EEVblog #890 - ArmourCard Active RFID Jamming Teardown

[f4eru]

RFID cards have been around a long time now (like a decade), they are not new. Contactless skimming fraud is pretty minimal after all this time. There must be a reason for this.

Yeah. GSM has been around also 10 years before massive security breaches have been openly available.
The same for other technologies where security breaches have not be very profitable.

But.

The RFID cards have gone from a low value to very high value (100$ it seems) lately. That for sure will increase fraud.

The most obvious technique is a relay based system to a uncooperative vendor. The same kind has been used to breach passive acess on cars lately This also took over 10 years to be in the wild, and the manufacturers all knew it will come one day (I know the subject

[mikerj]

"L 536" looks like it may be STM8L-series device, their first line is marked as "L xxx". But I can't find which one exactly.

Edit: Although, if there are no exceptions, then the part would be STM8L536, which does not exist.

Definitely an STM8L and probably an STML151 variant, but I can't find a list of package markings for their UFQFPN packages.  The 151x2/151x3 datasheet gives an example marking of "L526".

[FrankD]

I had problems with my public transport rfid card. Scanning at an entrance point was failing because all the cards in my wallet interfered with the handshaking.
My solution was to laminate alu foil in a card size format. I use two with the bank passes in between and the public transport card on the outside.
Never had a problem with interfering since.

[Bud]

This thread is about a solution for a non-existent problem.

[f4eru]

The problem is non existent for you today. That may change.

RFID relays have been implemented. It's a physical weakness of the system, and cannot be countered by redesign of the card or reader.
it has now great monetary value. it will be (and has probably been) exploited.

an example of POC :
https://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=72600

This one has a big lag time, that can be detected by the system, if the system is designed for it. But the lag can be reduced to undetectable levels, and then you have a breached system that cannot be corrected. So there is a real problem.

An extremely simple proof of concept is just a coax cable with two coils.
It's not really practical, but adding amplifiers and low-lag transceivers make it really exploitable.

[f4eru]

Just a word on Credit card fraud :
Fraud is rampant in this industry, but it's actually at a manageable level.
But if an important breach comes out, it will scale very quickly. That has happened many times.

It's really a technology war.

The state of the art skimmer is now miniaturized to a point they physically insert it into the card reader :
http://krebsonsecurity.com/2016/06/atm-insert-skimmers-in-action/

Walking in doing "tech support" :
http://krebsonsecurity.com/2016/06/banks-credit-card-breach-at-cicis-pizza/

Old fashionned skimmers still going strong:
http://krebsonsecurity.com/2016/05/skimmers-found-at-walmart-a-closer-look/

[kalleboo]

The state of the art skimmer is now miniaturized to a point they physically insert it into the card reader :

It was years ago I started considering just scraping off the magstripe off my debit card, since any store I go to the past how many years uses a chip reader. But the question is, what ATMs still use magstripe vs chip? There's no way to tell. When are EU banks going to kill the magstripe? Maybe issue a separate card for travel to the US and other third-world countries?

[Fungus]

It was years ago I started considering just scraping off the magstripe off my debit card but the question is, what ATMs still use magstripe vs chip?

A lot of ATMs require the magstripe to be present just so you can insert the card. The card slot is blocked until it detects the presence of a magstripe.

There's no way to tell.

Sure there is. Scrape it off and do a survey.

[f4eru]

You don't need to scrape it off.
Cover it with 3-5 layers of electrical tape, and it should be reversibly deactivated.

For a permanent erase, pass some strong magnets over it

[System Error Message]

lol at the store, the jammer next to the reader. Good marketing bad impractical.

If you have a big wallet get 2 of these and put 1 at either side.

[Urs42]

I got some interesting information from a bank. They are giving out RFID shield sleeves with each card. They get about two complaints about unathorized payments each day...