Shmoocon Demo Shows Easy, Wireless Credit Card Fraud

Sparrowvsrevolution writes with this excerpt from a Forbes piece recounting a scary demo at the just-ended Shmoocon: "[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer's credit card onstage and obtained the card's number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer's money with the counterfeit card she'd just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) ... A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses."

Re:Is this news?

[Jeng]

It is news in that this has now been brought up to the credit card companies in a manner which cannot be easily ignored.

FUD

[OverlordQ]

In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to used in the order they’re generated. If a payment processor that detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of a the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

You should be more worried about waiters and cashiers then somebody in a crowd grabbing your data.

This is sort of old news.

[MrCrassic]

Its been well known that RFID cards are suspectible to this kind of threat. The only reason why jammers and blocks havent been enforced as much is because there haven't been enough cases of this happening to justify wide-scale enforcement. I really like the convenience of contactless payment systems and hope jammers and guards become ubitquitous enough for banks to provide them along with these cards.

Re:Mitigating factors

[vlm]

Put two of these cards next to eachother, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.

Stand in line at the convenience store behind victim. Tada, you just got owned.

There are numerous ways around this problem. It shouldn't stop people from using the technology.

Its about as secure as tatooing your social security number on your forehead, then telling people its safe because you need a telephoto lens from over 100 feet, or you can just wear a skimask all the time.

Re:Mitigating factors

[berashith]

The issue isnt being able to mitigate, the issue is that if the CC companies convince everyone that this isnt possible, then they have an easy path to never having to pay out against fraud. They can just refuse to believe this exists, and tell anyone who had their card info stolen that the cause was their behavior, and then never have to honor a dime of repayment. This is enough to let everyone know that theft can occur this way, and liability remains with the CC companies.

Square is the big security fail here...

[randomlogin]

The fact that you can make a payment via Square without any form of authentication is the biggest failure here. At least with the RFID payment you've got a cryptographically strong authentication method which is pretty hard to fake. The sooner the credit card companies get rid of the magstripe the better...

Re:Glossing over one problem...

[oneiros27]

So we'd have to funnel people through a chokepoint to isolate them ... and it might not work if they had more than one RFID enabled card in their wallet? And then you have to use it quickly, like this was done (while still on stage), rather than waiting for the person to try to make a legit transaction.

I'm guessing that someone standing near the entrance to a subway system could work within those restrictions well enough that even if they got less than 1% success rate per person entering could still turn a nice little "profit" during rush-hour.

Re:Glossing over one problem...

[CimmerianX]

>> the cards are set to offer up a one-time CVV code with every scan

Wait, I thought RFID only offered up static information. Does this infer that the cards have some sort of logic onboard to generate these 'one-time codes' and have create a new code on every scan that matches up with its processor? How does this effect an inadvertent scan, do the codes get all out of sync? Is there resync logic as well? How would this be handled throught payment processors and 3rd party clearing houses?

Now, someone enlighten me on this if it's true. But this sounds to me like total bullcrap.

Re:FUD

[Dr_Barnowl]

Untrue ; waiters and cashiers will eventually get busted by data mining - you just need to correlate the transactions that pay for food and note the common location, then go through their time cards.

Whereas with wireless, you could collect the data in a location not covered by security cams, and transmit it, encrypted (how ironic) to avoid detection, to another location where payments are processed. A crowded subway car would be ideal - people are not going to be using their cards, and it's the ultimate in cultured anonymity - everyone goes out of their way not to notice anyone else.

Re:Is this news?

[Joce640k]

Why is it "hyperbole" if somebody can drain hundreds of bank accounts wirelessly with a $50 device?

To me that sounds more like "panic stations, block all cards now!!"

Why anybody needs RFID credit cards is beyond me anyway. Is it sooooo hard to swipe a card through a reader?

PS: Why would the CVV number be on the RFID chip? Surely that's the secret only you and the company are supposed to know?

gender

[Sebastopol]

Probably should be modded as off topic for this, but why did the article feel the need to point out Paget's gender change? did it make her a better programmer, or design better hardware? or were there lots of people reading the article were like "Hey, I knew I guy with the last name Paget that worked there, I wonder if they are related? ... Oh!" /scratches head

Re:FUD

[sjames]

Or they're smart and pass the numbers on to someone else who collects the info from many waiters and runs charges the next day.

Re:Is this news?

[arglebargle_xiv]

It's hyperbole because the attacker has to be incredibly close to you. They actually have to bump the device up against your wallet. While it's technically "wireless" that's not what most people have in mind when they hear the word.

I was at Kristin's talk. The range with a standard cheap-ass reader is a few cm. With your own higher-power add-on (13.56MHz is right next to the 14MHz amateur band for which you can get off-the-shelf gear), it's tens of feet.

Also the CVV number it gives you works for one use only.

So you perform multiple reads and get one CVV per read.