Android App Lets You Steal Contactless Credit Card Data 221
mask.of.sanity writes "An Android application capable of siphoning credit card data from contactless bank cards has appeared on the Google Play store.
The app was developed by a security penetration tester for research purposes and will steal card numbers and expiry dates, along with transactions and merchant IDs.
It requires a near field device capable phone, or accessory."
Re:Anyone surprised? (Score:5, Insightful)
Step 1: Steal contactless CC data.
Step 2: Burn semi-realistic magnetic card with CC data. Emboss the number on the front. 99% of all retail employees will not look twice at the card.
Step 3: Profit.
You don't need the security code for purchases made in person, and if you're doing this in person, you can probably speculate what the zip code is for the few places that even ask for that. Granted, this requires making purchases in person, so you're subject to video surveilance for anyone who REALLY wants to come after you, but since you can repeat this process, it's essentially a use one, throwaway kind of thing.
Re:Anyone surprised? (Score:4, Insightful)
Yes. Pleasantly surprised.
It proves that the Android app store is not strongly censored.
Re:Disaster waiting to happen (Score:0, Insightful)
Why is this modded down? It's all 100% true! I'm not advocating for Apple-extremeness, but Google needs to police it's app store at least to some extent.
Re:Anyone surprised? (Score:4, Insightful)
Yes, outside Australia, the UK and (I think) the EU the uptake of CSC and Chip and Pin is rather low.
As are nfc capable phones.
Re:It was only a matter of time (Score:4, Insightful)
It's the ease with which it's done, and the fact that physical security is no longer enough. If the card isn't NFC capable, you have to physically hand the card to someone. With an NFC reader, bumping up against them in a crowded club/street may be enough. I can protect against handing my card to people who don't have a legit reason for it, and I can prevent it leaving my sight when not at home. I'm not capable of preventing anyone who wants to from brushing against me. So yes, this is a big deal.
Re:It was only a matter of time (Score:5, Insightful)
You contradict yourself.
It's skimming while the card is still in your pocket. It's exactly the same as handing your card to random people for them to play with.
Re:Anyone surprised? (Score:5, Insightful)
The criminals don't have to use the stolen details in the country they stole them from.
That's Unpossible (Score:2, Insightful)
The NFC card proponents and credit card companies said that this could not happen.
They said that the data was encrypted and virtually impervious to interception.
They said we could trust them.
They said that the people saying otherwise were clueless Chicken Littles.
Obviously this app is the product of highly sophisticated terrorists, or possibly an enemy state. /s
Re:Anyone surprised? (Score:4, Insightful)
This is clearly not really the case, although you might think it is.
One obvious fallacy is if I (from the US) come in with my PIN-less credit card and want to make a purchase. No PIN exists, so what are they going to do? Telling me to go away is not a winning strategy. So someone comes in with a re-striped card without a PIN and they are going to be able to pay just like I can.
I suspect the store isn't sending the code but the card issuer. Great for validation but it sucks for the folks trying to use stolen credit card information.
You see, in the US the card holder, the card issuer and the card organization (VISA or MasterCard) don't care about fraud. For everyone but the merchant it is meaningless and the merchant just has insurance to cover their losses due to fraud. So it is important for things to be as easy as possible for people getting stuff with stolen credit card information. Well, I guess you would need to call it "borrowed" because they really haven't stolen anything - just made a copy.
And nobody is ever prosecuted for this sort of stuff, unless you do something wild and crazy with a million credit card numbers.
I do not see this situation changing, ever. Why would it? It doesn't really affect anyone except the cardholder who has to get a new card with a different number. Yes, some people get away with buying stuff that nobody ever pays for, but the merchant is covered by insurance so they lose nothing. Certainly the insurance companies don't want it to change because then nobody would buy the insurance.