Forgot your password?
This discussion has been archived. No new comments can be posted.

Android App Lets You Steal Contactless Credit Card Data

Comments Filter:
  • by dyingtolive (1393037) <> on Thursday June 21, 2012 @08:57AM (#40397627)
    Okay, you couldn't use it for online purchases, but at a brief glance, you can get magnetic card encoders for 150+ USD. Not sure about whatever tech they use for the contactless style ones, but here's what I'm thinking:

    Step 1: Steal contactless CC data.
    Step 2: Burn semi-realistic magnetic card with CC data. Emboss the number on the front. 99% of all retail employees will not look twice at the card.
    Step 3: Profit.

    You don't need the security code for purchases made in person, and if you're doing this in person, you can probably speculate what the zip code is for the few places that even ask for that. Granted, this requires making purchases in person, so you're subject to video surveilance for anyone who REALLY wants to come after you, but since you can repeat this process, it's essentially a use one, throwaway kind of thing.
  • by Thanshin (1188877) on Thursday June 21, 2012 @09:03AM (#40397697)

    Yes. Pleasantly surprised.

    It proves that the Android app store is not strongly censored.

  • by Anonymous Coward on Thursday June 21, 2012 @09:04AM (#40397711)

    Why is this modded down? It's all 100% true! I'm not advocating for Apple-extremeness, but Google needs to police it's app store at least to some extent.

  • by kelemvor4 (1980226) on Thursday June 21, 2012 @09:07AM (#40397741)

    Yes, outside Australia, the UK and (I think) the EU the uptake of CSC and Chip and Pin is rather low.

    As are nfc capable phones.

  • by AuMatar (183847) on Thursday June 21, 2012 @09:14AM (#40397805)

    It's the ease with which it's done, and the fact that physical security is no longer enough. If the card isn't NFC capable, you have to physically hand the card to someone. With an NFC reader, bumping up against them in a crowded club/street may be enough. I can protect against handing my card to people who don't have a legit reason for it, and I can prevent it leaving my sight when not at home. I'm not capable of preventing anyone who wants to from brushing against me. So yes, this is a big deal.

  • by Joce640k (829181) on Thursday June 21, 2012 @09:15AM (#40397831) Homepage

    You contradict yourself.

    It's skimming while the card is still in your pocket. It's exactly the same as handing your card to random people for them to play with.

  • by petermgreen (876956) <plugwash.p10link@net> on Thursday June 21, 2012 @09:24AM (#40397949) Homepage

    The criminals don't have to use the stolen details in the country they stole them from.

  • That's Unpossible (Score:2, Insightful)

    by Anonymous Coward on Thursday June 21, 2012 @09:53AM (#40398271)

    The NFC card proponents and credit card companies said that this could not happen.

    They said that the data was encrypted and virtually impervious to interception.

    They said we could trust them.

    They said that the people saying otherwise were clueless Chicken Littles.

    Obviously this app is the product of highly sophisticated terrorists, or possibly an enemy state. /s

  • by cdrguru (88047) on Thursday June 21, 2012 @10:14AM (#40398557) Homepage

    This is clearly not really the case, although you might think it is.

    One obvious fallacy is if I (from the US) come in with my PIN-less credit card and want to make a purchase. No PIN exists, so what are they going to do? Telling me to go away is not a winning strategy. So someone comes in with a re-striped card without a PIN and they are going to be able to pay just like I can.

    I suspect the store isn't sending the code but the card issuer. Great for validation but it sucks for the folks trying to use stolen credit card information.

    You see, in the US the card holder, the card issuer and the card organization (VISA or MasterCard) don't care about fraud. For everyone but the merchant it is meaningless and the merchant just has insurance to cover their losses due to fraud. So it is important for things to be as easy as possible for people getting stuff with stolen credit card information. Well, I guess you would need to call it "borrowed" because they really haven't stolen anything - just made a copy.

    And nobody is ever prosecuted for this sort of stuff, unless you do something wild and crazy with a million credit card numbers.

    I do not see this situation changing, ever. Why would it? It doesn't really affect anyone except the cardholder who has to get a new card with a different number. Yes, some people get away with buying stuff that nobody ever pays for, but the merchant is covered by insurance so they lose nothing. Certainly the insurance companies don't want it to change because then nobody would buy the insurance.

If God had a beard, he'd be a UNIX programmer.