Fast-evolving Prilex POS malware can block contactless payments

The reasons businesses and consumers like contactless payment transactions – high security and speed – are what make those systems bad for cybercriminals. If miscreants want to get back to stealing data and committing fraud, they need to find a way to force transactions away from tap-to-pay systems like Apple Pay and Google …

  1. nematoad

    Not me.

    "The reasons businesses and consumers like contactless payment transactions – high security and speed..."

    I had to change my bank because they rolled out new debit cards and they were contactless only. When I went to my branch to ask if they could give me a non-contactless one they refused. I tried to explain that I had a habit of scattering my debit cards about the place like confetti. I have always been absent-minded and I have had to work around the failing as much as I can. With the contactless limit being £100 a time I would soon find myself out of funds if some dishonest person found it and started using it. I had no luck with my old bank so I went to Lloyds instead. They listened to my explanation and transferred my account within a week or so. They did warn me that I would first get a contactless card but not to use it, that was because of the way the system was set up. A non-contactless one followed shortly after.

    One size does not fit all and I am dreading the time when non-contactless debit cards are done away with, then I will really have no security.

    1. Anonymous Coward

      Re: Not me.

      Have you considered using your phone instead? Phone payments are usually easier to set up to use biometric or PIN for an amount you can configure yourself.

      1. nematoad

        Re: Not me.

        I can't use my 'phone because I don't have one. I don't like them or trust them, and having to keep charging the bloody thing all the time just puts me off. I'd probably forget to put it on charge anyway.

    2. anthonyhegedus Silver badge

      Re: Not me.

      A debit card that is contactless ONLY? So how do you buy things that cost more than £100?

      1. nematoad

        Re: Not me.

        No, not contactless only.

        I may have been unclear, you can of course use it with your PIN but because it does not need one to work I did not trust myself with one.

      2. Anonymous Coward

        Re: Not me.

        There have been some tests by card companies to do that, contactless-only payment devices. The idea was to allow other form factors than cards, like bracelets or stickers to put on the back of a phone (this was about a decade ago, before smartwatches or even phone payments).

        So the idea has been floating around, but as you point out, it had limitations...

    3. Emir Al Weeq

      Re: Not me.

      Nematoad: make a small cut (5mm) in the edge of the card. This will break the antenna and disable the contactless feature. I do two opposite cuts to be sure; it's something I've been doing for years. I've never found typing in a PIN a big inconvenience.

      I started because I knew two people who had their purses stolen and had the thieves go from shop to shop buying easily resellable goods (cigarettes and booze) with each card. They both got their money back, but it was a lot of hassle.

      Mind you, after reading this, I may have a rethink.

  2. Anonymous Coward

    This article is super light on why chip+pin is less secure. It also uses a unique transaction id, this is not specific to contactless, and that id is further confirmed by the chip once the right pin is entered. So that's not really an explanation.

    1. withQuietEyes

      Yeah that is an entirely new idea to me - I'm not very into cybersecurity, but like (probably) everyone else I assumed chip and pin was more secure

    2. Anonymous Coward

      I think the theory is, if the unique ID for chip and pin is validated mathematically by the pin, then if you can suss out the pin, and the maths behind the validation, then you're away.

      If it's a (supposedly) random id for contactless which is never re-used, it makes things harder (but not impossible).

      1. Anonymous Coward

        No, it's validated by the *chip*. The pin only authorizes the chip to do the validation, nothing else. The pin itself is not used directly, of course. It's like the passphrase to a PGP key.

        Otherwise, it'd be super easy to replicate a card with only the knowledge of its pin.

        As it is, it's practically impossible because the secret key inside the chip is designed to stay there, there's no way to extract it.

  3. sitta_europea Silver badge

    Once upon a time my wallet was stolen from work, although fortunately that was before contactless cards existed.

    I asked my bank for a non-contactless card because I too don't like the idea of anybody being able to spend thousands on my account if it's stolen or I lose it.

    The bank said that if they issued a non-contactless card to me, because of the way their system worked I'd never again be able to have a contactless card on that account.

    I said "fine by me" and they sent a non-contactless card.

    Two years later they sent me a replacement. You know where this is going. It was contactless.

    So I gave up on them and now I simply cut through the antenna loop on all my cards.

    Theoretically they could be repaired but it would be a terribly fiddly job and probably easier just to steal a different card.

    I started cutting the antenna loops quite a few years ago, before I saw any of the many online articles about it which I've just found with a simple search. It seems that I was just lucky that I chose to cut all my cards in more or less the same way and it worked. It wouldn't actually have mattered if it hadn't worked, I'd just have made another cut in a different place, but if you're going to try it yourself I'd recommend doing a search to see some of the X-ray images online. From one card to another there can be big differences in the layout of the antenna wires.

    1. sgp

      Cutting the antenna loop as opposed to just disabling contactless payments on your online banking portal? Who are you, James Bond?

  4. Boolian

    Hmm. I was under the impression contactless had limited number of transactions before a PIN was required, and the contactless activated again for another period. Well, for certain UK accounts anyway.

    I generally use a 'Fintech' card for general and online purchases anyway (eg Revolut, Starling, Monzo etc). I'll load it with my 'pocket money' via phone app, and that's all anyone nefarious will get from it. When that runs out I load more, in perhaps £50+ increments.

    (I don't like phone out to use NFC payments, for reasons - dropping it and/or having it nicked for a start)

    The fact I can also generate a 'one-time' virtual card for online shopping, makes it a 'no-brainer' as our Trans-Atlantic cousins would say.

    My credit card/debit card is seldom used at all nowadays, and gathers dust in a 'faraday wallet'.


    How does it get there?

    Well, that is what Prilex CAN do - impressive. But what's missing is step one: How does Prilex get into the POS system in the first place?

  6. Claptrap314 Silver badge

    Something smells & it ain't the fish...

    Tell me what exactly about chip & pin _requires_ it to be less secure than contactless? There is no reason for a card to communicate more information just because it is inserted. None. In the meantime, contactless by definition requires some sort of EM wave interaction that can be intercepted FAR more easily than with the contacts.
