Horses for courses
Potentially handy for American diplomats at the UN then?
A US TV station has demonstrated how easy it is to lift credit card details from proximity-payment cards, though in the process showing just how pointless the activity is. The video does a nice job of demonstrating just how close you have to be to read the cards, which are induction-powered and so have very limited range; you needn't …
Surely if an NFC card can be used to make payments then a payment can be sucked out of it by the bloke next to you in the tube... They said Chip&Pin couldn't be hacked only to be proven wrong.
Obvious methods are:
1) Copy details from as many cards as possible and process them en-masse through a broken/modified NFC till, small amount x many transactions = big number.
2) Duplicate cards and sell them 'in the pub' - punter beware but seller long since gone.
Sounds like tech best avoided!
There was something in the press recently about a gang that raised a lot of money by making very small (maybe < $0.50?) transactions to various credit cards. Most people didn't bother to contest the charge because it's too much hassle, hence they got away with it for a long time.
Now imagine that your credit card bill lists every transaction you make for a bus ticket or newspaper, at several transactions for a few pence every day. Probably very few people would even spot what you have done, let alone complain...
>>"Now imagine that your credit card bill lists every transaction you make for a bus ticket or newspaper, at several transactions for a few pence every day."
On the other hand, if there were online readers reporting transactions quickly, the trail could provide a record of where you are or have recently been, allow odd transactions to get rapidly flagged up, and maybe even get warnings/temporary blocks sent out, and so could make cloned details rapidly useless.
The details read from the card are there TO BE READ. It's actually part of the design! :) So someone being able to read them is nothing particularly amazing.
When you perform a transaction, the card generates a cryptogram using secret keys on the card that only the card issuer knows and the card never reveals. This cryptogram changes each time based on things like amounts, but also transaction counters.
An online transaction sends the cryptogram to the issuer for checking (basically, they perform the same calculation and compare the results). Without the correct keys, the cryptogram will not verify and the transaction is declined.
An offline transaction is where the cryptogram is sent later, in a batch with others. By the time this happens, the goods/service will have been provided and someone will have pocketed the profit.
Most transactions in the US are online transactions, so are well protected against making up fake cards.
Something else to note is that contactless cards can have 2 or 3 account numbers on them. Contact for Chip + PIN (printed on the front), mag stripe (possibly same as contact) and contactless (different from the others). If a contactless account number is read from the card, but submitted via a webpage (e.g. mail order), then it'll be declined. This stops people using the contactless account number for card not present transactions.
So the real risk is for offline transactions. However, in a dispute, it's very easy to check the cryptogram and see that it wasn't correct - so the card holder shouldn't need to prove they didn't perform the transaction.
I keep asking this question but no-one seems to have an answer;-
If I use the nearest of near field comms;- contact through putting coins in the shopkeep's hand then I do not need to be concerned about skimming in my pocket. Problem solved by keeping it simple, stupid.
No one seems to have done a cost benefit analysis on NFC or why I need it.
1. Visa makes no money at all when you use cash. When you use NFC, they can charge a handling fee...
2. Someone has to count all that cash and take it to the bank before someone else turns up with a cucumber in a carrier bag and asks for it instead.
3. The coins keep wearing holes in the pockets of my jeans.
4. Someone might use fake cash, and the shopkeeper will be out of pocket. NFC could never be used fraudulently.
Of course cards with contacts solve all these problems too!
There are quite a few cards giving you 1% cash back on all your transactions here in US; if you pay in full each month this is free money. I have no reason to carry cash with me - if I lose the card I have zero liability, while cash it is gone forever. In addition, there is a lot less bulk and weight to carry around compared to cash, and it is accepted everywhere.
Chase sent me a replacement card with RFID built-in and cash back; for now it is stored in a full metal jacket as I keep on using my old cards, with no RFID stuff built into them.
Reading the number and expiration date with off-the-shelf equipment makes the job easier for crooks; they need less work to figure out the rest. Now you need to worry if the guy who just walked with you for the past 30 minutes is following you home to get a name and an address to go with the CC number he just got in the bus or if he is just a new guy living in the area....
1) if very few people have more than spare change in their pockets, criminals have less incentive to rob people.
2) no trips to ATMs/banks to refill cash supply
3) sales tax gets paid 100% of the time (no under the table deals)
4) Receipt trail (a card number can be used to look up a lost receipt, no such luck for cash), so I can always get proof of warranty later if I lose a receipt, and return things without one too.
5) I pay the same price either way, but I get points using the card, extended warranties, theft protection, and I can stop payment if I think I got screwed or they refuse a product return.
6) lost card != lost money (especially most that have fraud/theft protections on plastic too)
7) Merchant can't be given counterfeit money (and even fraudulent transactions are guaranteed to be paid to him if Visa approved it).
8) No "crap, I don't have enough cash on me" moments that waste time and turn into no-sale with customers (and also no "sorry you made that pizza, but I only have $5, so, throw it out I guess." moments either)
9) Merchant can't get robbed for as big a loss since less cash is on hand.
10) less time counting down the till, and fewer mistakes too.
11) harder for cashiers to pocket a transaction instead of ringing it through. (charge customer cash, cancel transaction at last second, pocket money, no longer possible).
12) costs the same, roughly, as processing a check, but is more secure and comes with guarantees for the merchant.
I can easily go on.
"1) if very few people have more than spare change in their pockets, criminals have less incentive to rob people."
And more incentive to point a gun at you and direct you to the nearest ATM.
There's some advantages to plastic, but you'll never replace the instantness and convenience of cash. Plus the government can't stop you spending it, the US government in particular can't decide that you are unfriendly to their interests and bar your account (yay wikileaks), and you don't have every single transaction on a record.
Frankly I'd rather retain that level of control.
The only practical advantage NFC can have over existing chip 'n' pin readers is that the 'card' need not actually be a card. It could be a mobile phone. Japan already uses mobiles for this purpose, and you can link it in to your mobile billing to keep it topped up. It is quite neat and handy, you're never short of loose change.
Of course, that does nothing to prevent skimming. However the phone could act as a management app for the NFC payments. You could get a listing of all transactions anytime anywhere, so you might be able to rapidly spot dodgy transactions. Also the phone could turn off the NFC part whilst, for example, your phone keypad is locked. That would do a pretty good job of preventing skimming. I think that some of (if not all) of these possibilities are already on Japanese mobiles.
Personally speaking I agree with yourself - cash is straight forward and the worst that can happen is losing it. I don't see why a card needs to be NFC. We're quite good at putting cards in slots at the moment, so why does that aspect of their use need to change? The only true benefit of NFC is that something other than a card, like a mobile, can do the job instead.
I seem to remember demonstrations of reading contactless cards from a greater distance by using a much higher powered reader that could energise the card from further away?
All you need to do is transmit enough welly at the thing, which is trivial, and have a very sensitive receiver (which is harder, but where money is concerned, do-able).
It seems to me though that the problem is the same old one. The card gives up the magic number that is the 16 digit account number, and that same number can make unlimited transactions! Why is it that the rest of the world has moved on to one-time transaction codes and salted hashes / public-private keys, but the people who "look after" our money for us are still doing it the stone-aged way?
Nowadays even in batches of 1000 cards, a credit card will go for 2$ USD. An identity (DOB, name, surname, address, phone number), will instead go for 50$ USD. With an identity you can apply for many cards... with a stolen card you get a few free transactions, if any.
NFC strikes me as a solution in search of a problem. Yes it has benefits and in some cases such as tagging on & off of public transport perhaps NFC is justifiable. I don't think it is particularly handy for purchases either to the store or to the customer. If users are randomly challenged for a PIN, the system is going to be more of a pain in the arse than always being challenged.
People who say "it doesn't matter", or "thieves can't do anything with the data" don't get it. The point is that someone walking past me is able to obtain information without physically removing it from my person. By the time I check my card next there might be dozens of small payments on my card. Depending on what information leaks over NFC they may also be able to clone my card, or find out my name & details or other personal info. Perhaps stores and / or casinos could also create chokepoints where people must pass NFC readers which skim numbers (and RFIDs embedded in clothing etc.) to aid with tracking of particular people.
Let's hope the NFC code changes with each challenge and there is no obvious association between the NFC value and the card's name & number. At least that way, perhaps there is no way to clone a device or track someone or replay a code to simulate a transaction.
"People who say "it doesn't matter", or "thieves can't do anything with the data" don't get it."
Didn’t Jeremy Clarkson challenge anyone to try and do something with his bank account number and then regret the challenge? Why obscure the card details on receipts if the information is so innocuous?
"Didn’t Jeremy Clarkson challenge anyone to try and do something with his bank account number and then regret the challenge? "
Someone did. IIRC They put him down for a standing order to a charity. He didn't think preventing identity theft was that difficult.
Doesn't think that now though.
Very true, but this is more because the current system is inherently insecure, built before proper technological security maturity. If you can build an inherently secure system, then the need for "security through obscurity" - the current setup - is not needed. In that world, while I would certainly prefer my details remain private wherever possible, I would also be assured that their being public is not going to be harmful to me.
The real danger would be someone setting up a skimmer near an NFC payment contact point and collecting all the transactions. But people do that now with ATMs and magstripes so it's not really a new threat - it's just much easier to build a discreet skimmer for NFC than magstripes.
The main way in which sniffed 'NFC communications' from a credit card would be used would be to burn the data onto a good old-fashioned magstripe card. Then, just use the 'backward compatibility' features left around by the issuing community to commit good, old-style fraud. No need to worry about PIN or security code because of the good old excuse of "looks like the chip's broken".
Worrying ... especially the complacency of the payPass/SecureWave pushers.
I wonder... I suspect they have equally ingenious and malicious crims out there. If we feel we have more of it here, I suspect it's either due to us being careless, our implementations being poor or - most likely - we're being more worried about it because it's new and unknown.
But I reckon they have their fair share of crime out there but they manage it... much the same way we do with our current tech. The question is, would this change make it better or worse and, if worse, is the added convenience an acceptable tradeoff for it?
I am quite happy with pushing a card into a swipe machine and pushing in some numbers, I'd be even more happy if I can opt for a one time password the likes of which RSA provide.
However I really really don't see the need to make this activity, wireless. Other than reducing wear and tear on the cards which WE PAY FOR ANYWAY VIA CHARGES.
So contact-less payment monkey bothers, please turn your effort into what I want, not what you want.
cash, debit card, my problem
credit card, bank's problem
put a faraday cage around debit card*, only use credit card - let bank sort out fraud problems
*adapt a conductive film bag, like wot your memory stick came in, or do a deal with wallet manufacturer to create faraday section (while you're at it, make a passport holder too) share royalties with me...
I've seen online shops that require neither CVV nor any AVS matches. So it's far from worthless - especially when the details are put on a card and used in America - where card security is so lax it's unbelievable. As merchants over here in Europe we get hassled constantly about PCI DSS and surcharges if they think a transaction went through without being PCI DSS compliant - yet in the good old US of A from what I've seen hardly any merchant is even 1% towards being PCI DSS - In some places you don't even have to sign for your transaction let alone use chip 'n' pin.
Indeed. I just did a lot of online holiday shopping last night, and several merchants did not ask for CVV. (The article incorrectly has "CCV", by the way - someone should fix that.) I think all the sites I used wanted either CVV or correct billing address, but I couldn't swear to it.
In any case, one comment claimed the NFC account number is different from the embossed / magstripe account number. If that's true, then the danger of NFC sniffing is NFC cloning. That's at least good enough for petty crime, and reason enough in my book to kill this pointless feature.
And no, I don't want to pay for things with my phone, either. I can see how that might be useful for some, but let's have it be an option that's off by default. That's how my phone treats Bluetooth, and it's the right approach. People who can't figure out how to turn it on probably shouldn't be using it anyway.
I got out to the US and it is ridiculous how poor the card security here is. I got a debit card a year ago and use it every day for transactions. I sign for almost everything (you can usually use a PIN but it's never mandatory). However, I've still not signed my card, which means not one of the thousands of transactions I have done has ever checked my identity. I could nab anyone's card and empty it in the shops before the victim could report it...
Online here you don't typically use the CVV, but usually need an address. Not sure if that's a hard rule though.
OK, for NFC cards, there are cards which work like current EMV cards in that they generate and transmit data as if the card is being read from a chip reader - For these, authentication is through ARQC/ARPC (uses dynamic data for each transaction therefore is extremely difficult to clone) with or without iCVV/CVC3.
The other NFC cards transmit "track2 equivalent data" as if the card has been read from a mag-stripe - But it's not done in the same way. Every time the card is used, whilst the PAN and expiry date will be the same, other bits of data within the track2 information will be different for every transaction - The card verification digits within the track2 are generated dynamically because a component of the algorithm now includes a transaction counter, which is incremented for each new transaction. The issuing bank keeps track of the transaction counter, so you can't use it again, and it would take a long time to crack the keys used in the algorithm to generate the card verification digits.
So whilst you may be able to capture details from an NFC transaction, it's not going to matter because:-
(a) You can't use the same track2 details again for a second transaction
(b) You don't know the encryption keys used to generate the card verification digits for the next counter.
(c) even if you did, you have to hope that the real cardholder hasn't used their card again in the meantime...
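An added example, not part of any comment here and not any payment scheme's real code: the issuer-side check described in the comments on per-transaction cryptograms and on counter-based track2 verification digits, sketched in Python. HMAC-SHA256, the key, the PAN and the class names are assumptions standing in for the real algorithm, which the page does not give; the issuer here accepts any counter higher than the last one it approved.

```python
import hashlib
import hmac

def dynamic_cvc(key: bytes, pan: str, expiry: str, atc: int) -> str:
    """Three verification digits bound to the card data and the transaction counter.
    HMAC-SHA256 is a stand-in (assumption), not the scheme's real algorithm."""
    msg = f"{pan}|{expiry}|{atc}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    """Keeps the key secret; a tap reveals only PAN, expiry, counter and digits."""
    def __init__(self, key: bytes, pan: str, expiry: str):
        self._key, self.pan, self.expiry, self.atc = key, pan, expiry, 0

    def tap(self):
        self.atc += 1  # the counter is incremented for each new transaction
        return (self.pan, self.expiry, self.atc,
                dynamic_cvc(self._key, self.pan, self.expiry, self.atc))

class Issuer:
    def __init__(self):
        self._keys = {}      # pan -> key shared with the card
        self._last_atc = {}  # pan -> highest counter already approved

    def enroll(self, pan: str, key: bytes):
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorize(self, pan: str, expiry: str, atc: int, cvc: str) -> str:
        key = self._keys.get(pan)
        if key is None:
            return "declined: unknown card"
        if atc <= self._last_atc[pan]:
            return "declined: counter already used"
        if not hmac.compare_digest(cvc, dynamic_cvc(key, pan, expiry, atc)):
            return "declined: bad verification value"
        self._last_atc[pan] = atc
        return "approved"

def demo():
    # Constructed sample values, not real card data.
    key, pan, exp = b"constructed-demo-key", "9999000000000001", "2512"
    issuer, card = Issuer(), Card(key, pan, exp)
    issuer.enroll(pan, key)
    results = {}
    first = card.tap()                                     # counter 1
    results["genuine"] = issuer.authorize(*first)
    results["replay"] = issuer.authorize(*first)           # point (a)
    sniffed = card.tap()                                   # counter 2, read but not submitted
    results["cardholder"] = issuer.authorize(*card.tap())  # counter 3 arrives first
    results["stale"] = issuer.authorize(*sniffed)          # point (c)
    good = dynamic_cvc(key, pan, exp, 4)
    wrong = f"{(int(good) + 1) % 1000:03d}"                # constructed to differ from the real digits
    results["guess"] = issuer.authorize(pan, exp, 4, wrong)  # point (b)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```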
If they're random for small amounts, then why wouldn't criminals take that chance? If each time they charge $1 to a card there's a 1 in 4 (for the sake of argument) chance of needing the PIN then you've just made $3. Every time you're prompted for a PIN, just cancel the transaction. I'm guessing that the banks/credit card companies won't even notice since they likely only flag failed PIN entries, not transaction voiding (this may be incorrect, I honestly don't know).
Name this "business" cleverly ("[name of city] Convenience Shops" seems like a good choice) and walk around all day with a netbook, an NFC reader, and a WAN connection bumping into people. Even if they check their statements I doubt a tiny charge from something like that would raise an eyebrow.
So if you get a PIN request, you don't retry the same card. Walk around sniffing NFC details. Collect lots of accounts. Make small transactions. Don't use an account after you get a PIN prompt against it; don't use an account that's older than X hours.
Sure, it's not the crime of the century - just contactless pocket-picking. It's still a reason not to stick this pointless feature into credit and debit cards.
>>"Name this "business" cleverly ("[name of city] Convenience Shops" seems like a good choice) and walk around all day with a netbook, an NFC reader, and a WAN connection bumping into people."
If you're suggesting someone setting up a fake business to take the proceeds, doesn't that fail if there's a time-lag before a business (or at least, a newish business) can draw money they deposited from transactions?
Even a couple of days would likely be long enough for multiple people to spot and report a dodgy transaction, and for the receiving account to be frozen.
Stolen card numbers are available so cheaply online, in plentiful quantities, that it's hard to imagine anyone going to the trouble of stealing them this way. Besides, most of the people who fret about this sort of thing will happily let a waiter walk off with their card, or read the number out loud into a telephone.
Biting the hand that feeds IT © 1998–2020