Not sure what RFID is? Can't hack? You can STILL be a card fraudster with this Android app

Cybercrooks have developed an Android app that makes it possible to hack RFID payment cards, researchers discovered after a Chilean transport system was defrauded. The app at the centre of the scam hacked into the user’s radio frequency ID (RFID) bus transit card in order to recharge credits. The fraud-enabling Android tool, …

  1. ZSn


    Wasn't this already the case for the Dutch bus cards? There wasn't an Android app but the principle was the same - about five years ago with the same dreadful MIFARE cards

    1. imanidiot Silver badge

      Re: Netherlands

      It was, though they have since updated said cards to a newer version of the MIFARE card which is not susceptible to the same exploits. I have no doubt someone somewhere has cracked the new version as well though.

      Because of the way the Dutch system works, hacked cards are detectable though, so after a few uses they will probably be blocked from working with the system. (All the fixed checkpoints are networked to a central database system)

      1. JDoubler

        Re: Netherlands

        If you can hack one card, you can hack them all. The question is just when it gets discovered.


        "Don't fret, your contactless bank card is likely NOT susceptible"

        That is the biggest BS I have ever read, who is that brainless idiot?

        Every RFID chip can be hacked, that is as old as the RFID chip exists.

    2. Anonymous Coward
      Anonymous Coward

      Re: Netherlands

      and Swedish, in various regions. Also fake SMS tickets...

  2. Yugguy

    And they called me paranoid

    Cos I wrapped my new contactless Barclaycard in foil.


    1. illiad

      Re: And they called me paranoid

      guess what, I tried that!! It could STILL read the card, it must just increase the signal until it gets something... :O

      Of course, not all units worked, it depends on the bus I guess...

    2. Martin-73 Silver badge

      Re: And they called me paranoid

      Actually if you really want to disable the NFC, you just have to drill a hole partway into the card near the chip (holding it up to a bright light will show you where the NFC antenna coil connection wires are). Seeing as the bank are liable for any NFC transactions tho, doesn't really do much but inconvenience you, the user ;)

      1. Yugguy

        Re: And they called me paranoid

        Thanks for the tip.

        Now where's my Dremel?

  3. willish


    Surely this is a tool. Not malware

  4. This post has been deleted by a moderator

  5. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: meanwhile...

      Pop it in the microwave for a few seconds.

      "Contactless? No, that stopped working ages ago. No idea why..."

      1. Anonymous Coward
        Anonymous Coward

        Re: microwave

        which would also zap the chip needed for C&P.

      2. illiad

        Re: meanwhile...

        yes... but did it work in the ATM later???? ROFLMAO.... :)

      3. John Tserkezis

        Re: meanwhile...

        "Pop it in the microwave for a few seconds."

        As others have mentioned here (including other places), that would likely fry all the electronics in your card, and depending, it could also damage your magnetic strip.

        I'll give you a clue - no-one does physical imprint credit card transactions anymore. May as well give them your cardboard business card for all the good it'll do.

        1. David Roberts

          Re: meanwhile... No-one does physical imprint

          So the carbon that I have from the Calmac ferry to Islay is a figment of my imagination?

          Granted that anything remembered from the return trip after visiting all of the distilleries may be open to interpretation.

    2. illiad

      Re: meanwhile...

      I talked to a very nice lady at Santander, who managed to get me a debit card *without* contactless, as I explained I had to keep it separate from my oyster, and therefore did not know I had lost the contactless one I had!!

      1. Anonymous Coward
        Anonymous Coward

        Re: meanwhile...

        Halifax will also issue a new debit card without contactless. On the other hand Co-op told me to take a running jump; i.e. if I didn't like contactless I have the option to close the account.

  6. Anonymous Coward
    Anonymous Coward

    I'm so glad it's "likely not susceptible": today.

    Darned world is going mad.

  7. Anonymous Coward
    Anonymous Coward

    What else to expect?

    "The Bip card is based on the MIFARE classic card," Miller explained. "This card is one of a range of RFID cards, each offering different levels of security for a relative cost.

    "This particular type is one of the lowest cost cards available, but is also one of the most insecure. Methods to exploit this type of card were shown as early as 2007," he added."

    The problem is, indeed, the lowest security cards are the cheapest. And NXP, of course, is not withdrawing lowest sec cards because of low cost and massive revenue (people don't understand security and of course buy the cheapest).

    So, unless any given state/organisation is putting law pressure onto the card provider for guaranteed security, this situation will prevail. Shit security will be in every smart card product. Shame, but true.

    Anon, since I was involved in this problem ....

    PS: why am I not going black hat ? I'm dumb ...

  8. Skrrp

    Bank cards are not susceptible

    I work in this industry.

    It is true that Mifare classic has been broken for a long time and can easily be cracked with cheap readers and open source tools.

    What the payment card did wrong in this case is holding the balance on the card protected only by the lock keys.

    If they had implemented some form of readback and check-at-base like I suspect my local bus company does* then they could match card IDs to wildly changing balances and invalidate the IDs of the cards that are being hacked.

    Another layer of security such as combining the current balance, the date/time of last transaction and using the card ID as a salt being pumped into a simple bcrypt routine to produce a validation hash would have also foiled this method.

    This sounds like sloppy implementation security around guarding the validity of the balance. Nothing to see here.

    Bank cards are a different matter. My bank card identifies itself to my phone as a simple Mifare Classic, with a lot of locked sectors. Nothing unusual. When presented to my cracking tool my bank card thinks about it then starts to return timeouts on the sector probes. On the second run, my bank card times out immediately and refuses to talk to the reader. While the chip structure of my bank card may well be a Classic inside, there is something else in there. There is a guard that is sitting between the RFID interface and the chip that is preventing the repeated probings needed to crack the keys. Your bank cards are safe for a while.

    *My local bus company uses Desfire cards, so I haven't been able to check their methods.
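    A back-office check in the spirit of imanidiot's networked-checkpoint remark above and Skrrp's two suggestions here (readback with a central plausibility check, plus a validation tag bound to the card ID). This is an added example, not code from the thread or from any transit operator; it swaps in an HMAC with a backend-held key in place of bcrypt, and the key and the transaction log are constructed sample data.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Constructed demo key: held only by the validators / back office, never on the card.
BACKEND_KEY = b"constructed-demo-key-not-for-production"


def validation_tag(card_id: str, balance_cents: int, last_tx: datetime) -> str:
    """Tag stored on the card next to the balance. Binding the card ID into the
    message means a tag copied from one card does not validate on another."""
    msg = f"{card_id}|{balance_cents}|{last_tx.isoformat()}".encode()
    return hmac.new(BACKEND_KEY, msg, hashlib.sha256).hexdigest()


def tag_is_valid(card_id: str, balance_cents: int, last_tx: datetime, tag: str) -> bool:
    """A rewritten balance (or a stale tag replayed onto a new balance) fails here."""
    return hmac.compare_digest(validation_tag(card_id, balance_cents, last_tx), tag)


def suspicious_cards(events, max_topup_cents: int = 20000) -> set:
    """Readback check over events reported by networked readers.
    Each event is (card_id, timestamp, balance_cents_read_from_card, kind),
    kind being 'topup' (recorded at a kiosk) or 'fare' (a tap on a bus).
    Flags any card whose balance rose on a fare tap, or rose by more than
    one kiosk top-up could explain."""
    last_balance = {}
    flagged = set()
    for card_id, when, balance, kind in sorted(events, key=lambda e: e[1]):
        prev = last_balance.get(card_id)
        if prev is not None:
            delta = balance - prev
            if delta > 0 and kind != "topup":
                flagged.add(card_id)          # credit appeared with no top-up
            elif delta > max_topup_cents:
                flagged.add(card_id)          # implausibly large single jump
        last_balance[card_id] = balance
    return flagged


# Constructed sample log: CARD-B's balance jumps on a fare tap with no kiosk top-up.
T0 = datetime(2014, 10, 20, 8, 0)
EVENTS = [
    ("CARD-A", T0, 5000, "topup"),
    ("CARD-A", T0 + timedelta(hours=1), 4300, "fare"),
    ("CARD-A", T0 + timedelta(hours=2), 3600, "fare"),
    ("CARD-B", T0, 1200, "topup"),
    ("CARD-B", T0 + timedelta(hours=1), 500, "fare"),
    ("CARD-B", T0 + timedelta(hours=3), 9900, "fare"),
]
```

    Run on the sample log, `suspicious_cards(EVENTS)` returns only CARD-B, and a tag computed for one balance fails validation once the balance or card ID differs.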

    1. djack

      Re: Bank cards are not susceptible

      I can't remember what variant of card is in my bank card, but a number of the newer mifare chips have the ability to emulate a classic but without the (same) flaws.

    2. Anonymous Coward
      Anonymous Coward

      Re: Bank cards are not susceptible

      What does the Dept of Transport mandated ITSO card use?

  9. Ogi

    I remember this from round 2005 or so

    There was a guy who made a microcontroller based mifare read/writer, which could emulate the oyster cards used on London transport. In addition to reading and writing the contents on the oyster card, he could clone the cards of others then use those accounts for travel.

    He never released the code and specs of what he did, but I remember there being a bit of a ruckus a couple of years later about a large number of fraudulent oyster top-ups popping up, with TFL making changes to the system (Oyster is Mifare classic, from what I remember).

    Presumably now they don't store the balance on the card, but some sort of ID which is linked to a central account. Still possible to clone them, but not to just issue "free" top ups.

    It was deemed too expensive to rip out every single Oyster-enabled device and replace with a newer system, so I suspect that the above loophole is still viable, for those with the time and inclination for it.

  10. Cynicalmark

    I have it!!!

    just carry so many random cards they won't know which one is for real... encode rude words into assorted cards in your pockets and see the skimmers get really confused. Oh hang on, I already have a wallet full of cards - bugger

  11. Martin H Watson

    I removed the chip from my card with a pair of scissors and glued it on to the end of a toy magic wand. Now every time I need to pay for anything I just wave it and shout hey presto.

    1. Mr Templedene

      The temptation to do the same with a sonic screwdriver is high in this whovian :D

  12. Henry Wertz 1 Gold badge

    "The problem is, indeed, the lowest security cards are the cheapest. And NXP, of course, is not withdrawing lowest sec cards because of low cost and massive revenue (people don't understand security and of course buy the cheapest)."

    Maybe they *do* understand security. Given they're loading $16 on the card, and it's for an intangible asset (unauthorized use of the transit) rather than tangible (lifting $16 worth of items from a store or something), they may have gone in knowing they were not getting the highest security card, ran the numbers and figured the card cost savings outweighed the fraud risk. I wonder if it could be "fixed" on the back end like the Dutch system in a post above, so "Android reloaded" cards would be deactivated.


Biting the hand that feeds IT © 1998–2021