Author Topic: Credit Card, Bank Card NFC. The most useless function every invented  (Read 15558 times)


Offline edtyler

  • Contributor
  • Posts: 38
  • Country: us
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #50 on: March 05, 2022, 03:43:15 am »
Overall, I'd agree that the risk is low and does require a terminal to submit the fraudulent transactions. The fact that detected fraud has gone down does not necessarily mean that undetected fraud is not present.

One thing I have noticed about NFC transactions is that the user rarely gets a paper receipt showing the amount charged for later comparison against the bank statement. They are too concerned about convenience. I'd expect these folks don't even review their credit/debit card statements. So, there is a greater chance for undetected fraud.

I advise people that are concerned about this issue to either request non-NFC cards or drill a hole to break the antenna. My (45 and 30) kids love the ease of use. I am much more concerned about security than they are. To each, their own...

 

Offline edtyler

  • Contributor
  • Posts: 38
  • Country: us
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #51 on: March 05, 2022, 03:49:07 am »
Relay attacks are demonstrated in some of the Defcon talks. But, there were others with focused RF energy that allowed reading from greater distances.

One can trade convenience for security. I choose more security. Others choose convenience. The only thing that is important is to recognize there is a trade-off and to be able to properly assess one's risk and decide if mitigation is needed.

I'm not claiming that everyone should drill their cards, just that people should be able to make an informed choice.  When banks claim "NFC is super secure", I beg to differ.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6126
  • Country: au
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #52 on: March 05, 2022, 03:54:02 am »
Quote
Overall, I'd agree that the risk is low and does require a terminal to submit the fraudulent transactions. The fact that detected fraud has gone down does not necessarily mean that undetected fraud is not present.

One thing I have noticed about NFC transactions is that the user rarely gets a paper receipt showing the amount charged for later comparison against the bank statement. They are too concerned about convenience. I'd expect these folks don't even review their credit/debit card statements. So, there is a greater chance for undetected fraud.

I advise people that are concerned about this issue to either request non-NFC cards or drill a hole to break the antenna. My (45 and 30) kids love the ease of use. I am much more concerned about security than they are. To each, their own...

I also think the cases of "undetected fraud" are also decreasing as consumers are becoming more and more aware of scams and are more vigilant in checking their bank accounts/transaction statements. Particularly as apps have made this process so much easier. Many banks will even notify you via push notifications when a transaction occurs.

As for receipts, that behaviour hasn't changed (at least here). Receipts are still printed by the card terminal, but for me, I say "no" to them as I don't have any use for them. It's just scrap paper to me.

 

Offline austfox

  • Regular Contributor
  • *
  • Posts: 158
  • Country: au
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #53 on: March 05, 2022, 09:46:20 am »
The device "skims" the card and can be used once only due to a "rolling code" (it's a bit more complex). Any transaction in Australia >= $100 requires a PIN. So the skim can be used once for a transaction < $100 and only if the card holder hasn't used the card between the skim and the attempt.

I realise NFC via phones are active, and hence can have a 'rolling code', but wouldn't a passive card always have the same code?
 

Online langwadt

  • Super Contributor
  • ***
  • Posts: 4857
  • Country: dk
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #54 on: March 05, 2022, 09:59:56 am »
Quote
The device "skims" the card and can be used once only due to a "rolling code" (it's a bit more complex). Any transaction in Australia >= $100 requires a PIN. So the skim can be used once for a transaction < $100 and only if the card holder hasn't used the card between the skim and the attempt.

I realise NFC via phones are active, and hence can have a 'rolling code', but wouldn't a passive card always have the same code?

the chip cards are not passive, they get power from the communication to run a processor on the card
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 5050
  • Country: si
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #55 on: March 05, 2022, 10:54:43 am »
Quote
I realise NFC via phones are active, and hence can have a 'rolling code', but wouldn't a passive card always have the same code?

Even if the NFC card is sending a fixed sequence you still need electronics to create the sequence and send it back. So you need digital logic and circuitry to extract power from the NFC field anyway. Once you have that you can power any sufficiently low power digital circuitry. So this way you can have pretty much all of the functionality of a gold contact smart card chip, just that the communication method is different.

A lot of people also don't know that these SmartCards used in bank cards, satellite TV cards, cellular SIM cards are all a common interface and contain tiny microcontrollers with firmware inside. This rarely does anything more than store data and do a bit of cryptography, but some SIM cards from certain carriers do actually have software functionality built in (phones typically used to show this as the "SIM Menu" where the items on the menu are actually "functions" inside the SIM firmware).
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #56 on: March 05, 2022, 08:05:26 pm »
Quote
Try using your favorite search engine to look for "defcon nfc hacking". It turned up stuff as far back as 2013.

Or, since you're the one pushing this stuff, you could just supply a link to the exact thing you're talking about, saving potentially hours of finding many of the wrong thing.

There is an actual link somewhere, isn't there?
 
The following users thanked this post: tom66, Someone, Bassman59, Brumby

Offline SL4P

  • Super Contributor
  • ***
  • Posts: 2318
  • Country: au
  • There's more value if you figure it out yourself!
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #57 on: March 07, 2022, 03:52:50 am »
Easy solution, my NFC cards are only linked to accounts that have my ‘transaction funds’ typically less than $300-300 at a time.

SMH, but I won’t die because of it.
Don't ask a question if you aren't willing to listen to the answer.
 

Offline m98

  • Frequent Contributor
  • **
  • Posts: 634
  • Country: de
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #58 on: March 07, 2022, 01:22:03 pm »
To everyone trying to mutilate their card, you can most likely just deauthorise NFC payments in your online banking/bank app. If it's on your smartphone, you can even simply turn NFC on and off as you need.
Relay attacks, as risky as they are for a criminal because payment service providers virtually x-ray their clients, are also soon going to become impossible by distance-bounding protocols.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 13157
  • Country: ch
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #59 on: March 07, 2022, 02:45:08 pm »
Quote
The device "skims" the card and can be used once only due to a "rolling code" (it's a bit more complex). Any transaction in Australia >= $100 requires a PIN. So the skim can be used once for a transaction < $100 and only if the card holder hasn't used the card between the skim and the attempt.

I realise NFC via phones are active, and hence can have a 'rolling code', but wouldn't a passive card always have the same code?

The thing people don’t know about the chips (both of them, for electrical and NFC) is that they aren’t little memory cards, they’re actually cryptographic processors. So it’s not simply a matter of replaying a transaction.

But indeed, Apple Pay is apparently even more secure than the card’s own NFC (according to various sources, including the head of security at a credit union I spoke to). (I don’t know anything about Samsung Pay so I can’t comment on its relative security.)
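
The point made in the replies above, that the chip computes a fresh cryptographic response for each transaction so captured bytes cannot simply be replayed, shown as an added example that is not part of the thread. It is a simplified model: HMAC-SHA256 stands in for the card's real algorithm, and the `Card` and `Issuer` classes, the key and the nonces are all constructed for illustration.

```python
import hashlib
import hmac

KEY = bytes(range(32))               # constructed per-card secret
NONCE_A = bytes.fromhex("01020304")  # constructed terminal nonce, first terminal
NONCE_B = bytes.fromhex("a1b2c3d4")  # constructed terminal nonce, second terminal


def _cryptogram(key: bytes, amount_cents: int, nonce: bytes, counter: int) -> bytes:
    """MAC over the transaction data (HMAC-SHA256 as a stand-in algorithm)."""
    msg = amount_cents.to_bytes(6, "big") + nonce + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, key: bytes):
        self._key = key    # stays inside the chip
        self.counter = 0   # incremented on every transaction

    def respond(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.counter += 1
        mac = _cryptogram(self._key, amount_cents, terminal_nonce, self.counter)
        return {"counter": self.counter, "mac": mac}


class Issuer:
    def __init__(self, key: bytes):
        self._key = key
        self.highest_counter = 0

    def authorise(self, resp: dict, amount_cents: int, terminal_nonce: bytes) -> str:
        # The terminal forwards its own amount and nonce; the MAC must cover them.
        expected = _cryptogram(self._key, amount_cents, terminal_nonce, resp["counter"])
        if not hmac.compare_digest(expected, resp["mac"]):
            return "declined: cryptogram does not match this transaction"
        if resp["counter"] <= self.highest_counter:
            return "declined: counter already seen"
        self.highest_counter = resp["counter"]
        return "approved"


def demo() -> list:
    card, issuer = Card(KEY), Issuer(KEY)
    first = card.respond(2500, NONCE_A)
    return [
        issuer.authorise(first, 2500, NONCE_A),  # genuine payment
        issuer.authorise(first, 2500, NONCE_B),  # same bytes, terminal used a fresh nonce
        issuer.authorise(first, 2500, NONCE_A),  # same bytes, counter already consumed
        issuer.authorise(first, 9900, NONCE_A),  # same bytes, different amount
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```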
 

Offline m k

  • Super Contributor
  • ***
  • Posts: 2651
  • Country: fi
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #60 on: March 07, 2022, 04:24:28 pm »
Here cash is the law.
Though, for decades, some have been rejecting it, like the electricity company.

Magnet stripe for money is also illegal.
Skimming news has disappeared, so have stripes.

I find myself being more concerned that bad guys are rooting the system, or the phone.
But I'm far from everything and possibly paranoid.
Advance-Aneng-Appa-AVO-Beckman-Danbridge-Data Tech-Fluke-General Radio-H. W. Sullivan-Heathkit-HP-Kaise-Kyoritsu-Leeds & Northrup-Mastech-OR-X-REO-Simpson-Sinclair-Tektronix-Tokyo Rikosha-Topward-Triplett-Tritron-YFE
(plus lesser brands from the work shop of the world)
 

Offline twospoons

  • Frequent Contributor
  • **
  • Posts: 269
  • Country: nz
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #61 on: March 07, 2022, 08:46:17 pm »

Quote
The thing is, for the ones I've used, there is no way you as an end user can take it apart to fix any pins.
As soon as you look at it the wrong way, it's going to brick itself and you have to send back to the manufacturer to repair it and re-load whatever software keys.
...

As a contractor currently working for a company making payment terminals I can confirm the extreme lengths we go to to prevent unauthorised tampering. There are tamper switches and security grids everywhere. As soon as any kind of intrusion is detected the thing will wipe its cryptographic keys, rendering it useless. 

The biggest risk, around here anyway, is some low-life nicking the NFC card and running around using it for transactions below the limit requiring a PIN (here it's $80).

I hear the small retailers don't like them because the banks charge extra for NFC transactions.  That may be different elsewhere in the world.
« Last Edit: March 07, 2022, 08:50:59 pm by twospoons »
 
The following users thanked this post: tom66, SeanB

Offline NiHaoMike

  • Super Contributor
  • ***
  • Posts: 9321
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #62 on: March 08, 2022, 02:31:40 am »
Quote
As a contractor currently working for a company making payment terminals I can confirm the extreme lengths we go to to prevent unauthorised tampering. There are tamper switches and security grids everywhere. As soon as any kind of intrusion is detected the thing will wipe its cryptographic keys, rendering it useless.

Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 5050
  • Country: si
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #63 on: March 08, 2022, 06:16:24 am »
Everyone seems to have higher limits for contactless card PIN entry. Over here you can only do up to 25€ without a pin and something like every 10 pinless payments you have to enter a pin anyway.

What was an issue at some point with contactless bank cards is that the non encrypted memory area had a fair bit of personal information inside of it. This is data that any RFID reader will spit out if you try to read a bank card. Later on they stopped putting the credit card owners details in there.
 

Online Haenk

  • Super Contributor
  • ***
  • Posts: 1304
  • Country: de
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #64 on: March 10, 2022, 03:32:19 pm »
I think the "risk" part of contactless payment can be neglected - the PIN-less transactions are limited to AFAIK a combined 150 EUR.
 

Offline Bassman59

  • Super Contributor
  • ***
  • Posts: 2501
  • Country: us
  • Yes, I do this for a living
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #65 on: March 11, 2022, 03:24:00 pm »
Quote
Replying to both folks that asked for links.

Try using your favorite search engine to look for "defcon nfc hacking". It turned up stuff as far back as 2013. The proxy more is quite interesting, but the presentation I saw in 2019, if I recall correctly, was on a dish type antenna with high gain and a very narrow beamwidth used to activate a specific target.

You are making the claim. You need to provide the evidence to support that claim. "Do your own research!" is not an acceptable response to a request for that evidence.
 

Offline Bassman59

  • Super Contributor
  • ***
  • Posts: 2501
  • Country: us
  • Yes, I do this for a living
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #66 on: March 11, 2022, 03:24:37 pm »
Quote
I think the "risk" part of contactless payment can be neglected - the PIN-less transactions are limited to AFAIK a combined 150 EUR.

All transactions should require a PIN, then. Anyone who says, "... but that takes too long!" is an idiot.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7334
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #67 on: March 11, 2022, 04:15:14 pm »
Quote
One thing I have noticed about NFC transactions is that the user rarely gets a paper receipt showing the amount charged for later comparison against the bank statement. They are too concerned about convenience. I'd expect these folks don't even review their credit/debit card statements. So, there is a greater chance for undetected fraud.

Whenever I use a contactless card or Apple Pay I receive a notification on my phone within a minute of making the transaction.
I can also easily dispute any contactless transaction and the max payment is £100 by contactless alone.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 13157
  • Country: ch
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #68 on: March 11, 2022, 04:47:16 pm »
Indeed, I usually get the confirmation within 5 seconds.
 

Offline Infraviolet

  • Super Contributor
  • ***
  • Posts: 1185
  • Country: gb
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #69 on: March 13, 2022, 02:36:28 pm »
Where banks don't offer you cards without contactless functionality you can always take a scalpel or other sharp implement and make deep scratches at certain points on the card (this will vary by card manufacturer) so as to break the antenna loop. Chip and pin functionality will be unaffected.

As far as arguments about a need for always needing a PIN go, this is sensible. A PIN isn't perfectly secure, and maybe contactless RFID/NFC isn't so insecure, but contactless without a PIN is definitely extra attack surface (even if a PIN gets required on some proportion of transactions) and reduces security, even if only by a small amount, for no conceivable benefit. If paying quickly matters there is a thing called exact change, keep it in your pocket, price up your stuff before you're at the till, count it up in advance and hand over the coin/note pile as you walk up. Cashiers love it, much faster than ****ing around with NFCs which always decide not to work when there's a big queue and a need to hurry.

Really we should all be endeavouring to use actual cash as much as possible, to keep in circulation the one form of payment which is not under threat whenever infrastructure is disrupted by malicious (foreign governments, own governments, criminals...) or accidental (power cuts, broken fibre cables, software updates...) events. Card payments should be reserved for their true purpose, online or other purchases of the kind where the buyer and seller are physically separated such that exchanging physical cash is impractical.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 7043
  • Country: nl
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #70 on: March 13, 2022, 02:48:26 pm »
As I've said before, given how cheap transistors are they should have done time of flight measurements of the signal and made that part of the standard (so the NFC device remodulates a PRNG sequence it receives from the terminal on a different frequency in some analogue circuitry to send its data, the terminal measures the lag). They still should for a new version.

MITM would be gone and it would just become a digital key for a true proximity lock.

Mobile phone payment would still be more secure, because you see a vendor independent confirmation of the payment details without having to rely on a possibly compromised terminal ... but I hate having to have a mobile with me everywhere so meh.
« Last Edit: March 13, 2022, 02:59:17 pm by Marco »
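
The time-of-flight check proposed in the post above, sketched from the terminal's side as an added example that is not part of the thread: the terminal sends a pseudo-random sequence, cross-correlates the echo to measure the lag, and rejects a response whose lag implies more distance than proximity allows. The sample rate, the card's fixed delay, the range limit and the 300 ns forwarding delay are all assumed values.

```python
import random

C = 299_792_458.0   # speed of light, m/s
FS = 1e9            # assumed terminal sample rate (1 ns per sample)
CARD_DELAY = 5      # assumed fixed delay of the card's analogue path, in samples
MAX_RANGE_M = 0.5   # assumed proximity limit enforced by the terminal
N_CHIPS = 256       # length of the pseudo-random probe sequence


def probe_sequence(seed: int) -> list:
    """Terminal side: +/-1 pseudo-random sequence for this transaction."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(N_CHIPS)]


def echoed_signal(probe: list, distance_m: float, relay_ns: float, seed: int) -> list:
    """What the terminal receives: the probe, delayed and with added noise."""
    flight_s = 2 * distance_m / C + relay_ns * 1e-9
    delay = CARD_DELAY + round(flight_s * FS)
    rng = random.Random(seed)
    clean = [0.0] * delay + [float(c) for c in probe] + [0.0] * 64
    return [s + rng.gauss(0.0, 0.3) for s in clean]


def estimate_lag(probe: list, rx: list) -> int:
    """Cross-correlate the probe against the echo; the peak gives the lag."""
    best_lag, best_score = 0, float("-inf")
    for lag in range(len(rx) - len(probe) + 1):
        score = sum(p * rx[lag + i] for i, p in enumerate(probe))
        if score > best_score:
            best_lag, best_score = lag, score
    return best_lag


def implied_distance_m(lag: int) -> float:
    """One-way distance implied by the lag once the card's own delay is removed."""
    return max(lag - CARD_DELAY, 0) / FS * C / 2


def measure(distance_m: float, relay_ns: float = 0.0) -> tuple:
    """Return (measured lag in samples, whether the terminal accepts)."""
    probe = probe_sequence(seed=1)                      # constructed seeds keep the run repeatable
    rx = echoed_signal(probe, distance_m, relay_ns, seed=2)
    lag = estimate_lag(probe, rx)
    return lag, implied_distance_m(lag) <= MAX_RANGE_M


if __name__ == "__main__":
    print(measure(0.04))                 # card held against the reader
    print(measure(0.04, relay_ns=300))   # same card, 300 ns of added forwarding delay
```

With these assumed numbers, 300 ns of extra delay corresponds to roughly 45 m of implied distance, far outside the 0.5 m limit.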
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 5050
  • Country: si
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #71 on: March 13, 2022, 05:09:50 pm »
Cash is still the primary way of payment here.

Pretty much everyone doing face to face business will take cash, while not everyone has a POS terminal to accept cards. So I tend to keep 10 to 100€ of cash on me. Yet find myself using cards more often because it is faster and more convenient.

It is more the US that had big dollar counterfeiting issues, to the point where a lot of places would only accept cards.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #72 on: March 13, 2022, 05:31:22 pm »
Problem with cash is that things like buses don't give change, and those and car parks charge stupid values like £3.29.

Can't remember the last time I paid cash for anything, but I notice in the likes of Lidl that those using cash take far longer on checkout than those dabbing a card (even when it needs a PIN check). Also can't remember the last time I had to patch a hole in my pocket because of the coins, or had to find a cashpoint before going anywhere or doing anything.
 

Offline Bassman59

  • Super Contributor
  • ***
  • Posts: 2501
  • Country: us
  • Yes, I do this for a living
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #73 on: March 14, 2022, 05:56:19 pm »
Quote
It is more the US that had big dollar counterfeiting issues, to the point where a lot of places would only accept cards.

I think counterfeiting is probably low on the list of reasons why many places only accept cards here in the US.

In no particular order:

A: credit card issuers are all competing with each other to get customers to use cards instead of cash. They do this by offering "rewards," which used to be points to be used for purchases through "partners," but now is increasingly just either a 5% discount at point of purchase (Target does this with their store-brand "Red Card"), or some percentage of "cash back," commonly 1%, but for certain "categories" like groceries and gas station purchases the cash back can be 5%. Of course the categories change frequently, so you need to be on your toes to take maximum advantage, but cash back is always better than "points" you have to redeem for products.

YES -- it is obvious that cash back isn't free. It is paid out of the swipe fees charged to merchants so they can accept card payments. Of course the merchants have to charge 3% to 5% more for their products just to cover the cost of the swipe fees, and sadly the merchant agreements between the card issuers and the retailers generally preclude the retailer from offering a cash discount. So from a consumer perspective, you're paying for the swipe fee, anyway, so you might as well use the card and get the "benefits."

So to that end -- I will pay for purchases at my locally-owned coffee shop or record store or guitar shop in cash, and they get the benefit of not having to pay the swipe fee. For the big box chains? Screw 'em, I'm going to use the cards that give me the benefits.

B: some merchants see the cost of swipe fees as being lower than the labor cost to manage counting and handling cash. I asked my friend who runs a local coffee roaster/shop about this, and he said from his small perspective, he goes to the bank regularly anyway so dealing with cash is no big deal. And he appreciates the savings from not paying the swipe fees. But, with the big box stores, it's a lot easier for all transactions to be electronic so they don't have to have the armored car come and take a million dollars in cash to the bank.

C: Employers do not trust employees to not steal cash from the till, even though the tills are counted out at the start of a shift and counted in at the end. (Employees don't trust employers, either; different issue.) Employers will embrace any idea that keeps workers from handling large amounts of cash.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #74 on: March 14, 2022, 06:27:47 pm »
Quote
It is more the US that had big dollar counterfeiting issues, to the point where a lot of places would only accept cards.

Another US thing is civil asset forfeiture: the police apparently pull trivial traffic stops and then confiscate any cash they find. Even if the traveller isn't charged with anything, the cops keep the money. Clearly, using a card instead of cash circumvents that.

https://www.nlg-npap.org/civil-asset-forfeiture/
 

