Who'd-a-thunk it? Contactless cards being read 'contactlessly' pose a security risk? The attack vector is obvious.
Exactly why I immediately sent my contactless debit card back and demanded a standard one.
Visa Europe has downplayed a new attack that could steal hundreds of thousands in foreign currency over the air from contactless credit cards. The electronic robbery was devised by researchers at Newcastle University in the UK, but the banking giant claims the techniques used aren't feasible in the real world. The researchers …
Or just keep it inside one of the readily available card carriers that block the reader when you're not using it.
Search for "RFID blocking" on eBay and there are lots of options from complete card wallets to things that you can put in your existing card carrier.
In reality, "New security measure" != "100% effective" does not mean that "Old security measure" > "New security measure".
Seatbelts don't prevent all injuries, but for real world examples they are generally better than no seatbelt.
"Or just keep it inside one of the readily available card carriers that block the reader when you're not using it."
...which defeats the object of the system, i.e. quick and convenient. Now it's about as convenient as getting cash out in the first place.
The best option IMO is to simply ask your card issuer to disable NFC payments. Co-Op bank will certainly do it.
Banks and payment processors are once again in denial - they said the same about Chip & Pin even though the flaws are being actively exploited by criminals.
Visa are focusing on the headline 999,999.99 figure in this case and saying their systems will spot it, which spectacularly misses the point, as criminals are hardly likely to be so stupid as to go for the jackpot each time when they can take hundreds or maybe thousands at a time without risking detection.
I suppose the next step is a live, public demonstration. Keep up the good work, Newcastle!
"Banks and payment processors are once again in denial - they said the same about Chip & Pin even though the flaws are being actively exploited by criminals."
Yeah - but there is a benefit with fraud committed with contactless payments: With Chip & PIN, the card issuers could try to argue that the punter was the weak link, and somehow allowed his or her PIN to be known to others - but with contactless payments, they don't have anything to try to hide behind.
They would have to state that clearly with every card sent out and probably provide the secure wallet or shield as well.
which means that they should provide such protection at no charge when they send the cards out... if they go the cheap way, then a new one with each card... but that's going to be more costly in the long run as it is with everything else cheap...
e.g. I'd rather pay $120 for a pair of boots that last 2 or 3 years than $10 a month for a new pair of cheap boots... once you pass 12 months, you're spending more... sadly way too many folks can't fathom that...
Visa's reassuring response would be a lot more reassuring if the banks didn't do it every single time a security flaw is reported, until they are eventually forced to admit that there really is a problem.
They have been known to have their customers jailed for fraud rather than admit they have a problem.
"Visa Europe told The Register it spends €100m (£78m) a year on security"
So? Without a context on comparable costs etc etc etc this is just the usual meaningless PR drivel. Is the money effectively spent on preventing fraud that affects users? Or is it hoovered up with regulatory box ticking exercises and extensive research into loopholes allowing Visa to push liability back to the user more often?
Personally I have more faith in parliament's ability to write good law (ha!) than card companies' security prowess.
"We spent £78m on security so we're safe" said some mouthpiece who clearly knows nothing about Security.
It's not what you spend that counts, it's what you implement. Some of the most secure systems on the planet are dirt cheap, just not particularly convenient to use. And therein lies the rub. Contactless is about convenience at the expense of some of the security controls.
"Contactless is about convenience at the expense of some of the security controls." but it's only convenient when you only have one (including Oyster cards for London Transport). As soon as there's more than one in your wallet, it becomes as inconvenient as chip and pin, as you still have to remove the card from the wallet to make sure you're using the right one.
At that point the only remaining advantage is not having to key in the PIN number - something that could easily have been done via the existing chip-and-PIN system, simply modifying it not to require a PIN for purchases less than £20. Modifying the chip-and-PIN system this way wouldn't have introduced the security vulnerabilities of contact-less, or the inconvenience of card-clash with Oyster.
Surely any criminal would need a bank account to receive all these fraudulent payments. That bank account would be part of the sign up process to receive contactless payments (like receiving CC payments). OK, a criminal might be able to skim a few hundred pounds before all the complaints came in, but that's it.
This is my industry, so pardon me if I remain AC.
There are so many holes in this I don't know where to start. So maybe I'll address the most glaring ones.
This "new attack" or "vulnerability" is not new at all, and maybe it's a weakness at most. But have any of you bedroom geniuses paused to think how it can be rectified?
The fact is it can't. As the article points out, the whole point of contactless is to operate, as best can be achieved, independently. In order to calculate the foreign currency equivalent of £20 the chip on the card would need a foreign exchange system on-board AND constant access to the continually-changing values of the exchange rates. Which ain't gonna happen.
When we engage with a bank on a project to issue contactless cards, we discuss this with them. The bank not only has to design the pretty pattern on the plastic, it ALSO has to design the way it wants the chip to "function"; this is called a profile (which must be certified by Visa/Mastercard), and JUST ONE of the parameters in this profile is what to do with these foreign currency transactions. They can choose not to allow them at all. Or they can limit them to a certain number a day, but what they cannot do is limit them to an amount, say 30. Because as the article quite rightly points out, 30 Euros may be acceptable but you won't get much for 30 Zim Dollars.
This is a decision for the bank's risk department - and you may be surprised to hear that banks actually quite like the idea of prioritising customer convenience and so they will often decide to allow some foreign currency transactions, because the benefit of this to the cardholder outweighs the risk involved.
Now did you all notice something? When the Newcastle students did all these transactions, they didn't mention their pockets filling up with money did they? No, because these all have to be "offline" transactions and "We have not yet tested the back end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud".
Well maybe they should have tested that before getting all excited with this bollocks. Because programming "a handheld gadget to act as a pay-by-wave shopping till" is one thing, but setting it up as belonging to a live merchant, who then has to get those transactions through an acquiring bank (who run checks) and then through Visa or MasterCard (who run checks) and then through the card-issuing banks (who run checks) is another thing entirely.
And there's the point, because now the issue is not whether these are big foreign-currency transactions, or smaller sterling transactions, the point is how you get the money out of the cardholder's accounts and into your filthy swindling hands. (Let's face it, it doesn't matter if you're spending an hour at the airport "pinching" foreign currency transactions or 20 minutes walking up and down Oxford Street around Xmas stealing sterling - you've still got nothing unless you can get the harvested transactions cleared by the issuer).
And even if this DID actually happen - and cardholders notice money gone missing - the chargeback liabilities will not be with the cardholder, or the Network - they will be at the merchant or the acquiring bank - because that's where the security breakdown actually happens. (How did the swindler manage to set themselves up as a valid merchant?)
I could go on, but I have work to do. In summary - there's nothing to see here. Students should spend more time studying and less time playing with toys.
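An added illustration of the two control points the post above describes, written as a small Python model for this discussion; it is not code from the thread, from Newcastle University, or from any card scheme. It models (1) the card-side offline decision driven by an issuer profile, where the chip knows the amount and currency code but has no exchange rates and so can only refuse foreign-currency offline transactions or cap how many it approves per day, never cap their value, and (2) the issuer's clearing-time check, where rates are available and the transaction can be valued in the home currency and velocity-checked per merchant. The profile field names, limits, merchant ids and exchange rates are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Profile:
    """Constructed subset of an issuer card profile (field names are this example's own)."""
    home_currency: str
    offline_limit_home: int            # minor units, e.g. 2000 = GBP 20.00
    allow_foreign_offline: bool        # may the chip approve a non-home currency offline?
    max_foreign_offline_per_day: int   # a COUNT cap: the chip has no way to cap the value


@dataclass
class Card:
    profile: Profile
    foreign_offline_today: int = 0     # counter held on the chip


@dataclass
class Txn:
    amount: int          # minor units of `currency`
    currency: str
    merchant_id: str
    offline: bool        # True if the chip approved it without contacting the issuer


def card_decide(card: Card, amount: int, currency: str) -> str:
    """Card-side decision with no network access and no exchange-rate table.

    Returns 'offline' (approved on the chip) or 'online' (pushed to the issuer)."""
    p = card.profile
    if currency == p.home_currency:
        # Home currency: the chip can compare the amount to its limit directly.
        return "offline" if amount <= p.offline_limit_home else "online"
    # Foreign currency: the chip cannot value the amount, only gate by policy/count.
    if not p.allow_foreign_offline:
        return "online"
    if card.foreign_offline_today >= p.max_foreign_offline_per_day:
        return "online"
    card.foreign_offline_today += 1
    return "offline"     # note: the foreign amount was never compared to anything


def issuer_clear(profile: Profile, txns, rates, max_foreign_offline_per_merchant=5):
    """Issuer back end at clearing time, where exchange rates ARE available.

    `rates` maps currency code -> home-currency units per one unit of that currency.
    Returns {txn_index: [reasons]} for transactions the issuer should flag/reject."""
    flagged = {}
    per_merchant = Counter()
    for i, t in enumerate(txns):
        reasons = []
        home_minor = round(t.amount * rates[t.currency])
        # The value check the chip could not do: an offline approval worth more
        # than the offline limit once converted is out of policy.
        if t.offline and home_minor > profile.offline_limit_home:
            reasons.append("offline_amount_exceeds_limit_after_fx")
        # Velocity: many small foreign offline approvals funnelling to one merchant.
        if t.offline and t.currency != profile.home_currency:
            per_merchant[t.merchant_id] += 1
            if per_merchant[t.merchant_id] > max_foreign_offline_per_merchant:
                reasons.append("merchant_foreign_offline_velocity")
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    profile = Profile("GBP", 2000, True, 3)        # constructed: GBP 20 offline, 3 foreign/day
    card = Card(profile)
    print(card_decide(card, 99_999_999, "EUR"))    # 'offline': the chip cannot value EUR
    rates = {"GBP": 1.0, "EUR": 0.78}              # constructed rates
    presented = [Txn(99_999_999, "EUR", "M1", True)] + [Txn(1000, "EUR", "M2", True)] * 6
    print(issuer_clear(profile, presented, rates))
```

The model makes the post's two points concrete: with `allow_foreign_offline` set, the chip approves an arbitrarily large foreign amount because it has nothing to compare it against, and the only on-card controls are the policy flag and the per-day count; the value and velocity checks have to live at the issuer, which is also where the presented transactions can be tied to the merchant that submitted them.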
What is your industry? Contactless tech manager? Sales? Marketing? One thing is certain, it's not security if you think that being AC hides your identity.
As for the rest of your 50 lines of verbiage, every "issue" was addressed in the article, which you obviously did not read.