Author Topic: EEVblog #889 - Credit Card RFID Theft Protection Tested  (Read 19823 times)

0 Members and 1 Guest are viewing this topic.

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31356
  • Country: au
    • EEVblog
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #50 on: June 14, 2016, 03:30:31 am »
Who, these days, has only one NFC capable card in their wallet?

I've got 3 plus a 125KHz lab access card.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31356
  • Country: au
    • EEVblog
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #51 on: June 14, 2016, 05:38:52 am »
If the bank claims perpetul ownership of the card it is probably so they can enforce a replacement policy at some future time, and retrieve the old card.

Why would anyone be concerned about if the bank owns that card or not? It's a nothing issue. They don't care what you do to it. In fact they expect you to abuse it in daily use and factor this into their budget for replacements.
Even if they did care, what are they going to do is you deliberately destroy it? Cancel it? Charge you for another one? Whoody-do. It's not a federal crime like destroying currency.
 

Offline Towger

  • Super Contributor
  • ***
  • Posts: 1577
  • Country: ie
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #52 on: June 14, 2016, 07:17:45 am »


Charge you for another one? Whoody-do. It's not a federal crime like destroying currency.

Here they have taken to charge 15 euro for a new one and my banks current cards are cheapest crap they can buy from Oberthur.  They start to delaminate after a few months and after a couple of years crack in the middle from ATM pinch rollers.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12135
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #53 on: June 14, 2016, 07:53:43 am »
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline jitter

  • Frequent Contributor
  • **
  • Posts: 804
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #54 on: June 14, 2016, 08:04:17 am »
Wow, and it can do that from eight cm away...
Would that also be able to scan through alu foil and something like mumetal or permalloy would be needed for effective shielding?
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 3957
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #55 on: June 14, 2016, 09:02:01 am »
I'll be the first to admit that I'm a user of contactless payment and probably will continue to be. Because I don't usually carry cash, almost everything I purchase is on card. This meant that if I had to rely on the chip, it would be likely to wear out well before the card expires (I get a new card every two years). The tap-and-go payment method means less wear and tear on my card and less chance of it snapping inside a EFTPOS pin pad or ATM. (As a backup, I can use NFC on my phone to make payments if my card gets lost or broken.)

That said, the best security is taking responsbility for your own accounts. My advice (which I follow) is:

1. Check your internet banking regularly and report any suspicious payments. I check mine at least once a week.

2. Adjust withdrawal limits (where your bank allows it) on your primary (keycard accessible) account and store savings in a sub-account which is not accessible by card. For example I have a sub-account which can only be accessed via internet banking and that has a $10k daily withdrawal limit. My everyday keycard account has a limit of $1000 per day.

3. Check with your bank what they are doing to protect you. My bank will call me within 10-15 minutes of a transaction that is out of the ordinary. This includes transactions outside Australia, purchases for large amounts or for "card not present" transactions where the CVC/CVV number is not entered. This area of my bank operate 24/7 and will reverse any unauthorised transactions.

4. Watch where you type your credit/debit card number. As much as I dislike Paypal in some ways, I actually use them to process my card payments whenever possible so the vendor never actually has my card details.
« Last Edit: June 14, 2016, 09:04:58 am by Halcyon »
 

Offline kalleboo

  • Regular Contributor
  • *
  • Posts: 100
  • Country: jp
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #56 on: June 14, 2016, 10:51:14 am »
If you just tap your entire wallet when making a payment, how do you tell the machine which card to use? You can't, therefore it won't accept it until you use only one card.
Here in Japan there are actually POSes with touch panels where you can select which card to use. Commonly found at convenience stores.
 

Offline jdraughn

  • Regular Contributor
  • *
  • Posts: 106
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #57 on: June 14, 2016, 01:39:25 pm »
Who, these days, has only one NFC capable card in their wallet?

Personally, I have five and, frankly, it took me a while to figure out why I had to take out my public transport card after I had been issued a new bank card.

I don't have any.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 10821
  • Country: 00
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #58 on: June 14, 2016, 01:49:11 pm »
If the bank claims perpetul ownership of the card it is probably so they can enforce a replacement policy at some future time, and retrieve the old card.
Why would anyone be concerned about if the bank owns that card or not? It's a nothing issue.

I think it's just so they can ask you to give it back anytime they want to.

They don't care if you break it - they get to charge you for a new one!
 

Offline qno

  • Frequent Contributor
  • **
  • Posts: 422
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #59 on: June 14, 2016, 08:11:44 pm »
I think the alu foil works as a shorted winding for the 13 MHz signal.
The 13 MHz signal is the power transfer to the chip in the card.

So the power for the chip is literally shorted out
Why spend money I don't have on things I don't need to impress people I don't like?
 

Offline adh

  • Contributor
  • Posts: 15
  • Country: cz
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #60 on: June 14, 2016, 11:59:12 pm »
NFC cards use essentially same protocol as normal EMV cards (ie. "Chip and PIN"), only the physical layer is different (+ some transaction flows are not practical with the RF interface, mainly anything that involves offline PIN verification). Security wise there are two main points that this causes:
- mechanism that is used to check whether the terminal is even compatible with the card and mutual authentication used in doing so is completely absurd
- the card contains many files that must be readable without any authentication and most of these files contain information that is somewhat sensitive (usualy this set of data includes some kind of transaction log, freely readable PAN(!) and partially obscured binary image of the magnetic stripe)

Cloning EMV (NFC or not) card probably involves at least decaping the chip. But if you have clueless issuing bank, using the aforementioned freely readable sensitive data you can create perfectly working magstripe card or use this data for some kinds of card not present transactions.

For some reason, the whole security of payment cards is not built on the system being secure, but on ability to exactly define who is liable for losses when something goes wrong and on ability of various actors involved in the system to have different security vs. convenience tradeoffs (eg. whether PIN, signature or whatever is required for given transaction is result of pretty complex algorithm that involves transaction itself, card's current internal state, terminal's internal state and essentially arbitrary computation on that inputs defined by both card issuer and merchant's bank)
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 4143
  • Country: ca
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #61 on: June 15, 2016, 02:55:17 am »
New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second :

https://yro.slashdot.org/story/16/06/13/2211221/new-device-sold-on-the-dark-web-can-clone-up-to-15-contactless-cards-per-second

Yep, there is a lot of news like that from techmedia in the Crowdfunding section of this forum.
Facebook-free life and Rigol-free shack.
 

Offline Alexei.Polkhanov

  • Frequent Contributor
  • **
  • Posts: 683
  • Country: ca
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #62 on: June 15, 2016, 05:45:40 am »
New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second :

https://yro.slashdot.org/story/16/06/13/2211221/new-device-sold-on-the-dark-web-can-clone-up-to-15-contactless-cards-per-second

Scanning I understand, but cloning, hmmmmm, I am very skeptical at minimum. How can you clone a card using only data from wireless reply? As far as I know only one, published and independently verified way to steal something from your card is to have wireless device at point of sale to interrogate someone else's card remotely. Riiiiidiculosly complicated way to buy cup of coffee or whatever the maximum "tap" transaction set to. Is that what they call "cloning" ?
 

Offline feilipu

  • Contributor
  • Posts: 10
  • Country: au
    • Stuff I need to write down.
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #63 on: June 15, 2016, 06:39:02 am »
Use a  hole-punch, after using a smartphone LED to identify where the induction coil can be found.
Plague eradicated.

PayWave & PayPass deletion.

 :-+
You can flog a dead horse to water, but the grass is always greener on the flip side.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12135
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #64 on: June 15, 2016, 08:11:07 am »
Just remembered this - open source self-powered active RFID jammer
http://hackaday.com/2016/02/18/guardbunny-active-rfid-protection-going-open-hardware/
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline G7PSK

  • Super Contributor
  • ***
  • Posts: 3698
  • Country: gb
  • It is hot until proved not.
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #65 on: June 15, 2016, 08:40:59 am »
I took an old card to pieces last year (Barclays debit) and there was only one chip inside underneath the gold contacts the NF coil was connected to bond pads on the same chip. I still have the chip on my bench but the rest of the card long went in the bin, I did take some photo's though which will be somewhere on my computer. If I find the I will post.
 

Offline Krakonos

  • Contributor
  • Posts: 13
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #66 on: June 15, 2016, 05:22:34 pm »
So, has anyone tried to analyze the tape pictures to see if the number can be read? A shadow here and there could go a long way
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 3957
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #67 on: June 15, 2016, 08:06:58 pm »
So, has anyone tried to analyze the tape pictures to see if the number can be read? A shadow here and there could go a long way
It cannot -- There are simply not enough impressions to determine Dave's CC number. Even if there was, why would you want to?
 

Offline westfw

  • Super Contributor
  • ***
  • Posts: 3195
  • Country: us
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #68 on: June 17, 2016, 05:45:02 am »
Thinking that I could sell some 0.5mm double sided PCB boards with a fancy pattern on one side at a good markup for the same purpose.
A lot sturdier than Al Foil...
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 2030
  • Country: us
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #69 on: June 17, 2016, 12:06:57 pm »
 Fund it on IGG.
 :-DD

 

Offline System Error Message

  • Frequent Contributor
  • **
  • Posts: 469
  • Country: gb
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #70 on: June 22, 2016, 12:26:47 pm »
This is a real problem because small transactions arent noticed. Lets say you had a high end receiver transmitter, you walked through the street scanning every card you possibly can and for every card that you get you transfer $1. The value would be too small for the bank to stop it and if you walk through a city that means $100s a day if you do it everyday but the bank wont do anything because each transfer is small and unless you check your transfers daily (i know my bank wont show transfers till like a week) no one will notice.

This is basically the new way of theft where it used to be a fake ATM frame with hidden pinhole camera and reader or a card reader with built in keylog and store and before that it was pick pocketing your cash
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf