writing: “So this guy was spotted wandering round with a Point of Sale (POS) device. All he has to do is key in a price less than £30 and then touch the device on the pocket that contains your wallet.

“Ching! You’ve just been charged automatically on your touch pay enabled credit/debit card…. We just tried this in my local pub with their POS device and it worked…

“(I’ve actually shown people this using the NFC function on my mobile to read their card data through their wallet to freak them out but this is the first time I’ve seen someone doing it for real). Time to invest in a screened wallet I guess…”

And it’s true – some card readers can scan through wallets.

Contactless cards are now wildly popular, and used in one in seven sales.

While much of this increase came from the introduction of contactless fares on the Transport for London network in late 2014, Visa Europe said the technology had already spread far beyond the capital’s buses and trains.

“Sixty percent of contactless transactions now take place outside the M25, confirming this isn’t just a London phenomenon. At this rate, cash will be seen as a peculiar way of paying for things in as little as five years’ time,” said Kevin Jenkins, UK and Ireland managing director.

Contactless payments in numbers

2008: the year Barclays introduced the first contactless cards

74.5 million: contactless cards in circulation in the UK

£30: spending limit per transaction (raised from £20 in September 2015)

1 in 3: proportion of card transactions made using contactless payment in London in 2014

£8.26: average amount spent per contactless transaction by the end of 2014

Cashless payments overtook notes and coins last year, according to the Payments Council. While it took plastic cards 49 years from the first Barclaycard to become the dominant payment method, contactless technology has grown rapidly since the first UK transactions in 2007.

There have been security worries with contactless cards in the past.

The “tap and go” cards, which can be used for purchases under £30 without entering a four-digit PIN or signing, are not always authorised online by the bank at the time of the purchase.

Purchases therefore may not appear on a customer’s account for some time after a card has been reported lost or stolen, leaving thieves free to keep using them at will.

The onus is then on the customer to check their statements and report any subsequent fraudulent activity to their bank in order to apply for a refund.

RBS and NatWest admitted that “in theory a small number of contactless transactions could be made before the card is blocked.”

Barclaycard said: “When a customer reports a card lost or stolen, a block is applied to the card preventing all further activity. However, some contactless transactions are processed offline so may not appear on a customer’s account until after the block has been applied.”

“We offer a 100% fraud guarantee for anyone who is a victim of contactless fraud .”


PCI DSS 3.2 contactless data exposure: surely not poor governance?

Is PCI DSS an incompatible truth with contactless payment cards and an inconvenient truth for Banks and card issuers ?

The following is an interpretation of the Payment Card Industry Data Security Standard version 3.2 (PCI DSSv3.2) against the data readily accessible from a contactless card.

It suggests that your card data is at risk, and that this is exactly the risk the PCI (Payment Card Industry) identifies and lists as a key concern. Yet contactless cards offer no protection of this data, and the PCI does not seem to address it.

Bank card: the different data types stored on a payment card, including the chip, PAN, cardholder name, expiration date and magnetic stripe

First, let's understand what the PCI identifies as RISKY BEHAVIOUR:

The PCI defines risky behaviour in the ‘PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.2’ as follows:

A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk.

81% store payment card numbers.
73% store payment card expiration dates.
71% store payment card verification codes.
57% store customer data from the payment card magnetic stripe.
16% store other personal data.

Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/ EMC)

And what are the PCI's concerns, and what is its role?

The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, including the PAN, the primary account number printed on the front of a payment card.

What does the standard do? The PCI Data Security Standard (PCI DSS) sets out to Protect Cardholder Data:

Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. Entities accepting payment cards are expected to protect cardholder data and to prevent its unauthorized use, whether the data is printed or stored locally, or transmitted over an internal or public network to a remote server or service provider.

 …. 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits you may display), so that only authorized people with a legitimate business need can see more than the first six/last four digits of the PAN. This does not supersede stricter requirements that may be in place for displays of cardholder data, such as on a point-of-sale receipt.

3.4 Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography. (See PCI DSS Glossary for definition of strong cryptography.) ….

And yet the riskiest behaviour of all, by comparison, is surely the data revealed by access to the RFID chip on the card: the contactless payment favoured by banks as the alternative to cash.

Why? Simply because every contactless payment card natively and openly reveals basic information that should be protected: the PAN and other data.

With a mobile phone application, currently available to download, it is very simple to read (without the cardholder's knowledge or permission) the following data from contactless-enabled cards:

What data can be found by reading a credit card?

Results from a readily available phone app reading a credit card follow. (In the app the card number is shown in full; in line with PCI guidance, only the first six and last four digits are shown here.)

Track 1
  • Expiry date: 1 Nov 2017
  • PAN (card number): 540463******8991
  • Format: B
  • Service: International interchange; Normal; No restrictions; None

Track 2
  • Expiry date: 1 Nov 2017
  • PAN (card number): 540463******8991
  • Service: International interchange; Normal; No restrictions; None

Application
  • AID: A0 00 ** ** ** 10 10
  • Label: MasterCard
  • Priority: 1
  • PIN tries left: 3

Not only this: the card's recent transaction log can also be read.
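The app output above maps directly onto the EMV data a card returns over ISO/IEC 14443: the values come from the Track 2 equivalent data (tag 57), the cardholder name (5F20), the expiry date (5F24) and the PIN try counter (9F17) in the card's READ RECORD responses. The following Python is an added example, not the page's or any app's code. It builds a constructed record around a published Mastercard test PAN, decodes the BER-TLV, splits Track 2 into PAN, expiry and service code, checks the Luhn digit, and masks the PAN the way PCI DSS requirement 3.3 describes. The SELECT PPSE command bytes and the service-code table come from the public EMV and ISO/IEC 7813 specifications; the sample record and cardholder name are constructed for the example.

```python
"""Added example (not the page's or any app's code): decode the EMV records an
NFC reader gets back from a contactless card and mask the PAN per PCI DSS 3.3."""
from __future__ import annotations

# First command a reader sends: SELECT the Proximity Payment System Environment
# "2PAY.SYS.DDF01". Reference only; this example never touches hardware.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")

# ISO/IEC 7813 service-code digits (abbreviated table; unknown values fall through).
SERVICE_CODE = {
    1: {"1": "International interchange", "2": "International interchange, IC preferred",
        "5": "National interchange only", "7": "No interchange except bilateral", "9": "Test"},
    2: {"0": "Normal", "2": "Contact issuer online"},
    3: {"0": "No restrictions, PIN required", "1": "No restrictions",
        "2": "Goods and services only", "3": "ATM only, PIN required", "4": "Cash only",
        "5": "Goods and services only, PIN required", "6": "No restrictions, PIN if PED present"},
}


def tlv(tag: str, value: bytes) -> bytes:
    """Encode one BER-TLV element (short or single-byte long length form)."""
    n = len(value)
    return bytes.fromhex(tag) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + value


def parse_tlv(data: bytes) -> dict[str, bytes]:
    """Flatten BER-TLV into {tag_hex: value}, descending into constructed tags."""
    out: dict[str, bytes] = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # inter-element padding
            i += 1
            continue
        start, i = i, i + 1
        if data[start] & 0x1F == 0x1F:       # multi-byte tag: more bytes while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length, i = data[i], i + 1
        if length & 0x80:                    # long form: next n bytes carry the length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value, i = data[i:i + length], i + length
        if data[start] & 0x20:               # constructed (templates 70, 77, ...): recurse
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def parse_track2(value: bytes) -> dict[str, str]:
    """Tag 57, Track 2 equivalent data: PAN 'D' YYMM service-code discretionary [F pad]."""
    digits = value.hex().upper().rstrip("F")
    pan, rest = digits.split("D", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "discretionary": rest[7:]}


def luhn_valid(pan: str) -> bool:
    """Check digit every PAN carries; a sanity test that the decode is right."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if pos % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3: display at most the first six and last four digits."""
    if len(pan) < 11:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def decode_card_record(record: bytes) -> dict[str, object]:
    """What a reader app learns from one READ RECORD response, with the PAN masked."""
    tags = parse_tlv(record)
    t2 = parse_track2(tags["57"])
    sc = t2["service_code"]
    return {
        "pan_masked": mask_pan(t2["pan"]),
        "pan_luhn_ok": luhn_valid(t2["pan"]),
        "expiry_yymm": t2["expiry"],
        "service": [SERVICE_CODE[k].get(sc[k - 1], "unknown") for k in (1, 2, 3)],
        "cardholder": tags["5F20"].decode("ascii") if "5F20" in tags else None,
        "pin_tries_left": tags["9F17"][0] if "9F17" in tags else None,
    }


# Constructed READ RECORD response around a published Mastercard *test* PAN, not a
# real card: template 70 wrapping Track 2 data, cardholder name, expiry, PIN counter.
SAMPLE_RECORD = tlv("70", b"".join([
    tlv("57", bytes.fromhex("5555555555554444D17111010000000000")),
    tlv("5F20", b"CARDHOLDER/TEST"),
    tlv("5F24", bytes.fromhex("171130")),
    tlv("9F17", b"\x03"),
]))
```

`decode_card_record(SAMPLE_RECORD)` reproduces the app's view of the card (masked PAN, expiry, the "International interchange; Normal; No restrictions" service-code reading, and three PIN tries left) without ever holding the full PAN in its output. Note what the record does not contain: there is no CVV2 and no cryptographic key, which is why the practical exposure is the PAN and expiry rather than a clone of the card.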

According to PCI DSS v3.2 none of this information should be accessible, transmissible, recordable or storable in the clear, and yet all of it is. So when it comes to risky behaviour, should the guide not address and highlight this as follows:

RISKY BEHAVIOR:

A survey of cards in Europe reveals activities that put cardholder data at risk.

100% of contactless cards reveal the PAN and other sensitive customer data, in breach of Payment Card Industry Data Security Standard version 3.2, when accessed.

81% store payment card numbers.
73% store payment card expiration dates.
71% store payment card verification codes.
57% store customer data from the payment card magnetic stripe.
16% store other personal data.

What about the Governance?

“All five payment card brands, along with Strategic Members, share equally in the Council's governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization.” And: “PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers.”

So one must surely ask: where is the excuse for this apparent non-compliance with DSS 3.2?

How can a merchant be held accountable to DSS 3.2 when the governing members appear not to be?

Ask yourself as a card user: are you fully satisfied that your contactless payment card is truly secure, and that your data is of no use to fraudsters? The PCI seems to think so, as far as its standards go.

And what does this lack of security ultimately benefit? It would seem only the ease and speed of contactless transactions, perhaps to ensure contactless payment uptake. Complying with the PCI DS Standards: is that not the primary concern?

PCI quick guide to DSS v3.2: https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf

The PCI DSS v3.2 standard: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf

Stopping identity fraud with quantum tunnelling

Even as far back as 2008 it was known that RFID contactless payment fraud was possible and that there was a way to protect the RFID data. Unfortunately this was not implemented, and bank cards can be scanned without the user's knowledge and the data captured. The PAN and expiry date read this way can then be reused for card-not-present payments at merchants that do not ask for the CVV2; the card's cryptographic keys themselves are not exposed.

Original article Materials World magazine 1st Oct 2008

Standard British EU passport with identity details stored on an RFID chip within the page

The risk of fraudsters or terrorists hacking into our personal data will reduce if novel ultrathin switches are incorporated into biometric passports and contactless credit cards, says the team at Peratech in Richmond, UK. The technology, made from quantum tunnelling composites (QTCs), would allow the owner to restrict when sensitive information contained in radio frequency identification (RFID) microchips is read by pressing the control as and when needed.

Biometric passports and contactless credit cards are still being rolled out in the UK, but they are increasingly in use elsewhere in the world, such as the USA. The RFID chips and antennae within them hold and disseminate data on detecting a radio signal from a reader. The aim is to eliminate mechanical contacts or magnetic strips that wear away or fail. However, there have been reports that information can be accessed from RFID tags without the owner knowing.

On 8 August, UK national newspaper The Times reported on a test that it had conducted where a computer expert had cloned the microchips in two British passports.

‘Your identity and financial information could be stolen by the person behind you [with a handheld scanner] on the bus, train, in a queue – even walking down the street,’ explains David Lussey, CEO of Peratech.

Philip Taysom, a Director of the company, adds, ‘The American passports are shielded but the British ones are not. [Even then], because of their stiff nature, they open up’.

Under pressure

Quantum tunnelling composites are metal-filled polymeric insulating materials that turn to conductors upon loading or mechanical deformation, such as compression, twisting or stretching. David Lussey discovered this by overloading a polymer. Peratech was born in 1996 to manufacture, explore and commercialise QTCs in a range of applications, from electronic garments to switches in mobile phones.

‘If you look at the [range] of polymers and fillers, we have the ability to choose the formulation,’ explains Taysom. ‘We look at the electromechanical, environmental [behavioural use] and manufacturing requirements.’

In this case, the science has been exploited to formulate a material that only responds to the localised pressure of a finger or thumb. When pressed, it completes the circuit and allows the data to be read. Credit cards, for example, cannot be accidentally ‘switched on’ through pressure applied in a stack of cards in a purse or wallet. The drop in electrical resistance to below one ohm is proportional to the load applied.

To incorporate the material and antennae inside the laminate layer of a card, the QTC has been optimised to withstand heat and pressure during lamination, and ensure flexural toughness for everyday use.

Unlike mechanical switches, which rely on parts making contact and can get stuck in ATMs, the QTC has no individual components: the entire material is a switch. The composite, Taysom explains, is ‘thinner than paper’. Switches down to 20µm thick are possible.

The lack of air gaps means the composite does not ingress moisture or liquid, inhibiting damage caused by spillages and extending the device’s operational life.

Ready to roll?

The question now is whether QTCs will be exploited in a range of RFID-based goods. Taysom says that the material is ‘low cost’, but acknowledges there has been ‘resistance’ from manufacturers. ‘I don’t know why’, he says.

A possible answer may be that the designs of the new passports and credit cards have been finalised with billions of pounds invested in them and assurances from the authorities that they cannot be cloned. Peratech says, however, it wants to raise awareness and show that there is a problem with RFID solutions and that it has the solution. ‘We have a material that could give control back to the user,’ insists Taysom.

Further information

Peratech

Nearly One In Five Sales Now Use Contactless Payment

Figures have revealed contactless payments now account for 18% of sales – up from 7% a year ago.

A report by the UK Cards Association said that contactless transactions were higher in the six months to June than they were for the whole of last year.

The average transaction cost £8.60, the report added.

Shopper making a payment with a contactless (RFID/NFC) bank card at a terminal

“Contactless cards are firmly entrenched as the preferred way to pay for millions of consumers, who expect to be able to use them for everyday purchases,” said Richard Koch, head of policy at UK Cards Association.

“We anticipate the use of contactless cards will continue to increase, particularly as charities and transport operators outside London recognise the benefits this technology can bring,” he added.

The use of contactless has been boosted by small retail purchases such as food and drink, and by public transport.

Cash still remains the most common method of payment.

In the first six months of the year, 1.1 billion transactions were made using contactless cards, up from 1.05 billion in 2015.

Many retailers do not accept contactless payments, despite the one-off spending limit being raised from £20 to £30 last September.

http://nr.news-republic.com/Web/ArticleWeb.aspx?regionid=4&articleid=71362552&source=viber

Do you know what you’re paying for? How contactless cards are still vulnerable to relay attack

Contactless card payments are fast and convenient, but convenience comes at a price: they are vulnerable to fraud. Some of these vulnerabilities are unique to contactless payment cards, and others are shared with the Chip and PIN cards (those that must be inserted into a card reader) upon which they are based. Both are vulnerable to what is called a relay attack. The risk for contactless cards, however, is far higher because no PIN is required to complete the transaction. Consequently, the card payments industry has been working on ways to solve this problem.

The relay attack is also known as the “chess grandmaster attack”, by analogy to the ruse in which someone who doesn’t know how to play chess can beat an expert: the player simultaneously challenges two grandmasters to an online game of chess, and uses the moves chosen by the first grandmaster in the game against the second grandmaster, and vice versa. By relaying the opponents moves between the games, the player appears to be a formidable opponent to both grandmasters, and will win (or at least force a draw) in one match.

Similarly, in a relay attack the fraudster’s fake card doesn’t know how to respond properly to the payment terminal because, unlike a genuine card, it doesn’t contain the cryptographic key known only to the card and the bank that verifies the card is genuine. But like the fake chess grandmaster, the fraudster can relay the communication of the genuine card in place of the fake card.

For example, the victim’s card (Alice, in the diagram below) would be in a fake or hacked card payment terminal (Bob) and the criminal would use the fake card (Carol) to attempt a purchase in a genuine terminal (Dave). The bank would challenge the fake card to prove its identity, this challenge is then relayed to the genuine card in the hacked terminal, and the genuine card’s response is relayed back on behalf of the fake card to the bank for verification. The end result is that the terminal used for the real purchase sees the fake card as genuine, and the victim later finds an unexpected and expensive purchase on their statement.

Demonstrating the grandmaster attack

I first demonstrated that this vulnerability was real with my colleague Saar Drimer at Cambridge, showing on television how the attack could work in Britain in 2007 and in the Netherlands in 2009.

In our scenario, the victim put their card in a fake terminal thinking they were buying a coffee when in fact their card details were relayed by a radio link to another shop, where the criminal used a fake card to buy something far more expensive. The fake terminal showed the victim only the price of a cup of coffee, but when the bank statement arrives later the victim has an unpleasant surprise.

At the time, the banking industry agreed that the vulnerability was real, but argued that as it was difficult to carry out in practice it was not a serious risk. It’s true that, to avoid suspicion, the fraudulent purchase must take place within a few tens of seconds of the victim putting their card into the fake terminal. But this restriction only applies to the Chip and PIN contact cards available at the time. The same vulnerability applies to today’s contactless cards, only now the fraudster need only be physically near the victim at the time – contactless cards can communicate at a distance, even while the card is in the victim’s pocket or bag.

While we had to build hardware ourselves (from off-the-shelf components) to demonstrate the relay attack, today it can be carried out with any modern smartphone equipped with near-field communication chips, which can read or imitate contactless cards. All a criminal needs is two cheap smartphones and some software – which could be sold on the black market, if it is not already available. This change is likely the reason why, years after our demonstration, the industry has developed a defence against the relay attack, but only for contactless cards.

Closing the loophole

The industry’s defence is based on a design that Saar and I developed at the same time that we demonstrated the vulnerability, called distance bounding. When the terminal challenges the card to prove its identity, it measures how long the card takes to respond. During a genuine transaction there should be very little delay, but a fake card will take longer to respond because it is relaying the response of the genuine card, located much further away. The terminal will notice this delay, and cancel the transaction.

We set the maximum delay to 20 nanoseconds, the time it takes a radio signal to travel six metres; this would guarantee the genuine card is no further away than this from the terminal. However, the contactless card designers made some compromises in order to be compatible with the hundreds of thousands of terminals already in use, which allow far less precise timing. The card specification sets the maximum delay the terminal allows at two milliseconds: that is two million nanoseconds, during which a radio signal could travel 600 kilometres.

Clearly this doesn’t offer the same guarantees as our design, but it would still represent a substantial obstacle to criminals. While it’s enough time for the radio signal to travel far, it’s still a very short window for the software to process the transaction. When we demonstrated the relay attack it regularly introduced delays of hundreds or even thousands of milliseconds.
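As an added illustration (not part of the article), the distance-bounding check described above, simulated in Python. The terminal sends a random challenge and times the reply: a direct link adds only propagation delay, while a relay adds the latency of the fraudster's link in each direction, so a relayed answer passes the cryptographic check but fails the timing one. The HMAC the card answers with, the 5 cm tap distance and the relay hop latencies (50 ms for a smartphone-to-smartphone link, 0.2 ms for purpose-built radio hardware) are assumptions chosen to show the behaviour, not measurements; the two bounds, 20 ns and 2 ms, are the article's own figures.

```python
"""Added example (not from the article): a terminal that bounds the card's
distance by timing the challenge/response, tried against a relay attack.
Link latencies are simulated, so the numbers are exact and repeatable."""
from __future__ import annotations
import hashlib
import hmac
import os

C = 299_792_458.0        # metres per second, radio propagation speed
STRICT_BOUND = 20e-9     # the article's design: 20 ns, about six metres of travel
EMV_BOUND = 2e-3         # the contactless specification's 2 ms


def signal_travel_m(delay_s: float) -> float:
    """Distance a radio signal covers in delay_s: an upper bound on how far the
    responding card can be (a round trip would halve it; the looser bound is kept)."""
    return C * delay_s


class Card:
    """Genuine card: answers a challenge with a MAC under a key only it and the
    bank hold. The HMAC is an assumed stand-in for the EMV cryptogram."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]


class DirectLink:
    """Card held distance_m from the terminal; only propagation delay applies."""
    def __init__(self, card: Card, distance_m: float) -> None:
        self.card, self.distance_m = card, distance_m

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        return self.card.respond(challenge), 2 * self.distance_m / C


class RelayLink:
    """The fraudster's fake card plus fake terminal: the challenge is forwarded to
    the genuine card and its answer forwarded back, adding hop_latency_s each way."""
    def __init__(self, genuine: DirectLink, hop_latency_s: float) -> None:
        self.genuine, self.hop = genuine, hop_latency_s

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        response, rtt = self.genuine.exchange(challenge)
        return response, rtt + 2 * self.hop


class Terminal:
    """Verifies the MAC and refuses the transaction if the reply took too long."""
    def __init__(self, key: bytes, max_delay_s: float) -> None:
        self._key, self.max_delay_s = key, max_delay_s

    def verify(self, link) -> dict:
        challenge = os.urandom(8)
        response, rtt = link.exchange(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]
        crypto_ok = hmac.compare_digest(response, expected)
        timing_ok = rtt <= self.max_delay_s
        return {"crypto_ok": crypto_ok, "timing_ok": timing_ok,
                "accepted": crypto_ok and timing_ok,
                "rtt_s": rtt, "max_distance_m": signal_travel_m(rtt)}


def run_scenarios() -> dict[str, dict]:
    """Genuine tap, smartphone relay and purpose-built relay under both bounds.
    The hop latencies are assumptions, not measurements."""
    key = os.urandom(16)
    genuine = DirectLink(Card(key), distance_m=0.05)          # card 5 cm from reader
    phone_relay = RelayLink(genuine, hop_latency_s=0.050)     # phone-to-phone, 50 ms per hop
    custom_relay = RelayLink(genuine, hop_latency_s=0.0002)   # dedicated radio, 0.2 ms per hop
    strict, emv = Terminal(key, STRICT_BOUND), Terminal(key, EMV_BOUND)
    results = {}
    for name, link in (("genuine", genuine), ("phone_relay", phone_relay),
                       ("custom_relay", custom_relay)):
        s, e = strict.verify(link), emv.verify(link)
        results[name] = {"crypto_ok": s["crypto_ok"], "strict": s["accepted"],
                         "emv": e["accepted"], "rtt_s": e["rtt_s"]}
    return results
```

Against the 20 ns bound both relays fail; against the 2 ms bound the smartphone relay still fails on timing even though the cryptographic check passes, which is the case the article describes, and only the purpose-built relay with sub-millisecond hops gets through. A fake card without the key fails the cryptographic check regardless of timing.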

It will be years before the new secure cards reach customers, and even then only some: there is only one Chip and PIN specification, but there are seven specifications for contactless cards, and only the MasterCard variant includes this defence. It’s not perfect, but it makes pragmatic compromises that should prevent smartphones being used by fraudsters as tools for the relay attack. The sort of custom-designed hardware that could still defeat this protection would require expertise and expense to build – and the banks will hope that they can stay ahead of the criminals until the arrival of whatever replaces contactless cards in the future.

Steven J. Murdoch is a member of The Tor Project and employee of VASCO.

http://nr.news-republic.com/Web/ArticleWeb.aspx?regionid=4&articleid=70003692&source=viber


This is why you should never hand your card over when paying with contactless

Many have handed their card over to a bartender or shop keeper to tap the machine when paying, but you really shouldn’t

Paying for goods is even easier with contactless: a tap and away you go. But if you are asked to pass your card to the bartender or shopkeeper, you should refuse.

Payment being made with a Barclaycard contactless bank card: you shouldn't let someone else handle your contactless card

Andrew Goodwill, the founder of the Goodwill Group against CNP (card not present) fraud, shared his advice with our sister title Mirror Online .

He said: “There is an unwritten code of good practice which is that when paying by either contactless card or by any other card, that the card should always be in the sight of the customer.

“If the card reader is not brought to you for the transaction to take place then you should challenge why not and refuse to let the card out of your sight.

“The waiter or waitress may be all smiles and maybe served you very well, but do they have a card reader behind the counter? You just don’t know.”


The Mirror reported in February that an app can turn a phone into a card reader, and it pulled the details of several cards within seconds.

Mr Goodwill also warned of the dangers of keeping contactless cards on your person in general.

“Contactless cards have a security issue when they are in your purse or wallet and should be protected by using a metal card holder wallet with RFID blocking technology.

“Fraudsters can come up close to you and by using a card reader they can read your card details even if it is in your bag or wallet.”

Mirror Money performed an investigation into these claims in February and found card details could be pulled easily.


It took the team less than a minute to search for an app that turns a smartphone into a card reader, download it then drop the phone next to a wallet to see if the card could be read while inside.

It could. Not just on one person, and not just with one wallet. In less than five minutes they had pulled seven people’s card details, all from different wallets and purses, just using a phone.

It even worked when the card was inside someone’s wallet, inside someone’s pocket.

And despite warnings about the danger of card clash, when the Mirror tried it with a wallet that had three different contactless cards in it, it still worked. All that happened was that the reader picked one card and took its details, ignoring the rest.

The Mirror team stress that they used a simple, legal app and could pull card details such as the long card number, the provider and the expiry date.


http://nr.news-republic.com/Web/ArticleWeb.aspx?regionid=4&articleid=69925910&source=viber

Criminals Planting Keyloggers On Smartphones

Lock screen on an Apple iPhone

Smartphones will become the number one target for cyber criminals within five years, according to police and security experts.

Sky News has been shown how hackers are developing malware to bypass a phone's security, including the latest biometric systems.

The malware, a ‘Trojan horse’, gives cyber-criminals undetected access to a phone's internal systems, where they can see every keystroke entered by the user.

This has serious implications for those who use their phones to access bank accounts and apps that hold sensitive, personal information.


Roughly a quarter of the world’s population own smartphones and the United Kingdom is top of the list with six out of 10 people owning a device.

Keiron Shepherd, senior security engineer at the cyber security company F5 Networks, has been monitoring the targeting of mobile devices by hackers.

He told Sky News: “If you just consider the amount of smartphones and the number of people, it’s a great surface area for attackers to go for.

“Windows was the predominant system, it was the path of least resistance for the malware writers. Devices and operating systems which were considered not an issue to be worried about in the past have now become a target for the malware writers.”


One piece of malware monitored by F5 Networks embeds itself in an innocent-looking advert on a website. When the advert is clicked, the malware infiltrates the device and monitors every keystroke, even when the user accesses their bank accounts.

Keiron Shepherd said: “The way this virus can insert itself between the applications you’re using before it accesses the internet gives it a chance to extract critical data such as credit card numbers, bank accounts; anything that’s of high value.

“It really is a numbers game. They’ll throw enough malware out there and hope it returns a good investment.”

Police are monitoring an increase in complaints of fraud committed against smartphone users.

City of London Police Commander Chris Greany, the national police lead for cyber protection, said: “People who carry a mobile phone are actually carrying a mobile computer.

“It’s not a phone with a computer attached. It’s a computer with a phone attached and it is as risky using this as it is using the desktop at home.”

http://nr.news-republic.com/Web/ArticleWeb.aspx?regionid=4&articleid=64373840&source=viber

Shielding and blocking RFID, NFC, contactless payment cards and security passes