Smartphone Used To Scan Data From Chip-Enabled Credit Cards

An anonymous reader sends this news from the CBC: "Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."

Re:What are we going to call this?

[compro01]

Given how close you need to get to do this, more like wargrinding.

Testing with my GS3 and Interac Flash-enabled debit card, the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.

Re:Almost useless

[click2005]

They do however employ very good lawyers and lobbyists who probably ensure that any liability ends with the consumer or the store not them.

Passports are encrypted

[IamTheRealMike]

The data on a passport is encrypted with a key derived from the "machine readable zone" that's inside the book. To decrypt the data available via NFC you have to actually optically scan the open page. In addition US passports have a shielded chip so the book has to be open to be readable.

Need a better source than some hack reporter

[Tony Hoyle]

I'd be intrigued to know what app they're using that's returning the code and expiry date.. that information is encrypted on the card and none of the free nfc tag readers I've tried even attempt to decrypt it (I don't trust the banking system to use half decent encryption so not discounting the possibility entirely).

Of course it could just be the typical bullshit scare story that newspapers come out with..

I'm pretty impressed with the passports

[YesIAmAScript]

I was very much against them, in fact swearing I would smash my passport's smart chip when I got a new passport that had one.

But having read it with my phone, I'm impressed. You need key data from the printed page to make the NFC work and as you mention, the passports are unreadable when closed.

I think it's really well done. I'm a bit unsure quite what it's good for since it is slower than swiping it, I can only figure it was done just because putting that much info in a barcode was infeasible.

Now let me submit my pic as a link to a PNG or whatever instead of printing out a picture, having them scan it back in and turn it into a JPEG2000.

Re:Almost useless

[Anonymous Coward]

I'm sure they're aware it's insecure, it just a level of insecurity they are comfortable with. They don't want to change to a new (more secure) system because that means replacing legacy equipment. And, most importantly, the credit card companies that make the decision are not the people who lose money from fraud (except for the small second-order effect of people not using credit cards due to fear of fraud).

Re:Almost useless

[neokushan]

Not necessarily. You said the new card was a replacement for the old card - often those replacements don't change the card number, so really all that will have changed is the expiry date and the CVV. It's possible that the online systems thought you were still using your old card and thus accepted the CVV because the "new" card had never been activated. So it's not the CVV they don't necessarily check, but rather the expiry date (Because hey it's in the future and that's good enough).

It's not ideal though, it should be much stricter than that.

Re:Almost useless

[neokushan]

Ah, well, see here's the thing - the USA is supposed to be moving entirely over to chip technology soon.

Of course, it isn't and nobody's in any position to move over because this takes a long time to roll out and a huge amount of the industry isn't as prepared for it as perhaps they should be.

But here's the good news! You're not liable for card fraud, the bank is. At least, the bank is for a short period of time, then that liability will switch over to the merchant because he hasn't upgraded to chip technology yet. That happens in 2015 and oh boy is it going to be a fun one to watch out for!

So anyway, getting back to my point - most of the rest of the world is already on Chip technology (known as EMV, by the way) - the US is the last of the G20 countries to move over to it. Canada did it years ago, the UK did it in the 1990's, etc.

However, as I mentioned above in the USA card fraud is already rampant, it's incredibly trivial to clone a magstripe card and there are already measures in place to fight against that (not quite as effective as moving to chip, of course, but it's there). The point is, there aren't many chip cards in the US so it isn't worth even trying to skim people's wallets for the odd one that DOES have a chip card, just so you can clone said card - it's far more efficient to tackle the magstripe swiping directly as every card has one. Then when the USA finally starts to switch to EMV and chip cards become more prevelant, the magstripe terminals will be mostly replaced and the ones that aren't - as I said earlier - you aren't liable for, the merchant is.