Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Crime Security The Almighty Buck IT

Android App Lets You Steal Contactless Credit Card Data 221

mask.of.sanity writes "An Android application capable of siphoning credit card data from contactless bank cards has appeared on the Google Play store. The app was developed by a security penetration tester for research purposes and will steal card numbers and expiry dates, along with transactions and merchant IDs. It requires a near field device capable phone, or accessory."
This discussion has been archived. No new comments can be posted.

Android App Lets You Steal Contactless Credit Card Data

Comments Filter:
  • Anyone surprised? (Score:5, Interesting)

    by dyingtolive ( 1393037 ) <`brad.arnett' `at' `'> on Thursday June 21, 2012 @09:36AM (#40397397)
    Really. Broadcast data can be intercepted by anyone with the ability to receive?
    • by Hentes ( 2461350 )

      Except if they use secure encryption, it's not magic.

      • The problem with that is that you have no guarantee they do, short of getting one of these cards and doing this yourself to see just how the data is encoded.
    • by Thanshin ( 1188877 ) on Thursday June 21, 2012 @10:03AM (#40397697)

      Yes. Pleasantly surprised.

      It proves that the Android app store is not strongly censored.

    • Re:Anyone surprised? (Score:4, Interesting)

      by L4t3r4lu5 ( 1216702 ) on Thursday June 21, 2012 @10:24AM (#40397939)
      Are contactless cards shipped in Faraday cage envelopes? If not, can the card numbers be lifted before the card reaches the recipient?
      • Are contactless cards shipped in Faraday cage envelopes? If not, can the card numbers be lifted before the card reaches the recipient?

        I don't know about elsewhere but in the UK credit cards can't be used until they have been activated either online or over the phone. Not sure if you could skim the card and then wait until the card was activated to use the details but I am fairly sure that NFC connections are a one off deal, you can't store the information and use it over and over again.

        • by sjames ( 1099 )

          Right, so you scan the mailbag, wait a month or two and then abuse the information.

  • by Quick Reply ( 688867 ) on Thursday June 21, 2012 @09:40AM (#40397445) Journal

    I mean really, how idiotic do these companies need to be to make a system where the full Credit Card information is TRANSMITTED over the air with no authentication. Even a token would be more acceptable.

    The Credit Card system is quite happy to take a loss on all the money they have to pay back with protection guarantees when consumers get scammed, instead of actually tackling the problem by inventing a SECURE SYSTEM that is impervious to skimming methods.

    This app does not add any additional functionality that scammers don't already have, but a good highlight of how damn simple it is to do, while Mastercard/Visa and the financial institutions who use them do nothing.

    • by Shoten ( 260439 )

      There is authentication, it's just not done by a computer. Do you hand your credit cards out to people at random? Pass them around in a club for everyone to play with, regardless of whether you know them or not? Of course not...and why not? Because the simple act of doing so authorizes them to access the information on the card. Looking at it will give them your name on the card, the number, expiry date and CVV number on the back. With a $40 device, they can get the read direct off the magnetic strip []

    • by forand ( 530402 )
      I think you have one major flaw with your conclusions: Credit Card processing companies have absolutely no reason to make their systems secure if there are any costs associated with it. The main reason for this is that they pass all the liability onto the retailer. Their goal is the provide the most convenient method to pay a bill on the part of the card holder. Until there is a disruption in this market they will continue to ignore security and pass the costs onto the retailer.
      • The main reason for this is that they pass all the liability onto the retailer.

        This may be true where ever you are posting from but in the UK as long as a payment is made using the Chip and Pin system then the credit card company takes liability. If a payment is made online then again as long as the 3D Secure system is used then the credit card company take liability.

        The only time a retailer is liable is if they essentially waive that protection by accepting a signature authorised payment in person, or allo

    • I give occasional help to a retailer (in Europe, if it matters). The hoops the credit-card companies make them jump through are pretty amazing. Example: they have a simple web-shop with a web-form that allows the customer to enter credit-card info. This info stays online in the MySQL database for a short period of time, until their little ERP system sees it, downloads it and deletes it. In more than 10 years using this system, they have never had a problem.

      Nonetheless, the credit-card companies want them to

      • Nonetheless, the credit-card companies want them to pay for a quarterly "network penetration test" on their website, and to provide detailed technical information on the website set-up. Since their web-site is hosted by a big ISP, they have no access to the necessary technical info, and the ISP doesn't really want network penetration tests pounding on their infrastructure all the time. This is a mess.

        It is called PCI-DSS Compliance and it has been standard practice for years. If you don't store any credit c

    • It's not that bad, some type of cards are more protected: []

      Contactless MSD cards are similar to magnetic stripe cards in terms of the data they share across the contactless interface. They are only distributed in the USA. Payment occurs in a similar fashion to mag-stripe, without a PIN and often in off-line mode (depending on parameters of the terminal). The security level of such a transaction is better than a mag-stripe card, as the

    • by h4rr4r ( 612664 )

      You don't need a secure system at all. Credit card numbers should be near worthless. They should require something held and something known.

      Even that can be skipped if all purchases must be authorized by the purchaser via a website or text message. You give your CC number, you get txt or website login, that then gives you a chance to approve or deny.

    • by cdrguru ( 88047 )

      The credit card issuer (bank?) doesn't take a loss - they charge it back to the merchant. The card holder doesn't take a loss - the fraudulent charges are removed from the bill. The merchant doesn't take a loss - they have insurance for this.

      So nobody loses at all. So why make it secure? It is like having a combination lock on the bathroom door so nobody else can pee in your toilet.

      • So nobody loses at all.

        au contraire ...

        The insurance company charges the merchant a premium to cover this. The merchant is not a charity and often works on small margins so, guess what, the premium is passed off in higher prices to the customer - so because of the fraudsters everybody loses a little (it's just spread out thinly).

  • I am behind the times! Apple will be jealous! Can it read through my tin wallet?

    I wonder what the range is, which I realize it is a function of the phone, but a ball park. Are we talking 10 cm, 50 cm, 1 m?

    • I have a steel business card case that I use as a wallet since I hardly ever carry cash anymore. All of the card readers I've used at various buildings will read my door pass (RFID?) right through the case as long as I hold it a little closer to the reader.
  • With NFC phones you could make an almost crack proof system. Since the phone has a second line of communication it could use NFC to generate an an encrypted transaction with the merchant terminal and then use it's cellular connection to verify that transaction with the bank, and at last the merchant terminal would use it's network connection to the bank to finalize that transaction. Yes that means both devices need a working network connection to make the transaction work, but it would be super secure sin
  • Hate broadcasting CC (Score:4, Interesting)

    by AwesomeMcgee ( 2437070 ) on Thursday June 21, 2012 @10:17AM (#40397851)
    I am so mad that every one of my CC's/Debit cards that has expired has been replaced by the banks with ones that do this broadcasting shit. Has anyone been able to get them to replace with one that doesn't do this shit? There's absolutely no reason I would want my CC to broadcast its info for devices to read, and swiping the thing is just as easy as passing it over an NFC device.

    Or perhaps can anyone name a national bank who has allowed them to get a debit card that doesn't do this?
    • Re: (Score:3, Informative)

      by fsulawndart ( 860628 )
      You could always just drill a hole through the chip. That's what I do.
    • by ffflala ( 793437 )
      What country? I'm loathe to recommend ING since they were purchased by Capital One, but you asked... in the US, unless they've changed their cards out in the past year, their debit card doesn't do this.
    • None of my Bank of America debit cards have ever had NFC chips in them. I'm not sure about their credit cards. There are plenty of reasons to hate BoA, but at least this isn't one of them (so far).
    • Or perhaps can anyone name a national bank who has allowed them to get a debit card that doesn't do this?

      You must be in Europe. In the US, most cards still don't have this functionality. Right now, this vulnerability seems to be limited to MasterCard nfc cards, not Visa nfc cards (and yes, the Mastercard nfc specs are supposed to be different from the Visa nfc ones, not that I've even seen the Visa ones, so I can't confirm that for a fact).

      Your other option could be to use an NFC-phone to pay for things. Contrary to the popular opinion on slashdot, I believe that most nfc phones are actually much more secure t

  • That's Unpossible (Score:2, Insightful)

    by Anonymous Coward

    The NFC card proponents and credit card companies said that this could not happen.

    They said that the data was encrypted and virtually impervious to interception.

    They said we could trust them.

    They said that the people saying otherwise were clueless Chicken Littles.

    Obviously this app is the product of highly sophisticated terrorists, or possibly an enemy state. /s

  • Does anyone know of a good credit card... "sleeve" that shields EM radiation? Ideally something you can put the card into that can fit in your usual wallet and which is still fairly easy to remove for when you do need to use it.

    • You can get those woven stainless steel billfolds for pretty cheap on ebay now. They used to be $100 or more from name brand retailers. I plan on buying one at some point.
  • This is (partly) BS! (Score:2, Informative)

    by Anonymous Coward

    I have an NFC-enabled Android smartphone and tried out this app (and several others with similar claims).

    They simply do not work as advertised. Most cards I tried use encryption and the app wasn't able to break it (as a matter of fact it didn't even try...).

    All that these apps can do consistently is detect if there is some kind of RFID chip nearby (as in "less than 10 cm away from the phone").
    Some can read part of the information stored. But none of them could read the hidden data on any of the cards I trie

  • I guess they never anticipated that a contactless magic wireless super lazy marketing gimmick receiver system could potentially have a similar device built to do the exact same thing the exact same way. I know, I'm sure they're just SHOCKED over there to find out someone did it.

Order and simplification are the first steps toward mastery of a subject -- the actual enemy is the unknown. -- Thomas Mann