Security

Flipper Zero Banned By Amazon for Being a 'Card Skimming Device'

Amazon has banned the sale of the Flipper Zero portable multi-tool for pen-testers as it no longer allows its sale on the platform after tagging it as a card-skimming device. From a report: The Flipper Zero is a compact, portable, and programmable pen-testing tool that can help experiment with and debug various digital and hardware devices via various protocols, including RFID, radio, NFC, infrared, Bluetooth, and others. Since its launch, users have showcased Flipper Zero's capabilities demonstrating its capacity to activate doorbells, conduct replay attacks to unlock cars and open garage doors, and clone a wide range of digital keys. According to notices sent to sellers on Thursday evening, Amazon has now banned Flipper Zero on its platform, tagging it as a "restricted product." Card-skimming devices are listed on Amazon's Seller Central portal under the Lock Picking & Theft Devices restricted product category, next to key duplicating devices and shoplifting devices, such as sensormatic detachers. Currently, some links to previously available Amazon pages selling Flipper Zero tools are dead and displaying "Sorry, we couldn't find that page. Try searching or go to Amazon's home page." errors, while others list it as "Unavailable."
  • by flink ( 18449 ) on Friday April 07, 2023 @09:55AM (#63432832)

    Robert Evans just talked about this device on the most recent Behind the Bastards live show [iheart.com] and said to get one before it was illegal. I wonder if the increased visibility killed it.

    • by Anonymous Coward on Friday April 07, 2023 @10:08AM (#63432862)

      Robert Evans just talked about this device on the most recent Behind the Bastards live show [iheart.com] and said to get one before it was illegal. I wonder if the increased visibility killed it.

      I got mine a few weeks ago. While I have a basic knowledge of RF, I was pretty impressed with the device's capabilities.
      With permission, I ran a few tests and was easily able to:
      * Get access to a secured area by standing by the door with the device under my sleeve near the reader and waiting for someone to put their card to the reader. I could 'replay' the card and open the door.
      * Identify the frequency of keyfobs, record them, and unlock vehicles. This worked about 50% of the time. I think newer FOBs have some rotating encryption--like I can't use it to unlock my 2018 Subaru, but I can unlock a lot of cars older than 2015.
      * Stand next to someone and grab their "tap to pay" credit card info. It doesn't get the "code from the back", but it does get the card number and expiration date.
      * Easily mess with TVs via IR in stores, offices, and homes.
      * I can read YubiKeys with NFC. I'm not sure if I can "replay" them or not. Haven't tried that part yet.
      * I haven't messed with the "Bad USB" stuff yet.

      The problem isn't that the "flipper zero" exists. The problem is a lot of the technology around us isn't designed with security in mind. I mean...how in the hell can a credit card be designed so I can read the number and expiration date from a foot away?

      Again, with permission, I tested this at my local convenience store. I had a friend grab something to eat, and I grabbed a soda. When he reached for his wallet, I stood behind him and nabbed a credit card number. After he paid and moved out of the way, I tapped the flipper zero to the terminal and paid for my soda.

      I have used an RFID-blocking wallet for years, but right after the test, my wife and friend both purchased RFID-blocking wallets / purses.

      • by S_Stout ( 2725099 ) on Friday April 07, 2023 @10:11AM (#63432872)
        Dude you asked me for permission to buy a soda. I said it was not my business what you buy. Now you are saying you stole my credit card number to buy your soda?!?!?

        Our friendship is in big trouble.
      • The problem isn't that the "flipper zero" exists. The problem is a lot of the technology around us isn't designed with security in mind. I mean...how in the hell can a credit card be designed so I can read the number and expiration date from a foot away?

        Again, with permission, I tested this at my local convenience store. I had a friend grab something to eat, and I grabbed a soda. When he reached for his wallet, I stood behind him and nabbed a credit card number. After he paid and moved out of the way, I tapped the flipper zero to the terminal and paid for my soda.

        Those are just card transactions. All you've captured is the stripe data, which isn't treated as a secure transaction like a normal chip or tap transaction.

        You see, tap transactions not only report the card and expiry date, the same as if you swiped the card. Then there's a secret challenge sent to the card that uses a key known only to the card and bank.

        It's this second encrypted part that secures the tap transaction otherwise it's just a swipe transaction.

        Flipper Zero isn't getting anything that isn't already plaintext on the card, or on the stripe. The magic behind chip and tap is that additional challenge and response - it's also the magic behind things like Apple Pay which emulates a chip with multiple secrets. The thing is that you need to enroll Apple Pay because the secret needs to be communicated between the iPhone and the bank which is where the additional fancy stuff happens.

        There is no magic to it. Any phone with NFC can read tap cards already - on Android, an NFC scanner app can read a credit card and get that information already.

        • Are you sure it does challenge/response? With the chip I see the delay, and the delay is good. But once the cashier tapped it instead and the transaction went through much faster than the chip method. I suspect the tap was the same as swiping the mag stripe, it got just the credit card number and didn't bother with more than basic authentication (is the number valid or not).

          Just having the credit card number and expiration date is enough to get a lot of transactions done online. If you have the 3 digit c

      • Stand next to someone and grab their "tap to pay" credit card info. It doesn't get the "code from the back", but it does get the card number and expiration date.

        It varies from bank to bank, and even then cardholder to cardholder, but generally this information on its own is totally useless. There are other messages here that your device likely isn't picking up, but I'm guessing that's because they're only useful once so it doesn't bother providing them to you.

        I can read YubiKeys with NFC. I'm not sure if I can "replay" them or not. Haven't tried that part yet.

        Like credit cards, yubikeys are smart cards. And they do both ISO7816 and ISO14443a. Yubikeys have multiple application modes, among them being PIV and FIDO2.

        In order for you to "replay" them, you'll need to c

      • by fermion ( 181285 )
        Security is limited by what people will endure. For instance I used to have a one time pad app to access Google accounts. Now as long as I logged into an account on one device, I can authorize any other. Much less secure. I use my watch to pay for most items, and the gas station app for fuel. But not everyone is comfortable with these.
        • by Anonymous Coward

          A one-time pad [wikipedia.org] for accessing Google would be really, really cool, but it doesn't exist.

          You may have meant 'one-time password' or 'two-factor authentication' (2FA systems often use OTPs).

      • Security is more often than not extremely lax. Much of it is "good enough for most purposes". I.e., sometimes ATM cards would have the PIN encoded onto the mag stripe on the back, because it was faster than waiting for the round trip to a central database before popping up the UI. The rationale was that only very sophisticated criminals could afford mag stripe readers, even though there was plenty of evidence out there that this was relatively straightforward to obtain. But the losses from theft are ofte

      • by AmiMoJo ( 196126 )

        Years ago I was developing a product that used the same chip, the Texas CC1101. Had some reports that occasionally people couldn't unlock their cars when production was testing batches.

        After some investigation I was able to unlock their cars for them, too, but for some reason they weren't very impressed with my solution.

      • by sjames ( 1099 )

        For the credit cards and such, the real question is why is just the number good enough to charge something. There's a smart chip in it, why doesn't it just sign a transaction record complete with the timestamp so it won't replay (clearing house rejects duplicate signed transactions)

        You would only need a CC number for card not present transactions, at least until appropriate hardware or software can be distributed to people to use for web based shopping.

        Cars should use a handshake with the remote, not just h
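
The challenge-response that the earlier comment on tap transactions describes, and the replay-rejecting signed record asked about in the comment just above, sketched as an added example that is not part of the thread or of any payment specification. It models card-present authorization only; HMAC-SHA256 is a stand-in for the card's real cryptogram, and `Card`, `Issuer`, `demo` and the card values are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

# Simplified model, not real EMV: HMAC-SHA256 stands in for the card's
# cryptogram; Card, Issuer and demo are hypothetical names.

def _mac(key, amount_cents, atc, challenge):
    msg = struct.pack(">QI", amount_cents, atc) + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    def __init__(self, pan, expiry, key):
        self.pan, self.expiry = pan, expiry  # readable over NFC in the clear
        self._key = key                      # secret shared with the issuer only
        self._atc = 0                        # transaction counter

    def sign(self, amount_cents, challenge):
        """Answer the terminal's challenge with a one-time cryptogram."""
        self._atc += 1
        return {"atc": self._atc,
                "cryptogram": _mac(self._key, amount_cents, self._atc, challenge)}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorize(self, pan, amount_cents, challenge, atc=None, cryptogram=None):
        key = self._keys.get(pan)
        if key is None or atc is None or cryptogram is None:
            return "declined: no cryptogram"
        if atc <= self._last_atc[pan]:
            return "declined: counter reused"
        expected = _mac(key, amount_cents, atc, challenge)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        self._last_atc[pan] = atc
        return "approved"

def demo():
    key = secrets.token_bytes(32)
    card = Card("9999000000000001", "12/30", key)  # constructed sample values
    bank = Issuer()
    bank.enroll(card.pan, key)
    c1 = secrets.token_bytes(4)                    # terminal's fresh challenge
    c2 = bytes(b ^ 0xFF for b in c1)               # a different challenge
    reply = card.sign(250, c1)
    out = {"genuine": bank.authorize(card.pan, 250, c1, **reply)}
    # The same reply presented a second time: its counter is already spent.
    out["replay"] = bank.authorize(card.pan, 250, c1, **reply)
    # Card number and expiry alone, with no cryptogram at all.
    out["static_only"] = bank.authorize(card.pan, 250, c2)
    # A fresh reply checked against a different terminal challenge.
    unused = card.sign(250, c1)
    out["wrong_challenge"] = bank.authorize(card.pan, 250, c2, **unused)
    return out
```
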

      • BTW reading this post a second time...

        * Get access to a secured area by standing by the door with the device under my sleeve near the reader and waiting for someone to put their card to the reader. I could 'replay' the card and open the door.
        * Identify the frequency of keyfobs, record them, and unlock vehicles. This worked about 50% of the time. I think newer FOBs have some rotating encryption--like I can't use it to unlock my 2018 Subaru, but I can unlock a lot of cars older than 2015.
        * Stand next to someone and grab their "tap to pay" credit card info. It doesn't get the "code from the back", but it does get the card number and expiration date.
        * Easily mess with TVs via IR in stores, offices, and homes.
        * I can read YubiKeys with NFC. I'm not sure if I can "replay" them or not. Haven't tried that part yet.
        * I haven't messed with the "Bad USB" stuff yet.

        So far I'm not hearing anything this device can do that you can't already do with much cheaper arduino components, all of which are still available on Amazon.

  • by Anonymous Coward on Friday April 07, 2023 @10:05AM (#63432856)

    Still a-ok though!

  • by Duds ( 100634 ) <dudley&enterspace,org> on Friday April 07, 2023 @10:07AM (#63432858) Homepage Journal

    They'll ban that but a cursory search reveals a big pile of 16tb USB sticks that are about as legit as a chocolate teapot.

    • "tb" as a unit is about as legit as the aforementioned hot beverage container.
    • by Luckyo ( 1726890 )

      Can't steal NFC enabled payment cards with fake USB sticks. Can do it with this thing.

      • No, you're not going to "steal" NFC cards with this any time soon. A lot of people buy those stupid faraday sleeves because they saw some derp on an infomercial get the account number and expiration date off of one through a bag.

        It's a neat little party trick to make your friends think you're a hacker because they don't know any better, but that information is basically useless, as are those little faraday sleeves.

        It's also entertaining seeing those people put their passport in a microwave to fry the NFC an

        • by Luckyo ( 1726890 )

          This is cute and all, but I spent about an hour looking into this thing, and I already found instruction on how to do so. Turns out most people don't in fact buy faraday cages for their credit cards. That's a myth.

          This dolphin thing has an amazing community. And by "amazing" I mean "criminal AF". No wonder it's always sold out.

          • This is cute and all, but I spent about an hour looking into this thing, and I already found instruction on how to do so.

            Let's see your instructions then, because I really doubt they'll work. Furthermore, even if they did, they're unlikely to work with every card out there, and even for the few it might work on, it won't work on every merchant's terminal. I doubt it will even work anywhere in the United States at all.

          • Oh and as for your myth:

            https://www.amazon.com/Blockin... [amazon.com]

            Yeah, people do buy them. Unless you're in Europe where the security standards are lower, then these are useless.

            • by Luckyo ( 1726890 )

              Ok, so you know absolutely nothing about security and think that just because body armor exists, shooting people with pistols doesn't kill them. Got it.

              Best of luck.

              • The fact that you need a "flipper" to do this means you're a script kiddie, which also tells me that I already know a lot more about this topic than you do. In fact everything NFC that this device is capable of is easily done with an arduino for a lot less.

                Example:

                https://werner.rothschopf.net/... [rothschopf.net]

                One thing you might notice in that page is mention of public keys and issuers. You'll also notice that the card openly gives away the PAN (among other things) without so much as asking you to authenticate. This is

                • Your sig tells me you know a thing or two about smart cards (btw, I don't get it? Is it just that this is the "non-PC status" that needs to be rephrased? Or do you want to say that you won't accept having that status? Needs clarification), so maybe I found someone to have a sensible discussion about the whole matter, because reading here generally gives me a bit of a headache.

                  I do actually have a Flipper, mostly because it makes a cool show-and-tell device for managers. It's kinda hard to pull off with some

                  • Your sig tells me you know a thing or two about smart cards (btw, I don't get it? Is it just that this is the "non-PC status" that needs to be rephrased? Or do you want to say that you won't accept having that status? Needs clarification),

                    The ISO7816 spec only defines a few basic status words, for example, SW 0x90 SW2 0x00 generally means "ok", as in, whatever APDU you just sent was executed successfully by the card, and no data was returned. Beyond that it tends to be application specific. In this case, refer to EMV APDU responses. And yeah, it is deliberately vague :D

                    That's in my opinion the value of a Flipper. Less so that you could do something you could not do otherwise. Of course you can, they didn't beam in the parts of that Flipper from that place where Hollywood goes to get the scripts for their hacking movies where things go that are impossible, they built it from the same components that you can get. But showing that off to a manager is tough to pull off, and very easy with a Flipper where you can show them that even THEY can do it.

                    Unfortunately, people who are serious about trying to break into your systems are rarely script kiddies anymore. I mean, if your defenses are THAT bad, maybe... I could say ri

                • by Luckyo ( 1726890 )

                  >The fact that you need a "flipper" to do this means you're a script kiddie, which also tells me that I already know a lot more about this topic than you do.

                  Ding ding ding, we have a winner.

                  Here's something from someone who understands security as a process, to someone who clearly thinks of security as a product. Needing a handful of experts to do common exploits is what keeps the world safe. Granting every kid with a couple of hours of time ability to break through common security processes on the cheap is w

                  • The thing that stops people from just opening your house leaving no marks behind, walking in, taking only a few valuable things and leaving is that there is no "script kiddie" version of lockpicking.

                    While the police and insurance might like you to believe that locks can't be opened without leaving marks, this simply isn't true. Bump keys are easy to use and don't leave any marks.

                    • by Luckyo ( 1726890 )

                      Lockpicking in general doesn't leave marks. Be it using proper picks on mechanical lock, or using a magnet to engage the mechanism of an electronic one.

                      So even if your lock is not susceptible to a bump attack, it can almost certainly still be picked by a half decent picker.

          • To read my NFC card, you have to be close enough to me that I'd expect at least a blowjob to happen.

            Quite frankly, you're literally touching my ass here.

            • by Luckyo ( 1726890 )

              Could you tell me where you live where people don't walk near one another? Because I live in one of the least densely populated countries on this planet, where culture is that you stay away from other people when you can.

              And even here, people in places like supermarkets routinely walk close enough to each other to easily read RFID tags in their pockets. So what is the country and the culture that is more distant than we Finns are?

    • by dohzer ( 867770 )

      Wait... where can I find one of these chocolate teapots you speak of?!

  • ....where's the best and most reliable place to buy these now?

    Links welcome!

  • by Anonymous Coward

    The Flipper job ads are all in Cyrillic. How is the Russian team being paid right now while selling product outside Russia?

    It is an interesting device, perfect for a trojan horse attack on its own customers. Perfect way to hack the hackers, through their tools.

  • by bill_mcgonigle ( 4333 ) * on Friday April 07, 2023 @10:19AM (#63432890) Homepage Journal

    This looks like a really nice RF debugging tool.

    But 'card skimming'? Not anything that's even a little bit secure from what I'm reading in the specs.

    I guess it can clone a 1990's prox card or garage door opener, since they're not secure in the first place. My gods, it can even clone your RCA TV remote!

    I wonder - do Amazon's hardware developers have any of these in their labs?

  • Comment removed based on user account deletion
  • The "Flipper One" will be out shortly -- problem solved.

  • by dgatwood ( 11270 ) on Friday April 07, 2023 @01:34PM (#63433348) Homepage Journal

    And this, right here, in a nutshell, is a perfect example of why Amazon's near monopoly over online sales is harmful to consumers. Meanwhile, scalpers are selling them at a $100 premium through Walmart.

  • Create device that can read clone credit cards and other data

    Get device banned on Amazon for publicity

    Lots of people scramble to get and use device

    Device uploads all the cloned data via its "app"

    Cloned data sold on the dark web

    Profit (no underwear required)
