Posted on

How safe is contactless payment? BBC – Rip Off Britain

What you should know about making a contactless payments

How easy is it to get at data stored on your contactless bank card, it’s easy than you think.

Card data scanned without authorisation

BBC Rip Off Britain investigate how easy it is to use your bank card data scanned using a smart phone, all this is possible with shocking results. The security expert makes an Amazon online payment using the scanned card data.


BBC Rip Off Britain

Posted on

Hacking RFID devices using NFC smartphones

Presentation showing the ease of access to data on RFID devices using standard NFC equipped smartphones.

RFID hacking exploits
What is possible using an NFC smartphone hacking RFID data cards

The presentation describes potential vulnerabilities in various RFID devices (Mifare, RFID biometric passports, Mastercard PayPass, VISA PayWave) and how to exploit them using NFC smartphones.

Posted on

Nearly One In Five Sales Now Use Contactless Payment

Figures have revealed contactless payments now account for 18% of sales – up from 7% a year ago.

A report by the UK Cards Association said that contactless transactions were higher in the six months to June than they were for the whole of last year.

The average transaction cost £8.60, the report added.

Shopper makes a contactless payment using a terminal
Making a payment with a contactless payment, RFID, NFC bank card

“Contactless cards are firmly entrenched as the preferred way to pay for millions of consumers, who expect to be able to use them for everyday purchases,” said Richard Koch, head of policy at UK Cards Association.

“We anticipate the use of contactless cars will continue to increase, particularly as charities and transport operators outside London recognise the benefits this technology can bring,” he added.

The use of contactless has been boosted by small retail purchases such as food and drink purchases and public transport.

Cash still remains the most common method of payment.

In the first six months of the year, 1.1 billion transactions were made using contactless cards, up from 1.05 billion in 2015.

Many retailers do not accept contactless payments, despite the one-off spending limit being raised from £20 to £30 last September.

http://nr.news-republic.com/Web/ArticleWeb.aspx?regionid=4&articleid=71362552&source=viber

Posted on

Do you know what you’re paying for? How contactless cards are still vulnerable to relay attack

Contactless card payments are fast and convenient, but convenience comes at a price: they are vulnerable to fraud. Some of these vulnerabilities are unique to contactless payment cards, and others are shared with the Chip and PIN cards – those that must be plugged into a card reader – upon which they’re based. Both are vulnerable to what’s called a relay attack. The risk for contactless cards, however, is far higher because no PIN number is required to complete the transaction. Consequently, the card payments industry has been working on ways to solve this problem.

The relay attack is also known as the “chess grandmaster attack”, by analogy to the ruse in which someone who doesn’t know how to play chess can beat an expert: the player simultaneously challenges two grandmasters to an online game of chess, and uses the moves chosen by the first grandmaster in the game against the second grandmaster, and vice versa. By relaying the opponents moves between the games, the player appears to be a formidable opponent to both grandmasters, and will win (or at least force a draw) in one match.

Similarly, in a relay attack the fraudster’s fake card doesn’t know how to respond properly to the payment terminal because, unlike a genuine card, it doesn’t contain the cryptographic key known only to the card and the bank that verifies the card is genuine. But like the fake chess grandmaster, the fraudster can relay the communication of the genuine card in place of the fake card.

For example, the victim’s card (Alice, in the diagram below) would be in a fake or hacked card payment terminal (Bob) and the criminal would use the fake card (Carol) to attempt a purchase in a genuine terminal (Dave). The bank would challenge the fake card to prove its identity, this challenge is then relayed to the genuine card in the hacked terminal, and the genuine card’s response is relayed back on behalf of the fake card to the bank for verification. The end result is that the terminal used for the real purchase sees the fake card as genuine, and the victim later finds an unexpected and expensive purchase on their statement.

Demonstrating the grandmaster attack

I first demonstrated that this vulnerability was real with my colleague Saar Drimer at Cambridge, showing on television how the attack could work in Britain in 2007 and (Play video) in the Netherlands in 2009.

In our scenario, the victim put their card in a fake terminal thinking they were buying a coffee when in fact their card details were relayed by a radio link to another shop, where the criminal used a fake card to buy something far more expensive. The fake terminal showed the victim only the price of a cup of coffee, but when the bank statement arrives later the victim has an unpleasant surprise.

At the time, the banking industry agreed that the vulnerability was real, but argued that as it was difficult to carry out in practice it was not a serious risk. It’s true that, to avoid suspicion, the fraudulent purchase must take place within a few tens of seconds of the victim putting their card into the fake terminal. But this restriction only applies to the Chip and PIN contact cards available at the time. The same vulnerability applies to today’s contactless cards, only now the fraudster need only be physically near the victim at the time – contactless cards can communicate at a distance, even while the card is in the victim’s pocket or bag.

While we had to build hardware ourselves (from off-the-shelf components) to demonstrate the relay attack, today it can be carried out with any modern smartphone equipped with near-field communication chips, which can read or imitate contactless cards. All a criminal needs is two cheap smartphones and some software – which could be sold on the black market, if it is not already available. This change is likely the reason why, years after our demonstration, the industry has developed a defence against the relay attack, but only for contactless cards.

Closing the loophole

The industry’s defence is based on a design that Saar and I developed at the same time that we demonstrated the vulnerability, called distance bounding. When the terminal challenges the card to prove its identity, it measures how long the card takes to respond. During a genuine transaction there should be very little delay, but a fake card will take longer to respond because it is relaying the response of the genuine card, located much further away. The terminal will notice this delay, and cancel the transaction.

We set the maximum delay to 20 nanoseconds – the time it takes a radio signal to travel six metres; this would guarantee the genuine card is no further away than this from the terminal. However, the contactless card designers made some compromises in order to be compatible with the hundreds of thousands of terminals already in use, which allows far less precise timing. The card specification sets the maximum delay the terminal allows at two milliseconds: that’s 2m nanoseconds, during which a radio signal could travel 600 kilometres.

Clearly this doesn’t offer the same guarantees as our design, but it would still represent a substantial obstacle to criminals. While it’s enough time for the radio signal to travel far, it’s still a very short window for the software to process the transaction. When we demonstrated the relay attack it regularly introduced delays of hundreds or even thousands of milliseconds.

It will be years before the new secure cards reach customers, and even then only some: there is only one Chip and PIN specification, but there are seven specifications for contactless cards, and only the MasterCard variant includes this defence. It’s not perfect, but it makes pragmatic compromises that should prevent smartphones being used by fraudsters as tools for the relay attack. The sort of custom-designed hardware that could still defeat this protection would require expertise and expense to build – and the banks will hope that they can stay ahead of the criminals until the arrival of whatever replaces contactless cards in the future.

Steven J. Murdoch is a member of The Tor Project and employee of VASCO.

http://nr.news-republic.com/Web/ArticleWeb.aspx?regionid=4&articleid=70003692&source=viber

 

Posted on

This is why you should never hand your card over when paying with contactless

Many have handed their card over to a bartender or shop keeper to tap the machine when paying, but you really shouldn’t

Paying for goods is even easier with contactless pay. A tap and away you go. But if you are asked to pass your card over to the bartender or shopkeeper should refuse.

Payment being made with barclay card RFID bank card
You shouldn’t let someone else use your contactless card

Andrew Goodwill, the founder of the Goodwill Group against CNP (card not present) fraud, shared his advice with our sister title Mirror Online .

He said: “There is an unwritten code of good practice which is that when paying by either contactless card or by any other card, that the card should always be in the sight of the customer.

“If the card reader is not brought

to you for the transaction to take place then you should challenge why not and refuse to let the card out of your sight.

“The waiter or waitress may be all smiles and maybe served you very well, but do they have a card reader behind the counter? You just don’t know.”

You can now use Android Pay on your mobile as Google launches system in UK

The Mirror reported in February there is an app that could turn a phone into a card reader and pulled the details of several cards within seconds.

Mr Goodwill also warned of the dangers of keeping contactless cards on your person in general.

“Contactless cards have a security issue when they are in your purse or wallet and should be protected by using a Metal Card Holder wallet with RFID blocking technology

“Fraudsters can come up close to you and by using a card reader they can read your card details even if it is in your bag or wallet.”

Mirror Money performed an investigation into these claims in February and found card details could be pulled easily.

Phones could replace cash in nine years

It took the team less than a minute to search for an app that turns a smartphone into a card reader, download it then drop the phone next to a wallet to see if the card could be read while inside.

It could. Not just on one person, and not just with one wallet. In less than five minutes they had pulled seven people’s card details, all from different wallets and purses, just using a phone.

It even worked when the card was inside someone’s wallet, inside someone’s pocket.

And despite warnings about the danger of card clash , when the Mirror tried it with a wallet that had three different contactless cards in it, it still worked. All that happened was that the reader picked one and took its details, ignoring the rest.

The Mirror team stress that they used a simple, legal, app and could pull card details such as the long card number, the provider and expiry date.

 

http://nr.news-republic.com/Web/ArticleWeb.aspx?regionid=4&articleid=69925910&source=viber

Posted on

▶ RFID – The Risk inside your credit card – YouTube

Watch this YouTube video regarding RFID thefts and how easy a security expert clones, copies and makes payments using easy to buy and make scanners. This information is not hard to find and easily make you understand why you should be using RFID shielding. The video also talks about using aluminium foil, this works but only for some frequencies and does not protect all cards. Please read our other post on aluminium foil and why it doesn’t work

via ▶ RFID – The Risk inside your credit card – – YouTube.