It could have been just another one of those jostlings that happen on the train: a man bumped into a writer for SC Magazine.
Except, as Roi Perez tells it, it all seemed a bit deliberate: the guy slowly bumped into him – and his pocket – for a bit too long.
He said that it took him a minute to realize what had happened.
But when it did dawn on him, he called his bank, only to find out that he’d been e-pickpocketed.
That slow bump had apparently enabled the presumptive thief to get close to Perez’s contactless card payment: there’d been an unauthorized £20 snorted from his card to make a transaction on the train.
His bank promptly reimbursed the charge, leaving him to ponder how, technologically speaking, this had happened.
Contactless bank payments usually rely on RFID or on Near Field Communication (NFC) – the same sort of electronics used in public transit cards such as London’s Oyster or Sydney’s Opal.
The cards enable fast, low-value payments, typically with no signature or PIN required, merely by holding a card near a reader – obviously appealing to harried shoppers with hectic lifestyles.
There are, however, some security concerns about contactless payments.
Research from a couple of years ago showed that card data could be intercepted from up to a meter away (about 3.25 feet).
In 2013, University of Surrey researcher Thomas P Diakos created an inexpensive receiver, small enough to fit into a backpack, using a shopping trolley and a small antenna.
This, in spite of the fact that one of the main security features of contactless cards is a requirement not to transfer payment data in excess of 10cm (about 4 inches) from a reader.
Then, about a year ago, researchers at Newcastle University in the UK figured out another way to attack contactless payments.
The tl;dr version: their attack is what Paul Ducklin described as a special sort of Man in the Middle (MitM) attack that could, at least in theory, be used to trick the owners of contactless payment cards into spending enormous sums of money without realizing it.
There were two problems that made it possible.
First problem: the “must enter PIN for more than £20” restriction at the time could be ignored by a card if the transaction was requested in a foreign currency.
Second problem: an additional safeguard prohibiting offline transactions for more than £100 could also be ignored.
How can you keep e-fingers out of your e-wallet?
There are plenty of people who believe in RFID-blocking sleeves, pouches, and wallets, including Altoid tins, metal cigarette cases, Aluma Wallets, Tyvek credit card sleeves, or a leaf of heavy-duty aluminum foil slipped into your wallet.
While they can help somewhat, don’t put too much faith in any of them. Some supposedly RFID-shielding wallets simply don’t work at all, regardless of marketing claims.
Ultimately, the most important thing you can do is to always keep an eye on your bank statements. If you notice anything that doesn’t look right, contact your bank immediately.
Image of contactless bank card courtesy of Shutterstock.com
22 comments on “Train rider has his contactless card e-pickpocketed”
‘…So where does that leave us when it comes to shielding our contactless cards.?
Well, there’s always the option of buying clothes with pockets, and then sticking some cash in there!…’
While I realize your answer was a tongue-in-cheek response I am more than a little disappointed that a company (Sophos) that takes security so seriously could not offer a more practical and effective reply to their own question. The vulnerabilities obviously present some serious concerns
Thanks for the feedback. While it was tongue-in-cheek, we’ve now removed the reference.
It gets worse with cash.
Several countries have toyed with putting RFIDs in banknotes.
This seems like a nice antiforgery method, but it also means a savvy criminal can know exactly how much any passer-by is carrying and decide if they’re worth robbing or not.
So the alternate is to carry cash and increase the attack vector? At least you get your money back on an un-authorised transaction as opposed to going to the bank and saying “I need my money back, I have been pick pocketed.” A better way would be to ask your bank for cards that are not contactless as many of the contactless readers doesn’t seem to work anyway.
I prefer the alternative of using a digital wallet and my phone’s NFC. The phone has to be unlocked before responding.
That’s actually a good point, and one I hadn’t thought of regarding services such as Android Pay.
Some banks unfortunately do not give us the option of non-contactless cards – nor will they set the “random interval PIN request” to “one transaction” (thereby requiring a PIN for every transaction).
Nor is my bank happy for me to take a hacksaw to my card and cut a 6mm slot in the middle of either end (thereby rendering the aerial ineffective) – threatening to confiscate a card that has been “tampered with”.
“… appealing to harried shoppers with hectic lifestyles.” Perhaps our lifestyles should be less hectic? Perhaps we should not be harried as shoppers? But I am forgetting that to show GDP growth we must all spend more- irrespective of whether we have the money or whether we really need all these “sub £20” impulse purchases. I don’t spend £5 “on impulse” – but then I guess I am not making my contribution to re-inflating the consumerist bubble. So, the banks are making it “easier” for us to make uncontrolled spending – tap and go and never mind keeping receipts or count of what is being spent.
And they keep on insisting that it is secure, and we keep on hearing stories such as this one!
While most banks will “force” customers to have a contactless card, most banks state you have to activate it for contactless payments before they will work. So if a customer does not want to use the contactless feature, they should not activate it. (Activation is using the service, and typing in their pin on first use)
Drill a hole thru the chip, use the magnetic strip only.
The visible chip on my (European style) cards relates to the “chip and pin” functionality. The RFID chip is not visible, so you need to know where it is to drill the hole right – else you might disable chip and pin!
Time for aluminum foil lined wallets!
>Well, there’s always the option of buying clothes with pockets, and then sticking some cash in there!
I think you’ll find that in many places, it is increasingly difficult to pay public transport fares in cash. In the Netherlands paper tickets are out and one *must* use a contactless card. For occasional travellers single journey or fixed price time/distance limited cards are available but these always carry a cost penalty.
NFC enabled smartphones can read contactless payment cards (using an app), it’s a good way to check if your RFID-blocking sleeve actually works…
I always said they were unsafe and refuse to have anything to do with them. You can refuse to accept such a card if your bank issues one to you.
The best protection is to use the known effects of a ‘Faraday Cage’, named after Michael Faraday who was head of the Royal Institution in London many years ago. He discovered that shielding an electronic device could be done with a metal mesh totally surrounding the device, the holes being smaller than the wavelength of the RF radiation to be shielded – it works both ways as well. With your card within the shield no one can read or write to it – but the shielding has to be appropriate for the signals. A complete wrap in an unperforated conductive film would block all RF signals. The trouble with retail products that claim to protect is that you have no way of telling, short of dismantling it entirely, just what level of protection they migh, or might not, provide. I use a small metal cigarette case for all my cards, just in case someone tries and a card is NFC capable without my knowledge.
The most simple solution for this problem is to never activate the feature (which requires your PIN) in the first place. Seems like an unreasonable risk to take for the sake of 10 seconds of your time per card transaction.
That means you can’t use the card at all and are carrying round a useless rectangle of plastic. The contactless feature on a new card is activated by making a chip and pin transaction, ie contactless can’t be used by someone who has just stolen a new and unused card. But as soon as you use it, contactless is activated.
If your bank insists on contactless cards, then the bank should provide a RFID sleeve that works. If the bank refuses to provide a sleeve, then get the government to require banks to provide them.
When I get my NEXUS pass sent to me by mail the US government includes a RFID blocking sleeve with it. And they tell me to keep the card in the sleeve except when using it to cross the US/Canada border.
Squall Lee Loire said: “The most simple solution for this problem is to never activate the feature (which requires your PIN) in the first place.”
— That means you can’t use the card at all and are carrying round a useless rectangle of plastic. The contactless feature on a new card is activated by making a chip and pin transaction, ie contactless can’t be used by someone who has just stolen a new and unused card. But as soon as you use it, contactless is activated.
It always surprises me how far behind the USA is on the use of technology. In Australia we’ve had payWave RFID credit cards for a number of years. You can buy simple metallised pouches to keep them in. Modern handbags and wallets do it too. You need to use similar larger pouches for your passport as well. That is a much higher risk and contains a lot more private information.
So… in order to receive payments you have to be a registered merchant with the credit card companies and a bank. Can I assume that the owner of that account is not waiting to be sent to jail for helping the crooks?
One thing you CAN do, take matters into your own hands. Drill (or cut) your contactless card along the secondary antenna that starts at the chip and circles your card. You can also cut it, but I prefer finding the antenna, and disabling it by drilling a hole. You can find the antenna by using a bright light (used a 200 lumen headlamp) to find the antenna, mark it then drill. If you’re successful the RFID chip will be disabled.
I have done this to all but 1 card in my wallet. Should someone decide to swipe my card, they will only get one card/ transaction. I did this for two reasons. I may live a hurried lifestyle, but I’d rather take precautions security takes an extra 5-15 seconds. Second is practical, the less people loose money, the lower my fees will be.