
Android App Lets You Steal Contactless Credit Card Data

timothy posted more than 2 years ago | from the get-mugged-without-breaking-a-sweat dept.

Crime 221

mask.of.sanity writes "An Android application capable of siphoning credit card data from contactless bank cards has appeared on the Google Play store. The app was developed by a security penetration tester for research purposes and will steal card numbers and expiry dates, along with transactions and merchant IDs. It requires a near field device capable phone, or accessory."


221 comments


First (-1)

Anonymous Coward | more than 2 years ago | (#40397381)

First

Anyone surprised? (5, Interesting)

dyingtolive (1393037) | more than 2 years ago | (#40397397)

Really. Broadcast data can be intercepted by anyone with the ability to receive?

Re:Anyone surprised? (0)

Anonymous Coward | more than 2 years ago | (#40397439)

Posted Anonymously as, well, it's a noob question, but can this data be played back to actually pay for something? It's one thing to be able to intercept data that as you say is broadcast publicly, it's another for it to be usable...

Re:Anyone surprised? (0, Flamebait)

Anonymous Coward | more than 2 years ago | (#40397467)

and will steal card numbers and expiry dates, along with transactions and merchant IDs

couldn't even read the summary rtard?

Re:Anyone surprised? (2)

Inda (580031) | more than 2 years ago | (#40397531)

I'm not the AC.

Without the Card Security Code (CSC) on the back, all that information would be useless. The CSC is not stored digitally on the card.

Cloning wouldn't work either. My Chip 'n PIN would stop that.

Tard.

Re:Anyone surprised? (4, Informative)

oPless (63249) | more than 2 years ago | (#40397601)

Not entirely true.

Not all merchants in the world have Chip+Pin (which is terribly broken anyhow) and CSC is not taken by all merchants in the world either.

Card numbers and expiry dates are all you need.

Yes, outside Australia, the UK and (I think) the EU the uptake of CSC and Chip and Pin is rather low.

Re:Anyone surprised? (3, Insightful)

kelemvor4 (1980226) | more than 2 years ago | (#40397741)

Yes, outside Australia, the UK and (I think) the EU the uptake of CSC and Chip and Pin is rather low.

As are nfc capable phones.

Re:Anyone surprised? (4, Insightful)

petermgreen (876956) | more than 2 years ago | (#40397949)

The criminals don't have to use the stolen details in the country they stole them from.

Re:Anyone surprised? (1)

drunkennewfiemidget (712572) | more than 2 years ago | (#40397755)

Canada. We have chip & pin and it's pretty prevalent.

Re:Anyone surprised? (1)

gagol (583737) | more than 2 years ago | (#40397857)

You can add Canada to the list.

Re:Anyone surprised? (2)

History's Coming To (1059484) | more than 2 years ago | (#40398403)

Chip 'n PIN is easy to defeat anyway, steal the card, put a few volts through the chip to fry it, then it will automatically fall back on the signature, which is handily represented on the card so you can learn to copy it in an hour or so. It's almost as if the bank companies can make money from their customers' accounts being insecure.

Re:Anyone surprised? (1)

lucaq (208803) | more than 2 years ago | (#40397619)

yes it would, it is, and it has been demonstrated. I will look up a link for you.

Re:Anyone surprised? (4, Funny)

Anonymous Coward | more than 2 years ago | (#40397767)

Better yet send him the article and bill it to his card. Then he will be impressed.

Re:Anyone surprised? (1)

Anonymous Coward | more than 2 years ago | (#40397631)

Think about it- the data given in the contact-less credit card data is enough for someone to use the contact-less payment system. The only thing really protecting you would be how frequently you use the card.

Re:Anyone surprised? (1)

lucaq (208803) | more than 2 years ago | (#40397641)

http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

Re:Anyone surprised? (1)

dyingtolive (1393037) | more than 2 years ago | (#40397493)

Without being quite so rude as the AC who responded, yeah, this, basically. I mean, I'm no expert. The only cards I've ever had are the good old fashioned magnetic strip variety, but I'm pretty sure that if you have that info, you're basically in.

Re:Anyone surprised? (0)

Bigby (659157) | more than 2 years ago | (#40397521)

You need the 3 digit "security code" for online purchases, so it wouldn't work online. And what do you do in person, just read them a credit card number?

I don't think you can do anything directly with the information, but it is one giant leap to having the information you need to do something...

Also, this is all to increase the ease of purchasing. The liability is all on the bank backing the credit card.

Re:Anyone surprised? (1)

DogDude (805747) | more than 2 years ago | (#40397585)

"You need the 3 digit "security code" for online purchases"

No, you don't.

Re:Anyone surprised? (1)

SJHillman (1966756) | more than 2 years ago | (#40397607)

Depends on the site. The vast majority of sites do require it.

Re:Anyone surprised? (1)

DogDude (805747) | more than 2 years ago | (#40397875)

That's irrelevant. Any credit card can be processed by anybody with a merchant account with just the number and the expiration date.

Test this (4, Interesting)

SmallFurryCreature (593017) | more than 2 years ago | (#40397893)

Because I have had to implement credit card payments where the field was marked as required but never checked or stored anywhere. So, if you didn't fill it in or put in a random value, it worked perfectly fine and this was on sites doing millions in transactions per year.

There is also nothing in the contracts with processors that this is required, it is recommended but not required.

A lot of web companies are terribly afraid to turn away any customer because they might have to think for a second while making a purchase.

Re:Test this (1)

cdrguru (88047) | more than 2 years ago | (#40398263)

It isn't required but you get dinged for a higher discount rate if you do not have it. So there is an incentive to process cards with this number.

Required? Heck no.

Re:Test this (2)

SJHillman (1966756) | more than 2 years ago | (#40398339)

I've had a few cases where a card went through even though I thought I may have typoed it, but wasn't sure. However, I have had more than a few cases where it was rejected because I put in the wrong code.

Re:Anyone surprised? (1)

lucaq (208803) | more than 2 years ago | (#40397663)

Even if you did, that is included in what is skimmed, a one-time use CVV

Re:Anyone surprised? (4, Insightful)

dyingtolive (1393037) | more than 2 years ago | (#40397627)

Okay, you couldn't use it for online purchases, but at a brief glance, you can get magnetic card encoders for 150+ USD. Not sure about whatever tech they use for the contactless style ones, but here's what I'm thinking:

Step 1: Steal contactless CC data.
Step 2: Burn semi-realistic magnetic card with CC data. Emboss the number on the front. 99% of all retail employees will not look twice at the card.
Step 3: Profit.

You don't need the security code for purchases made in person, and if you're doing this in person, you can probably speculate what the zip code is for the few places that even ask for that. Granted, this requires making purchases in person, so you're subject to video surveillance for anyone who REALLY wants to come after you, but since you can repeat this process, it's essentially a use one, throwaway kind of thing.

Re:Anyone surprised? (3, Informative)

plate_o_shrimp (948271) | more than 2 years ago | (#40397769)

Okay, you couldn't use it for online purchases, but at a brief glance, you can get magnetic card encoders for 150+ USD. Not sure about whatever tech they use for the contactless style ones, but here's what I'm thinking:

Step 1: Steal contactless CC data.

Step 2: Burn semi-realistic magnetic card with CC data. Emboss the number on the front. 99% of all retail employees will not look twice at the card.

Step 3: Profit.

You don't need the security code for purchases made in person, and if you're doing this in person, you can probably speculate what the zip code is for the few places that even ask for that. Granted, this requires making purchases in person, so you're subject to video surveillance for anyone who REALLY wants to come after you, but since you can repeat this process, it's essentially a use one, throwaway kind of thing.

Or,
2a: Burn numbers into some other magnetic card (even a customer loyalty card will work, so I'm told). Use cloned card at self-checkout, gas pump, or other unattended POS system. No need to emboss or even disguise the card.
3: Profit!

I know this works, because my CC info has been stolen twice in the last year and used to make cloned cards (the cloned cards were used at a brick-and-mortar store which is how I know the card was physically cloned). The first time was February, the second time was yesterday. Still don't know where the breach is occurring. I don't shop anywhere sketchy....

Granted the numbers were probably not stolen via the mechanism this story is about, but once you have the numbers the procedure is the same.

Re:Anyone surprised? (0)

Anonymous Coward | more than 2 years ago | (#40398283)

[Posting AC, as I'd already moderated on this one]

Your most likely places for card-cloning - at least in the UK - are garages/filling-stations and restaurants.

For whatever reason, in the UK garages tend to be the worst places. Restaurants are good too, with sheer number of transactions, and customers handing cards to wait-staff, who can then skim/store/clone card numbers.

Chip/Pin is making the restaurant side harder - they bring the machine to you *most* of the time - but it's still a high prevalence.

Re:Anyone surprised? (4, Informative)

Joce640k (829181) | more than 2 years ago | (#40397785)

Here in Spain (and rest of Europe?) all physical stores require a PIN when you pay with plastic. Most online stores send a six digit code to my mobile phone which I have to enter on the web site to authorize the transaction.

Even if you find my card in the street it won't help you much. You need my PIN and/or cellphone too.

Re:Anyone surprised? (1)

dyingtolive (1393037) | more than 2 years ago | (#40397813)

That sounds like a step in the right direction. I've often wished that there was some sort of SecurID type thing you could get implemented for your credit card, but I often wonder if that's beyond the ability of the average person to use. Even then, it's still breakable, but it's much more difficult.

Re:Anyone surprised? (1)

L4t3r4lu5 (1216702) | more than 2 years ago | (#40398019)

I would swap to any bank which enabled OTP authentication for transactions.

Why can't you have an app / device into which you put your card number (or the card itself), the amount, and the merchant ID and have it output a code to give to the merchant? Date / time can be set by GSM signal, or by serial number and timing like RSA tokens. Hell, secure it with a PIN number as well if you must.

This idea seems so easy to implement, would work online and offline, and would make card fraud next to impossible without the card, the reader, and the pin number.

Re:Anyone surprised? (1)

Verunks (1000826) | more than 2 years ago | (#40398325)

obligatory http://xkcd.com/538/ [xkcd.com]

Re:Anyone surprised? (2, Informative)

cdrguru (88047) | more than 2 years ago | (#40398427)

In the US credit card fraud is essentially not prosecuted. Which means you can be in line next to a uniformed police officer and hand the clerk a card that the clerk is told (phone, terminal, cash register system, whatever) to confiscate the card. Nothing happens.

I suppose you could hand the clerk an obviously hand-forged credit card and again, nothing would happen. Video surveillance is meaningless for this because it is a non-prosecuted crime. Which is why there is so much of it.

But the important aspect of this is that it is pretty much a victimless crime today in the US. OK, so I drop my card on the street and some enterprising youth picks it up and decides to renew his five different World of Warcraft accounts. My credit card company sees this and flags it as fraud. Sorry, no renewals. Oh, Blizzard gets dinged for a chargeback but they have insurance for this or they just write it off. Same thing happens if the card gets used in a store and the person walks out with $1000 flat screen TV. The fraud might not get caught immediately, but it probably does. Even if it doesn't I can dispute the charge and it comes off immediately and is charged back. The merchant is out the TV (probably cost them $500) and the chargeback but again, they certainly have insurance for this or they have no business operating a retail store. The same insurance covers them when someone fakes a slip-and-fall and wants to sue for millions of dollars.

As far as I know, no card holder has ever had to pay for fraudulent use of a credit card or credit card number. Also, as far as I know nobody ever in the US has been charged with any crime using a credit card or credit card number in a fraudulent manner. Heck, I had a card stolen from a relative's house and the police refused to pursue it even when we knew who had the card and they were trying to buy stuff with it.

Couple this with the fact that you can sell credit card info for about $0.50 each today and you can see where this goes. I am not sure if the situation is the same in other countries - clearly with debit cards it is not - but the situation in the US is very much like the justification for bank robbery - you aren't stealing anything except some insurance money. And if insurance companies didn't have to pay out once in a while nobody would buy the insurance. So it is a win-win for everyone.

Re:Anyone surprised? (1)

Kotoku (1531373) | more than 2 years ago | (#40397685)

It is pretty easy to get an empty pre-paid credit card and clone the mag strip of the card data you just swiped. So the data is indeed pretty valuable for in person purchases.

Re:Anyone surprised? (2)

AuMatar (183847) | more than 2 years ago | (#40397765)

I received a new credit card about two years ago, my old one expired. 3 months ago, a website denied my card. After a few double checks, I found out the problem. The new card had the same number, but a different code. The code I had entered was the one from the old card, 2 years old. Every single place until then I had tried it at had accepted the old code, for two years.

Oh, and many places, including most pay by phones and about 1/3-1/2 of websites I go to don't ask for it. So not only do you not need it to bilk someone, but you don't even need the right one most of the time. I'm not even convinced that a random 3 digits wouldn't work for most of them if a 2 year old code did.

I confirm this in another response (4, Informative)

SmallFurryCreature (593017) | more than 2 years ago | (#40397963)

I can vouch that this is true, have had to implement it like this myself. It is often marked as required but never actually checked.

Three reasons. First, the web master is afraid of putting up any hurdles to a purchase.

During testing, the CVC check is often disabled, so its proper functioning can only be tested on a live account.

And lastly not every card has it and so the idea exists with web shop owners that if they enforce it, they might lose X% of customers.

IF you happily filled in your number correctly for years, that is no proof it was ever checked. Welcome to online purchasing!

Disaster waiting to happen (0)

noh8rz3 (2593935) | more than 2 years ago | (#40397525)

This was a disaster waiting to happen. Google tried to go from 0 to 60 in their android development, and did not properly consider the ramifications of their design decisions. Now we have
1) an insecure OS that provides all sorts of information to any app
2) unfiltered app stores that allow any malware to be posted and purchased
3) poorly designed NFC system.

As a result, ALL NFC systems are less safe thanks to these android design decisions. Way to go, Goog.

Re:Disaster waiting to happen (2)

oPless (63249) | more than 2 years ago | (#40397629)

So I can buy an NFC reader for $60ish and connect it to my computer and read the cards that way instead?

The problem is with the protocol, not the hardware.

Re:Disaster waiting to happen (1)

Dog-Cow (21281) | more than 2 years ago | (#40397669)

I suppose the fact that this article is not related to anything you mentioned matters at all to you. It does show everyone who reads your comment that you are an idiot, though.

Re:Disaster waiting to happen (0)

Anonymous Coward | more than 2 years ago | (#40397673)

lol, what a stupid comment. Even the article's subject specifically says it's taking info from OTHER contactless credit cards, and not Google Wallet (which is off by default, and cannot be used without user entering a PIN).

Basically, it's just pointing out that any NFC reader can read NFC data. There are a few youtube videos pointing out that the wave-without-user-input cards are inherently insecure and can be skimmed from several meters' distance.

This app just shows you how bad it is.

Re:Disaster waiting to happen (0, Insightful)

Anonymous Coward | more than 2 years ago | (#40397711)

Why is this modded down? It's all 100% true! I'm not advocating for Apple-extremeness, but Google needs to police its app store at least to some extent.

Re:Disaster waiting to happen (1)

Anonymous Coward | more than 2 years ago | (#40398177)

Probably because it's a troll, incorrect and off topic.

Re:Anyone surprised? (1)

Hentes (2461350) | more than 2 years ago | (#40397549)

Except if they use secure encryption, it's not magic.

Re:Anyone surprised? (2)

dyingtolive (1393037) | more than 2 years ago | (#40397679)

The problem with that is that you have no guarantee they do, short of getting one of these cards and doing this yourself to see just how the data is encoded.

Re:Anyone surprised? (1)

dav1dc (2662425) | more than 2 years ago | (#40397693)

Is it just me, or is NFC technology not quite near enough to be secure?!?! :S

Re:Anyone surprised? (3, Insightful)

Thanshin (1188877) | more than 2 years ago | (#40397697)

Yes. Pleasantly surprised.

It proves that the Android app store is not strongly censored.

Re:Anyone surprised? (1)

fluffythedestroyer (2586259) | more than 2 years ago | (#40397913)

Even with wired devices, you're not safe anymore. Look here [securitytube.net] for the info...it's really scary stuff now.

Re:Anyone surprised? (1)

dyingtolive (1393037) | more than 2 years ago | (#40398025)

Very similar to Van Eck phreaking. Scary that they pulled it off with a keyboard, and at such range.

Check this [wikipedia.org]

Re:Anyone surprised? (3, Interesting)

L4t3r4lu5 (1216702) | more than 2 years ago | (#40397939)

Are contactless cards shipped in Faraday cage envelopes? If not, can the card numbers be lifted before the card reaches the recipient?

Re:Anyone surprised? (0)

Anonymous Coward | more than 2 years ago | (#40398399)

Yes it can.
They won't be able to use it until you "activate" your card.
But if they wait a month or two, there are strong chances that the CC number/expiration combo will be valid.

I like olde phones (-1)

Anonymous Coward | more than 2 years ago | (#40397417)

A Microsoft employee hid a folder in the Windows 95 operating system that slows down the computer by 32x. This man is called Cameron Jackdowns, and he has a PhD in Computer Sciences from Oxford. He is also known to be a bit of a joker.
After adding this folder, which contains junk files that look important so that it looked inconspicuous to the people who were testing Windows 95 in order to use up space, he added a file that slows down and surveys on the computer. “Explorer.exe” is the name of the file. What Explorer does is it “explores” your system and uploads a list of files that are on your computer, as well as Internet history, to Microsoft's secret base for analysis. It also slows down the machine by 32 times. Although, when you open it, it opens up a “file explorer”, to hide the file's true purpose.
After the launch of Windows 95, the developers had a party in a premium club, all paid for by Bill Gates and Steve Ballmer. Cameron took way too much alcohol and ended up drunk and manipulatable. People heard him mumble the words, “System32 is a fake. It slows... down... the machine...”.
Shock and disgust filled the room, but that's just because Cameron vomited on everyone after speaking.
After word spread about this folder, there was a large meeting at Microsoft's headquarters. Bill Gates, Steve Ballmer, developers, and engineers were glaring at Cameron Jackdowns. Bill Gates broke the silence like a sledgehammer to glass. “So, explain why you did this...”, with Steve Ballmer finishing his sentence as if they shared a mind, “...and tell us why. Because this is genius!”. Cameron seemed confused, yet still terrified for his own job. He stumbled over his words. “W... wait, what!?”.
Bill and Steve then explained about their new idea about an expensive piece of software ($299) that sped up the system just by deleting the folder. The software was called SpeedoPC and was cancelled at the last minute due to a lawsuit from Speedo, as Microsoft used their trademark.
After the word came out (it came out in the lawsuit), many people deleted their System32 folder, and only the trolls say it breaks the computer. Well, either the trolls or people who deleted the wrong folder and blamed System32. Many top companies' main work computers no longer have System32 and are now as powerful as the higher end machine, even though they are less powerful specification-wise.
So, delete System32 and everything will run amazingly fast.

Re:I like olde phones (1)

dyingtolive (1393037) | more than 2 years ago | (#40397505)

What I don't even....

Re:I like olde phones (1)

ColdWetDog (752185) | more than 2 years ago | (#40397557)

That's right, you didn't.

Re:I like olde phones (1)

Anonymous Coward | more than 2 years ago | (#40398289)

Just in case:
Parent is already modded down as troll, but just in case anyone really daft reads it:
Do not attempt to delete system32 from your Windows system. I'm not sure if it will even succeed but if it does it will leave your system unbootable.

It was only a matter of time (3, Interesting)

Quick Reply (688867) | more than 2 years ago | (#40397445)

I mean really, how idiotic do these companies need to be to make a system where the full Credit Card information is TRANSMITTED over the air with no authentication. Even a token would be more acceptable.

The Credit Card system is quite happy to take a loss on all the money they have to pay back with protection guarantees when consumers get scammed, instead of actually tackling the problem by inventing a SECURE SYSTEM that is impervious to skimming methods.

This app does not add any additional functionality that scammers don't already have, but a good highlight of how damn simple it is to do, while Mastercard/Visa and the financial institutions who use them do nothing.

Re:It was only a matter of time (1)

lucaq (208803) | more than 2 years ago | (#40397499)

It is a token of sorts, the CVV code is one-time use and I think the card gets flagged if the tokens get authorized out of order.

Re:It was only a matter of time (1)

Anonymous Coward | more than 2 years ago | (#40397571)

The amount of times my contactless mastercard doesn't work recently makes me wonder.

Usually what I'll do is take the card out, wave it to the paypass terminal, it may fail, I'll try again, it will fail, then give up and use the chip+pin

In nearly every situation where it fails, it's always after several days have gone past. But when it works consecutively, it's always when I use it at several stores in a row. The interesting thing is that if I go to the same store on consecutive days, without any other store in between, it doesn't work.

Or maybe Westfair foods just has broken equipment. The card itself has quite a bit of use, to the point where the plastic is actually peeling.

Captcha : Contacts

Re:It was only a matter of time (2)

Joce640k (829181) | more than 2 years ago | (#40397843)

It is a token of sorts, the CVV code is one-time use

Is that why they print it permanently on the card?

Re:It was only a matter of time (1)

lucaq (208803) | more than 2 years ago | (#40398037)

from http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

"At the Shmoocon hacker conference, Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.)"

Re:It was only a matter of time (0)

Anonymous Coward | more than 2 years ago | (#40397575)

Forget the need for secure systems and consumer protection. These credit cards are treated as insurance plans and they don't even investigate real crimes or report anything to the police.

I had a credit card that I used only to buy gas. Needless to say it's easy to see where I am if you look up where I have made purchases. I got a call from the company saying my card was being used all around a large city taking out $60 at gas stations while I was currently driving home. I had only used my credit card at 3 gas stations, only one of which was near the city in question. They told me they wouldn't look into it and would just refund my money. Doesn't that seem a little suspect? Given how easy it would have been to locate where it happened and presumably all these places have cameras seeing as they are gas stations? Free market...

Re:It was only a matter of time (2)

Shoten (260439) | more than 2 years ago | (#40397579)

There is authentication, it's just not done by a computer. Do you hand your credit cards out to people at random? Pass them around in a club for everyone to play with, regardless of whether you know them or not? Of course not...and why not? Because the simple act of doing so authorizes them to access the information on the card. Looking at it will give them your name on the card, the number, expiry date and CVV number on the back. With a $40 device, they can get the read direct off the magnetic strip as well [givemebackmycredit.com] (which is the exact same vulnerability as this). So I really don't see what the big deal is here. It's just skimming [wikipedia.org] , using a new kind of reader.

Re:It was only a matter of time (3, Insightful)

AuMatar (183847) | more than 2 years ago | (#40397805)

It's the ease with which it's done, and the fact that physical security is no longer enough. If the card isn't NFC capable, you have to physically hand the card to someone. With an NFC reader, bumping up against them in a crowded club/street may be enough. I can protect against handing my card to people who don't have a legit reason for it, and I can prevent it leaving my sight when not at home. I'm not capable of preventing anyone who wants to from brushing against me. So yes, this is a big deal.

Re:It was only a matter of time (0)

Anonymous Coward | more than 2 years ago | (#40398321)

I agree with your point. To further it, we need Faraday cage wallets. Assuming we had them (and used them) I think this would become a non-issue.

Re:It was only a matter of time (4, Insightful)

Joce640k (829181) | more than 2 years ago | (#40397831)

You contradict yourself.

It's skimming while the card is still in your pocket. It's exactly the same as handing your card to random people for them to play with.

Re:It was only a matter of time (0)

Anonymous Coward | more than 2 years ago | (#40398415)

Here's the thing. When I hand my card to the waitress at the restaurant, there is a possibility that she could skim it. But, I am aware of where and when I surrendered my card to someone else. Even if I forget, there will be a legitimate transaction on my statement for my lunch, so I know that this is a possible source of the breach and I can backtrack if I need to or provide the information to the local police.

With NFC, I can have my card skimmed at any time, anywhere by anyone. I may never remove my card from my pocket or hand it to anyone, but still have it skimmed repeatedly, simply because I walked down the street. When this happens, I have no way of knowing who/where/when I was skimmed. I have no ability to backtrack and find the perpetrator. I am completely at the mercy of the credit card company to handle the matter if they choose to and in their sweet time. I cannot call my local police and get a detective on the case because I have precisely nothing for them to go on.

Re:It was only a matter of time (2)

forand (530402) | more than 2 years ago | (#40397713)

I think you have one major flaw with your conclusions: Credit Card processing companies have absolutely no reason to make their systems secure if there are any costs associated with it. The main reason for this is that they pass all the liability onto the retailer. Their goal is to provide the most convenient method to pay a bill on the part of the card holder. Until there is a disruption in this market they will continue to ignore security and pass the costs onto the retailer.

Re:It was only a matter of time (1)

bradley13 (1118935) | more than 2 years ago | (#40398051)

I give occasional help to a retailer (in Europe, if it matters). The hoops the credit-card companies make them jump through are pretty amazing. Example: they have a simple web-shop with a web-form that allows the customer to enter credit-card info. This info stays online in the MySQL database for a short period of time, until their little ERP system sees it, downloads it and deletes it. In more than 10 years using this system, they have never had a problem.

Nonetheless, the credit-card companies want them to pay for a quarterly "network penetration test" on their website, and to provide detailed technical information on the website set-up. Since their web-site is hosted by a big ISP, they have no access to the necessary technical info, and the ISP doesn't really want network penetration tests pounding on their infrastructure all the time. This is a mess.

Bottom line: Having a couple of strings of unchanging numbers should not enable *any* financial transaction. The security problems are on the side of the credit cards. Given how poorly the credit-card companies treat merchants, I don't understand why no other online payment service has been able to get a bigger foothold. Probably backroom collusion amongst the big banks, to strangle any other solution in the cradle.

Re:It was only a matter of time (1)

mapkinase (958129) | more than 2 years ago | (#40398115)

It's not that bad, some type of cards are more protected:

http://en.wikipedia.org/wiki/Contactless_smart_card#Contactless_bank_cards [wikipedia.org]

Contactless MSD cards are similar to magnetic stripe cards in terms of the data they share across the contactless interface. They are only distributed in the USA. Payment occurs in a similar fashion to mag-stripe, without a PIN and often in off-line mode (depending on parameters of the terminal). The security level of such a transaction is better than a mag-stripe card, as the chip cryptographically generates a code which can be verified by the card issuer's systems.

Re:It was only a matter of time (1)

h4rr4r (612664) | more than 2 years ago | (#40398397)

You don't need a secure system at all. Credit card numbers should be near worthless. They should require something held and something known.

Even that can be skipped if all purchases must be authorized by the purchaser via a website or text message. You give your CC number, you get txt or website login, that then gives you a chance to approve or deny.

Funny... (0)

Anonymous Coward | more than 2 years ago | (#40397465)

Most of these contact less cards, etc. are found in Europe, where the majority of credit cards are stolen.

Good ol' US still uses the crappy magnetic strips. Sure they are just as easy to clone, but only through contact with a skimmer.

Re:Funny... (2)

Stavr0 (35032) | more than 2 years ago | (#40397527)

Nope. Contact-less is a US thing. Europe uses chip and PIN.

Re:Funny... (0)

Anonymous Coward | more than 2 years ago | (#40397563)

RFIDs are coming out in cards over there as I have one. Banks in the US are no longer issuing contact-less payments to consumers.

Re:Funny... (1)

Kangburra (911213) | more than 2 years ago | (#40397565)

We have it here in Australia, not happy about it, the new cards have it included for our convenience! lol

Re:Funny... (0)

Anonymous Coward | more than 2 years ago | (#40397647)

Here in Canada, we have both. My American GF only has mag stripe and no contactless or chip.

Re:Funny... (1)

oPless (63249) | more than 2 years ago | (#40397657)

Hi, I'm in the UK; we have contactless cards here.

Last time I checked the UK was a founder of the EU and in Europe ;-)

Re:Funny... (1)

Teun (17872) | more than 2 years ago | (#40398049)

Last time I checked the UK was a founder of the EU and in Europe ;-)

I see the smiley but am intrigued by your claim the UK was a founder of the EU...

http://en.wikipedia.org/wiki/History_of_the_European_Union [wikipedia.org]

As a matter of fact the UK has so many exemptions to the otherwise general rules of the EU that it's even a bit of a stretch to call them a full member right now.

Re:Funny... (1)

yakumo.unr (833476) | more than 2 years ago | (#40397791)

Barclays made a big thing about introducing this in the UK with the advert with a guy sliding down a near endless water slide buying things as he went.
I was livid as soon as I saw it, I had less than zero faith in its security, I did NOT want it on my cards.

Even back then I realised it meant a stolen card was instantly usable even if only for the small daily limit before it was reported, I still did not want it. But over the air cloning was what I was expecting.

Re:Funny... (1)

dwightk (415372) | more than 2 years ago | (#40398067)

RTFA Germany uses contact-less

Re:Funny... (1)

lucaq (208803) | more than 2 years ago | (#40397577)

Mastercard PayPass (Visa's equal is PayWave) is a pretty common card in the US now. Europe uses EMV (AKA chip and pin) and I have never seen a contactless card in Europe, only the USA (FWIW, PayWave and PayPass are EMV compatible). So it has been demonstrated in the wild that you can skim these contact-less cards and then make a clone mag-stripe card, but it is only good for one transaction since the CVV code changes on the contact-less card with each transmission whereas the mag-stripe has it static. Not only that but you would have to use the mag-stripe before the next contact-less card transaction for it to be successfully authorized and I *believe* that even if you did, the next time that the card holder tried to use the card it would get rejected and flag the card. The industry doesn't try and make fraud-proof products, they try and balance usability with mitigating controls.
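The mechanism that mapkinase's Wikipedia quote and lucaq's comment are both describing is a per-tap dynamic card code bound to a monotonically increasing transaction counter, which the issuer checks. Below is an added simulation of that issuer-side check; it is not code from the app in the article or from any card scheme. The key derivation, the HMAC-SHA256 truncation to three digits, and the omission of the terminal unpredictable number are all simplifications assumed for illustration (real EMV contactless uses card-specific 3DES/AES keys and a terminal-supplied nonce). The scenario functions replay a skimmed read before and after a legitimate purchase to show the one-transaction window lucaq mentions.

```python
import hmac
import hashlib
from dataclasses import dataclass, field


def dynamic_cvc(key: bytes, pan: str, expiry: str, atc: int) -> str:
    """Assumed toy construction: 3-digit code = truncated HMAC over PAN|expiry|ATC.

    Real cards use issuer-derived symmetric keys and include a terminal
    unpredictable number; this stand-in only preserves the property that
    the code changes every tap and is verifiable by whoever holds the key."""
    msg = f"{pan}|{expiry}|{atc:05d}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:2], 'big') % 1000:03d}"


@dataclass
class ContactlessCard:
    pan: str
    expiry: str
    key: bytes          # card-unique key, shared only with the issuer
    atc: int = 0        # application transaction counter, increments per tap

    def tap(self) -> dict:
        """What any reader (a till or a skimming phone) obtains from one tap."""
        self.atc += 1
        return {"pan": self.pan, "expiry": self.expiry, "atc": self.atc,
                "cvc": dynamic_cvc(self.key, self.pan, self.expiry, self.atc)}


@dataclass
class Issuer:
    keys: dict                                   # pan -> card key
    last_atc: dict = field(default_factory=dict) # pan -> highest ATC seen

    def authorize(self, track: dict) -> str:
        key = self.keys.get(track["pan"])
        if key is None:
            return "DECLINE: unknown PAN"
        expected = dynamic_cvc(key, track["pan"], track["expiry"], track["atc"])
        if not hmac.compare_digest(expected, track["cvc"]):
            return "DECLINE: bad CVC"
        # A counter at or below the last approved one is a replay of old data.
        if track["atc"] <= self.last_atc.get(track["pan"], 0):
            return "DECLINE: replayed ATC"
        self.last_atc[track["pan"]] = track["atc"]
        return "APPROVE"


def _setup():
    # Constructed sample card; the PAN is a test number, not a real account.
    card = ContactlessCard("5413330089010434", "1214", b"card-key-0001")
    issuer = Issuer(keys={card.pan: card.key})
    return card, issuer


def scenario_replay_after_legit_purchase() -> list:
    """Skimmer taps first, cardholder then shops, skimmer replays afterwards."""
    card, issuer = _setup()
    skimmed = card.tap()                       # walk-by read, ATC = 1
    results = [issuer.authorize(card.tap())]   # genuine purchase, ATC = 2
    results.append(issuer.authorize(skimmed))  # cloned mag-stripe, ATC = 1
    return results


def scenario_replay_before_legit_purchase() -> list:
    """Skimmer replays immediately; the window closes after one use."""
    card, issuer = _setup()
    skimmed = card.tap()
    results = [issuer.authorize(skimmed),      # first replay slips through
               issuer.authorize(skimmed)]      # second replay is a duplicate ATC
    results.append(issuer.authorize(card.tap()))  # cardholder still works (ATC 2)
    return results


def scenario_tampered_code() -> str:
    """Static-CVV style guess without the key fails the MAC check."""
    card, issuer = _setup()
    track = card.tap()
    forged = dict(track, cvc="000" if track["cvc"] != "000" else "001")
    return issuer.authorize(forged)


if __name__ == "__main__":
    print(scenario_replay_after_legit_purchase())
    print(scenario_replay_before_legit_purchase())
    print(scenario_tampered_code())
```

The check worth noting is the ATC comparison: the cryptographic code alone only proves the data came from the real card, which a walk-by read also satisfies; it is the counter that limits a skimmed record to a single use and only until the cardholder's next tap. Whether an issuer also flags the account when it sees a stale counter, as lucaq believes, is an issuer policy decision, not something this simulation can show.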

Re:Funny... (1)

Thanshin (1188877) | more than 2 years ago | (#40397603)

Most of these contact less cards, etc. are found in Europe, where the majority of credit cards are stolen.

Good ol' US still uses the crappy magnetic strips. Sure they are just as easy to clone, but only through contact with a skimmer.

Are you sure they're not exclusively used in America?

The word 'Steal' is not very appropriate here... (0)

Anonymous Coward | more than 2 years ago | (#40397491)

Would it be theft if someone wore a t-shirt with their social security number printed on it in big numbers, and I were to make note of that?

Re:The word 'Steal' is not very appropriate here.. (0)

fluffythedestroyer (2586259) | more than 2 years ago | (#40397807)

It's not the same thing, your comparison doesn't hold up to this situation. Unfortunately, those companies are aware of this sort of security hole and they don't take enough measures to fix it. Simple problems to fix really. Unfortunately, the android app dev didn't talk to the proper people to get heard and be able to fix the problem. Nope! Instead he decides to create an app, make it public and put in jeopardy thousands of people including sensitive info. I hope the dev gets arrested. I seriously don't get this kind of action.... I think I never will

Re:The word 'Steal' is not very appropriate here.. (1)

squiggleslash (241428) | more than 2 years ago | (#40397967)

OK, but what if I made a note of someone's VIN code and then used it to clone their car? Would that be stealing?

Wait, can you clone a car from a VIN code? Does that even make sense to begin with? DAMN THESE CAR ANALOGIES!

Let's try again - OK, suppose you have a series of cars, like, red, green, brown, etc, and then you make a note of the ones that pass you, and... no, this isn't working either.

So you're following a car, and you happen to crash into the back, launching yourself through your windshield and through the back window of the car you were following, landing on the backseat. There, you notice someone's handbag, and you quickly pull out your Android phone and scan the card. Would that be stealing? Hmmm? Hmmmmmmm?

Re:The word 'Steal' is not very appropriate here.. (1)

Impy the Impiuos Imp (442658) | more than 2 years ago | (#40398279)

No, but if you then fraudulently misused the info, aye, there's the rub.

For most people, you wouldn't need encryption or security. You wouldn't need locks on doors or keys for cars. It's because there are lousy jackasses out there that these things are needed.

Bye-bye, RFID (0)

Anonymous Coward | more than 2 years ago | (#40397511)

When I receive a new card that has an RFID tag in it, I simply drill a hole through the tag. Problem solved.

I've proved who I am so many times,
The magnetic strip's worn thin.
And each time I was someone else,
And everyone was taken in.
- Pacing the Cage, Bruce Cockburn

Valid use (1)

hawicz (449905) | more than 2 years ago | (#40397529)

This sounds like exactly what you'd need if you wanted to do something like accept card payments using your phone, similar to the iPhone credit card adapter. Same tech, different color hat.

Re:Valid use (0)

Anonymous Coward | more than 2 years ago | (#40397675)

1. Accept payment using phone
2. Store payment credentials for future use
3. Replay payment details while at the store buying something
4. Profit!!!!!
5. ....??

Take that Apple fanbois! (0)

Anonymous Coward | more than 2 years ago | (#40397623)

You won't find this app in the App Store! Heck, you can't even read this data from an iPhone!

Re:Take that Apple fanbois! (0)

Anonymous Coward | more than 2 years ago | (#40397887)

Just wait for iPhone 5, it'll probably have NFC.

You'd have to go to Cydia or some other app store for the app, though.

Wow, there is an app for that (1)

AbrasiveCat (999190) | more than 2 years ago | (#40397699)

I am behind the times! Apple will be jealous! Can it read through my tin wallet?

I wonder what the range is, which I realize it is a function of the phone, but a ball park. Are we talking 10 cm, 50 cm, 1 m?

Re:Wow, there is an app for that (1)

Russ1642 (1087959) | more than 2 years ago | (#40397897)

I have a steel business card case that I use as a wallet since I hardly ever carry cash anymore. All of the card readers I've used at various buildings will read my door pass (RFID?) right through the case as long as I hold it a little closer to the reader.

Sort of works... (0)

Anonymous Coward | more than 2 years ago | (#40397759)

I tried it on my PayPass enabled MasterCard and all it got was the NFC ID - 09 08 CC AD. Doesn't seem very useful.

My wife can do better (1)

fluffythedestroyer (2586259) | more than 2 years ago | (#40397775)

She can siphon my credit card better than those stupid android app. All she needs is my wallet...fucking bitch

Re:My wife can do better (0, Troll)

Anonymous Coward | more than 2 years ago | (#40398125)

Your wife siphons my nutz good too. OWNED SCRUB.

card in a balloon in my rectum (0)

Anonymous Coward | more than 2 years ago | (#40397797)

if i carry my card inside a balloon in my rectum, will this protect it?

Re:card in a balloon in my rectum (1)

fluffythedestroyer (2586259) | more than 2 years ago | (#40397817)

Give me a powerful scanner and I'll scan your asshole lol

It could be so much better. (1)

Bocaj (84920) | more than 2 years ago | (#40397845)

With NFC phones you could make an almost crack proof system. Since the phone has a second line of communication it could use NFC to generate an encrypted transaction with the merchant terminal and then use its cellular connection to verify that transaction with the bank, and at last the merchant terminal would use its network connection to the bank to finalize that transaction. Yes that means both devices need a working network connection to make the transaction work, but it would be super secure since there would be no CC number. Each transaction would be unique and unrepeatable. The bank would get verification from both the merchant and the customer for each transaction.
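Bocaj's two-channel design (and h4rr4r's earlier suggestion that the purchaser confirm each transaction out of band) can be sketched as a small protocol. The following is an added example, not part of the post and not any real payment scheme: the phone and the terminal agree on a transaction record over NFC, the phone authenticates it with a device key the bank provisioned, each party then sends its own leg to the bank over its own network link, and the bank approves only when both legs arrive, both MACs verify, and the nonce has not been used before. The device and terminal keys, the JSON record layout, and the customer token standing in for a card number are all assumptions for this illustration.

```python
import hmac
import hashlib
import json


def tag(key: bytes, record: dict) -> str:
    """MAC over a canonical JSON serialisation so both sides MAC identical bytes."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def phone_accept_offer(customer_token: str, device_key: bytes, offer: dict, nonce: str):
    """NFC leg: the phone binds the merchant's offer to a customer token and nonce.
    No card number is present; the token is only meaningful to the bank."""
    tx = {"customer": customer_token, "merchant": offer["merchant"],
          "amount": offer["amount"], "currency": offer["currency"], "nonce": nonce}
    return tx, tag(device_key, tx)


class Bank:
    def __init__(self, customer_keys: dict, merchant_keys: dict):
        self.customer_keys = customer_keys   # customer token -> provisioned device key
        self.merchant_keys = merchant_keys   # merchant id -> terminal key
        self.pending = {}                    # nonce -> first leg received
        self.settled = set()                 # nonces already approved

    def submit(self, side: str, tx: dict, phone_tag: str, merchant_tag: str = "") -> str:
        nonce = tx["nonce"]
        if nonce in self.settled:
            return "DECLINE: nonce already used"
        ckey = self.customer_keys.get(tx["customer"])
        if ckey is None or not hmac.compare_digest(tag(ckey, tx), phone_tag):
            return "DECLINE: bad customer MAC"       # record altered or token unknown
        if side == "merchant":
            mkey = self.merchant_keys.get(tx["merchant"])
            if mkey is None or not hmac.compare_digest(tag(mkey, tx), merchant_tag):
                return "DECLINE: bad merchant MAC"   # not submitted by a real terminal
        other = self.pending.get(nonce)
        if other is None:
            self.pending[nonce] = (side, tx)
            return "PENDING"                         # wait for the second channel
        if other[0] == side or other[1] != tx:
            self.pending.pop(nonce)
            return "DECLINE: legs disagree"
        self.pending.pop(nonce)
        self.settled.add(nonce)
        return "APPROVE"


# Constructed sample keys and identifiers for the scenarios below.
DEVICE_KEY = b"phone-device-key-01"
TERMINAL_KEY = b"merchant-terminal-key-77"
CUSTOMER = "tok_7f3a"
OFFER = {"merchant": "shop-77", "amount": "12.50", "currency": "USD"}


def _bank():
    return Bank({CUSTOMER: DEVICE_KEY}, {OFFER["merchant"]: TERMINAL_KEY})


def scenario_honest_purchase() -> list:
    bank = _bank()
    tx, ptag = phone_accept_offer(CUSTOMER, DEVICE_KEY, OFFER, "n-1001")
    merchant_leg = bank.submit("merchant", tx, ptag, tag(TERMINAL_KEY, tx))
    customer_leg = bank.submit("customer", tx, ptag)
    replay = bank.submit("merchant", tx, ptag, tag(TERMINAL_KEY, tx))
    return [merchant_leg, customer_leg, replay]


def scenario_merchant_inflates_amount() -> str:
    """Terminal rewrites the amount after the NFC exchange; phone MAC no longer matches."""
    bank = _bank()
    tx, ptag = phone_accept_offer(CUSTOMER, DEVICE_KEY, OFFER, "n-1002")
    inflated = dict(tx, amount="1250.00")
    return bank.submit("merchant", inflated, ptag, tag(TERMINAL_KEY, inflated))


def scenario_eavesdropper_replays_nfc() -> str:
    """Someone who captured the NFC exchange lacks both the terminal key and the
    phone's cellular leg, so the captured record is useless on its own."""
    bank = _bank()
    tx, ptag = phone_accept_offer(CUSTOMER, DEVICE_KEY, OFFER, "n-1003")
    return bank.submit("merchant", tx, ptag, tag(b"guessed-key", tx))


if __name__ == "__main__":
    print(scenario_honest_purchase())
    print(scenario_merchant_inflates_amount())
    print(scenario_eavesdropper_replays_nfc())
```

The point the simulation makes concrete is that nothing long-lived and replayable crosses the NFC link: the record is bound to a nonce, the merchant cannot change it without breaking the phone's MAC, and a bystander who reads the exchange gets neither a card number nor anything the bank will honour without the second leg. The cost, as Bocaj notes, is that both the phone and the terminal must be online for the purchase to complete.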

Hate broadcasting CC (4, Interesting)

AwesomeMcgee (2437070) | more than 2 years ago | (#40397851)

I am so mad that every one of my CC's/Debit cards that has expired has been replaced by the banks with ones that do this broadcasting shit. Has anyone been able to get them to replace with one that doesn't do this shit? There's absolutely no reason I would want my CC to broadcast its info for devices to read, and swiping the thing is just as easy as passing it over an NFC device.

Or perhaps can anyone name a national bank who has allowed them to get a debit card that doesn't do this?

Re:Hate broadcasting CC (-1)

Anonymous Coward | more than 2 years ago | (#40398165)

RFID Blocking Wallet
https://www.thinkgeek.com/tshirts-apparel/accessories/8cdd/?srp=1 [thinkgeek.com]

RFID Blocking Passport Billfold
https://www.thinkgeek.com/gadgets/security/910f/?srp=2 [thinkgeek.com]

Stainless Steel RFID Blocking Passport Sleeve
https://www.thinkgeek.com/tshirts-apparel/accessories/a7a2/?srp=4 [thinkgeek.com]

That's Unpossible (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40398271)

The NFC card proponents and credit card companies said that this could not happen.

They said that the data was encrypted and virtually impervious to interception.

They said we could trust them.

They said that the people saying otherwise were clueless Chicken Littles.

Obviously this app is the product of highly sophisticated terrorists, or possibly an enemy state. /s

So... (1)

Nemyst (1383049) | more than 2 years ago | (#40398299)

Does anyone know of a good credit card... "sleeve" that shields EM radiation? Ideally something you can put the card into that can fit in your usual wallet and which is still fairly easy to remove for when you do need to use it.
