NFC and payment cards, be scared now.

In my previous post I warned people not to share the output of cardpeek with others, as it includes the full 16 digits (or 15 or 19, depending on the type) of the card number, and its expiration date.

The reason this happens is that the EMV implementation requires exposing the data from the magnetic stripe over the chip; this data is defined as Track1, Track2 and Track3 — classically only the first two are of relevance for credit cards, but at least for Italian debit cards (Bancomat), like the one I discussed yesterday, the third is present too.

Track1 contains the name on the card, while Track2 contains, as I said, the full card number and expiration date. The only thing that is missing is the CVV/CVC/CV2, you name it, the three digits that are printed (not embossed!) on the back of the card. Recording magnetic stripe data is trivial with a skimmer – if you’re interested, check Krebs’s blog – but recording the data from a chip is not much more complex, if you can hack the firmware of the terminal device.
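
One way to act on the warning about sharing cardpeek output, as an added example that is not part of the original post: this script masks Track2-equivalent data and bare card numbers in a text dump before it is shared. It assumes the dump prints each value as one contiguous hex string; the function names and the sample dump are constructed for illustration.

```python
import re

HEX = "0-9A-Fa-f"
# EMV tag 57: PAN, 'D', YYMM expiry, service code, discretionary data, 'F' pad.
# Assumption: the dump prints each value as one contiguous hex string.
TRACK2_RE = re.compile(
    rf"(?<![{HEX}])([0-9]{{12,19}})[Dd]([0-9]{{4}})([0-9]{{3}})"
    rf"([0-9]*)([Ff]?)(?![{HEX}])")
# A bare card number (EMV tag 5A), optionally 'F'-padded.
PAN_RE = re.compile(rf"(?<![{HEX}])([0-9]{{12,19}})([Ff]?)(?![{HEX}])")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so hex runs that only look like a PAN are left alone."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, star out the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _track2(m: re.Match) -> str:
    pan, _expiry, service, disc, pad = m.groups()
    if not luhn_ok(pan):
        return m.group(0)
    # Expiry and discretionary data are masked; the service code is kept.
    return f"{mask_pan(pan)}D****{service}{'*' * len(disc)}{pad}"


def _pan(m: re.Match) -> str:
    pan, pad = m.groups()
    return mask_pan(pan) + pad if luhn_ok(pan) else m.group(0)


def scrub(dump: str) -> str:
    """Return the dump with Track 2 data and bare PANs masked."""
    return PAN_RE.sub(_pan, TRACK2_RE.sub(_track2, dump))


# Constructed sample dump (4111111111111111 is a well-known test number).
SAMPLE = ("57 Track 2 Equivalent Data: 4111111111111111D2512201123456789F\n"
          "5A PAN: 4111111111111111\n9F36 ATC: 001A")
```

Calling `scrub(SAMPLE)` returns the dump with both card-number fields masked and the unrelated counter line untouched.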

The difficulty, after copying the tracks’ data, is to make a copy of the card itself. At least in theory, the private key used for enciphered PIN verification is supposedly impossible to extract, which makes duplicating a chip not feasible — again, in theory, as I’ve pointed out how many different CVM policies are configured on cards, and some of them do not require enciphered PIN (in particular, Italian debit cards seem to be the worst offenders). Similarly, online transactions nowadays always require the CVV code, which is not available on either the magnetic stripe or the EMV data.

On the other hand, the fact that magnetic-stripe usage is still allowed (largely because the United States has not moved to the new technology yet) means that just snooping Track1 and Track2 data allows for in-store transactions with a fake card. It’s thus just a matter of lower direct benefits for fraudsters if chip-and-pin cards are not usually cloned in Europe: even if you can read the data with a hacked terminal, you have to sell the data somewhere else to be used.

But all I have said up to now involves having the card in your hands, or using a hacked terminal; both options are pretty risky. There is a more “interesting” approach, thanks to the current move to NFC-enabled payment cards (my Irish debit card has it too). It does not really look like one of the NCIS episodes with the fraudster just brushing off people in the street, but it comes close enough.

While NFC payment only works for non-CVM-required transactions (less than 15 euro or 25 dollars), it does expose the full tracks’ data over the contactless interface, which means it’s just a tap away from being cloned. Sure, you still need physical contact with the card, but there are a few reasons why I find it much more worrisome than cloning from the stripe or chip.

The first problem is that the tools required to skim the data out of the chip or the magnetic stripe are much harder to come by than those for NFC, because you only need an NFC-enabled phone (such as a Nexus 4 or 5) and the right app. You can for instance look at cardtest, which will show you all the details of the card just by tapping it on the phone — the app will hide the full number of the card, but that is done in software; the NFC inspection would read the full number already.

And the card itself will gladly talk through your average wallet – sure, there are RFID-blocking wallets, but they are rarely good quality – so it’s just a matter of getting the phone, or one of the many RFID readers, over or under the wallet. Maybe it’s my wannabe-writer imagination at work here, but I can see how a few strategically placed RFID readers embedded in the table around the till of a store could read a lot of cards, even those that are not being used to pay, muddying the waters quite a bit.

There is another point of view as well that can be interesting. Even cards that are NFC-enabled are mailed, at least in Europe, in standard paper envelopes. These do nothing to protect you from NFC skimmers; a malicious postman can easily skim the cards with an unmodified cellphone, by just tapping the letters when they look like they contain a card of some kind. I tried this myself the other day as I received an Irish, government-issued card through the mail: just leaving it on top of my laptop and running pcsc_scan made it work, and using my cellphone was just as easy. All the time without opening the envelope or even making it look like it was tampered with! And yes, of course the cards are not shipped active, but just wait a week or two and they’ll be — it’s rare for people to have to wait, like me, to ship them to a different country before they get enabled.

So what can we do about this? Well, I’m not sure, I’m not that much of an expert. My best bet up to now is to add as many NFC-enabled cards (Leap, DublinBikes, ZapaTag, Oyster, etc.) to my wallet, to mix up the signal from the actual payment card. This tends to work, but it’s just a matter of tries until the right card comes up. I guess it’s time for me to consider buying one of those two-dozen-cards aluminium holders, which are usually shielded against RFID access, and for you too.

Other than that, the usual advice applies: make sure to check your statements, and report quickly to your institution if something is looking odd!

10 thoughts on “NFC and payment cards, be scared now.”

  1. Afaik after 3 transactions using a key in quick succession the card is blocked if you don’t update the token and only the genuine card can update that token internally.. Mixing up a signal shouldn’t work, although it does.. There isn’t “mixing” here, it just makes it more difficult for a reader to inductively couple many targets.. NFC supports anti-collision tech, I made the same assumption. I’d maybe just fact check your posts here. Watch this video, it should be useful for you: http://www.youtube.com/watc… Cheers J

  2. I don’t think anything I said above is disproved by your comment, to be honest. Yes, I said “it’s just a matter of tries” — I know it is not a safe way to protect yourself, but it does stop the most obvious “brush away” attack. Not much, but it helps. As for transactions, that only works when using chip-and-pin, which again is what I said above: you can’t really clone a chip (minus other attacks on the EMV protocol for which I have no idea, it’s not my field of expertise), but you *can* use the track data read over NFC to craft a magnetic stripe for a fraud-card. But I welcome the video, I’m definitely interested, will watch it ASAP.

  3. It always amazes me that they still get stuff like this wrong. There is no reason to have the legacy card number transmitted in the clear. The credentials for NFC should be different, and as you’ve pointed out it sounds like those are reasonably secure. Honestly, I’d take it a step further and put the pin pad on the card itself, with an LCD display that shows the amount to be charged. That would protect against compromised terminals. However, simply making it impossible to clone cards is already a huge improvement.

  4. I read an article a few months back about using online shops to try-and-error-find the cvv code… Apparently it works. But of course I’m not sure if that is easily detectable by the card company. Back then, it was not detected. Even if detected, it would DOS you from using that card.

  5. If you want to block access to your cards, one easy way is to add .) a few to your purse, if there are enough a reader is not able to supply enough power or .) add an (old) card to your wallet that does not support anticollision (e.g. many of the access cards for doors), this makes it impossible for the reader to address an individual card. (which is what I did, but I took a new one with some custom software. I have this card on one side of my purse, the banking card on the other one, so if I open the purse it works again) One other pretty bad thing is that these cards are vulnerable to relay attacks. Using two internet connected mobile phones one can relay the payment process to a card that is in e.g. someone’s pocket. The main problem here is the horrendously big timeout on the readers. Sure, it only works for small amounts, but still… Btw. there have already been some cards that implemented display and buttons for pin entry. The feedback of e.g. the German banks (this one I know of) was simply that such a card would be too costly. No wonder if you think about it, the high security controllers that are used in those chipcards cost 30-40 cents when bought in bigger numbers (those are the real expensive, high performance ones…). On that scale, even a cheap integrated pushbutton is costly…

  6. You don’t need to worry too much about frauds, when your card is cloned and used only through the mag stripe, the risk is on the acquirer/bank institution. That’s why EMV was created, to add security to the card and shift the responsibility to the final user.

  7. Yes and no — while that’s the correct theory, the agreements with banks vary quite a lot case by case. In the case of my Italian cards, I have had the bad experience of trying to repudiate a single €140 transaction, and the paperwork required, including a pointless report to Italian police (when the cloning clearly happened in Los Angeles) drove me away from trying to claim it. Also, it’s not possible to claim back money lost on transactions for debit cards, so if you get your (EMV) debit card cloned, you’re still shafted.

  8. There are no EMV chip cloning reports at this time, the only possible way to be cheated is by someone stealing your PIN AND your card. The worst that could happen is to be forced to withdraw all your money at an ATM or something, at gun point.


  9. You haven’t read the post, have you? You are correct, there is no known way to copy the EMV chip. **But the data readable from the chip without a PIN contains enough information to make a non-EMV clone of the card.** Namely the TRACK1/TRACK2 data. Which is also visible by NFC. But you’re absolutely wrong if you think that “the only possible way to be cheated is by someone stealing your PIN” — first of all, you can skim an EMV card just fine if it’s designed to still be usable in the USA (see [my other post](https://blog.flameeyes.eu/2… — the MasterCard was cloned once in SoCal). Also, look at the comment by Andrea to see how the PIN is not as safe as we’d like it to be.

  10. Spidey, You are correct in stating the liability shifts from the consumer to the bank when fraud occurs unless the fraudulent transactions involved EMV, however your statement explaining there has been no recorded clones of EMV. We could go back and forth however I’ll just cut to the chase and present facts back with references so the audience can verify the truth. You say EMV fraud does not exist what you fail to consider is how long the rest of the world has been using EMV and you failed to research credit card fraud in Europe. Europe has been using EMV for a considerable amount of years yet they still have credit card fraud along with Africa which has the highest amount of fraud recorded in the world. Let’s just look at this with our common sense without considering the numbers of the bankers say all cloning fraud will be eliminated with EMV yet years after countries like Europe and Africa have adopted EMV credit card fraud still exists and is being recorded. The only thing EMV changed is the bank compensating fraudulent transactions. There is not any added layer of security within EMV vs Mag strip, cloning fraud has not been eliminated google pre play attacks, and once again the consumer has gotten the short end of the stick while the politicians and the banks flourish.
