Smartphone Used To Scan Data From Chip-Enabled Credit Cards

Soulskill posted about a year and a half ago | from the insufficient-forethought dept.

Cellphones 236

An anonymous reader sends this news from the CBC: "Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."

236 comments

http://www.linuxadvocates.com/p/support.html (-1)

Anonymous Coward | about a year and a half ago | (#43539501)

Dear Linux Advocate,

Money doesn't grow on trees. And, Linux Advocates is growing. Naturally, we anticipate operating costs and hope to be able to meet them.

But, any amount you feel you are able to donate in support of our ongoing work will be most surely appreciated and put to very good use. Your contributions keep Linux Advocates growing.

Show your support by making a donation today.

Thank you.

Dieter T. Schmitz
Linux Advocates, Owner

http://www.linuxadvocates.com/p/support.html [linuxadvocates.com]

What are we going to call this? (0)

Anonymous Coward | about a year and a half ago | (#43539507)

I propose warstriding.

Re:What are we going to call this? (4, Funny)

GameboyRMH (1153867) | about a year and a half ago | (#43539611)

I'm pretty sure I proposed "cardsnarfing" many years ago, trying to find the post now...

Re:What are we going to call this? (5, Interesting)

compro01 (777531) | about a year and a half ago | (#43539675)

Given how close you need to get to do this, more like wargrinding.

Testing with my GS3 and Interac Flash-enabled debit card, the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.

Re:What are we going to call this? (2)

Nerdfest (867930) | about a year and a half ago | (#43539777)

Same with a Nexus 4. Even a thick case causes problems. I'd actually like to have a bit more range for reading NFC tags.

Re:What are we going to call this? (2, Funny)

fahrbot-bot (874524) | about a year and a half ago | (#43539919)

the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.

Typical real-world vs. "guy" measurement. (right girls?)

Re:What are we going to call this? (0)

Anonymous Coward | about a year and a half ago | (#43539933)

How fast does it read the card?

"Gotta get skin-close and hold for a second or two" isn't quite usable for skimming. ... Unless you walk with "FREE HUGS" sign. Where can I get a suit with several NFC readers sewn in?

Re:What are we going to call this? (5, Informative)

compro01 (777531) | about a year and a half ago | (#43540087)

How fast does it read the card?

Using the TagInfo app from NXP (Who apparently made the NFC chip in my card), takes about 1.5 seconds to read it.

Re:What are we going to call this? (3, Informative)

Andy Dodd (701) | about a year and a half ago | (#43540119)

Yeah, and the FUD comment that "omg phones MIGHT have greatly increased NFC range in the future" is bullshit.

Increasing range would require:
1) More power (eats battery)
2) More antenna surface area. To get a range of about 6-10 inches, you need an antenna that is more than a foot on each side. (I need to hold my badge within 6-10 inches of the reader when badging into the largest readers at my workplace - which are over a foot in both width and height.) Oh yeah, that's with a fixed reader that has all the power it could ever want.

Almost useless (0)

Anonymous Coward | about a year and a half ago | (#43539527)

Without the CVV (verification code) you cannot do anything useful...

Re:Almost useless (5, Informative)

Anonymous Coward | about a year and a half ago | (#43539565)

Without the CVV (verification code) you cannot do anything useful...

Bullshit. It will allow you to clone the card and make "swipe" based purchases. You can also use any online or phone retailer who doesn't ask for the CVV, and many of them don't ask.

Re:Almost useless (1)

Anonymous Coward | about a year and a half ago | (#43539617)

Seriously, didn't anyone see this coming? "Swipe" the card and bam -- the purchase is done. How can that be considered secure? No signature, no PIN, no CVV, nothing; just pass it, and it's done. How the fuck was this even considered for adoption? Now, what everybody with half a brain imagined is happening.

Re:Almost useless (5, Funny)

GameboyRMH (1153867) | about a year and a half ago | (#43539657)

The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.

Re:Almost useless (4, Interesting)

click2005 (921437) | about a year and a half ago | (#43539759)

They do however employ very good lawyers and lobbyists who probably ensure that any liability ends with the consumer or the store not them.

Re:Almost useless (1)

thomasw_lrd (1203850) | about a year and a half ago | (#43540347)

I was gonna suggest lawyers and lobbyists that ensure the government picks up the liability.

That way the consumer's still happy, and keeps using the card, no matter how many times it gets stolen.

Re:Almost useless (0)

Anonymous Coward | about a year and a half ago | (#43539805)

Just like the IT staffers are morons who wouldn't know how to run a successful business from their own asshole. Really, it's that simple. Fuck convenience, usability, and all that other crap customers want! I KNOW that SECURITY is the most important thing.

Re:Almost useless (4, Funny)

Doug Otto (2821601) | about a year and a half ago | (#43539903)

Says the AC running a business from his/her own asshole.....

Re:Almost useless (1)

Cenan (1892902) | about a year and a half ago | (#43539907)

Of the three, only lack of security can bleed a company dry of funds in milliseconds.

Re:Almost useless (1)

Minwee (522556) | about a year and a half ago | (#43540429)

Just like the IT staffers are morons who wouldn't know how to run a successful business from their own asshole. Really, it's that simple. Fuck convenience, usability, and all that other crap customers want! I KNOW that SECURITY is the most important thing.

And that's how you just bought someone who stood next to you on the subway a couple of new iPhones.

Wasn't that convenient?

Re:Almost useless (4, Informative)

realityimpaired (1668397) | about a year and a half ago | (#43539921)

The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.

Yes and no... a few years ago when I got my first RFID card from Mastercard, I had to threaten to cancel the card if they didn't send me one without it. Two years later, when I got one from Visa, it was a 5 minute phone call and the new card (minus RFID) was in my inbox 3 days later.

That says it all, I think. And TFA says that I was right, and I will be quite smug all day about it. ;) (and will continue to insist on having cards without the RFID).

Disable the RFID (0)

Anonymous Coward | about a year and a half ago | (#43540211)

Many card companies probably won't provide a different card with RFID.
Instead, just drill a hole in the card to break the antenna wires and disable the RFID.
The chip and the magstripe should still work.

Re:Almost useless (0)

jwgreene (2906395) | about a year and a half ago | (#43540439)

So you enjoy having a far higher likelihood of credit card fraud? Chip and PIN technology vastly reduces the amount of fraud. In two years of using our chipped CCs, we haven't had a single unauthorized charge of any sort, in person, online, or by phone. This story is FUD for the most part, because anyone getting their phone that close to my wallet is going to be entirely noticeable and will get told to sod off.

Re:Almost useless (2, Interesting)

Anonymous Coward | about a year and a half ago | (#43539979)

I'm sure they're aware it's insecure, it's just a level of insecurity they are comfortable with. They don't want to change to a new (more secure) system because that means replacing legacy equipment. And, most importantly, the credit card companies that make the decision are not the people who lose money from fraud (except for the small second-order effect of people not using credit cards due to fear of fraud).

Re:Almost useless (1)

eric_herm (1231134) | about a year and a half ago | (#43540327)

I think they just checked how much lack of security cost vs reducing the cost of security. IE, like a 1000$ system to protect a 10$ book is overkill, maybe that's the same kind of issue. If being a moron was the road to make money, I guess we would know by then.

Re:Almost useless (4, Informative)

nomorecwrd (1193329) | about a year and a half ago | (#43539869)

Here in Chile PIN is mandatory... but cloning is still being done (a hidden camera usually captures your PIN)

News flash! Now they are cloning - and altering - the swipe machines, to capture everything including PIN and sending it through hi intensity bluetooth. The machines (GPRS -EDGE) are being switched without the merchant's knowledge.

Re:Almost useless (1)

jeffmeden (135043) | about a year and a half ago | (#43539893)

Seriously, didn't anyone see this coming? "Swipe" the card and bam -- the purchase is done. How can that be considered secure? No signature, no PIN, no CVV, nothing; just pass it, and it's done. How the fuck was this even considered for adoption? Now, what everybody with half a brain imagined is happening.

Sure they all saw it coming. And "smart chip" credit cards that would hold biometric authentication have been teased for a decade. Problem is, security doesn't *sell*. Not when you can just tell the merchant that fraudulent use is their problem, and then give them no viable way to increase security aside from asking tellers to ask for ID (and we know how well that works).

Re:Almost useless (5, Informative)

neokushan (932374) | about a year and a half ago | (#43540335)

Hai! "Expert" here (And by "expert" I mean I work in the industry, my company has a hand in testing everything from the cards themselves right up to the host in your Bank's basement).

Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off ebay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe.

Chip cards, on the other hand, work completely differently. They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java). It doesn't just hand over your card details upon request, it actually uses a lot of cryptography, using public/private keypairs (Amongst other things) to ensure that no two transactions are ever the same. Cryptograms are used to ensure that data being sent and received is valid, it's impossible to change any data without breaking this. Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.

Contactless chip cards are nothing more than a wireless standard that complements the above. Similar to Wi-fi versus ethernet, it's only the transmission medium that actually differs here, the same sorts of cryptograms and hashes are done here. The net result? Yes, you can skim some data using any NFC equipped smartphone, but it's useless to you because you cannot even replay a transaction because you don't have any of the private keys.

Yes, you can use the information to clone the magstripe on a card - the card gives you enough information in the clear to do this, but you'll find that the magstripe is largely useless to you as it's only used as a fallback. These days, even magstripe transactions are used "online" - that is, the terminal WILL contact the host to verify it, a side effect of the rampant card fraud that goes on. The host will question why a chip-enabled terminal is doing magstripe with a card it knows is chip-enabled. The result? Transaction voided. Terminal prompts you to use the chip, because the terminal knows there's nothing wrong.

As for online shops - those shops that DON'T ask for the CVN are liable for the fraud, so few are left out there that don't. What's more, most cards these days have a secure online payment page requiring you to type in a password before continuing.

Sum total? This is a non-issue, there is nothing new in this article and anything else you hear is scaremongering. You cannot clone a chip card, it's physically impossible.

Re:Almost useless (1)

langelgjm (860756) | about a year and a half ago | (#43539643)

It will allow you to clone the card and make "swipe" based purchases.

Are you also going to fake the look and design of a bank card, including, possibly, raised numbering/lettering? Or are you just going to clone it on an old library card?

All this is is a slightly easier way to obtain credit card information from a limited number of NFC enabled cards... but getting that information wasn't particularly hard in the first place...

Re:Almost useless (1)

GameboyRMH (1153867) | about a year and a half ago | (#43539715)

Look and design - Blank magstripe cards are the same shape and size, the face design can be printed:

http://pvc.idcardgroup.com/productdetails.aspx?item=800059-106-01 [idcardgroup.com]

Raised lettering - using a set of letter stamps intended for metalwork.

Re:Almost useless (2)

langelgjm (860756) | about a year and a half ago | (#43539767)

The point is not that it cannot be done - I have cloned magstripe cards myself. The point is that there are hurdles to jump before you have a card you can actually use in person, and other hurdles for card not present transactions.

If you are willing to print on the card face and do the raised lettering for each card's information, good for you - what is the time and cost involved in doing that, versus the value of the fraudulent purchase you can make, versus the risk of the fraud being traced back to you?

Re:Almost useless (2)

omnichad (1198475) | about a year and a half ago | (#43540107)

Raised lettering is no longer required. Which is fine, because basically nobody has a manual imprinter these days. Which is terrible at the drive-through when the machines are down...again.

Re:Almost useless (1)

Anonymous Coward | about a year and a half ago | (#43539859)

I could simply take my old expired card and write the copied data onto it. No one would notice that the numbers on the check don't match the visible ones on the card.

Re:Almost useless (0)

Anonymous Coward | about a year and a half ago | (#43539913)

Or, I could just go to the grocery store and swipe a damn hotel card myself.

Re:Almost useless (-1)

Anonymous Coward | about a year and a half ago | (#43539741)

Without the CVV (verification code) you cannot do anything useful...

Bullshit. It will allow you to clone the card and make "swipe" based purchases. You can also use any online or phone retailer who doesn't ask for the CVV, and many of them don't ask.

The only "swipe" based purchases that I know that still exist are in cheap restaurants...
Also, my latest purchases over the phone always required my CVV except for fast food delivery....

So yes you can get a free meal, but I think it is pointless..

Re:Almost useless (0)

Anonymous Coward | about a year and a half ago | (#43539991)

gas stations don't tend to need any authorization. that's a bunch of money and a very common thing for people with stolen credit cards to resell.

Re:Almost useless (1)

mythosaz (572040) | about a year and a half ago | (#43540057)

...and every grocery store, which has never, ever, checked my ID.

Re:Almost useless (2)

omnichad (1198475) | about a year and a half ago | (#43540129)

Wal-Mart, Best Buy, grocery stores....? Plenty of brick & mortar stores with big ticket items. Most of them let you swipe the card yourself, so it doesn't even have to look very real.

Re:Almost useless (1)

alen (225700) | about a year and a half ago | (#43539885)

almost every retailer has cameras
unless you use the card for small purchases the real owner won't notice, the cops will go after you

Re:Almost useless (0)

Anonymous Coward | about a year and a half ago | (#43539585)

Not necessarily. A lot of times stores will only require two pieces of information match of the card number and either address or CVV. If you have a name, you could reasonably guess at an address with publicly available information and then you wouldn't need to worry about the CVV matching.

Re:Almost useless (1)

parkinglot777 (2563877) | about a year and a half ago | (#43539703)

Does that CVV really matter if a thief got everything he/she needs but merely 3-digit (or 4-digit) number? Is it impossible for someone to implement a way (even brute-force) to get those 3 (or 4) digit numbers? I highly doubt that there is NO way to obtain a card's CVV number. Think out of the box please...

Re:Almost useless (1)

compro01 (777531) | about a year and a half ago | (#43539819)

Is it impossible for someone to implement a way (even brute-force) to get those 3 (or 4) digit numbers?

Sure, you might even get 4 or 5 attempts before you get locked out.

Re:Almost useless (1)

parkinglot777 (2563877) | about a year and a half ago | (#43540215)

Dedicated thieves don't go the route most people think to make money. They may also have plenty of time in their hand and no need to make it obvious. Besides, what would they lose if they really try and got locked out? Unless they are not that sophisticated thieves and associate their real identity to the attempt.

Re:Almost useless (0)

Anonymous Coward | about a year and a half ago | (#43539823)

Well, depending on the backend security, somebody brute forcing credit card codes would be found easily and the card blocked.

Re:Almost useless (4, Insightful)

whoever57 (658626) | about a year and a half ago | (#43539915)

Without the CVV (verification code) you cannot do anything useful...

Tell that to the criminals who were spending money in gas stations and restaurants in central California using a clone of my wife's card a couple of years ago.

Re:Almost useless (0)

Anonymous Coward | about a year and a half ago | (#43540441)

Except that they DID have the cvv because your wife's card stored it on the magnetic strip. If it was stored on an nfc chip (like the cards in the article), then it couldn't have been cloned.

Re:Almost useless (2)

AuMatar (183847) | about a year and a half ago | (#43540075)

About 2 years ago, I got a new credit card. I started making online purchases. A year later, I had a purchase rejected. Turns out that I used the wrong CVV- I used the CVV from the old card it replaced. I'd been using that CVV the whole time. I'd been using the wrong CVV for over a year, and this was the first time it had stopped the transaction.

Basically, almost no merchants check it.

Re:Almost useless (3, Interesting)

neokushan (932374) | about a year and a half ago | (#43540391)

Not necessarily. You said the new card was a replacement for the old card - often those replacements don't change the card number, so really all that will have changed is the expiry date and the CVV. It's possible that the online systems thought you were still using your old card and thus accepted the CVV because the "new" card had never been activated. So it's not the CVV they don't necessarily check, but rather the expiry date (Because hey it's in the future and that's good enough).

It's not ideal though, it should be much stricter than that.

Qiuck Everyone Panic!!! (4, Funny)

gooman (709147) | about a year and a half ago | (#43539553)

This NFC technology must be stopped. Why should anyone's life be any more convenient than it already is.
Why back in my day a phone was attached to the wall with wires. It made phone calls and only phone calls and we liked it.
You youngsters and all your fancy gewgaws. Get off my lawn!

Re:Qiuck Everyone Panic!!! (2, Funny)

Anonymous Coward | about a year and a half ago | (#43539593)

Because swiping a card is ever so difficult. Our brittle wrists are just unable to cope with such massive stresses.

Re:Qiuck Everyone Panic!!! (4, Funny)

ArcadeMan (2766669) | about a year and a half ago | (#43539663)

You may be joking, but some of us actually carry platinum cards in our wallets. Do you know how heavy platinum is?

Re:Qiuck Everyone Panic!!! (1)

Anonymous Coward | about a year and a half ago | (#43539747)

Less than your gargantuan ass?

Re:Qiuck Everyone Panic!!! (0)

Anonymous Coward | about a year and a half ago | (#43539871)

You may be joking, but some of us actually carry platinum cards in our wallets. Do you know how heavy platinum is?

Yeah, I'm so glad I upgraded to Amex Invisible.

Re:Qiuck Everyone Panic!!! (0)

Anonymous Coward | about a year and a half ago | (#43539973)

Because swiping a card is ever so difficult. Our brittle wrists are just unable to cope with such massive stresses.

Your wrist can, but your brain can't. Watch people try to swipe their credit card. Count how many times it takes them to correctly orient the card. Time is money.

Re:Qiuck Everyone Panic!!! (1)

Anonymous Coward | about a year and a half ago | (#43539711)

This NFC technology must be stopped. Why should anyone's life be any more convenient than it already is.

NFC isn't that useful.

The premise was that you didn't need to take your credit card out of your wallet or purse.

But, if you have more than one NFC credit card, then you DO have to take out your card so that the correct card gets charged.

The other odd thing is that the credit card industry has been moving to higher-security chip & pin cards instead of the magnetic stripe.

NFC is much, much easier to clone & spoof. The credit card industry believes the savings in convenience & faster transaction processing will offset the greater amount of fraud. I'm not sure about that.

Re:Qiuck Everyone Panic!!! (0)

Anonymous Coward | about a year and a half ago | (#43539879)

The credit card industry believes the savings in convenience & faster transaction processing will offset the greater amount of fraud.

They don't actually believe that. That's what they're telling the people who pay for fraud.

Forget tinfoil hats... (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43539563)

...what we need is tinfoil wallets!

(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).

Re:Forget tinfoil hats... (4, Informative)

rgmoore (133276) | about a year and a half ago | (#43539755)

Forget tinfoil; woven stainless steel [google.com] is the in thing for wallets. I got mine more for the durability, but blocking RFID readers is a nice bonus.

Re:Forget tinfoil hats... (4, Informative)

fahrbot-bot (874524) | about a year and a half ago | (#43540103)

...what we need is tinfoil wallets!

(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).

All joking aside, when I got my RFID "enhanced" VISA card, I got a hammer and hole punch and punched through the chip.
Problem solved.

The cat's out of the bag now (0)

Anonymous Coward | about a year and a half ago | (#43539581)

There's nothing stopping a motivated skimmer from adding a more capable external antenna to extend read range. It's much simpler than rolling your own wi-fi antenna. The NFC antenna's usually one of the outermost parts of a phone or tablet, which makes it easy to get at, and it's not nearly so frequency dependent, which makes it easier to build.

Re:The cat's out of the bag now (1)

neokushan (932374) | about a year and a half ago | (#43540399)

I don't think you know how NFC works. Tell me, how is this extended antenna going to power the card?

apply tags (1)

alphaminus (1809974) | about a year and a half ago | (#43539601)

Re:apply tags (3, Insightful)

Anonymous Coward | about a year and a half ago | (#43539705)

A solution looking for a problem. I love how we invent all this crap and then have to invent more crap to make the crap barely usable. If you have to put the card in a faraday wallet then how is it any better than...say...SWIPING IT?

We seem to be able to introduce NFC, but we can't implement chip and pin. I can does security! Herp de derp...

Sensationalist.... (0)

langelgjm (860756) | about a year and a half ago | (#43539609)

If it's a card not present transaction, the security code should be required, and presumably that isn't being transmitted as well.

I've got a hot news story for you - every person you hand your credit card to is able to access your card number, name, and expiration date!

CBC News asked Google why apps capable of skimming credit card information were available on the Google Play store.

You mean, why are apps capable of using the NFC capabilities of your phone available on Google Play? You might as well ask why eBay sells magnetic card readers.

Re:Sensationalist.... (4, Insightful)

gstoddart (321705) | about a year and a half ago | (#43539707)

I've got a hot news story for you - every person you hand your credit card to is able to access your card number, name, and expiration date!

Yes, but this provides opportunities for people you don't hand your card to to be able to get the same information.

So anybody on the street with a phone potentially has access to your information. And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to be able to get it without you even knowing.

If NFC is so horribly broken that any random person with a free app from Google Play can access your credit card information without you knowing it, it's defective from the get go. Something I've always believed anyway. Its goal is to be convenient and spur people to use this as a payment option; it has never been designed with security and privacy in mind.

Re:Sensationalist.... (2)

Zerth (26112) | about a year and a half ago | (#43539807)

You'd be surprised how many people will give you that info if you just walk up to them and tell them you are a credit card technician from MC/Visa/etc while wearing a jacket with the logo badly sewn on it.

Re:Sensationalist.... (3, Insightful)

gstoddart (321705) | about a year and a half ago | (#43539875)

Surprised isn't the right word. Appalled, sure. Surprised? No.

Then again, people still fall for spam, phishing, and those fake tech support calls from "the Windows provider" which people fall for.

Critical reasoning is a surprisingly uncommon thing. It depresses me, but it doesn't surprise me.

Re:Sensationalist.... (1)

langelgjm (860756) | about a year and a half ago | (#43539849)

And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to be able to get it without you even knowing.

At which point, they face the same hurdles of using credit card information fraudulently that every other fraudster does.

I'm not saying this doesn't make it easier to get the information - it clearly does. However, you typically need to put in more effort than just getting that information before you can perpetrate the fraud, which the article ignores. I also don't care for the insinuation that Google should ban NFC apps.

They probably shouldn't put NFC chips in cards - there's little benefit to be had from tapping your wallet versus swiping a card. NFC payment via phone makes more sense, since you could toggle availability of the information. And NFC for automation of other tasks is great.

Re:Sensationalist.... (0)

Anonymous Coward | about a year and a half ago | (#43540023)

The same problem exists with the chip+pin cards. Any off-the-shelf smartcard reader can in fact read even more data. The card number, account numbers, names, expiry, all of it.

The *correct* solution to this problem really is to stop having cards to begin with. If you have a smartphone, you select your virtual mastercard, NFC is switched on until the card reader is activated, then turned right back off. They could secure this better with one-time cyphers as well, but that's not something that a chip in a card is going to do.

Re:Sensationalist.... (1)

realityimpaired (1668397) | about a year and a half ago | (#43540083)

I've got a hot news story for you - every person you hand your credit card to is able to access your card number, name, and expiration date!

With the advent of chip/pin cards, I can't remember the last time I actually had to hand my credit card to somebody in order to complete a transaction. It was many years and multiple cards ago.

The same can't be said for RFID cards: they can be read with a suitably powerful antenna from 50 feet away.

Did anybody not see this coming? (5, Insightful)

gstoddart (321705) | about a year and a half ago | (#43539623)

I've always thought those tap-to-pay things were really a bad idea from a security perspective, as your card can be used without you even knowing it and without any form of authentication.

The fact that it will broadcast all of that information to just about anything tells me it's something which retailers and credit card companies like -- but it's mostly bad for security, but great for convenience.

I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.

I've always thought this was massively insecure, and it looks like I was right.

Re:Did anybody not see this coming? (2)

GameboyRMH (1153867) | about a year and a half ago | (#43539731)

I knew it was a terrible idea before it was cool. B-)

(No, seriously, like back when Bush was president).

Re:Did anybody not see this coming? (1)

gstoddart (321705) | about a year and a half ago | (#43539835)

I remember when it first came out people telling me about it.

My response at the time was "so, all you need to do is wave your card near the reader, and it takes your money ... how do you keep it safe?".

Of course, I was dismissed as somewhat paranoid and got a lot of suggestions I was blowing it out of proportion. From the sounds of it, these things are just waiting to gladly spend your money without caring about your security.

I may be somewhat on the paranoid side, but that doesn't mean this was a giant security hole waiting to happen.

Re:Did anybody not see this coming? (1)

Anonymous Coward | about a year and a half ago | (#43539779)

A hole puncher will take care of it. Pretty easy to disable. Just find the chip embedded in the card and pop it out.

Usually there's an ever so slight dimple in the surface of the card where the chip resides.

Re:Did anybody not see this coming? (0)

Anonymous Coward | about a year and a half ago | (#43540231)

Just tell your bank to give you a card without the stupid NFC chip. Both Chase and Citi do that, I'm sure others can too.

Re:Did anybody not see this coming? (0)

Anonymous Coward | about a year and a half ago | (#43539983)

I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.

I know that CIBC will permit you to not have "Pay Wave" on your card. I had to complain for a while before they would agree to it, but they did send me a replacement card without it.

Re:Did anybody not see this coming? (1)

realityimpaired (1668397) | about a year and a half ago | (#43540105)

I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.

It was a 5 minute phone call for me, when I wanted my Visa to send me a new card without RFID. They sent me the card, and added a flag on my account to not automatically "upgrade" me to RFID ever again.

Re:Did anybody not see this coming? (1)

Andy Dodd (701) | about a year and a half ago | (#43540181)

I am fairly certain the tap-to-pay systems add a capability not present in standard magstripe systems - a transaction counter within the card.

Yes, failed cards will occasionally trigger a few extra counts, but you can safely assume that all transactions with a given card are going to be monotonically increasing.

If a thief starts using your card, and then you use it - now the CC company is going to see cases where the transaction counter goes backwards, a sure sign that something is VERY WRONG. Easy fraud detection trigger.
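As an added illustration, not part of the thread: a sketch of the fraud rule the comment above describes, run over constructed authorization records. EMV chip cards do carry such a counter (the Application Transaction Counter); the record layout, `REORDER_WINDOW` and the function names are assumptions of this example.

```python
from collections import defaultdict

REORDER_WINDOW = 3  # assumed tolerance for authorizations that arrive late

# Constructed sample records: (card token, chip counter or None, channel).
SAMPLE_AUTHS = [
    ("card-A", 41, "tap"),
    ("card-A", 42, "tap"),
    ("card-A", 45, "tap"),       # gap in the sequence is not an alert
    ("card-A", None, "online"),  # card-not-present, no chip counter sent
    ("card-A", 46, "tap"),
    ("card-A", 44, "tap"),       # late arrival inside the reorder window
    ("card-A", 45, "tap"),       # counter value already used once
    ("card-B", 10, "tap"),
    ("card-B", 11, "tap"),
    ("card-B", 3, "tap"),        # far behind the highest counter seen
]


def classify(auths, window=REORDER_WINDOW):
    """Return (card, counter, verdict) for each record, in input order."""
    seen = defaultdict(set)   # counters already accepted, per card
    high = {}                 # highest counter accepted, per card
    results = []
    for card, counter, _channel in auths:
        if counter is None:
            verdict = "no-counter"          # nothing to compare against
        elif counter in seen[card]:
            verdict = "duplicate"           # same counter presented twice
        elif card not in high or counter > high[card]:
            verdict = "ok"                  # forward movement, gaps allowed
        elif high[card] - counter <= window:
            verdict = "late"                # slightly out of order, tolerated
        else:
            verdict = "regression"          # counter went clearly backwards
        if verdict in ("ok", "late"):
            seen[card].add(counter)
            high[card] = max(high.get(card, counter), counter)
        results.append((card, counter, verdict))
    return results


def alerts(auths, window=REORDER_WINDOW):
    """Only the records a fraud rule would raise on."""
    return [r for r in classify(auths, window)
            if r[2] in ("duplicate", "regression")]


if __name__ == "__main__":
    for row in alerts(SAMPLE_AUTHS):
        print(row)
```

Records without a counter are passed through unclassified, so this rule says nothing about card-not-present use.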

Re:Did anybody not see this coming? (0)

Anonymous Coward | about a year and a half ago | (#43540227)

That would assume you never buy anything online.

Re:Did anybody not see this coming? (0)

Anonymous Coward | about a year and a half ago | (#43540291)

Use a hammer.
Really. Use a hammer on the cards. Find where the chip is, place it on something solid then whack the chip a few times.

so? (1)

MintyKiwi (2904129) | about a year and a half ago | (#43539645)

This information is available on the card in TEXT FORM anyways.... it is easy to be "stolen" every time you whip it out with the wonderful technology we call "EYES".... this is why PIN numbers exist, this is why the 3 digit security code exists.... and without that information, any transaction processed on the card can be easily reverted by calling your credit card company.... non-issue... technically this makes phone payment more secure since it does not have card number, expiry date and name written in plain text, you don't need to worry about people reading it when you whip it out and NFC can be easily disabled and only enabled by button press using apps such as Tasker.... as long as you don't lose your phone (even if you do, Google Wallet for example has a PIN number and can be remotely disabled in Google accounts)

Re:so? (0)

Anonymous Coward | about a year and a half ago | (#43540045)

Phone payment is more secure, because it has the option of showing you the payment amount and payee name and asking for confirmation before making the transaction. This is not how it is usually done with them, but you have the option.

You cannot easily copy real smart cards (ones with a real microcontroller chip instead of the simple memory chip) as they don't give access to data without cryptographic authentication. But then they are still inferior to the phones, since without an input/output device they can still be faked into accepting different transactions.

Common Unencrypted RFID Chips (0)

8Complex (10701) | about a year and a half ago | (#43539749)

Just goes to show you how much the credit card companies /really/ care about security.

What got my attention (2)

glaurungn (1253152) | about a year and a half ago | (#43539787)

was that the summary says that more capable antennas could improve reading distance, while in reality the technology was designed for very short ranges, with a practical working distance of less than 10 cm. This is I believe because most tags are passive, have no energy and must be powered by the reading device with magnetic induction.

Re:What got my attention (1)

YrWrstNtmr (564987) | about a year and a half ago | (#43539867)

10 cm.

Install one or two of these in rear seat of a taxi. How many can you snag during a typical shift?

Passports are encrypted (4, Interesting)

IamTheRealMike (537420) | about a year and a half ago | (#43539797)

The data on a passport is encrypted with a key derived from the "machine readable zone" that's inside the book. To decrypt the data available via NFC you have to actually optically scan the open page. In addition US passports have a shielded chip so the book has to be open to be readable.

I'm pretty impressed with the passports (4, Interesting)

YesIAmAScript (886271) | about a year and a half ago | (#43539935)

I was very much against them, in fact swearing I would smash my passport's smart chip when I got a new passport that had one.

But having read it with my phone, I'm impressed. You need key data from the printed page to make the NFC work and as you mention, the passports are unreadable when closed.

I think it's really well done. I'm a bit unsure quite what it's good for since it is slower than swiping it, I can only figure it was done just because putting that much info in a barcode was infeasible.

Now let me submit my pic as a link to a PNG or whatever instead of printing out a picture, having them scan it back in and turn it into a JPEG2000.

Re:I'm pretty impressed with the passports (2)

IamTheRealMike (537420) | about a year and a half ago | (#43540079)

The data stored in the chip is signed using a new PKI. Modern chips can also do challenge/response. So it makes the passports impossible to forge. That's the reason for it.

A simple solution (1)

GenieGenieGenie (942725) | about a year and a half ago | (#43539825)

Most of the fear, FUD and panic will go away if the card requires some form of semi-prolonged contact with the reading device in order to activate or unmask the magnetic data. Then unsolicited reading will be more or less the same as swiping, but without the dedicated hardware.

fuck A mare (-1)

Anonymous Coward | about a year and a half ago | (#43539829)

too gay (-1)

Anonymous Coward | about a year and a half ago | (#43539837)

i would care about this but my face is covered with too much semen

sadness :'(

what app is he using? (2)

YesIAmAScript (886271) | about a year and a half ago | (#43539851)

I have a VISA card with NFC and multiple tag readers for my phone and none of the tag readers can get any info like that out of the card. I've got apps that can read fare cards, passports, etc. but I can't find anything on my credit card.

What am I missing?

Re:what app is he using? (1)

ColdWetDog (752185) | about a year and a half ago | (#43539977)

The power switch?

Re:what app is he using? (1)

omnichad (1198475) | about a year and a half ago | (#43540191)

The data's probably encrypted. Of course in order to accept credit cards, a merchant needs the decryption key so this has probably leaked all over the place. An "App" is not going to have an illegal copy of the decryption key, but it's not hard to custom-program something for it.

Need a better source than some hack reporter (4, Interesting)

Tony Hoyle (11698) | about a year and a half ago | (#43539863)

I'd be intrigued to know what app they're using that's returning the code and expiry date.. that information is encrypted on the card and none of the free nfc tag readers I've tried even attempt to decrypt it (I don't trust the banking system to use half decent encryption so not discounting the possibility entirely).

Of course it could just be the typical bullshit scare story that newspapers come out with..

I am safe, I dont care. (1)

140Mandak262Jamuna (970587) | about a year and a half ago | (#43539937)

I keep all my credit cards and smart chip embedded driving license in my hat. And my hat is actually a Faraday's cage constructed using a product from Reynolds. I understand the product is made by electrolysis of bauxite. So no one can read anything from it from a distance.

Re:I am safe, I dont care. (0)

Anonymous Coward | about a year and a half ago | (#43540365)

So, it's just an overpriced tinfoil hat?

Advertising (1)

ArcadeMan (2766669) | about a year and a half ago | (#43540187)

Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada...

Really? I don't know anyone with one. It's all flip-phones, HTC and iPhones where I live. And I'm in Canada.

Re:Advertising (0)

Anonymous Coward | about a year and a half ago | (#43540305)

I live in Canada too. I'm a driving instructor, and the Galaxy SIII is definitely what I see the most when I take away my students' phones before their lesson starts. That is followed by the iPhone, and then various Blackberries (a number that is shrinking every year). Also, I use a Galaxy SIII personally.
But neither of us are any more right; it's all just anecdotes.

Re:Advertising (1)

ArcadeMan (2766669) | about a year and a half ago | (#43540397)

Your anecdote is worth more than mine however, given that you see more new people in a given week than me.

"near" is a strange concept (1)

RichMan (8097) | about a year and a half ago | (#43540205)

In RF land the concept of placing object A near object B means very little. The big question is antenna gain/directionality and receiver gain and the ability of both to reject out of band noise and not create in band noise.

If a cell phone can read a signal from your credit card over a 2" gap then an antenna in a van can do it from across the street and Jodrell Bank can do it from the other side of the planet.
