Unfortunately bad use of technology - Flir

[DavidDLC]

David.

[EEVblog]

Ah, they still have to steal your card...
And in Australia at least, we have largely changed over to NFC tap and go for purchases under $100. No pin required.

[DavidDLC]

We still need to take precautions.

That is why the keypads are covered and you use your hand to cover yourself so nobody can see it.

Now something else to take care of....

David.

[SeanB]

Just rest your fingers across all the keytops for a second after pin entry, that way all get heated, and the detection is much harder. As well stay next to the ATM after the transaction for a second or ten to make it harder to get the thermal image.

[TerraHertz]

It's interesting to see that the time-fade makes the sequence so obvious.

Ah, they still have to steal your card...
And in Australia at least, we have largely changed over to NFC tap and go for purchases under $100. No pin required.

Except for those of us who don't like the idea that if someone steals the card, they can use it without a PIN. That's completely unacceptable to me.
Not to mention being uncomfortable with walking around with a little RF identifier in my pocket. Since, what's the bet the actual range is more than a few inches? Enough to register your passing, if for instance stores wanted to track customers instore via hidden transceivers.  Presumably with a directional enough transmit and receive antenna it could be made to work over fairly long distances too.
Regardless of whether such things are done now, or may be in future, I'm quite happy to absolutely ensure the possibility for my own card is zero.

One light tap with a hammer via a flat-ended punch, on the location of the chip inside the card puts an end to that 'no contact RF' stuff. Didn't ask for it, don't want it.
The result is you have to insert the card in POS terminals (twice) till it figures out that the chip is broken and doesn't work with the contacts either. Then you can just swipe the magnetic strip and enter your PIN.

I find it interesting that the readers won't accept a mag stripe swipe first, until they have been told (twice) that the chip is broken. That bit of logic suggests the aim is to phase out mag stripes entirely.

[amyk]

Just rest your fingers across all the keytops for a second after pin entry, that way all get heated, and the detection is much harder. As well stay next to the ATM after the transaction for a second or ten to make it harder to get the thermal image.

This.

You could even "fake-press" the buttons afterwards, so any attacker will see what they think is the right PIN by the thermal image but it won't work at all.

Personally, I think the risk of this is quite small.

[GreyWoolfe]

Or you can use your debit card as a credit card.  No button pressing involved.  I do that at the gas stations.

[SeanB]

Magstripe should go, as it is no longer secure ( not to say chip and pin is more secure but that is something for another topic) and is easy to use with any ATM worldwide, with all the data and the PIN capable of fitting into a standard SMS data packet. Card writer ( using any old card or any number of DIY cards made from card) and pin and you get money. Chip and pin ( and better chip, pin and signature, which puts the onus back on the store for losses) is somewhat safer.

NFC is easy to defeat with a simple copper sheet on one side of the card. Any reader that can read at a distance will have to pump in enough energy to heat the card up to a feelable temperature.

[sacherjj]

Ah, they still have to steal your card...
And in Australia at least, we have largely changed over to NFC tap and go for purchases under $100. No pin required.

NFC tap is the scariest for me.  I have a simple demonstration app on my Android device with NFC to steal the codes directly out of people wallets.  I've done it with my cards, just before I cancelled them due to their terrible security (and to hopefully have my voice heard, but I doubt it).  NFC is STUPID.  BECAUSE ALL YOUR INFO IS STORED ON THE CARD AS PLAIN TEXT RFID.   I "accidentally bumped" my android tablet into the wallet of many guys here at work and then showed them all their credit card data that was NFC enabled.  This should be scaring everyone, but people don't care.

[DavidDLC]

Now you need to buy metallic wallets for your NFC's card.


David.

[DmitryL]

NFC is easy to defeat with a simple copper sheet on one side of the card. Any reader that can read at a distance will have to pump in enough energy to heat the card up to a feelable temperature.

Copper. Really ? Have you tried ?
Quite a long time ago I played with my RFID-based pass and found that usual kitchen aluminium foil makes it harder to read, but doesn't provide enough shielding.
Usual thin ferrous sheet salvaged from a can gave 100% protection.
AFAIK NFC stuff uses mostly magnetic field for communication; thus it is better to use something magnetic for shielding (superconductive stuff will do as well).

[Marco]

Ah, they still have to steal your card...
And in Australia at least, we have largely changed over to NFC tap and go for purchases under $100. No pin required.

The security on this stuff is stupidly weak ... they are just setting us all up for Skimming V2.

www.cs.ncl.ac.uk/publications/trs/papers/1421.pdf

[IanB]

The security on this stuff is stupidly weak ... they are just setting us all up for Skimming V2.

www.cs.ncl.ac.uk/publications/trs/papers/1421.pdf

It's the banks' problem though, since the cardholder is not liable for fraudulent transactions.

[NiHaoMike]

They could just use one of those cheap keychain IR thermometers. A thermal camera is overkill.

[TerraHertz]

The security on this stuff is stupidly weak ... they are just setting us all up for Skimming V2.

www.cs.ncl.ac.uk/publications/trs/papers/1421.pdf

It's the banks' problem though, since the cardholder is not liable for fraudulent transactions.

You're forgetting the hassle factor and time sink of dealing with fraud once it occurs.

I had nothing against cards using internal chips, requiring contact and entry of a PIN. But the idea of cards with wireless operation, requiring no identity check at all, and revealing your ID and other card data to anyone with a covert transponder, is so far into the insane that I don't 'wonder what they were thinking' - I am certain there has to be an ulterior agenda there.

As for what that might be... one guess is that the card chip will maintain a record of transactions, and that this will be exposed to anyone with whatever code it takes to make the card tell all. And the parties with equipment and codes for that, will include both the police and criminals. You can bet on it.
Add that to the persistent drip, drip of measures around the world to eliminate cash as legal tender, and you'd end up with a truly glass fish bowl society. Remote readout of any and every person's entire transaction history - a police state wet dream.

[SeanB]

I keep WiFi turned off, as you have no chance of getting open WiFi here. At home I might turn it on when needed, but otherwise just use mobile data off the package for the month.

[Towger]

One light tap with a hammer via a flat-ended punch, on the location of the chip inside the card puts an end to that 'no contact RF' stuff. Didn't ask for it, don't want it.

The RFID cards can be read from about a meter away with the right equipment.  I am waiting for a genious to write a phone app which will harvest the data... Beware of people brushing against you ;-)

I just told my bank I did not trust their RFID system and they sent me a replacement standard smartcard. The limit here is 15 euro without a pin and you are asked for one anyway every few transactions. So it is clear the banks auditors are not happy with the system.

What I always find amazing is the Yanks are still using basic magnetic strip cards.

[G7PSK]

The RFID cards issued by my bank (Barclays) require that the first 3 transactions using the rfid also require the use of a pin number, I just refuse to use the contactless service at all so as not to activate it.
It is only visa credit cards that fraudulent activity is the responsibility of  the issuing bank visa debit cards the responsibility is down to the account holder so if you get defrauded you wont get your money back. It happened to me luckily for a small amount I used it to top up my mobile phone and a day later it was used in 2 different towns either end of the country a few minutes apart to buy phone top ups for £10-00 a go. Despite the impossibility of any one beeping able to be 150 miles apart within 3 minutes the bank refused to do anything and said it was down to Vodafone who said yes it was obvious fraud they would look into it but it was up to the bank to recompense me, after may phone calls and letters I just gave up as the hassle of pursuing £20 was not worth the trouble. 

[mikeselectricstuff]

They could just use one of those cheap keychain IR thermometers. A thermal camera is overkill.

That would be way harder and less discreet. You need a snapshot of the temp of all keys at the same time, which would be borderline impractical with a spot temp meter.
A TIC catches the temp across all keys, along with the position info. You can also capture all frames, and analyse the data later offline
By applying local avaraging and contrast expansion to enhance the data I think you could get very reliable results in many cases.
Maybe you could write an app to do it..

[justanothercanuck]

My RFID chip in my bank card doesn't even work anymore.  My guess is that either the readers are busted, or my fat ass broke it because I sit on my wallet. 

[Terabyte2007]

Not sure if this will ever be a real problem. May be some isolated cases here and there. Considering 3 digit security pin codes and financial institution daily card limits, I think this will always be more of a cool hack than a mainstream source for identity theft. There are much more efficient ways to steal thousands or even millions of CC numbers and personal information and these are the methods being used by the mainstream identity theft hackers.

And as Dave said, they sill need your card!

[miguelvp]

I keep WiFi turned off, as you have no chance of getting open WiFi here. At home I might turn it on when needed, but otherwise just use mobile data off the package for the month.

Same here, even at home I don't turn the WiFi on, since there is nothing I need to do on the phone that will require WiFi, same thing with GPS is always off unless I do need it. Turning both off has a lot of impact to battery life.

Only time I might use the WiFi in my phone is if I need a quick access point for my android tablet.

[Bassman59]

Or you can use your debit card as a credit card.  No button pressing involved.  I do that at the gas stations.

That works, at least until the debit card is compromised by a bogus card reader at the gas pump. And then the bad guy empties your checking account before you even realize it, and then the mortgage check bounces. Sure, the bank will make you whole, but what about all of the bounce fees?

I have a non-VISA/MC ATM card which can be used only to withdraw money from the machine. For regular purchases, I use a credit card which gets paid off every month.

[miguelvp]

Or you can use your debit card as a credit card.  No button pressing involved.  I do that at the gas stations.

That works, at least until the debit card is compromised by a bogus card reader at the gas pump. And then the bad guy empties your checking account before you even realize it, and then the mortgage check bounces. Sure, the bank will make you whole, but what about all of the bounce fees?

I have a non-VISA/MC ATM card which can be used only to withdraw money from the machine. For regular purchases, I use a credit card which gets paid off every month.

I live in a town with many zip codes, because you must at least enter that.

[Stonent]

Regarding the NFC stuff, Mythbusters wanted to do an episode on NFC but was contacted by the heads of several credit card companies and was told they were warming up their lawyers.  Discovery Networks opted to back away from the episode and it was never made.