Author Topic: EEVblog #890 - ArmourCard Active RFID Jamming Teardown  (Read 19733 times)

0 Members and 1 Guest are viewing this topic.

Online EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« on: June 15, 2016, 05:42:40 am »
What's inside the ArmourCard active RFID jammer for NFC contactless credit cards?
Does it work? Will it protect you from skimming?

Patent: https://www.google.com/patents/WO2014085862A1
Lithium Battery: http://www.gmbattery.com/dl/cp4/CP/CP142828.pdf

 
The following users thanked this post: feilipu

Online Muttley Snickers

  • Supporter
  • ****
  • Posts: 2333
  • Country: au
  • Cursed: 679 times
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #1 on: June 15, 2016, 06:01:39 am »
My cheques are good but my cash bounces and I have no clue what the cards are up to with her in charge.   ::)

If you need one of those Rosslare vandal proof keypads with a built in proximity reader to have a play with then I have one or two spare hanging about that I could send up along with a truck load of various card formats mostly old stock and rip outs.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11228
  • Country: us
    • Personal site
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #2 on: June 15, 2016, 06:38:21 am »
"L 536" looks like it may be STM8L-series device, their first line is marked as "L xxx". But I can't find which one exactly.

Edit: Although, if there are no exceptions, then the part would be STM8L536, which does not exist.
« Last Edit: June 15, 2016, 06:46:59 am by ataradov »
Alex
 

Offline JoeMuc2013

  • Contributor
  • Posts: 21
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #3 on: June 15, 2016, 08:06:53 am »
Here is an open solution that uses the scanner's own power against it. No batteries. Love it!
http://hackaday.com/2016/02/18/guardbunny-active-rfid-protection-going-open-hardware/
 

Online EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #4 on: June 15, 2016, 08:09:24 am »
Here is an open solution that uses the scanner's own power against it. No batteries. Love it!
http://hackaday.com/2016/02/18/guardbunny-active-rfid-protection-going-open-hardware/

Still a massively over-engineered solution. You just need al-foil
 

Offline rch

  • Regular Contributor
  • *
  • Posts: 168
  • Country: wales
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #5 on: June 15, 2016, 09:58:12 am »
Here is an open solution that uses the scanner's own power against it. No batteries. Love it!
http://hackaday.com/2016/02/18/guardbunny-active-rfid-protection-going-open-hardware/

Still a massively over-engineered solution. You just need al-foil

How does the aluminium foil work?  Does it need to be a shorted turn?  Or don't we really know?
 

Online EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #6 on: June 15, 2016, 10:03:20 am »
How does the aluminium foil work?  Does it need to be a shorted turn?  Or don't we really know?

Must be an eddy current effect.
 

Offline freman

  • Contributor
  • Posts: 21
  • Country: au
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #7 on: June 15, 2016, 11:09:36 am »
Hi there.

Long time watcher first time poster. I thought it was extremely important to bring this up.

Dave has repeatably said that they need to perform a transaction simply scanning the card won't help them (paraphrasing), however this is entirely incorrect.

You can actually read the credit card number, the expiry date, and a bunch of recent transactions from the card.

Try using an app like this on your phone - https://github.com/devnied/EMV-NFC-Paycard-Enrollment .

Might not sound like enough but you note Dave tapes up the credit card number and expiry so you can't read it, and there's no way you'd post a photo of your card online.
Combine that number, expiry, with the transactions, and a little social engineering - it doesn't take much - and you can convince a phone monkey you need a password reset.
 

Online EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #8 on: June 15, 2016, 11:27:38 am »
Dave has repeatably said that they need to perform a transaction simply scanning the card won't help them (paraphrasing), however this is entirely incorrect.
You can actually read the credit card number, the expiry date, and a bunch of recent transactions from the card.
Try using an app like this on your phone - https://github.com/devnied/EMV-NFC-Paycard-Enrollment .
Might not sound like enough but you note Dave tapes up the credit card number and expiry so you can't read it, and there's no way you'd post a photo of your card online.
Combine that number, expiry, with the transactions, and a little social engineering - it doesn't take much - and you can convince a phone monkey you need a password reset.

As I understand it, early generation cards gave the card number and name, but newer ones are encrypted?
 

Offline freman

  • Contributor
  • Posts: 21
  • Country: au
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #9 on: June 15, 2016, 11:31:25 am »
As I understand it, early generation cards gave the card number and name, but newer ones are encrypted?

I've a card issued early this year, the name isn't exposed but the number, expiry, brand (ie, the retailer that I got it through, not just "mastercard") 10 recent transactions (date, time and amount) are all available.

Edit. I don't mean to sound like a paranoid nut, but people have to be aware that there's not only enough information exposed to complete a manual transaction but that there's enough to start someone down the path of identity theft and I think Dave might have left people feeling a little more secure than they are in reality (having said that, attacks are still amazingly rare considering how many of these cards are in existence.)
« Last Edit: June 15, 2016, 11:34:30 am by freman »
 

Online EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #10 on: June 15, 2016, 11:50:33 am »
I've a card issued early this year, the name isn't exposed but the number, expiry, brand (ie, the retailer that I got it through, not just "mastercard") 10 recent transactions (date, time and amount) are all available.

Ok, I tried three cards with another app and I got the card number and expiry date. No name. Only one gave a transaction history and card issuer, they other two didn't.

Quote
Edit. I don't mean to sound like a paranoid nut, but people have to be aware that there's not only enough information exposed to complete a manual transaction

Probably a bit hard without the CVV these days?

Quote
but that there's enough to start someone down the path of identity theft and I think Dave might have left people feeling a little more secure than they are in reality (having said that, attacks are still amazingly rare considering how many of these cards are in existence.)

And there is likely a reason it's rare, likely because it's not as easy or profitable as you think.
« Last Edit: June 15, 2016, 11:54:23 am by EEVblog »
 

Offline freman

  • Contributor
  • Posts: 21
  • Country: au
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #11 on: June 15, 2016, 12:02:25 pm »

Ok, I tried three cards with another app and I got the card number and expiry date. No name. Only one gave a transaction history and card issuer, they other two didn't.

I happily hope your sample set is reflected in the market, unfortunately my sample set has shown the opposite - perhaps that's a reflection of the company we keep ;)

Quote

Probably a bit hard without the CVV these days?


No actually, was only a couple of weeks ago a friend placed a purchase for his mum at Bunnings, $497, they asked to speak with the card holder over the phone, date and number were all that was required. I was there cos I'm a tagalong bum, just getting out of the house you know :D

Quote
And there is likely a reason it's rare, likely because it's not as easy or profitable as you think.

No, I never imagined it was profitable, or easy. Knowing someones card number, it's expiry date and last few transactions is one thing. Figuring out their home address or date of birth actually requires social engineering and most people I know with the smarts to pull this are either not that way inclined, or couldn't social engineer their way out of a paper bag.

I'm a security conscious person, part of the job, part of the industry I find myself in, part of my job is foreseeing this - if I can imagine it, someone's doing it. Do I wear tin foil on my head... or indeed my wallet? No. Because while the possibility is there, the probability isn't, and hey, that's what insurance is for right?
 

Offline wikktor

  • Newbie
  • Posts: 6
  • Country: pl
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #12 on: June 15, 2016, 12:59:34 pm »
I would like to see how the foill will work if you would use more powerfull reader like:


Is this the same "rfid": http://www.rfidseal.com/products/fixed-reader.html ? I do not see any information about ISO15693, but they claim 3 - 25 m.
Foil may not work for this from 30 cm distance.
 

Offline sutfuf

  • Newbie
  • Posts: 1
  • Country: au
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #13 on: June 15, 2016, 01:45:53 pm »
Not sure if anyone noticed.. 13.56Mhz/16 = 847.5KHz ;-)  i.e.: carrier / 16 is the modulated freq. Shift right...  Love it.

Anyway, I came across [1] a while back when researching passive jamming techniques.. then HaD beat me to the punch.  Anyway,  the paper's a good read even if you don't want to make a cheap high longish range reader.    Share and Enjoy. :-)

[1] - https://www.usenix.org/legacy/event/sec06/tech/kirschenbaum.html 
 

Offline Urs42

  • Supporter
  • ****
  • Posts: 142
  • Country: ch
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #14 on: June 15, 2016, 04:31:27 pm »
I cut the coil in all RFID Credit Cards. The terms and conditions here say that i'm responsible for all payments that are done with NFC :wtf: , i can't get a card without RFID.

And yes, some people are using mobile card terminals to steal money.


« Last Edit: June 15, 2016, 04:46:00 pm by Urs42 »
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16272
  • Country: za
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #15 on: June 15, 2016, 05:33:12 pm »
Simplest and better will be a copper sheet both sides of the card in your wallet. Did that with my ones, so not likely they will be read in a drive by scan. Sure a simple piece of blank unetched PCB material either side will do the same, I just used some copper sheet I had around, cut to the same size as the cards. 1mm thick, so definitely a good attenuator.
 

Offline richnormand

  • Supporter
  • ****
  • Posts: 674
  • Country: ca
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #16 on: June 15, 2016, 07:43:39 pm »
Given the secondary coil transformer geometry would it be possible for the card makers to integrate a pressure sensitive area, with something similar to a thin dome switch or resistive contact as used in cheap keyboards or TV remotes?

That could be integrated with a void in a middle layer, top and bottom layers of the card would have the metalised contacts for the coil continuity. Pinching the card completes the coil circuit only while tapping it. At all other times the card would not be active.

A reading of your card would require your intervention. This probably means an extra cent or two in cost and overall reliability is the other factor.
Repair, Renew, Reuse, Recycle, Rebuild, Reduce, Recover, Repurpose, Restore, Refurbish, Recondition, Renovate
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1086
  • Country: 00
    • Chargehanger
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #17 on: June 15, 2016, 09:51:50 pm »
Still a massively over-engineered solution. You just need al-foil
Nope. With al foil, you just need 20dB higher power. That's easy.
And a more sensitive receiver.

The constant modulated jammer is not so good, can also be overcome.


Concerning the detector : 3 diodes in series ? that's quite bad...

Concerning the risk : There is a serious security risk. It will get exploited in a short time, don't worry. Or do worry :)
« Last Edit: June 15, 2016, 09:59:48 pm by f4eru »
 

Offline adh

  • Contributor
  • Posts: 15
  • Country: cz
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #18 on: June 15, 2016, 11:40:26 pm »
Quote
Edit. I don't mean to sound like a paranoid nut, but people have to be aware that there's not only enough information exposed to complete a manual transaction

Probably a bit hard without the CVV these days?

For card not present transactions that completely depends on how much the acquiring bank trusts the merchant (or how they don't care).
 

Online EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #19 on: June 15, 2016, 11:52:26 pm »
Concerning the risk : There is a serious security risk. It will get exploited in a short time, don't worry. Or do worry :)

RFID cards have been around a long time now (like a decade), they are not new. Contactless skimming fraud is pretty minimal after all this time. There must be a reason for this.
 

Offline R005T3r

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: it
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #20 on: June 15, 2016, 11:59:42 pm »
Guys, If you are traveling with these just be careful: in Italy (and also other countries) possessing or using any kind of jammer is illegal. In my country, I've discovered that the reason behind this choice is what happend (or maybe more correctly happens) 2 years ago that some thieves made a robbery in an entire apartment array and alarms didn't triggered because they had a jammer...
 

Offline chicken

  • Frequent Contributor
  • **
  • Posts: 257
  • Country: us
  • Rusty Coder
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #21 on: June 16, 2016, 01:57:48 am »
"L 536" looks like it may be STM8L-series device, their first line is marked as "L xxx". But I can't find which one exactly.
Edit: Although, if there are no exceptions, then the part would be STM8L536, which does not exist.

My first guess as well. The font is definitely STM'ish.

Pin 1 nReset and pin 28 SWIM in the patent also fit nicely with the STM8L datasheets. E.g. STM8L101F1.
http://www.st.com/content/st_com/en/products/microcontrollers/stm8-8-bit-mcus/stm8l-series/stm8l101/stm8l101f1.html
 

Offline CaptCrash

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #22 on: June 16, 2016, 11:55:59 am »
Concerning the risk : There is a serious security risk. It will get exploited in a short time, don't worry. Or do worry :)

RFID cards have been around a long time now (like a decade), they are not new. Contactless skimming fraud is pretty minimal after all this time. There must be a reason for this.

I don't get how you can make such a point.
As far as I am aware fraud/skimming statistics are not publicly provided for traditional Vs contactless cards.  The latest report is for 2015 with data from 2014.  http://www.apca.com.au/docs/fraud-statistics/Australian-payments-fraud-details-and-data-2015.pdf

In terms of skimming and then card not present fraud, its simple and it works to the tune of $300 million in 2014 (a 42% increase) on credit cards plus an additional $23 million on debit cards (a 25% increase).

"The total rate of fraud on Australian payment cards and cheques increased from 16.2 cents per $1,000 transacted in 2013 to 20.8 cents per $1,000 transacted in 2014."
Quite ironically the fraud rate on cheques is significantly lower than with credit cards, checks have a fraud rate of 0.5c per $1000

Overall the report presents quite a bit of detail that can be summarised into criminals are looking to get the best return on the investments they have made (magstripe readers/writers).  If you have a process for collecting data, putting it on mag stripes, then keep doing that until you can't anymore (the significant increases in skimming and overseas card not present transactions) lead to this, though this is my interpretation of what they are saying.
 

Offline Dave Turner

  • Frequent Contributor
  • **
  • Posts: 447
  • Country: gb
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #23 on: June 16, 2016, 02:15:39 pm »
Sort of surprised that someone hasn't punched out credit card sized pieces of aluminium, painted them, added a logo and tried to sell them at an extortionate price. Or have they?
 

Offline Tek_TDS220

  • Regular Contributor
  • *
  • Posts: 74
  • Country: 00
Re: EEVblog #890 - ArmourCard Active RFID Jamming Teardown
« Reply #24 on: June 16, 2016, 03:47:39 pm »
The 'patent' that Dave showed is an application, not a patent.  This means that the decision as to whether the applicant will have any of their claims allowed is pending.  It is common in these applications to start with very broad claims that will probably be rejected, followed by more narrow claims that the applicants really want to be allowed.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf