In: Credit Card Security News
December 27th, 2015
RFID Protective cards – understand the difference before you buy.
Over the past few months it has come to our attention that consumers are judging the effectiveness of the RFID protective cards they are purchasing against retail point of sale terminals.
Tested this way, these RFID protective cards appear very effective at blocking a transaction from being processed, and they have received a number of very positive reviews.
The truth is that if you place two PayPass cards together and present them to a retail (tap & go) terminal, the transaction will NOT go through. This is so the consumer can decide which card they wish to present to the terminal. Don’t be fooled, though: any standard reader (like the one in the image to the right) that can be purchased online will not give you this option and will take the information off the first card that responds to its requests. These readers have anti-collision software, so it does not matter how many cards are being interrogated; the reader will always get at least one.
The criminals who perpetrate this electronic pickpocket crime would rarely use a retail-style (tap & go) terminal to skim; they are more likely to use a standard off-the-shelf reader and ‘amp up’ the antenna and signal strength.
The way in which some of these cards are marketed, and the terms used to boost the hype, imply that the cards are loaded with top-secret and patented technology; some even drop names such as “NASA” to increase their worth.
The truth is actually quite different. Often a standard programmable RFID card worth about $0.75 is programmed with essentially garbage in an attempt to confuse the terminal that is trying to interrogate it. This has been shown to be inconsistent in its protective ability and thus cannot reliably support the claims that are being made.
As there is no regulatory body governing the standards of products in this field, it has been left open for anybody to jump on board and try to make a quick dollar. The few companies that have invested significantly in research and development to effectively protect the consumer have been left trying to defend and differentiate their products from those who have clearly blurred the lines and cannot support or prove the claims that are being made. The sooner this industry can be regulated the better.
Where does this leave you? The best advice is to research the product you are considering purchasing.
If it claims to Jam does it have FCC approval?
If it claims to have patented technology, is there a reference to a patent? (Don’t be fooled by a ™ next to a word; that does not constitute a patent but merely means a logo or term has been trademarked.)
If it claims to be active does it have a battery?
As a consumer you must do your research and due diligence until there is a regulatory body that can help govern the claims being made. Protecting your identity from theft is a serious business, and you should only look for companies and products that are serious about protecting your data, not those who just want to jump on the bandwagon for a quick dollar.
The decision is ultimately yours as to how much protecting your personal data is worth to you.
Beware, Be Aware and Stay Vigilant.
Cloning credit cards today – 9 October 2014, it’s not hard to do, as an expert shows.
The new age of credit card skimming and cloning credit cards is on show today at the Breakpoint security conference in Melbourne.
Peter Fillmore, an Australian money hacker and security boffin, will demonstrate how he probed the protocols behind Visa and Mastercard payment cards and proved the viability of an attack by successfully using cloned versions of his credit cards to shop at supermarket chain Woolworths and buy beer at a Sydney pub.
He will show today, via a modded Nexus 4 phone, how it steals data from PayWave and PayPass cards, data that could be loaded onto cloned cards.
While the phone tactic is an inconspicuous attack, Fillmore told Vulture South that enterprising criminal gangs could make a killing by using his tactics with more powerful custom equipment to scam commuters on their way to work.
“The phone needs to be really close to someone’s wallet to work so it’s more of a proof-of-concept. [However], the attack I would be worried about is a criminal gang with a [reader] in a briefcase who captures a whole lot of cards on a tram and uploads them to a central server,” Fillmore said.
“Someone located far away could then wait until their phone pings with the stolen information and start using the cards,” he added.
“This is better than a relay attack because you can store the transactions and you don’t have a timeframe,” he said.
There’s another advantage for the potential criminal: when the trick fails, it appears to retailers and banks to be a mundane error rather than a fraud attempt, which could otherwise trigger a well-resourced bank and police investigation.
Large retailers are first-choice targets for attack (rather than small new businesses), as they are likely, as in the case of Woolworths, to operate legacy point-of-sale payment equipment and therefore be more open to fraudulent moves.
The Nexus 4 (as Fillmore discovered) served as an efficient and discreet hardware fuzzer for contactless cards. The popular Cyanogen mod gave access to an otherwise inaccessible application programming interface called ‘Host Card Emulation’, which he said is a “great platform” for cloning cards.
Fillmore plans to write an exploit app for a popular but as yet unnamed card reader that would be delivered through the phone.
His attack worked in part by exploiting payment terminals’ legacy support for magnetic stripe cards. Under the EMV protocol (the gold chip on credit cards), the card tells the terminal whether it supports EMV, which allowed an attacker to push payment processing back to mag stripe.
The captured details included an application transaction counter, which is incremented each time a transaction is made. Attackers needed to conduct the fraud before the card’s next transaction was made, or an error would occur.
The attacks weren’t due to particular problems with a given bank, although the Australia and New Zealand Banking Group (unlike the National Australia Bank) was found not to have implemented a randomisation number, which, while affording additional security, did not prevent the attack.
Fillmore said new startups may be harder targets as they may use new technology that could be, like one tested at a NAB ATM, capable of determining if a contactless credit card was ‘lying’ about not supporting EMV.
Blocking the attack would require the very slow process of dropping legacy support for non-EMV transactions, a feat that could be done faster in Australia than the US.
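The two signals the article describes, a chip-capable card being processed in mag-stripe mode and an application transaction counter that fails to advance, can be checked on the issuer side at authorization time. The following is an added illustration written for this page, not code from Fillmore’s research or from any bank; the PAN, counter values and the ATC gap tolerance are constructed.

```python
from dataclasses import dataclass

ATC_GAP_LIMIT = 50  # assumed tolerance for counters consumed by aborted or declined taps

@dataclass
class CardState:
    emv_capable: bool   # issuer enrolment record says this card carries an EMV chip
    last_atc: int = 0   # highest ATC seen in an approved transaction

@dataclass
class IssuerMonitor:
    cards: dict
    decline_fallback: bool = True   # False models a legacy issuer that still permits mag-stripe fallback

    def authorize(self, pan: str, atc: int, mode: str):
        """Evaluate one contactless authorization request.
        mode is 'emv' or 'magstripe' (how the terminal reports it read the card).
        Returns (approved, flags); flags is empty when nothing looked wrong."""
        state = self.cards[pan]
        flags, decline = [], False
        # Signal 1: a card the issuer knows has a chip claims not to support EMV.
        if mode == "magstripe" and state.emv_capable:
            flags.append("fallback: chip-capable card processed as mag stripe")
            decline = decline or self.decline_fallback
        # Signal 2: the ATC must strictly increase; a stale or wildly jumped value is suspect.
        if atc <= state.last_atc:
            flags.append(f"atc not advancing: got {atc}, last seen {state.last_atc}")
            decline = True
        elif atc > state.last_atc + ATC_GAP_LIMIT:
            flags.append(f"atc jump: got {atc}, last seen {state.last_atc}")
            decline = True
        if not decline:
            state.last_atc = atc      # only approved transactions move the watermark
        return (not decline), flags

def scenario(decline_fallback: bool):
    """Skimmed counter 5 is replayed before the genuine card's next tap (constructed values).
    Returns (fraud_approved, genuine_approved)."""
    mon = IssuerMonitor({"4111-TEST-0001": CardState(True, last_atc=4)}, decline_fallback)
    fraud = mon.authorize("4111-TEST-0001", 5, "magstripe")   # cloned data, mag-stripe mode
    genuine = mon.authorize("4111-TEST-0001", 5, "emv")       # real card's next tap
    return fraud[0], genuine[0]
```

With fallback declined the replay is rejected and the real card is unaffected; with the legacy policy the replay goes through and it is the genuine cardholder's next tap that fails, which is the ordering the article describes.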
“I believe that EMV interfaces in general (both RFID and physical) is an area ripe for implementation bugs and errors,” Fillmore said. “It’s just the lack of available/affordable test equipment which has prevented researchers from exploiting this area.”
He said the attack may work similarly on Cupertino’s Apple Pay platform, which supported non-EMV transactions.
Fillmore’s work built on the shoulders of Michael Roland and Josef Langer from NFC Research Lab detailed in the paper
August 28th, 2014
Mythbusters Banned from airing RFID story
The hit Discovery Channel show Mythbusters recently wanted to air an episode about how trackable and hackable RFID chips were. It’s still not clear why they were not allowed to proceed with airing the show, but as Adam Savage, the co-host of the hit show, alludes to in this interview, some very powerful people and companies made sure that it would never air.
Everyone would’ve learned more about the technology that’s invisibly invading our lives and the vulnerabilities surrounding the global uptake and usage of these technologies on us by the big end of town.
Talk about shutting down and closing ranks... it seems the card issuing companies and RFID manufacturers really don’t want us (we the people) to know how vulnerable this technology is and how easy it is to hack or skim.
Thanks Mythbusters for trying to expose this vulnerable technology; although your piece did not go live on the Mythbusters show, the surrounding hype about the show being pulled shows just how vulnerable we are to skimming.
The only way to protect your personal data is with the latest technology found in an ARMOURCARD. The first Active RFID & NFC protective device.
By Tyler Harris