Author Topic: EEVblog #889 - Credit Card RFID Theft Protection Tested  (Read 19841 times)

0 Members and 1 Guest are viewing this topic.

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31388
  • Country: au
    • EEVblog
EEVblog #889 - Credit Card RFID Theft Protection Tested
« on: June 12, 2016, 02:56:26 am »
Do those RFID shielded wallets and bags actually work to protect your contactless credit cards?
Systems like VISA PayWave and Mastercard PayPass.
Does aluminium foil work?
Dave does some measurements to find out using a H-Field probe
TekBox EMC probe set: http://amzn.to/1YkCLPO

 

Offline adcurtin

  • Contributor
  • Posts: 27
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #1 on: June 12, 2016, 04:33:36 am »
I was watching  at 16:00 in 0.5 speed to see if I could figure out any of the credit card numbers since the tape got a little pushed into the card. I thought I saw the 12th really clear, but not so sure anymore. I don't think anyone would be able to get anything useful from it.

Anyway, your inflections and sentence pacing sounds hilarious like Bill Cosby at 0.5 speed  :-DD
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 3969
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #2 on: June 12, 2016, 06:59:14 am »
Could you use a hole punch to punch a hole through the windings (in one corner of the card) to essentially disable the contact-less payment option (forcing you to use the chip)?

(Apologies if this was answered in the video, I didn't get time to watch it the whole way through.)
« Last Edit: June 12, 2016, 07:03:07 am by Halcyon »
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31388
  • Country: au
    • EEVblog
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #3 on: June 12, 2016, 08:07:03 am »
Could you use a hole punch to punch a hole through the windings (in one corner of the card) to essentially disable the contact-less payment option (forcing you to use the chip)?

Possible.
A tiny drill would on the coil would do it.
 

Online bingo600

  • Super Contributor
  • ***
  • Posts: 1465
  • Country: dk
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #4 on: June 12, 2016, 08:13:42 am »
Here ya go (look it up)
http://www.ebay.de/itm/182062293897

The stuff is used for lining the walls in secure (as CIA/NSA grade) rooms.
And DIY pouches (pockets) for creditcard OR The NEW Contactless CarKeys.


Or silencing a smartphone (BB is listening ... Well FB is)
https://thehackernews.com/2016/06/facebook-microphone-ads.html

http://killyourphone.com/


/Bingo
« Last Edit: June 12, 2016, 08:35:15 am by bingo600 »
 

Offline jitter

  • Frequent Contributor
  • **
  • Posts: 804
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #5 on: June 12, 2016, 08:27:18 am »
I just tested the alu foil on my own bank card and found that it not only works when lying over the card, it also works lying under the card  (i.e. with no foil over it). So you don't even have to wrap foil around the card, a single layer in close vicinity is enough!

Not until you lift the card up about half a cm away from the alu foil will the NFC be able to read the card.

Does the alu foil reflect and those reflections interfere enough for it to become unreadable?
« Last Edit: June 12, 2016, 11:53:20 am by jitter »
 

Online bingo600

  • Super Contributor
  • ***
  • Posts: 1465
  • Country: dk
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #6 on: June 12, 2016, 08:30:18 am »
I just tested the alu foil on my own bank card and found that it not only works when lying over the card, it also works lying under the card (i.e. with no foil over it). So you don't even have to wrap foil around the card, a single layer in close vicinity is enough!

Not until you lift the card up about half a cm away from the alu foil will the NFC be able to read the card.

Does the alu foil reflect and those reflection interfere enough for it to become unreadable?

My guess is it ruins the "tuned" antenna match.

/Bingo
 

Offline DTJ

  • Frequent Contributor
  • **
  • Posts: 906
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #7 on: June 12, 2016, 08:39:11 am »
Could you use a hole punch to punch a hole through the windings (in one corner of the card) to essentially disable the contact-less payment option (forcing you to use the chip)?

Possible.
A tiny drill would on the coil would do it.

The antenna in mine fail after a few months of flexing in my back pocket wallet. I toyed with using a small blade but a drill bit would be tidier and opening the antenna.
 

Offline jitter

  • Frequent Contributor
  • **
  • Posts: 804
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #8 on: June 12, 2016, 08:48:34 am »
Please note that bank cards are not your property, but the bank's. Messing with them may cause them to be not amused.

Over here you can request a bank card without NFC capabilities, some banks also supply shielding holders, on special request.
 

Offline VK3DRB

  • Super Contributor
  • ***
  • Posts: 1745
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #9 on: June 12, 2016, 09:02:40 am »
It is not true that at the low kHz range aluminium does not affect the coupling.

I have done a lot of work in proof-of-concept for a device recently using 134 kHz animal RFID transponders. The coupling between the transponder and the reader is in fact affected by aluminium shielding at these very low frequencies. Aluminium foil has a very minimal effect, but a 20mm aluminium tube with a 2mm wall thickness seriously attenuates the coupling to the point the device cannot be read.
 
 

Offline johnh

  • Regular Contributor
  • *
  • Posts: 148
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #10 on: June 12, 2016, 09:03:20 am »
My shwmbo bought some of these for a recent trip through asia.

Just tested it with my phone.  Works quite well can't read the credit card when its in the sleeve
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31388
  • Country: au
    • EEVblog
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #11 on: June 12, 2016, 09:06:54 am »
It is not true that at the low kHz range aluminium does not affect the coupling.

I didn't mean to imply that. In fact the graph I showed effectively stats the opposite (i.e. it has non-zero attenuation)
 

Offline Kjelt

  • Super Contributor
  • ***
  • Posts: 5834
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #12 on: June 12, 2016, 09:07:21 am »
This was the first video my girlfriend also wanted to watch due to the nice bag, she really liked the bag Dave, your wife has good taste  :)

What I find remarkable is that the layout of the gold pads of the security pinchip is also modified in comparison to the card without RFID. I saw this change when my bankcards got rfid and see it also on your card, there are circular antenna like thin golden traces added around the normal 6-8 pads.
Does anyone have any idea where they are for? Perhaps protection against the rfid field or also another nfc wireless communication channel?
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 2467
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #13 on: June 12, 2016, 09:33:00 am »
Could you use a hole punch to punch a hole through the windings (in one corner of the card) to essentially disable the contact-less payment option (forcing you to use the chip)?

Possible.
A tiny drill would on the coil would do it.
Tried and tested, works fine. Another option is microwaving the card but that may damage the smart card chip too.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12135
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #14 on: June 12, 2016, 09:43:22 am »
I just tested the alu foil on my own bank card and found that it not only works when lying over the card, it also works lying under the card  (i.e. with no foil over it). So you don't even have to wrap foil around the card, a single layer in close vicinity is enough!

Not until you lift the card up about half a cm away from the alu foil will the NFC be able to read the card.

Does the alu foil reflect and those reflection interfere enough for it to become unreadable?
The effect of alu foil is  NOT shielding. RFID works by magnetic coupling, and alu is not magnetic. What the alu does is absorb energy due to eddy-current losses, severely damping the signal so not enough energy reaches the card to power it, so it doesn't matter where it is as long as it can absorb enough of the field energy.   Copper would be even better. 
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12135
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #15 on: June 12, 2016, 09:44:35 am »
Could you use a hole punch to punch a hole through the windings (in one corner of the card) to essentially disable the contact-less payment option (forcing you to use the chip)?

Possible.
A tiny drill would on the coil would do it.
Tried and tested, works fine. Another option is microwaving the card but that may damage the smart card chip too.
You can sometimes see the coil, if the card doesn;t have dark in k colours,  by shining a bright light through it. The wire is very thin, so a pin in the right place would do it.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 2467
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #16 on: June 12, 2016, 09:50:25 am »
Please note that bank cards are not your property, but the bank's. Messing with them may cause them to be not amused.
Perhaps in your country but certainly not in Australia.
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 10826
  • Country: 00
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #17 on: June 12, 2016, 10:07:12 am »
You can sometimes see the coil, if the card doesn;t have dark in k colours,  by shining a bright light through it. The wire is very thin, so a pin in the right place would do it.

Around here we have paper ones for use on the metro. You can peel the layers apart and see all the inner workings.

Maybe I can find one that I don't need.

Edit: Here you go...

(the last one is quite high res if you view it separately).
« Last Edit: June 12, 2016, 10:37:54 am by Fungus »
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 9449
  • Country: gb
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #18 on: June 12, 2016, 10:38:16 am »
I recently uploaded an X-Ray image of the contactless credit card to my X-Ray image thread.

https://www.eevblog.com/forum/projects/the-x-ray-image-thread-by-aurora-various-electronics-via-x-ray-imaging/msg748531/#msg748531

Repeated here for your interest. The large white area is lead sheet to protect my card number that would otherwise be visible.

Fraser
« Last Edit: June 12, 2016, 10:41:42 am by Fraser »
 
The following users thanked this post: BillyD

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 9449
  • Country: gb
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #19 on: June 12, 2016, 10:45:33 am »
For comparison, here is an X-Ray of a security access control Prox card.

Fraser
« Last Edit: June 12, 2016, 10:47:56 am by Fraser »
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12135
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #20 on: June 12, 2016, 11:10:03 am »
For comparison, here is an X-Ray of a security access control Prox card.

Fraser
Judging by the amount of wire, that's a 125khz one
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 9449
  • Country: gb
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #21 on: June 12, 2016, 11:15:07 am »
Mike,

I cannot be certain as I do not recall the system it was designed for.

I thought it had a lot of turns on the coil as well, but then thought the turns were on a former of some sort that obscured the required detail, so I cannot be certain. The fact that a former is used would suggest many turns though.

Fraser
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 10826
  • Country: 00
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #22 on: June 12, 2016, 11:18:58 am »
Could it be that you can have more than one chip inside them? There's space for three.

« Last Edit: June 12, 2016, 11:20:40 am by Fungus »
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 10826
  • Country: 00
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #23 on: June 12, 2016, 11:22:01 am »
Nice little bridge at top left.



Edit: And from the other side...

« Last Edit: June 12, 2016, 11:43:20 am by Fungus »
 

Offline kalleboo

  • Regular Contributor
  • *
  • Posts: 100
  • Country: jp
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #24 on: June 12, 2016, 11:23:37 am »
My shwmbo bought some of these for a recent trip through asia.

Just tested it with my phone.  Works quite well can't read the credit card when its in the sleeve
Here in Japan where NFC cards have been used for trains and payments for 15 years now, you can get these at any dollar store. I use them to pad between my NFC cards so one side of my wallet is for the train and the other side is for payments without interference
 

Online retrolefty

  • Super Contributor
  • ***
  • Posts: 1633
  • Country: us
  • measurement changes behavior
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #25 on: June 12, 2016, 11:25:53 am »
I really enjoyed this video especially using the test equipment and running of the experiments.

HOWEVER I do have one complaint. Over and over and over you repeated that this isn't RF but rather magnetic field being used. Not RF, not RF, ... But of course all RF is composed of both E-field and H-field components. RF loop antennas for example try to selectively use only the H-field to get better directivity for use in RF directional finding antennas. To state that magnetic coupling and RF coupling are somehow different things can be very confusing to beginners trying to properly learn RF fundamentals.

 So your intent was good but instead of properly explaining about the two fields comprising an RF signal, E and H,
you went the direction you did of stating that RF and magnetic fields are different things.

 
 
The following users thanked this post: Dave

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 9449
  • Country: gb
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #26 on: June 12, 2016, 11:38:00 am »
In the technical security world we had a keen interest in the vulnerabilities of RFID Prox readers and cards. The 'long range' readers were considered too vulnerable to attack so very short range types were used that needed the card to be virtually resting on the reader.

I saw a demonstration in the early 2000's by Tektronix of one of their DSP DSO's capturing both the high speed and low speed handshaking and communications between the card and the reader. The DSO was capable of grabbing the whole handshake and comm's event. It could then disassemble the event into individual data bits, no matter what the change in bit rates during the link. The demo proved that that the Prox card data could be captured and cloned using a decent  DSO and appropriate antenna. Food for thought  ;) It was a classic 'stand-off' attack that just required the Prox card user to present their card to the reader. The data was captured during the transaction with the card user blissfully unaware. Any card protection wallet is thus useless in this scenario.

Chip and PIN or Prox and PIN can be safer but cannot be considered invulnerable. That is why I would never consider such to be secure to Government security standards.

Why do banks take the risk ? Simple, they operate on the risk analysis models where the convenience to the customer rates high on the requirements and the vulnerability to fraud may be reduced to an acceptable level. Some people believe Banks use the best security available on the market. I will not say too much on that topic but consider the purely financial risk management that they MAY operate..... If a security vulnerability that could potentially cost them $100K a year costs $5 Million to counter, it is not unlikely that the Bank will run with the risk and just pay out to the victim when an attack occurs. That is just business. I always tried to educate the client that Reputation has a definite 'value' as well. It would seem the way to preserve your reputation in such a scenario is to just pay out to the victim without a fuss and deny, deny, deny.  ;D

Fraser
« Last Edit: June 12, 2016, 11:47:49 am by Fraser »
 

Offline jitter

  • Frequent Contributor
  • **
  • Posts: 804
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #27 on: June 12, 2016, 12:08:00 pm »
What I find remarkable is that the layout of the gold pads of the security pinchip is also modified in comparison to the card without RFID. I saw this change when my bankcards got rfid and see it also on your card, there are circular antenna like thin golden traces added around the normal 6-8 pads.
Does anyone have any idea where they are for? Perhaps protection against the rfid field or also another nfc wireless communication channel?

I have a sneaking suspicion that they are just for show. My bank card (green) doesn't have them, yet it's an RFID. The orange card is a non-RFID bank card.
Despite the more elaborate looking contacts on the orange card, electrically they are not different from the green bank card.
« Last Edit: June 12, 2016, 12:19:07 pm by jitter »
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31388
  • Country: au
    • EEVblog
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #28 on: June 12, 2016, 12:12:54 pm »
So your intent was good but instead of properly explaining about the two fields comprising an RF signal, E and H,
you went the direction you did of stating that RF and magnetic fields are different things.

I didn't want to spend any time in this video explaining the details, apart from the fact that I thought it was important to offhandedly mention it's a transformer and not an antenna as a beginner might have thought it was.
Heck, you can spend several semesters at uni trying to understand near and far field theory etc.
To think I'd be able to explain something like that in a few minutes (or even 10 minutes) in a video not focused on that is just completely impractical, it would have confused beginners more than helped them I think.
« Last Edit: June 12, 2016, 12:56:28 pm by EEVblog »
 

Offline jitter

  • Frequent Contributor
  • **
  • Posts: 804
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #29 on: June 12, 2016, 12:16:38 pm »
I just tested the alu foil on my own bank card and found that it not only works when lying over the card, it also works lying under the card  (i.e. with no foil over it). So you don't even have to wrap foil around the card, a single layer in close vicinity is enough!

Not until you lift the card up about half a cm away from the alu foil will the NFC be able to read the card.

Does the alu foil reflect and those reflection interfere enough for it to become unreadable?
The effect of alu foil is  NOT shielding. RFID works by magnetic coupling, and alu is not magnetic. What the alu does is absorb energy due to eddy-current losses, severely damping the signal so not enough energy reaches the card to power it, so it doesn't matter where it is as long as it can absorb enough of the field energy.   Copper would be even better.

Thanks, that explains why the NFC started reading the card if the alu foil was below less than roughly three quarters of the card and I was holding the reader close to the part that had no foil under it.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31388
  • Country: au
    • EEVblog
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #30 on: June 12, 2016, 12:21:10 pm »
For comparison, here is an X-Ray of a security access control Prox card.

That's a 125KHz ones, I fixed one of those here:
 

Offline AF6LJ

  • Supporter
  • ****
  • Posts: 2903
  • Country: us
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #31 on: June 12, 2016, 01:00:34 pm »
Good Video, and a reasonably good explanation.
Just an observation; it seems as convince becomes greater our security is the price we pay.
/She who is wondering when someone comes out with an RFID jammer.
Sue AF6LJ
Test Equipment Addict, And Proud Of It.
 

Offline jitter

  • Frequent Contributor
  • **
  • Posts: 804
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #32 on: June 12, 2016, 01:05:17 pm »
I wonder...
Since this thing is basically a transformer, what would happen if the transmitter were to output a much higher amplitude at the correct frequency? In other words: could you fry the chip in the card?
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31388
  • Country: au
    • EEVblog
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #33 on: June 12, 2016, 01:09:23 pm »
/She who is wondering when someone comes out with an RFID jammer.

I can buy one at the local JB-HiFi store. Which I might do for a teardown and test.
Silly idea though, just use al-foil.
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 15391
  • Country: za
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #34 on: June 12, 2016, 01:11:26 pm »
High power RF would kill the card, so it might not be a good idea to go up an AM or FM transmitter with a NFC card or reader ( phone) in your pocket, as it likely will get enough RF coupled into it for long enough to heat up the card chip as the protection diodes conduct to clamp the voltage. Don't really want to place one in front of a cellular base station antenna either, as the high RF field there will also cook it.

Same with putting it in a microwave oven, though there it will blow the coil to pieces as well as it rotates through the antinodes.
 

Offline Electra

  • Newbie
  • Posts: 1
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #35 on: June 12, 2016, 02:38:44 pm »
I posed a reply on the video but I never get much response there, maybe there would be more interest here. :)
As far as I know, because it's a transformer action, these 'shields' act as much like a shorted turn as magnetic shielding, taking the energy the card requires and turning it into heat.

The photo shows a a 'loop' of aluminium sheet(flashing) just wide enough to cover the antenna works as a great shield for my Go Card(A Myfare Classic), but one with a break in it(Still overlapping, but insulated with some tape) doesn't do anything to stop the reader.

I believe as a result of this the more conductive the material the better it would work in this application. I wish I had a piece of ferrite large enough to test this further.? I suspect that wouldn't stop the reader.

The black card is a NFC/RFID test card from Dangerous Things(https://dangerousthings.com/shop/rfid-diagnostic-tool/?) that shows the HF(coil around the outside) and LF(inner coil) of a typical card.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31388
  • Country: au
    • EEVblog
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #36 on: June 12, 2016, 03:45:55 pm »
I posed a reply on the video but I never get much response there, maybe there would be more interest here. :)

Youtube comments isn't the place for detailed discussions.
 

Offline saturation

  • Super Contributor
  • ***
  • Posts: 4788
  • Country: us
  • Doveryai, no proveryai
    • NIST
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #37 on: June 12, 2016, 04:46:24 pm »
Readers who want to duplicate Dave's tests can make a poor man's near field probe by making a loop with a DSO probe's ground lead, more loops more gain, and clip the alligator end to the tip.  Then just follow Dave's video where he uses the near field probe, and enjoy.

You can get better results with the foil shield by making it a loop, not just a flat barrier, to act like a Faraday cage.

 
« Last Edit: June 12, 2016, 04:48:44 pm by saturation »
Best Wishes,

 Saturation
 

Offline RobK_NL

  • Frequent Contributor
  • **
  • Posts: 250
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #38 on: June 12, 2016, 05:55:43 pm »
Who, these days, has only one NFC capable card in their wallet?

Personally, I have five and, frankly, it took me a while to figure out why I had to take out my public transport card after I had been issued a new bank card.
Tell us what problem you want to solve, not what solution you're having problems with
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 19745
  • Country: nl
    • NCT Developments
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #39 on: June 12, 2016, 06:10:41 pm »
How about having coins in your wallet? It would be interesting to know whether they work as a shield as well.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #40 on: June 12, 2016, 06:28:22 pm »
Why do banks take the risk ? Simple, they operate on the risk analysis models where the convenience to the customer rates high on the requirements and the vulnerability to fraud may be reduced to an acceptable level. Some people believe Banks use the best security available on the market. I will not say too much on that topic but consider the purely financial risk management that they MAY operate..... If a security vulnerability that could potentially cost them $100K a year costs $5 Million to counter, it is not unlikely that the Bank will run with the risk and just pay out to the victim when an attack occurs. That is just business. I always tried to educate the client that Reputation has a definite 'value' as well. It would seem the way to preserve your reputation in such a scenario is to just pay out to the victim without a fuss and deny, deny, deny.  ;D
That's part of the explanation. But over here the supreme court has also made it the responsibility of the card user to prove that they have taken appropriate security measures to protect the card information. So there is absolutely zero risk for the banks and consequently they have zero interest in improving security unless it becomes a publicity problem and people stop using the cards.
 

Offline smithnerd

  • Regular Contributor
  • *
  • Posts: 104
  • Country: gb
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #41 on: June 13, 2016, 04:06:47 am »
Contactless payment in my bank card?

Bugger that...
 

Offline Alexei.Polkhanov

  • Frequent Contributor
  • **
  • Posts: 683
  • Country: ca
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #42 on: June 13, 2016, 05:15:58 am »
I have an opposite problem with my Credit Card. I actually do use, and I like using RFID "Tap" payment to pay for my lunch and groceries, but 2 weeks ago I went to US and I think it happen at the corner store in Miami - stupid self checkout machine zapped my card and voila RFID does not work anymore. It is only an educated guess about when it happened.

Now I am very curious to find out HOW and WHY...

Does anyone have similar experience?
This kind of misfortune happened to me second time - am I just unlucky?
Is there some kind of incompatible technology that can damage RFID cards? How do I identify and avoid it?


 

Offline NANDBlog

  • Super Contributor
  • ***
  • Posts: 4649
  • Country: nl
  • Current job: ATEX certified product design
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #43 on: June 13, 2016, 10:12:47 am »
For comparison, here is an X-Ray of a security access control Prox card.

Fraser
Judging by the amount of wire, that's a 125khz one
For sure. I was working on a 125Khz reader years ago. It is amazing what you can do by slapping enough voltage on the coil, even if it is this size. A typical door entry system, you need to put the card maximum 1-2cm from the reader, mine was able to read a flying card (thrown above it) from 10-15 cm. The 125 KHz cards are bulkier, they need a lot of turns on the coils, so the card is typically 3-4 mm thick, not the usual credit card.

 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12135
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #44 on: June 13, 2016, 10:16:22 am »
For comparison, here is an X-Ray of a security access control Prox card.

Fraser
Judging by the amount of wire, that's a 125khz one
For sure. I was working on a 125Khz reader years ago. It is amazing what you can do by slapping enough voltage on the coil, even if it is this size. A typical door entry system, you need to put the card maximum 1-2cm from the reader, mine was able to read a flying card (thrown above it) from 10-15 cm. The 125 KHz cards are bulkier, they need a lot of turns on the coils, so the card is typically 3-4 mm thick, not the usual credit card.
You can easily get 125K cards at standard thickness.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 9449
  • Country: gb
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #45 on: June 13, 2016, 11:50:43 am »
The Prox card I imaged is standard credit card thickness.

The long range readers are able to read it a distance of around 12cm but the more secure short range versions only work within around 5mm of the readers surface.

I am pleased to see that the bank cards use a different version that is very short range. The needs of contactless payment cards and RFID access control are somewhat different in terms of range and convenience.

Fraser
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 3969
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #46 on: June 13, 2016, 09:01:37 pm »
Please note that bank cards are not your property, but the bank's. Messing with them may cause them to be not amused.
Perhaps in your country but certainly not in Australia.

It's actually true, even in Australia. My card has "This card remains the property of ***** Bank" printed on the back.

That said, they aren't going to give two shits what you do with your card.

Who, these days, has only one NFC capable card in their wallet?

Personally, I have five and, frankly, it took me a while to figure out why I had to take out my public transport card after I had been issued a new bank card.

True but it won't prevent a crook from reading your card. As Dave mentioned in his video, this technology has anti-collision protocols so other cards don't interfere with one another. The reason why card readers at train stations or EFTPOS machines throw up an error or refuse to read when presented with more than one card, is it doesn't know which one you intend it to read, not that it isn't capable of actually reading both cards.

Many people have a debit card and a seperate credit card, both with NFC capabilities. If you just tap your entire wallet when making a payment, how do you tell the machine which card to use? You can't, therefore it won't accept it until you use only one card.
« Last Edit: June 13, 2016, 09:11:44 pm by Halcyon »
 

Offline photon

  • Regular Contributor
  • *
  • Posts: 234
  • Country: us
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #47 on: June 14, 2016, 12:26:18 am »
Interesting video and discussion. Thanks.
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 2467
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #48 on: June 14, 2016, 01:11:42 am »
Please note that bank cards are not your property, but the bank's. Messing with them may cause them to be not amused.
Perhaps in your country but certainly not in Australia.

It's actually true, even in Australia. My card has "This card remains the property of ***** Bank" printed on the back.

That said, they aren't going to give two shits what you do with your card.
I checked several cards from different banks and their contracts, no clauses or claims of ownership were made in any of them. You might want to change banks!
 

Offline sakhmatd

  • Contributor
  • Posts: 20
  • Country: ru
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #49 on: June 14, 2016, 02:56:38 am »
Please note that bank cards are not your property, but the bank's. Messing with them may cause them to be not amused.
Perhaps in your country but certainly not in Australia.
Is that really true? I've tried looking around for proof of that, but couldn't find any.

Most of the world, to my knowledge, prefers to keep bank cards as properties of the bank itself and there would be a clause about this on the bank card itself. Australia has it pretty nice if that is not the case there.

I sincerely doubt the bank would really mind you drilling a small hole through it though. You could probably rule it out as an "accident".
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31388
  • Country: au
    • EEVblog
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #50 on: June 14, 2016, 03:30:31 am »
Who, these days, has only one NFC capable card in their wallet?

I've got 3 plus a 125KHz lab access card.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 31388
  • Country: au
    • EEVblog
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #51 on: June 14, 2016, 05:38:52 am »
If the bank claims perpetul ownership of the card it is probably so they can enforce a replacement policy at some future time, and retrieve the old card.

Why would anyone be concerned about if the bank owns that card or not? It's a nothing issue. They don't care what you do to it. In fact they expect you to abuse it in daily use and factor this into their budget for replacements.
Even if they did care, what are they going to do is you deliberately destroy it? Cancel it? Charge you for another one? Whoody-do. It's not a federal crime like destroying currency.
 

Offline Towger

  • Super Contributor
  • ***
  • Posts: 1577
  • Country: ie
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #52 on: June 14, 2016, 07:17:45 am »


Charge you for another one? Whoody-do. It's not a federal crime like destroying currency.

Here they have taken to charge 15 euro for a new one and my banks current cards are cheapest crap they can buy from Oberthur.  They start to delaminate after a few months and after a couple of years crack in the middle from ATM pinch rollers.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12135
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #53 on: June 14, 2016, 07:53:43 am »
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline jitter

  • Frequent Contributor
  • **
  • Posts: 804
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #54 on: June 14, 2016, 08:04:17 am »
Wow, and it can do that from eight cm away...
Would that also be able to scan through alu foil and something like mumetal or permalloy would be needed for effective shielding?
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 3969
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #55 on: June 14, 2016, 09:02:01 am »
I'll be the first to admit that I'm a user of contactless payment and probably will continue to be. Because I don't usually carry cash, almost everything I purchase is on card. This meant that if I had to rely on the chip, it would be likely to wear out well before the card expires (I get a new card every two years). The tap-and-go payment method means less wear and tear on my card and less chance of it snapping inside a EFTPOS pin pad or ATM. (As a backup, I can use NFC on my phone to make payments if my card gets lost or broken.)

That said, the best security is taking responsbility for your own accounts. My advice (which I follow) is:

1. Check your internet banking regularly and report any suspicious payments. I check mine at least once a week.

2. Adjust withdrawal limits (where your bank allows it) on your primary (keycard accessible) account and store savings in a sub-account which is not accessible by card. For example I have a sub-account which can only be accessed via internet banking and that has a $10k daily withdrawal limit. My everyday keycard account has a limit of $1000 per day.

3. Check with your bank what they are doing to protect you. My bank will call me within 10-15 minutes of a transaction that is out of the ordinary. This includes transactions outside Australia, purchases for large amounts or for "card not present" transactions where the CVC/CVV number is not entered. This area of my bank operate 24/7 and will reverse any unauthorised transactions.

4. Watch where you type your credit/debit card number. As much as I dislike Paypal in some ways, I actually use them to process my card payments whenever possible so the vendor never actually has my card details.
« Last Edit: June 14, 2016, 09:04:58 am by Halcyon »
 

Offline kalleboo

  • Regular Contributor
  • *
  • Posts: 100
  • Country: jp
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #56 on: June 14, 2016, 10:51:14 am »
If you just tap your entire wallet when making a payment, how do you tell the machine which card to use? You can't, therefore it won't accept it until you use only one card.
Here in Japan there are actually POSes with touch panels where you can select which card to use. Commonly found at convenience stores.
 

Offline jdraughn

  • Regular Contributor
  • *
  • Posts: 106
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #57 on: June 14, 2016, 01:39:25 pm »
Who, these days, has only one NFC capable card in their wallet?

Personally, I have five and, frankly, it took me a while to figure out why I had to take out my public transport card after I had been issued a new bank card.

I don't have any.
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 10826
  • Country: 00
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #58 on: June 14, 2016, 01:49:11 pm »
If the bank claims perpetul ownership of the card it is probably so they can enforce a replacement policy at some future time, and retrieve the old card.
Why would anyone be concerned about if the bank owns that card or not? It's a nothing issue.

I think it's just so they can ask you to give it back anytime they want to.

They don't care if you break it - they get to charge you for a new one!
 

Offline qno

  • Frequent Contributor
  • **
  • Posts: 422
  • Country: nl
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #59 on: June 14, 2016, 08:11:44 pm »
I think the alu foil works as a shorted winding for the 13 MHz signal.
The 13 MHz signal is the power transfer to the chip in the card.

So the power for the chip is literally shorted out
Why spend money I don't have on things I don't need to impress people I don't like?
 

Offline adh

  • Contributor
  • Posts: 15
  • Country: cz
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #60 on: June 14, 2016, 11:59:12 pm »
NFC cards use essentially same protocol as normal EMV cards (ie. "Chip and PIN"), only the physical layer is different (+ some transaction flows are not practical with the RF interface, mainly anything that involves offline PIN verification). Security wise there are two main points that this causes:
- mechanism that is used to check whether the terminal is even compatible with the card and mutual authentication used in doing so is completely absurd
- the card contains many files that must be readable without any authentication and most of these files contain information that is somewhat sensitive (usualy this set of data includes some kind of transaction log, freely readable PAN(!) and partially obscured binary image of the magnetic stripe)

Cloning EMV (NFC or not) card probably involves at least decaping the chip. But if you have clueless issuing bank, using the aforementioned freely readable sensitive data you can create perfectly working magstripe card or use this data for some kinds of card not present transactions.

For some reason, the whole security of payment cards is not built on the system being secure, but on ability to exactly define who is liable for losses when something goes wrong and on ability of various actors involved in the system to have different security vs. convenience tradeoffs (eg. whether PIN, signature or whatever is required for given transaction is result of pretty complex algorithm that involves transaction itself, card's current internal state, terminal's internal state and essentially arbitrary computation on that inputs defined by both card issuer and merchant's bank)
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 4154
  • Country: ca
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #61 on: June 15, 2016, 02:55:17 am »
New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second :

https://yro.slashdot.org/story/16/06/13/2211221/new-device-sold-on-the-dark-web-can-clone-up-to-15-contactless-cards-per-second

Yep, there is a lot of news like that from techmedia in the Crowdfunding section of this forum.
Facebook-free life and Rigol-free shack.
 

Offline Alexei.Polkhanov

  • Frequent Contributor
  • **
  • Posts: 683
  • Country: ca
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #62 on: June 15, 2016, 05:45:40 am »
New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second :

https://yro.slashdot.org/story/16/06/13/2211221/new-device-sold-on-the-dark-web-can-clone-up-to-15-contactless-cards-per-second

Scanning I understand, but cloning, hmmmmm, I am very skeptical at minimum. How can you clone a card using only data from wireless reply? As far as I know only one, published and independently verified way to steal something from your card is to have wireless device at point of sale to interrogate someone else's card remotely. Riiiiidiculosly complicated way to buy cup of coffee or whatever the maximum "tap" transaction set to. Is that what they call "cloning" ?
 

Offline feilipu

  • Contributor
  • Posts: 10
  • Country: au
    • Stuff I need to write down.
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #63 on: June 15, 2016, 06:39:02 am »
Use a  hole-punch, after using a smartphone LED to identify where the induction coil can be found.
Plague eradicated.

PayWave & PayPass deletion.

 :-+
You can flog a dead horse to water, but the grass is always greener on the flip side.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12135
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #64 on: June 15, 2016, 08:11:07 am »
Just remembered this - open source self-powered active RFID jammer
http://hackaday.com/2016/02/18/guardbunny-active-rfid-protection-going-open-hardware/
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline G7PSK

  • Super Contributor
  • ***
  • Posts: 3698
  • Country: gb
  • It is hot until proved not.
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #65 on: June 15, 2016, 08:40:59 am »
I took an old card to pieces last year (Barclays debit) and there was only one chip inside underneath the gold contacts the NF coil was connected to bond pads on the same chip. I still have the chip on my bench but the rest of the card long went in the bin, I did take some photo's though which will be somewhere on my computer. If I find the I will post.
 

Offline Krakonos

  • Contributor
  • Posts: 13
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #66 on: June 15, 2016, 05:22:34 pm »
So, has anyone tried to analyze the tape pictures to see if the number can be read? A shadow here and there could go a long way
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 3969
  • Country: au
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #67 on: June 15, 2016, 08:06:58 pm »
So, has anyone tried to analyze the tape pictures to see if the number can be read? A shadow here and there could go a long way
It cannot -- There are simply not enough impressions to determine Dave's CC number. Even if there was, why would you want to?
 

Offline westfw

  • Super Contributor
  • ***
  • Posts: 3198
  • Country: us
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #68 on: June 17, 2016, 05:45:02 am »
Thinking that I could sell some 0.5mm double sided PCB boards with a fancy pattern on one side at a good markup for the same purpose.
A lot sturdier than Al Foil...
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 2033
  • Country: us
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #69 on: June 17, 2016, 12:06:57 pm »
 Fund it on IGG.
 :-DD

 

Offline System Error Message

  • Frequent Contributor
  • **
  • Posts: 469
  • Country: gb
Re: EEVblog #889 - Credit Card RFID Theft Protection Tested
« Reply #70 on: June 22, 2016, 12:26:47 pm »
This is a real problem because small transactions arent noticed. Lets say you had a high end receiver transmitter, you walked through the street scanning every card you possibly can and for every card that you get you transfer $1. The value would be too small for the bank to stop it and if you walk through a city that means $100s a day if you do it everyday but the bank wont do anything because each transfer is small and unless you check your transfers daily (i know my bank wont show transfers till like a week) no one will notice.

This is basically the new way of theft where it used to be a fake ATM frame with hidden pinhole camera and reader or a card reader with built in keylog and store and before that it was pick pocketing your cash
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf