NFC and payment cards, be scared now.

In my previous post I warned people not to share the output of cardpeek with others, as it includes the full 16-digit number (or 15 or 19 digits, depending on the type) of the card and its expiration date.

The reason is that EMV requires the chip to expose the same data found on the magnetic stripe; this data is defined as Track1, Track2 and Track3. Classically only the first two are relevant for credit cards, but at least on Italian debit cards (Bancomat), like the one I discussed yesterday, Track3 is present as well.

Track1 contains the name on the card, while Track2 contains, as I said, the full card number and expiration date. The only thing that is missing is the CVV/CVC/CV2, you name it, the three digits that are printed (not embossed!) on the back of the card. Recording magnetic stripe data is trivial with a skimmer – if you’re interested, check Krebs’s blog – but recording the data from a chip is not much more complex, if you can hack the firmware of the terminal device.
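To make concrete what Track2 actually carries, here is an added example that is not part of the original post: a small parser for the Track 2 layout, in both its magnetic-stripe form and the EMV Track 2 Equivalent Data form, together with the redacted summary that should be shared instead of a raw cardpeek dump. The sample strings are constructed around the well-known 4111... test PAN and were not read from any card.

```python
import re

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN, separator '=',
# expiry as YYMM, 3-digit service code, discretionary data, end sentinel '?'.
# EMV tag 57 (Track 2 Equivalent Data) carries the same fields BCD-encoded,
# with 'D' as the separator and an optional trailing 'F' nibble as padding.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})[=D](?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)F?\??$"
)

# Constructed samples using the well-known 4111... test PAN; not real card data.
SAMPLE_MAGSTRIPE = ";4111111111111111=25122011234567890?"
SAMPLE_EMV_TAG57 = "4111111111111111D2512201123456789F"


def luhn_ok(pan: str) -> bool:
    """Verify the PAN's Luhn check digit (catches mistyped digits, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a Track 2 (magstripe) or Track 2 Equivalent Data (EMV) string."""
    m = TRACK2_RE.match(raw.strip().upper())
    if not m:
        raise ValueError("not a Track 2 / Track 2 Equivalent Data string")
    return {
        "pan": m["pan"],
        "expiry": f"{m['exp'][2:]}/{m['exp'][:2]}",  # YYMM -> MM/YY
        "service_code": m["svc"],
        "discretionary": m["disc"],
        "luhn_ok": luhn_ok(m["pan"]),
    }


def redact_pan(pan: str) -> str:
    """Keep the 6-digit issuer prefix and the last 4 digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def safe_summary(raw: str) -> str:
    """The only form of Track 2 data that should be pasted into a bug report."""
    f = parse_track2(raw)
    return f"PAN {redact_pan(f['pan'])} exp {f['expiry']} svc {f['service_code']}"
```

Note that the CVV the post mentions is absent from both forms: nothing in the layout has a field for it.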

The difficulty, after copying the tracks’ data, is to make a copy of the card itself. At least in theory, the private key used for enciphered PIN verification is supposedly impossible to extract, which makes duplicating a chip infeasible. Again, that is in theory: I have pointed out how many different CVM policies are configured on cards, and some of them do not require enciphered PIN (Italian debit cards in particular seem to be the worst offenders). Similarly, online transactions nowadays always require the CVV code, which is not available in either the magnetic stripe or the EMV data.

On the other hand, the fact that magnetic-stripe usage is still allowed (largely because the United States has not moved to the new technology yet) means that just snooping Track1 and Track2 data allows for in-store transactions with a fake card. If chip-and-PIN cards are not usually cloned in Europe, it is thus only because the direct benefit to fraudsters is lower: even if you can read the data with a hacked terminal, you have to sell the data somewhere else for it to be used.

But all I said up to now involves having the card in your hands, or using a hacked terminal, and both options are pretty risky. There is a more “interesting” approach, thanks to the current move to NFC-enabled payment cards (my Irish debit card has it too). It does not really look like one of those NCIS episodes with the fraudster just brushing past people in the street, but it comes close enough.

While NFC payment only works for non-CVM-required transactions (less than 15 euro or 25 dollars), it does expose the full tracks’ data over the contactless interface, which means it’s just a tap away from being cloned. Sure, you still need physical contact with the card, but there are a few reasons why I find it much more worrisome than cloning from the stripe or chip.

The first problem is that the tools required to skim the data out of the chip or the magnetic stripe are much harder to come by than those for NFC: you only need an NFC-enabled phone (such as a Nexus 4 or 5) and the right app. You can for instance look at cardtest, which will show you all the details of the card just by tapping it on the phone. The app hides the full number of the card, but that is done in software; the NFC read has already returned the full number.

And the card itself will gladly talk through your average wallet – sure, there are RFID-blocking wallets, but they are rarely of good quality – so it’s just a matter of getting the phone, or one of the many RFID readers, over or under the wallet. Maybe it’s my wannabe-writer imagination at work here, but I can see how a few strategically placed RFID readers embedded in the counter around the till of a store could read a lot of cards, even those not being used to pay, muddying the waters quite a bit.

There is another point of view as well, which can be interesting. Even cards that are NFC-enabled are mailed, at least in Europe, in standard paper envelopes. These do nothing to protect you from NFC skimmers; a malicious postman can easily skim the cards with his unmodified cellphone, just by tapping the letters that look like they contain a card of some kind. I tried this myself the other day as I received an Irish, government-issued card through the mail: just leaving it on top of my laptop and running pcsc_scan made it work, and using my cellphone was just as easy. All this without opening the envelope or even making it look like it had been tampered with! And yes, of course the cards are not shipped active, but just wait a week or two and they will be; it’s rare to be in my situation, having to wait for them to be forwarded to a different country before they get enabled.

So what can we do about this? Well, I’m not sure, I’m not that much of an expert. My best bet up to now is to keep as many NFC-enabled cards (Leap, DublinBikes, ZapaTag, Oyster, etc.) in my wallet as possible, to mix up the signal from the actual payment card. This tends to work, but it’s just a matter of retries until the right card comes up. I guess it’s time for me to consider buying one of those two-dozen-card aluminium holders, which are usually shielded against RFID access, and for you too.

Other than that, the usual advice applies: make sure to check your statements, and report quickly to your institution if something looks odd!