Researchers at Newcastle University in the UK have come up with a surprising way of attacking contactless payments.
Their paper is ominously entitled Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN.
It will be presented on Wednesday 05 November 2014 at the 21st ACM Conference on Computer and Communications Security in Scottsdale, Arizona.
Very greatly simplified, it’s a special sort of Man in the Middle (MitM) attack that could, at least in theory, be used to trick the owners of contactless payment cards into spending enormous sums of money without realising it.
Paying without touching
Contactless bank payments usually rely on Near Field Communication (NFC) – the same sort of electronics used in public transport cards such as London’s Oyster or Sydney’s Opal.
These let you authorise payments simply by waving your card near a suitable payment terminal.
As you pass your card through an electromagnetic field generated by the terminal, a coiled-up antenna buried in your payment card produces a tiny electrical current.
That’s enough to wake up the card’s chip, which then reads in some data wirelessly, performs various cryptographic calculations on it, and sends back a reply.
The antenna functions as an electrical generator coil to start with, and then as a regular antenna for the rest of the process, which typically takes a fraction of a second.
→ Typically, you have to get your card very close indeed, perhaps even tapping your card onto the terminal, but you don’t have to slide or insert the card into any sort of slot. The data is received, processed and transmitted without any physical circuit between the card and the terminal.
In theory, then, a crook could work the payment the other way around, by waving a suitably rigged payment terminal near your card, telling your card it wanted to buy a Caffè Americano, getting it to approve the transaction, and pocketing the cash.
This works because, for small-value transactions, the card and the terminal agree that they won’t ask for your PIN.
The bank, the merchant and the cardholder (that’s you) effectively have a arrangement to forgo the second factor of authentication (i.e. typing in your PIN) when the amount you’re spending is below £20.
Managing the risks
In marketing jargon, the transaction is made frictionless for your convenience, with the risks kept in check because:
- The “Near” in NFC limits the range at which your card will work.
- The maximum value of any PINless transaction is deliberately kept low.
The idea is that the risk/reward odds for a crook with a portable “transaction harvesting” terminal should be stacked against him.
He’d have to risk bumping noticeably up against your pocket, or dipping his terminal right into your bag next to your wallet, with a maximum return on his risk of £20 each time.
Two tricky problems
However, at least in the case of VISA contactless payments, the Novocastrian researchers found two problems.
Firstly, the “must enter PIN for more than £20” restriction may be ignored by your card if the transaction is requested in a foreign currency.
Secondly, an additional safeguard prohibiting offline transactions for more than £100 may be ignored, too.
(In offline transactions, your card tells the terminal it is willing to spend the requested sum, and commits to the transaction without involving the bank; the terminal can submit the transaction for processing by the bank later on.)
In fact, the authors found, in some cases, that the limit on offline, PINless VISA transactions in foreign currencies isn’t limited to any equivalent value in your local currency.
It’s limited to eight digits’ worth of that currency, presumably to accomodate currencies where large numbers are needed to represent even a modest value.
Suddenly, the risk/reward is tipped in the favour of the crook.
In you’re in the UK, for example, he could ask your card to agree to pay up a whopping US$999,999.99, without having to go online and without you needing to enter your PIN.
That’s a million bucks, less a penny, no PIN required!
Later on, when the crook is safely clear of the area where he clocked up the fake purchases, he can connect to his accomplices and send them his fraudulent transaction agreements; they can then process those payments, unrestricted by the limits that would have applied if you had bought something in your own currency.
Only then will you receive any transaction notifications from your bank, for example via SMS.
As the researchers note, any crook attempting this sort of attack would be unlikely to try to hit that million-dollar jackpot.
That would most likely set alarm bells ringing.
But he could stretch the potential payout for each offline, PINless transaction from £20 to a few hundred pounds, “high enough to make each attack worthwhile,” as the authors put it.
One thing we don’t know is whether this vulnerability (collecting up transaction authorisations well above the usual maximum) can actually be exploited when the time comes to cash out.
“For obvious reasons,” the authors drily point out, “we were not willing or able to check against a real bank.”
This problem still needs attention, though: if £20 and £100 are considered suitable risk-related limits on PINless and offline transactions respectively, those limits should apply at all times.
If your card can’t reliably work out whether 999,999.99 Vietnamese Dong is worth more or less than 20 British Pounds right now, it should fail safe by assuming that it is worth more, and behave accordingly.
What to do?
Quick fixes for VISA are obvious, and are suggested by the authors in their paper:
- Always require a PIN for foreign currencies.
- Always require online transaction verification for foreign currencies.
And if you’re worried about this issue, you could try these workarounds:
- If you don’t travel overseas regularly, ask your bank if it offers an option to prevent transactions in foreign currencies.
- Keep your card in a wallet or cover that blocks electromagnetic radiation so it has to be taken out to be used.
- Do your low value payments with cash, so you don’t need contactless transactions enabled on your card at all.
Cash – remember that?
Image of price tag courtesy of Shutterstock.
24 comments on “How to steal a million dollars (actually, $999,999.99) – no PIN required”
Which banks offer to disable contactless transactions? Mine (First Direct) wouldn’t last time I asked – could be a deal maker for changing bank.
Interesting. We’re all getting the message to move towards 2FA, even in the USA, which is finally adopting Chip and PIN…but it seems your bank is insisting that you accept the risk of transactions that could require 2FA but deliberately suppress it. You’d think they were encouraging you to go out and spend 🙂
I wonder if it’s possible (and legal) to fry the NFC chip without frying the contactful chip at the same time?
I asked my bank if I could saw through the edge of the card to break the antennae loop (and refill the resulting slot with epoxy). “No , please don’t do that, it would invalidate the card”.
Would it invalidate the card? Could an ATM machine detect such tampering? If I was careful with the epoxy and put a bit of black ink in the mix the tampering might not be detected by a (human) teller or checkout operator who had to handle the card.
I have also read about people drilling the NFC chip (and refilling) – but you have to know where in the card it is (and this apparently varies between card issuers). Would going for the antenna be just as effective and more certain? I think a 1cm cut on the opposite side to the “normal” chip (and clear of the magnetic strip) should do it and would not be detectable by POS machines where you insert the normal chip into a slot.
I understood that the early cards would at random intervals require PIN confirmation of contactless payments. I asked my bank if they could set the interval on my card to “1” (i.e. every transaction) – no can do. I have not seen mention of random interval PIN confirmation in recent discussion – has this safeguard been quietly dropped?
Goes without saying – remember Barclaycard’s launch advert for these cards? Lots of impulse buying and no receipts to help you track your spending! Get us all on these cards, then lift the limit to £50, then £100?
And of course now when you pay by card at restaurants etc. there is yet another reason why you must not hand over your card and allow it to go out of sight!
Tamper detection? I once had a credit card of the magstripe sort, near the end of its validity, where the signature strip had worn away. As the strip erodes, it reveals more and more characters of a rather dramatic and hard to miss printed warning that looks something like VOIDV DVO OID.
People looked at the card with suspicion (but accepted it) until I carefully rubbed off all the remaining signature strip and cleaned it up nicely so that it no longer looked shabby.
Of course, instead of saying just VOIDV DVO OID, it now said VOIDVOIDVOIDVOIDVOID. But it no longer attracted suspicion, presumably because it looked presentable. Albeit VOID.
Couldn’t one hit the card in the spot where the chip is with a hammer?
I drilled a small hole, midway along the bottom edge of the card (Approx 4mm up from the edge) that cut the induction loop. Filled hole with blob of epoxy resin. The card still works for chip and pin and in the ATM.
not sure about the legality, but there is an instructable how to on how to disconnect the nfc chip.
Another idea might be to programme your own tags (perhaps to send a harvesting warning) and strategically place either side of your wallet as a firewall, coding your own nfc devices to not be triggers using a tag re-writer?
I had a weird experience with RFID cards a few years back. For a while, I kept two cards in my ID badge holder – my Sophos ID in front, and an access card tucked behind it. If I tapped my Sophos ID against the Sophos reader, it would almost always fail, because it would read the card behind instead. Vice versa for the access card. By presenting the cards with the one I *didn’t* want to use *closest* to the reader, I achieved a close to 100% success rate with both of them.
So you might want to check whether flanking your precious NFC card with your decoys actually has the desired effect 🙂
(I never did find anyone who could give me a convincing explanation. Soon, the badge holder broke – turns out it wasn’t made to hold two cards – and my need for an explanation went with it.)
That’s why your pants have TWO pockets. 🙂
Problem with keeping access cards in your pocket is that most readers are set slightly higher or lower than that, so you end up having to perform a rather unsightly “pelvic proxcard thrust” (or more than one, if at first you don’t succeed) towards the door.
If the door is made of glass, what feels unsightly from outside looks downright unseemly from inside…
Talk to me sometime and I’ll explain the mechanics behind why NFC cards behave in that way Paul 🙂
Short answer is that it’s due to the induction step in the process.
When making NFC card readers back in the day, it was quite an engineering problem to design our readers so that this phenomenon was minimized. We discovered that most commercial readers don’t bother.
Presumably this is why if you go through a London Underground ticket barrier, sod’s law says your fare gets taken off your RFID debit card and not your prepaid Oyster card!
Barclays offer cards without contactless transactions. when we first opened the account they sent us a contactless card. we then requested a card without this feature. they send replacement card and all subsequent cards have be with-out the contactless feature.
I would love the option to not have ‘tap and go’ on my card, but my bank does not offer this (that is, you have to have ‘tap and go’). If you lobby banks about security issues I suggest you let them know people want the option not to ‘tap and go.’ I think I have expressed this wish to my bank.
I’m curious as to whether that applies to electronic money chips, like Sony’s Felica (used widely in Japan) where you transfer an explicit amount of money to the chip itself rather than charging individual transactions to your credit card. I suspect that the maximum amount you’re likely to lose in that case is the total amount you carry on the chip at any one time, which for me is usually no more than US$100 on each of two accounts I have set-up on the chip.
Using NFC for payments is fairly new. Felica has been around for close to two decades.
Presumably, if you use a steel wallet, or use silver foil around your cards, it’s only when you hand them to someone else that there’s an unusual risk.
Even in restaurants, the waiter/waitress tends to bring the chip and PIN to me rather than take my card away, these days.
But it’s rare for me to carry cash around, and I do find contactless very convenient.
(But not as convenient as Amazon.co.uk)
I had a few emails with the UK Cards Association< about the use of screening wallets to prevent an RFID/EMV card being skimmed. The overall impression they gave was that a bad actor could not read my card in my pocket and transfer any money. I don't know if this helps, but here's their final answer to me:
You make it sound difficult to set up a Merchant Services Account–sufficiently difficult as to be an effective obstacle. Unfortunately that’s not the case, at least here in the USA.
I had bogus charges on my Visa card in both July and August this year to firms named something like 1-800-123-4567 and 1-877-765-4321, ceasing only when I cancelled the card. Searching the numbers on the internet assured me that I was not the only one so defrauded. (The funds were recompensed by the card issuer.)
No one has given me a satisfactory answer as to how these fraudulent merchant services accounts can be opened so easily. Apparently anyone can open a bank account and then a merchant services account without a background check.
As for how my card number was compromised, it’s hard to say. It could have been a waiter in a fancy (not pay-at-cashier) restaurant or an internet purchase. Probably not a skimmer as I am vigilant and an engineer by profession.
Your card number could have been acquired by malware on the cash register at a perfectly honest restaurant with perfectly honest staff, but with a perfectly shabby PoS service provider.
As happened in this case:
In many of the recent megabreaches of payment card data, e.g. Target and Home Depot, the merchants ended up finding that although almost every single in-store, card-present transaction was compromised during the breach period (thanks to RAM scraping malware), no online shoppers were affected at all.
An interesting about-face in threat compared to a few years ago, when shopping online was considered risky, while shopping in person was considered the safe option 🙂
The same protections existed against the abuse of dodgy slips in the days of zipzap machines.
If a taxi driver, say, could use the cover of darkness, your haste and an unfamiliar city to get you to sign an incorrectly completed slip that he’d run through his zizap machine, imprinting your card details but somehow leaving the amount and the merchant details blank, then he had the old-school equivalent of a “harvested transaction” in the diagram above.
Of course, in the zipzap machine scenario, “if a bad actor were to attempt to use a bogus [zipzap machine] to carry out transactions they would have to try and monetise the attack by setting up a merchant account through which the bogus transactions could be settled before any money could be paid. The risk of detection is extremely high and any transactions reported as bogus would be charged back to the account.”
So not a lot has changed since 1989, eh? Not sure about you, but I’m no longer feeling quite so reassured by the answer above 🙂
Some of the protections against “bad actors” in the post-zipzap-machine NFC era are those £20 and £100 limits on PINless and offline transactions. Those limits are not there by accident – they are there to increase the risk to the crook, and to limit your exposure. To take you for a thousand quid, a crook would have to “ping” your card *fifty times* without getting caught.
So why should that same crook be able to “ping” your card for a thousand quid in one go simply by asking for the money in Euros, dollars or rials instead?
It is IMO clearly a bug in the protocol that transaction limits should evaporate just because you’re paying in a different currency – especially when it is the crook who gets to choose what currency to use.
I can see why it’s convenient to “evaporate” the numeric protection, because, well, what numeric limit would you set? 30 would be a good enough approximation of £20 for US dollars. But for Polish Zloty you’d need a limit of 100; Indian Rupees would get as far as 2000 and in Vietnamese Dong you’d have to let the number go up to about 700,000.
Sadly, 700,000 Euros or US dollars is rather a lot more than 20 British Pounds 🙂 With that much potentially at stake, you’d think making the PIN mandatory would be a wise choice.
You can buy shielded wallets & purses on the internet to stop NFC from taking money accidently.
What I can’t find are any data on how effective these shields are – and I suspect some are worse than useless. They’re not that expensive, so may be worth a try – it’d be fairly easy to get a reasonable idea how effective they are.
Duck wrote “As you pass your card through an electromagnetic field generated by the terminal, a coiled-up antenna buried in your payment card produces a tiny electrical current.”
“That’s enough to wake up the card’s chip, which then reads in some data wirelessly, performs various cryptographic calculations on it, and sends back a reply.”
True for an unpowered “tag”, e.g., an RFID product tag. Not necessary for a battery-powered device. A low-power-consumption receiver like a Wi-Fi or Bluetooth receiver can continuously monitor for the polling signal using battery power.
An even more interesting facet is the way the unpowered RFID tags respond. The captured power from the antenna provides enough energy to operate the cryptography-and-controller chip but not enough to actually transmit data. Instead the chip alternately short-circuits and open-circuits the antenna. The host terminal continues transmitting a signal during the receive interval and detects the changes in load on the transmitter as received bits.
Of course, this also does not applied to powered NFC devices such as those in smartphones.
Normally the card would have to be in close range of the terminal but the proper application of a higher powered transmitter (fake/spoofed terminal) and high gain antenna in the hacker’s pocket could make it a moot point. He might be able to force a transaction from a distance of a couple feet or more.