back to article Aussie builds contactless card cloner app, shops at Woolies with fake card

Money hacker Peter Fillmore has created an Android app that can clone some of Australia's most popular contactless credit cards. In attacks that slipped beneath banks' and credit card providers' radars, the Aussie boffin probed the protocols behind Visa and Mastercard payment cards and proved the viability of an attack by …

  1. Sanctimonious Prick


    You could almost see this coming!

    1. dan1980

      Re: Boom!

      Yep. I remember last time I travelled I saw special travel wallets that were designed to protect against people electronically cloning/reading your passport and credit cards.

      It's my - perhaps old-fashioned - opinion that everything convenient is insecure. (Well, within the given sphere.)

      The problem is that the convenience and 'innovation' is seen as more important than security, so we have things deployed before they are really ready to be. Better to get a product to market sooner with flaws than to wait and get it right, it seems.

    2. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward


    Ummm... this has been known for a number of years. Last year at Ruxcon I meet 3 "researchers" who all had done this. Yes, all on Android phones, and all making claims about stealing tramfuls of credit cards.

    When questioned about the actual mechanics - i.e. the antenae and the signal processing required to manage multiple signals and paths, they all just responded "that's just engineering - someone will work it out". Seriously - this was their answer. Needless to say, none of them had a grasp of how RF works.

    So yes, it is a proof of concept. Why does everyone think that (1) the banks are unaware of this, (2) they have not considered this, and (3) they have no controls in place. Every security manager and professional in banks that I have spoken with are well aware of this problem.

    So this is simple just another self-aggrandising person looking for security work.

    Anonymous (naturally)

    1. Intractable Potsherd Silver badge

      Re: YAWN!!!!

      Anecdote isn't evidence. If these Ruxcon l33t haxors had actually done it, how come Fillmore is the first one to publish? Either there is some untruth, or the people you refer to are dishonest in a more criminal way.

    2. PeterFillmore

      Re: YAWN!!!!

      Maximum read length of a passive NFC is listed at 20cm (without any signal processing, could be more with bigger antenna, more power)

      no multiple signals are required, iso14443 provides support for multiple tags in 1 field (not commonly supported on commercial readers, but not too difficult to implement) read the Iso14443-3 spec.

      Card brands were not aware that banks were setting the random number requirement this low. Additionally bad RNGs are prevalent in EMV readers and kernels, making attacks like this easier (EMVco do not mandate an RNG, or test the RNGs)

      Happy to take some extra security work ;) unfortunately I agree that I'm totally self-agrandizing,

      Micheal Roland deserves the credit

      I just rolled my own implementation of his awesome work.


      Peter Fillmore

  3. Winkypop Silver badge

    A Sting no doubt!

    Don't stand, don't stand so

    Don't stand so close to me

    Better call the, erm,...Police!

    1. Anonymous Coward
      Anonymous Coward

      Re: A Sting no doubt!

      Now I've got Roxanne stuck in my head…

      Probably appropriate since we (collectively) are going to get shafted by this one way or the other.

  4. Adam 1

    Are opal cards vulnerable to the same class of attacks?

    1. dan1980

      @Adam 1

      More annoyingly, however, they are prone to not working, cost more than most people were paying for their monthly or multi ticket, are a pain to recharge anonymously and track you if you link it to your credit card.

      They are also thicker in the wallet, take longer to register at the gate and - at my station - one of the readers seems to be broken every other week.

      I imagine they are vulnerable to this attack as well so you can add that to the list.

  5. Medixstiff

    Well this was more than expected, considering when the Galaxy S5 came out, we were scanning cards with the NFC feature and having no problems getting info off the cards, it was only a matter of time for a clever cookie to do something like this.

  6. Bradley

    The attack, where the criminal can actually make a payment on your account, comes via mag stripe. EMV needs to be 100% authoritative with no fall-back. Period.

  7. Anonymous Coward
    Anonymous Coward


    Or he'll end up in jail like the last major CC security whistle blower: Serge Humpich.

  8. Walt Augustinowicz

    We did a similar test in April 2013

    In the US we were able to scan a MSD contactless card with a Vivopay 4500 using a blue tooth serial communications with an NFC cell phone. We transmitted typical queries to the card and we saved the answers to the cell phones memory then went to a contactless terminal at a merchant and just played back the same answers to each question from the reader. The news anchors kind of mixed two different attacks in this news piece but you can see us paying with our own payment app at the merchant.

  9. dhcp pump


    The tool hopefully approached the banks or disclosed correctly to the authorites before he disclosed publicly,what does he want a friggin job with the crims ! or a medal ,its not new except he did it on new hardware.

    Lock the prick up till he finds the solution,no foil hat for this wank.

    Rin Tin Tin foil bloddy hat for my cards now.

    Your tapped now buddy ,watch those packets !.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021