Smartphone Used To Scan Data From Chip-Enabled Credit Cards
An anonymous reader sends this news from the CBC:
"Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."
Re:Almost useless (Score:5, Informative)
Without the CVV (verification code) you cannot do anything useful...
Bullshit. It will allow you to clone the card and make "swipe" based purchases. You can also use any online or phone retailer who doesn't ask for the CVV, and many of them don't ask.
Re:Forget tinfoil hats... (Score:4, Informative)
Re:Almost useless (Score:5, Informative)
News flash! Now they are cloning - and altering - the swipe machines, to capture everything including PIN and sending it through high-intensity Bluetooth. The machines (GPRS-EDGE) are being switched without the merchant's knowledge.
Re:Almost useless (Score:5, Informative)
The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.
Yes and no... a few years ago when I got my first RFID card from Mastercard, I had to threaten to cancel the card if they didn't send me one without it. Two years later, when I got one from Visa, it was a 5 minute phone call and the new card (minus RFID) was in my inbox 3 days later.
That says it all, I think. And TFA says that I was right, and I will be quite smug all day about it. ;) (and will continue to insist on having cards without the RFID).
Re:What are we going to call this? (Score:5, Informative)
How fast does it read the card?
Using the TagInfo app from NXP (Who apparently made the NFC chip in my card), takes about 1.5 seconds to read it.
Re:Forget tinfoil hats... (Score:5, Informative)
...what we need is tinfoil wallets!
(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).
All joking aside, when I got my RFID "enhanced" VISA card, I got a hammer and hole punch and punched through the chip.
Problem solved.
Re:What are we going to call this? (Score:4, Informative)
Yeah, and the FUD comment that "omg phones MIGHT have greatly increased NFC range in the future" is bullshit.
Increasing range would require:
1) More power (eats battery)
2) More antenna surface area. To get a range of about 6-10 inches, you need an antenna that is more than a foot on each side. (I need to hold my badge within 6-10 inches of the reader when badging into the largest readers at my workplace - which are over a foot in both width and height.) Oh yeah, that's with a fixed reader that has all the power it could ever want.
Re:Almost useless (Score:5, Informative)
Hai! "Expert" here (And by "expert" I mean I work in the industry, my company has a hand in testing everything from the cards themselves right up to the host in your Bank's basement).
Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off ebay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe.
Chip cards, on the other hand, work completely differently. They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java). It doesn't just hand over your card details upon request, it actually uses a lot of cryptography, using public/private keypairs (Amongst other things) to ensure that no two transactions are ever the same. Cryptograms are used to ensure that data being sent and received is valid, it's impossible to change any data without breaking this. Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.
Contactless chip cards are nothing more than a wireless standard that complements the above. Similar to Wi-Fi versus ethernet, it's only the transmission medium that actually differs here, the same sorts of cryptograms and hashes are done here. The net result? Yes, you can skim some data using any NFC equipped smartphone, but it's useless to you because you cannot even replay a transaction because you don't have any of the private keys.
Yes, you can use the information to clone the magstripe on a card - the card gives you enough information in the clear to do this, but you'll find that the magstripe is largely useless to you as it's only used as a fallback. These days, even magstripe transactions are used "online" - that is, the terminal WILL contact the host to verify it, a side effect of the rampant card fraud that goes on. The host will question why a chip-enabled terminal is doing magstripe with a card it knows is chip-enabled. The result? Transaction voided. Terminal prompts you to use the chip, because the terminal knows there's nothing wrong.
As for online shops - those shops that DON'T ask for the CVN are liable for the fraud, so few are left out there that don't. What's more, most cards these days have a secure online payment page requiring you to type in a password before continuing.
Sum total? This is a non-issue, there is nothing new in this article and anything else you hear is scaremongering. You cannot clone a chip card, it's physically impossible.
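A toy model of the per-transaction cryptogram described in the comment above, added here as an example; it is not part of the thread and not any card scheme's code. HMAC-SHA256 with a key shared between card and issuer stands in for the real algorithm, and the class names, field layout and card number are constructed for illustration.

```python
import hashlib
import hmac
import os

def cryptogram(key, pan, amount_cents, nonce, counter):
    # Constructed field layout; HMAC-SHA256 stands in for the card's real MAC.
    msg = b"|".join([pan.encode(), str(amount_cents).encode(), nonce, str(counter).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    """Toy chip: the key never leaves this object; only the PAN is readable."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def sign(self, amount_cents, nonce):
        self._counter += 1  # every transaction gets a fresh counter value
        return self._counter, cryptogram(self._key, self.pan, amount_cents, nonce, self._counter)

class Issuer:
    """Bank host: shares the card key and remembers the highest counter seen."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last[pan] = key, 0

    def authorize(self, pan, amount_cents, nonce, counter, mac):
        expected = cryptogram(self._keys[pan], pan, amount_cents, nonce, counter)
        if not hmac.compare_digest(expected, mac):
            return "declined: bad cryptogram"
        if counter <= self._last[pan]:
            return "declined: counter reused"
        self._last[pan] = counter
        return "approved"

def demo():
    key, pan = os.urandom(32), "4000000000000002"  # constructed test values
    card, bank = Card(pan, key), Issuer()
    bank.enroll(pan, key)
    nonce = os.urandom(8)  # the terminal's unpredictable number
    counter, mac = card.sign(1999, nonce)
    forged = cryptogram(os.urandom(32), pan, 1999, nonce, counter + 1)  # skimmer has no key
    return {
        "genuine": bank.authorize(pan, 1999, nonce, counter, mac),
        "replayed": bank.authorize(pan, 1999, nonce, counter, mac),
        "amount changed": bank.authorize(pan, 99999, nonce, counter, mac),
        "other terminal": bank.authorize(pan, 1999, os.urandom(8), counter, mac),
        "skimmed PAN only": bank.authorize(pan, 1999, nonce, counter + 1, forged),
    }
```

Only the first authorization succeeds: the recorded cryptogram is bound to one amount, one terminal nonce and one counter value, and the card number alone is not enough to compute a new one.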
Re:Almost useless (Score:5, Informative)
A minor point, but one that people on Slashdot don't seem to understand, is that you don't actually get your cards from Visa or MasterCard at all.
They are payment processors and they pass payments from one bank to another. They ensure that the X banks in the world don't have to build connectors to X-1 other banks just to let you buy something at a shop or online. Instead each bank just connects into Visa or MasterCard (or sometimes both) and then calls it a day.
The relationship you have is actually with your bank (in industry speak, your card issuer). They are the ones that decide what payment scheme to use and issue you a card for that scheme. They are also the ones that would decide whether or not to make available to you the option to have a non-contactless card. Visa and MasterCard have no say in what they give you.
Hopefully that clears things up a bit.
Re:Almost useless (Score:4, Informative)
Canada, actually... most credit cards being issued here have RFID and Chip/PIN together. You have to ask them to send you one without RFID... they won't send you one without Chip/PIN because they're in the process of upgrading bank machines to require it. We've had Chip/PIN longer than Europe.