
Awww blesss
I see the naive "hands over the ears, eyes closed, chanting 'La La La' repeatedly, while thinking all is well, nothing bad will happen" method of security is alive and flourishing.
Fraudsters will not be able to extract confidential information from a person's contactless bank card or other compatible technology as the type of data held on such cards will be restricted, Will Judge, head of future ticketing at Transport for London (TfL) has said. Giving evidence to the London assembly transport committee …
Though he does deserve ridicule for the "100% security" claim. Nobody who actually understands security dares honestly claim any such thing. So either he's clueless or he's dishonest.
Though this system appears to be a grade better than the (newer!) system about to be deployed nationwide over in the Netherlands, so it might well prove a shade more resistant to attack, but even so such declarations also amount to a challenge. If the card itself doesn't contain all the info needed to conduct transactions, then how will the original card work? Let's see if the things aren't functionally clonable anyway, or whether you can proxy payments, or fake upping the balance on a card, whatnot. It'll be interesting to see people with less conviction in the system's infallability will manage to come up with.
The card DOES contain all the data, but it is encrypted inside it.
The card will (in theory) only reply to a challenge, and each time the card will get a different challenge that only that card (because of the shared key) will be able to reply.
The theory is that the card will never release the key.. only the correct answers.
Of course, you can always sit near your victim in a restaurant and flood his cards with requests... and "harvest" his cards for an hour.. and know a huge pile of correct answers. An then steal his car.. that is how Beckham got his car stolen some 500m (about 600 yd for you;) ) from where I sit right now.
You'd have to sit pretty close to harvest in the manner you describe because NFC only works over about 10-20cm if you /really/ ramp it up.
Also Beckham's car is hardly comparable, it's an entirely different system to NFC bank cards, that's like saying I broke into a Windows machine, so Linux must be insecure.
You'll have exactly the same defense now as you have with debit or credit cards. Er, none....
"It must be your fault sir/madam. We've told you, our systems are infallible. Now go away.... while we tell the same story to the other 100 people waiting behind you..."
Please will you and everyone else who keeps bringing this up stop it.
It's been written into law for something like two years now that the banks have the burden of proof and that the customer is considered a victim, until proven that they gave their data away/took out their own cash and reported it stolen. It's also worth noting that a pin auth'd transaction doesn't count as proof because it could have been shoulder surfed.
In a less spin crazy world you'd hope people would have the guts to stand up and say
"of course its not 100% safe, nothing is. But over 5,000 people a year have their pockets picked on London Underground every year, so our best reckoning at the moment is that its no more unsafe than cash".
I dunno, maybe I'm getting too old...
If it is 100% safe, the first poor sods who get ripped off *must* be lying, because its 100% safe. Even if they buy two tickets at exactly the same time in two different stations, that must have been what actually happened, because its 100% safe, so there is no other explanation.
Remember when ATMs were offline, so your PIN was on the mag strip in plain text, and crooks could read it off a stolen card with a cassette recorder? Took ages for the banks to admit it.
Going back a while, mid 80s when there was only one ATM in the whole of Milton Keynes, and AFAIK they were not connected to anything so they had to verify the PIN without phoning home. I seem to remember reading about a scam which involved reading the stripe with a cassette recorder, and retrieving enough info to clone and use it.
Wasn't there a case of the same card being used in two far apart cities at more or less the same time, with the bank still insisting that their system was unbreakable?
You can't create a magstripe with a tape recorder, I have heard that one, but considering you've always been able to buy (albeit not always as easily as it is now) magnetic card writers, why would you even try? The alignment of the tracks is different to that of a tape recorder's write head and IIRC there is also a strobe track to align everything up.
As I mentioned, magstripe cards can authorise their use in a cash machine without a pin verification (ie: It's offline) I'm not sure if this was used, but it's certainly possible.
It would be very unusual to put an ATM into a location without it being linked up by a leased line. This was one of the reasons that they used to always be in a bank's wall, as there was already a leased line there.
Yes, there were cases of cards being used in cities far apart and the banks involved didn't exactly cover themselves with glory over that, this is really before card cloning was known. This sort of thing doesn't happen any more.
A chip and pin card does store the pin and has a much more sophisticated method of allowing (or not) authorisation if no online transaction verification is available. (It boils down to: If you're rich you get to buy stuff, if you're poor or in and out of overdraft you don't.)
"You cannot extract enough information from a card to spend someone else's money," he stressed"
How can you spend your own money then? at the very least someone could grab whatever information IS available , put it on a blank rfrid chip and use it for free london transport.
Because the card (which is more than an RFID chip, but contains secure storage and processor including cryptographic accelerators) contains information on it (keys) which it will never disclose. It uses the keys to encrypt data provided by both the card and the terminal. That data (along with some other static data) IS disclosed to the reader, which then sends it to the bank for verification. Effectively, the returned data is a one-time password that the bank can re-create to check that it was generated by the real card.
Without the keys (i.e. somehow 'put it on a blank rfrid chip'), the bank will just see the same 'one-time-password' popping up (and rejecting the transaction). If wrong keys are used, then the bank won't verify the 'one time password' (and reject the transaction).
Yes, this all depends on the cards not disclosing their private keys. This is one of the main focus for security evaluations of cards and operating systems on cards involving lasers, x-rays and other interesting kit to attempt to extract keys from these cards. And whilst as people have said, security can never be 100% - to even begin to attempt to get keys out of cards required physical access to the card, removing the chip from the plastic card itself, stripping the top off the chip before being attacked by some very very expensive kit. It's by a guy standing next to you on the tube whilst the card remains in your pocket!
Ross Anderson will say something along the lines of "It's totally broken, we've had people writing to us about it, we've even proven that it doesn't work".
He will also miss out the bits about the proof being limited to a very specific lab environment and that the people complaining to them are not necessarily the most reliable.
That said, should I end up with fraudulent transactions on my card and a bank not refunding it, I'd probably go to Ross because he is good at what he does, he just tends to oversell it a bit to publicise him/his department.
This post has been deleted by its author
It never has been. The whole point of this isn't even convenience.
There is only one reason that actually explains and justifies their existence (not for us, the consumer, but for the financial institutions implementing these), and that is the increased shift in liability.
We all know that using signature to validate cards wasn't ever that great, assuming shop assistants ever checked them in the first place, which they generally didn't/don't.
So the banks introduced Chip and PIN, which is 'more secure' but at the same time it puts less of the liability on them if there is a case of fraudulent use.
With this, how the hell do you prove that you didn't use your card? Answer: you can't. You can't prove you didn't use your card with Chip & PIN, but at least there you had to physically insert something into a reader and enter something. Getting a PIN requires either doctoring the pad, or observation of the user - and you still need the chip's details.
This is contactless, which means that accessing the data doesn't require putting it in a reader, meaning skimming is going to be an issue - you don't have to doctor anything, you just have to have a standalone reader unit in your hand and boom.
As it happens, my other half paid for some stuff in a Londis near here and they have a contactless terminal (and she, unfortunately, has a contactless card from LTSB) - and that authorised a £7.50 transaction without asking for any details... she promptly said she wasn't going in there again, and I swear I hadn't done anything to convince her how iffy the whole idea was...
Firstly due to transactions being limited to small amounts, a rogue merchant would have to defraud a lot of people to make a living, and would get caught within a week. Hopefully the banks do actually know who the merchants are?
A corner shop could extract the odd unauthorised payment and hope nobody noticed, but that's a lot of risk for little reward.
But shouldn't Card Not Present rules apply here - if the customers says the transaction didn't happen, the bank essentially believes them (unless they do it to often)?
Yes, if you were skimming £1 a time, you would need to hit a lot of people to make it worthwhile but when you have a few million targets this is a bit more of a possibility.
How would they get caught?
Only if people noticed the transactions, were aware they were fraudulent and could prove that this was the case. It may be considered by some people that its worth the risk to get a lot of small payments and hope that people dont notice them...
Not for me personally, but then criminals have a different risk / reward assessment.
I think if you scammed 10p each off 5000 people a day, some of them would notice. And most people aren't going to ignore a dodgy transaction just because it is a small amount - they would be worried in case it is much more next month.
I'm not saying nobody would be stupid enough to try, but they wouldn't get away with it very long.
One thing just came to mind and is probably a load of unworkable tosh but hear me out:
PIN-less transactions for under £10-£15 are now becoming more available. Some places, like restaurants use wireless terminals so they can serve people are their tables. What's to stop someone walking around the street with a wireless terminal prepped with a £10 transaction brushing past people in the street?
It still happens.
Also, if somebody was skimming £1.99* off every 10th passer by, how many would actually notice, how many would notice and complain, and how many would complain enough to get the amount refunded?
I suspect that somebody could get away with doing that for quite a long time.
The real question is whether someone could do it for long enough for it to be worthwhile, but it's certainly plausible - I suspect that the first thing a bank would do is ask the trader to be more careful, which is a nice big 'heads up, you're being spotted' to the attacker.
*Or some other 'pretty common' transaction amount.
...apart from the obvious "I'll get a reader and stand in a crowded tube to make a fortune" option, it'll only be a matter of time before your bank gains an advertising arm to provide targeted advertising as you wander about the streets a la "Minority Report" but without the eyeball bit.
Oh and I suppose for our "comfort and security" the police will be able to track us within an inch or two of our lives rather than the "near enough" mobile network.
Mind you it'll stop rioting...try legging it out of JD sports with an armful of trainers without paying!
Bet I can stand less than 20cm away from someone's pocket at rush hour....
Can I either have a card that makes a loud sound when being read or a wallet that is screened until I open the flap?
And if they bring in "free-flow Walk-through" systems, then I definitely DON'T want my cash linked to the same card.
Verma said: "TfL never sells personal data, we don't share or sell personal data unless required by law."
Lies! I FoIA'd TFL a few years ago and asked about this. All the police have to do is ask for travel details and they get them - no warrant required (back then, they'd been asked something like 246 times, and only once had they refused). Last time I checked, just because a policeman asks you for something doesn't make his request "required by law".
"Because the card [...] contains information on it (keys) which it will never disclose."
And following best security practice I'm pretty sure there's a backup of said private keys safely stored on a USB memory stick in PKCS format without password protection going round the Circle line.