* Posts by Arctor

1 post • joined 11 Dec 2010

Stealing credit card details via NFC is easy/pointless



As other have pointed out this is not that much of a problem as reading the card is allowed.

Each time you perform a transaction the card generate a unique cryptogram based on information from the reader so having read the data is no use unless you have the secure keys.

As to the other information without the CVV2 code on the back of the card it shouldn't work for offline and with out the CVV/iCVV it won't work for mag stripe or chip. The track 2 mag stripe contains a CVV code which is different from the one on the back and cryptographically generated and designed to stop people making track2 data out of a PAN and expiry date.

Where it could be a concern is if the 'card' present is actually acting a passthrough and then reading someone elses card like the person behind you. In this scenario the 'card' will connect (probably through some wireless tech like bluetooth) through to a unit in your pocket and then pass those details on to another card (like the person behind you.) This becomes a lot easier if the NFC chip is not a card but a mobile phone , like what google would like.

PIN's and one time passwords can stop this but a PIN / password goes against the convience factor that is promised by NFC. I'm also unsure how succesful PIN will be given there is a good chance that the contact will break when someone needs to put the card down to key in a PIN.


Biting the hand that feeds IT © 1998–2020