Sophos Cloud Optix
Your mission, should you choose to accept it, is to intercept contactless payment data at distances of up to 90cm using a backpack, shopping trolley, and a small antenna.
Mission: Impossible?
Apparently not, according to a paper published by the Institute of Engineering and Technology on Tuesday.
University of Surrey researcher, Thomas P Diakos, created an inexpensive receiver, small enough to fit into a backpack, using the above items along with other off-the-shelf electronics. Using this equipment he was able to eavesdrop on cards at distances of 20 – 90 centimetres, maintaining good reception at up to 45cm – despite the fact that one of the main security features of contactless cards is a requirement not to transfer payment data in excess of 10cm from a reader.
Lead academic supervisor Dr Johann Briffa said:
The results we found have an impact on how much we can rely on physical proximity as a security feature. The intended short range of the channel is no defence against a determined eavesdropper.
Contactless payments, utilising Near Field Communication (NFC) technology, are becoming increasingly popular in many parts of the world.
They allow consumers to make low-value purchases (up to £20 in the UK, for example) merely by holding their card near to a reader.
By eliminating the need for a PIN number to be entered, such a payment method allows for extremely quick purchases, something that those with hectic lifestyles undoubtedly appreciate.
There are, however, some security concerns about contactless payments, with ‘skimming‘ being an obvious mode of attack.
In April a survey showed that 45% of the respondents were either totally against the introduction of NFC or, at the least, unsure about using it as a payment method.
Of those who did not want the technology to be introduced, 59% cited security concerns. Such results may have been influenced by a Channel 4 report in March which showed a standard mobile phone could be easily adapted to acquire a limited data set by simply coming into close proximity with a bank card.
Even with this small amount of data – the cardholder’s name, the long card number and expiry date – a criminal could still make fraudulent purchases from some companies, though a UK Cards Association spokesman did tell Naked Security that:
There are already additional layers of security in place to prevent the use of a card number and expiry date, such as PIN and the card security code (the three-digit number found on the back of cards), which cannot be harvested electronically. The vast majority of online retailers require the card security code, along with the cardholder's address, and all have robust security checks in place to protect both their business and their customers from fraud.
Fraud related to contactless card payments appears to be small in comparison to their non-contact counterparts though. The UK Cards Association said that at the end of 2012 the levels of fraud on contactless cards were negligible at just £13,700. This compares with non-contactless losses of £55m.
The association also highlighted how cardholders are protected should the worst happen:
In the case of any fraud using a contactless card, consumers are protected against loss - they will not be liable for any fraudulent use.
The trade association for the card payments industry in the UK also played down the University of Surrey’s findings, saying that:
Instances of fraud on contactless cards are extremely rare. Although the sort of contactless card reader built by the University of Surrey might be able to interrogate a card, any data obtained would be limited to the card number and expiry date that can be seen on the front of the card. A fraudster would find it very difficult to make a fraudulent transaction using this information - and it certainly could not be used to make a cloned card.
Meanwhile, those at the University of Surrey are set to continue their work, saying that future experiments will look into how ‘wave-and-go’ cards can be cracked and how the uncovered data could be used by criminals.
Image of credit card courtesy of Shutterstock.
Limited in impact and frequency due to the fact that the card issuers restrict non-contact charges over $50. So, if you are a criminal, is it really worth your effort to skulk about (yes, I used the word 'skulk') snapping up card partial card data off NFC enabled cards, or would you focus on the good old reliable method of collecting all card data from the mag stripe? Keep in mind, that the data available to via the NFC interface is not complete card data, so anyone who intercepts information off the card will not be able to recreate a duplicate card.
And this is why the card issuers are not too worried about the vulnerabilities of NFC…. the effort outweighs the potential gains..
Do you really think that criminals won't be able to figure out a way to circumvent the non-contact charge limit? Just because the white hats haven't come up with a way doesn't mean there isn't a way.
Security needs to be built-in for every step, no matter how small.
Skulk in a train station or any other venue where lots of people pass through, wander around collecting $10 a pop. You can make several thousand dollars extremely quickly with very little risk
Yes, criminals _WILL_ do this.
A NFC antenna (12.5MHz loop antenna) is easy to scale up for ranges beyond that which the researchers tried for. The problem becomes keeping multiple cards out of the results.
This is becoming a compulsory technology. My bank will not issue a non-contactless debit card, so I have had to go back to drawing cash by cheque. I get a new credit card in a few months – and that will be contactless.
I don’t want this technology.
[edited for brevity]
Anyone know a reliable way to disable the technology? My banks says they cannot rig a card account to required pin confirmation for every transaction. I am tempted to put a hacksaw through the first 5mm of one of the edges (avoiding the mag strip and the chip and pin chip) and hope to disable the loop aerial, and then fill the gap with epoxy glue and suitably coloured ink. Will ATMs detect this tampering?
Distrustful
I believe you need one layer of kitchen foil to mask the chip.
I tried this with my travel payment card (Oyster) and it worked.
So foil in your wallet or purchase an RFID wallet (passport holders also available), then you only need to worry about people around you when you use the card with the PIN.
I’d heard that my bank (Barclays) instructed its customer services staff to try to talk you out of it, but would permit them to issue non-contactless cards if you were sufficiently determined. So after a few minutes’ polite discussion, my Connect debit card was cancelled and a new non-contactless card arrived through the post a week or two later.
Distrustful, just crack it's antennae, it will be enough and your card will be good old magstripe or chip card. More to worry about is USA using ancient technologies – magnetic stripe, it prevents the technologically advanced other countries to move on. Skimming on magstripe accounts for many many hundreds of millions losses around the world.
This has been a problem for some time. In London, the Underground has been using contactless payments, called an Oyster Card, and several people have complained that although they did not pass through the turnstile and activate the payment their account had been debited with an amount sent to the train operator!
In the UK there is no restriction on payment amounts as many new credit cards are now contactless.
I consider the whole technology to be dangerous and open to abuse. With no requirement for any authorisation check at the point of transaction it exposes the system to infiltration and misuse at the customer's expense. It was said that 'chip and pin' was safe until it was proven otherwise. They tell us contactless is 'safe' buy it has already been shown to be seriously flawed (some shop customers [notably at Marks and Spencer and others] had money debited from the card account even though they proffered a different method of payment – that the contactless card was close enough to the till was enough to trigger the payment from that card with no authorisation being requested!).
The whole principle is unsafe. It is only used to speed up transactions, not make them safer nor more secure.
Interesting read along with the comments. I’m a Yank from across the water and hadn’t realized that you folks are almost entirely contactless-based. People over in my neck of the woods freak out when I pass my phone over a contactless terminal and a receipt starts printing. Most people have never seen it before.
Honestly, I’m surprised that the card doesn’t get enough juice from the emitter to power an RSA chip.