Forgot your password?
typodupeerror
Cellphones Security

Smartphone Used To Scan Data From Chip-Enabled Credit Cards 236

Posted by Soulskill
from the insufficient-forethought dept.
An anonymous reader sends this news from the CBC: "Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."
This discussion has been archived. No new comments can be posted.

Smartphone Used To Scan Data From Chip-Enabled Credit Cards

Comments Filter:
  • by gooman (709147) on Wednesday April 24, 2013 @03:37PM (#43539553) Journal

    This NFC technology must be stopped. Why should anyone's life be any more convenient than it already is.
    Why back in my day a phone was attached to the wall with wires. It made phone calls and only phone calls and we liked it.
    You youngsters and all your fancy gewgaws. Get off my lawn!

  • by Anonymous Coward

    ...what we need is tinfoil wallets!

    (all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).

  • by gstoddart (321705) on Wednesday April 24, 2013 @03:43PM (#43539623) Homepage

    I've always thought those tap-to-pay things were really a bad idea from a security perspective, as your card can be used without you even knowing it and without any form of authentication.

    The fact that it will broadcast all of that information to just about anything tells me it's something which retailers and credit card companies like -- but it's mostly bad for security, but great for convenience.

    I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.

    I've always thought this was massively insecure, and it looks like I was right.

    • I knew it was a terrible idea before it was cool. B-)

      (No, seriously, like back when Bush was president).

      • by gstoddart (321705)

        I remember when it first came out people telling me about it.

        My response at the time was "so, all you need to do is wave your card near the reader, and it takes your money ... how do you keep it safe?".

        Of course, I was dismissed as somewhat paranoid and got a lot of suggestions I was blowing it out of proportion. From the sounds of it, these things are just waiting to gladly spend your money without caring about your security.

        I may be somewhat on the paranoid side, but that doesn't mean this was a giant se

    • I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.

      It was a 5 minute phone call for me, when I wanted my Visa to send me a new card without RFID. They sent me the card, and added a flag on my account to not automatically "upgrade" me to RFID ever again.

      • It was a 5 minute phone call for me, when I wanted my Visa to send me a new card without RFID. They sent me the card, and added a flag on my account to not automatically "upgrade" me to RFID ever again

        It took me less than one minute with a center punch and a hammer, and none of my RFID cards give away my information. Ever.

    • by Andy Dodd (701)

      I am fairly certain the tap-to-pay systems add a capability not present in standard magstripe systems - a transaction counter within the card.

      Yes, failed cards will occasionally trigger a few extra counts, but you can safely assume that all transactions with a given card are going to be monotonically increasing.

      If a thief starts using your card, and then you use it - now the CC company is going to see cases where the transaction counter goes backwards, a sure sign that something is VERY WRONG. Easy fraud d

      • by neokushan (932374)

        You cannot clone a chip card. All you can do is record a transaction and replay it. as you've stated, there's a transaction counter that goes up, so this is useless to you as a thief. Furthermore, because of the way it works, cryptograms are used to verify that said data hasn't been tampered with.

        In other words, this whole story is scaremongering. You cannot do anything with this data.

    • by rastos1 (601318)

      I may need to call my bank and see if I can get that disabled on my cards.

      Last time I tried this, the clerk happily typed something to the terminal and told me: "done". It turned out that they only changed the limit for contact-less payments to 0. I told him: "look, the RFID chip is still in the card, knows nothing about what you typed into the computer and will happily answer any RF challenge that it receives. Can you reprogram/disable the chip itself?". I lost him on "RFID". They don't even issue non-co

    • by AmiMoJo (196126) *

      It doesn't send any of the really important stuff without authorization. So they can't get the PIN number or CCV that would be needed to clone the card or make fraudulent transactions online. This is a total non-story in that sense.

      Additionally the cards don't broadcast anything. They don't generate any signals themselves. They are powered by the RF field that is used for communication. The return signal relies on modulating the reader's RF field. You simply can't do that over more than at 20cm, no matter h

  • was that the summary says that more capable antennas could improve reading distance, while in reality the tecnology was desinged for very short ranges, with a practically working distance of less than 10 cm. This is I belive because most tags are passive, have no energy and most be powered by the reading device with magnetic induction.
    • 10 cm.

      Install one or two of these in rear seat of a taxi. How many can you snag during a typical shift?
  • by IamTheRealMike (537420) <mike@plan99.net> on Wednesday April 24, 2013 @03:59PM (#43539797) Homepage

    The data on a passport is encrypted with a key derived from the "machine readable zone" that's inside the book. To decrypt the data available via NFC you have to actually optically scan the open page. In addition US passports have a shielded chip so the book has to be open to be readable.

    • by YesIAmAScript (886271) on Wednesday April 24, 2013 @04:15PM (#43539935)

      I was very much against them, in fact swearing I would smash my passport's smart chip when I got a new passport that had one.

      But having read it with my phone, I'm impressed. You need key data from the printed page to make the NFC work and as you mention, the passports are unreadable when closed.

      I think it's really well done. I'm a bit unsure quite what it's good for since it is slower than swiping it, I can only figure it was done just because putting that much info in a barcode was infeasible.

      Now let me submit my pic as a link to a PNG or whatever instead of printing out a picture, having them scan it back in and turn it into a JPEG2000.

      • The data stored in the chip is signed using a new PKI. Modern chips can also do challenge/response. So it makes the passports impossible to forge. That's the reason for it.

      • That's what it is all about. If the data on the chip doesn't match the data printed on the passport, they know a forgery has taken place.

  • by YesIAmAScript (886271) on Wednesday April 24, 2013 @04:04PM (#43539851)

    I have a VISA card with NFC and multiple tag readers for my phone and none of the tag readers can get any info like that out of the card. I've got apps that can read fare cards, passports, etc. but I can't find anything on my credit card.

    What am I missing?

    • The power switch?

    • by omnichad (1198475)

      The data's probably encrypted. Of course in order to accept credit cards, a merchant needs the decryption key so this has probably leaked all over the place. An "App" is not going to have an illegal copy of the decryption key, but it's not hard to custom-program something for it.

  • by Tony Hoyle (11698) <tmh@nodomain.org> on Wednesday April 24, 2013 @04:04PM (#43539863) Homepage

    I'd be intrigued to know what app they're using that's returning the code and expiry date.. that information is encrypted on the card and none of the free nfc tag readers I've tried even attempt to decrypt it (I don't trust the banking system to use half decent encryption so not discounting the possibility entirely).

    Of course it could just be the typical bullshit scare story that newspapers come out with..

    • At the very least it's very much open to a Man in the Middle attack. All you have to do is store exactly what the card present and code that into your own chip for use at any place that takes NFC read cards. More likely though it's just obfuscated because the terminal reading it still uses a dialup connection to phone the bank and transmits those details for processing. Which means it will remain "encrypted" for exactly however long it takes to reverse engineer one of those NFC readers.
      • by tlhIngan (30335)

        At the very least it's very much open to a Man in the Middle attack. All you have to do is store exactly what the card present and code that into your own chip for use at any place that takes NFC read cards. More likely though it's just obfuscated because the terminal reading it still uses a dialup connection to phone the bank and transmits those details for processing. Which means it will remain "encrypted" for exactly however long it takes to reverse engineer one of those NFC readers.

        No need to reverse en

    • by AmiMoJo (196126) *

      It is bullshit. The chip doesn't even store the CCV - the whole point of it is that it can only be read by a human from the card, not from the chip or magnetic strip. The pin number cannot be read either, all you can do it send a PIN to the card and have to accept or decline it. Naturally the chip rate limits attempts to guess the pin, and locks you out after a certain number of failures.

      The information you can read via NFC isn't very useful. Same as the chip interface.

      • The information you can read via NFC isn't very useful. Same as the chip interface.

        You can read it and then replay it for a POS transaction a few minutes later. Since the data is a binary blob, you could have one person wandering a busy mall, and another person appearing to browse at an electronics store. Beep! And a minute later someone's standing in line ready to purchase a giant flat panel on your credit card.

        So... you were saying something about how it "isn't very useful"?

  • I keep all my credit cards and smart chip embedded driving lincens in my hat. And my hat is actually a Faraday's cage constructed using a product from Reynolds. I understand the product is made by electrolysis of bauxite. So no one can read anything from it from a distance.
  • Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada...

    Really? I don't know anyone with one. It's all flip-phones, HTC and iPhones where I live. And I'm in Canada.

  • In RF land the concept of placing object A near object B means very little. The big question is antenna gain/directionality and reciever gain and the ability of both to reject out of band noise and not create in band noise.

    If a cell phone can read a signal from your credit card over a 2" gap then an antenna in a van can do it from across the street and Jodrell Bank can do it from the other side of the planet.

  • I had a course several years ago with a high lead counsel of a very well known company in the e-payments business. I ended up writing a final paper for them called "Security through Obscurity" basically explaining why their credit cards were incredibly insecure and detailing the existing cheap tech that was already accessible to average consumers. The card companies concept of security generally revolves around the idea that if they keep their security methods in a black box, no one will be able to crack it
  • My wallet is made of stainless steel. Good luck with that.

Passwords are implemented as a result of insecurity.

Working...