Author Topic: Credit Card, Bank Card NFC. The most useless function every invented  (Read 15555 times)

0 Members and 1 Guest are viewing this topic.

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1195
  • Country: ca
    • VE7XEN Blog
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #75 on: March 14, 2022, 08:29:05 pm »
Relay attacks are demonstrated in some of the Defcon talks. But, there were others with focused RF energy that allowed reading from greater distances.

One can trade convenience for security. I choose more security. Others choose convenience. The only thing that is important is to recognize there is a trade-off and to be able to properly asses one's risk and decide if mitigation is needed.

I'm not claiming that everyone should drill their cards, just that people should be able to make an informed choice.  When banks claim "NFC is super secure", I beg to differ.

What you seem to be claiming, though, is that it is possible to clone a card remotely via NFC. In other words, that having temporary access to your card could be used by an attacker to make arbitrary transactions in the future. Barring some major undisclosed problem with the technology, that is not the case, it's a challenge-response system and the nonce is provided by the transaction processor, so you basically have a few seconds to execute the attack before the transaction times out. Any attack would need active access to your card while the transactions are being completed...the relay attack. With fancy antennas and so on maybe you can make this happen at some significant distance, but you still need to be doing this in sight of both the card and the terminal simultaneously. The activity at the terminal would also look pretty suspicious, not to mention someone waving a yagi around pointing at restaurant patrons or whatever. So maybe you can manage to pull off a couple of low-value transactions before you need to tear down your setup and move on. It's a far, far less valuable and higher risk attack than card skimming, and I think pretty impractical. The actual risk seems low, and it's certainly much more secure than the old magstripe or America's chip+sign system.
73 de VE7XEN
He/Him
 
The following users thanked this post: tom66

Offline twospoons

  • Frequent Contributor
  • **
  • Posts: 269
  • Country: nz
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #76 on: March 14, 2022, 08:38:49 pm »
Don't forget the carrier is 13.5MHz, so any antenna with decent gain is going to be huge.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7334
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #77 on: March 15, 2022, 03:25:20 pm »
Also, since it's powered for passive NFC cards... NFC has peak power of 1W for distance of ~2-3cm max.  How much power do you need to get NFC to work at say 2-3m?    The card is only going to be chirping at a few milliwatts, so how well will you receive the response at your attack distance?
 
Rough calculation: inverse square law, assuming the antenna is omnidirectional, you're going to be looking at 100W+ transmitter powers.  I think you might notice someone walking around with a 100W radio-transmitter.  You might even just about feel it! Sure the attacker could use a very directional antenna but now the attack has to become a lot more careful - where is the card positioned in the wallet, pocket, etc.?
 

Offline edtyler

  • Contributor
  • Posts: 38
  • Country: us
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #78 on: March 15, 2022, 04:05:40 pm »
I often see 2mW (+3dBm) transmitters in the HF band with a range of 20M, using an Omni type antenna. High power transmitters to power the NFC device are easy to conceal, but an efficient antenna would not be. The demos I saw used a somewhat directional magnetic loop, which had a 2M diameter - not too easy to conceal. But, there are wire antennas that could be concealed, especially if one wanted to work at a fixed location for a while.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 7043
  • Country: nl
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #79 on: March 15, 2022, 06:07:13 pm »
Rough calculation: inverse square law
Up to 20 meters, radiation is an unwanted byproduct, not a mode of operation. For inductive coupling, size and ferrite can substitute for power.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 15797
  • Country: fr
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #80 on: March 15, 2022, 07:51:56 pm »
This is just completely unrealistic for any real-world use. There are definitely many worse sources of concern than this, just move on.
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 5050
  • Country: si
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #81 on: March 16, 2022, 06:44:23 am »
Theft prevention is not about making it impossible to steal something. Just making it difficult enough for the thief to not bother.

Yes a RFID repeater attack is possible on a NFC bank card, but it takes so much setup(needs one person skimming the card and another using the stolen card info at a POS terminal simultaneously) to be able to steal one maximum contactless transaction worth of money.

Besides if you are worried about it you can still just get a metal sleeve for your card or a wallet with metal sheets embedded in it. This shields the card from harvesting enough power to power itself, so it wont work. Yet the card is still usable as NFC once you pull it out of there.

For me personally i don't bother with shielding my bank card since even if they do manage to pull it off i would loose at most 25€ and get a SMS about the transaction, so i can take countermeasures. I have lost more money to stupider things before.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7334
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #82 on: March 16, 2022, 08:05:42 am »
All of this is also pretending that we care that the bank loses the money.

At the end of the day, a fraud attempt like this (especially against a credit card in basically every Western country and probably beyond, but in all of EU also against debit cards) is protected for the consumer.

So unless you live on a bank balance of 100 euros regularly, it's unlikely you'll miss the funds.  You'll get a notification, call your bank up, cancel the card and the transactions, and "7-21 working days later" the money will be back home.
 

Offline Bassman59

  • Super Contributor
  • ***
  • Posts: 2501
  • Country: us
  • Yes, I do this for a living
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #83 on: March 16, 2022, 09:04:39 pm »
All of this is also pretending that we care that the bank loses the money.

At the end of the day, a fraud attempt like this (especially against a credit card in basically every Western country and probably beyond, but in all of EU also against debit cards) is protected for the consumer.

So unless you live on a bank balance of 100 euros regularly, it's unlikely you'll miss the funds.  You'll get a notification, call your bank up, cancel the card and the transactions, and "7-21 working days later" the money will be back home.

I don't particularly care if the bank loses money, that's for sure. If my credit card is compromised, they'll sort it out.

The only thing I worry about is a debit card. Now I never use a debit card for purchases, just for the rare ATM withdrawal. Why? Because even though I'll eventually be made whole by the bank if the card is compromised, the last thing I need is for mortgage or other payments to bounce in the interim.

Really, there's no good reason to use a debit card for purchases. Use a credit card, get the consumer protections/warranty extensions/etc the card issuers give as benefits. Take advantage of the 1-cent cash back. Just pay it off every month and there's no cost to using a credit card.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #84 on: March 16, 2022, 10:04:45 pm »
Quote
there's no good reason to use a debit card for purchases

It's instant settling of a debt, as opposed to having several debts hanging around for a month before they all hit you at once. If you are not the sort that gets turned on with columns of numbers and really understand that your current balance of, say, £300 is actually going to be a debt of £50 next week already so, no, you can't afford that fish'n'chip supper tonight, then not having any debt around longer than it takes to pocket your card is dead useful.

That isn't saying that credit cards don't have advantages, some of which you note. But debit cards are not advantage-free and there are good reasons for using them.

A quite good reason for having one (credit card), even if you don't want the delayed debts, is for credit worthiness. If you have no cards and no debts your credit rating will be lower than if you have a card and some debts. Shove a fiver on the card, pay it off every month, and your credit rating is boosted quite nicely since it shows you can regularly service debt.
 

Offline twospoons

  • Frequent Contributor
  • **
  • Posts: 269
  • Country: nz
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #85 on: March 16, 2022, 11:11:27 pm »
Plenty of low-margin retailers wont accept credit cards because the transaction fees just about wipe out any profit. I've heard Amex is particularly bad - higher fees and slow to pay.
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 8134
  • Country: gb
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #86 on: March 17, 2022, 12:58:59 am »
Really, there's no good reason to use a debit card for purchases. Use a credit card, get the consumer protections/warranty extensions/etc the card issuers give as benefits.

Some of us get consumer protections and reasonable warranties as a given, instead of a benefit of placing oneself into debt to a private company which doesn't care about you.
 
The following users thanked this post: newbrain

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 15797
  • Country: fr
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #87 on: March 17, 2022, 01:52:28 am »
That may depend on your country. Over here, debit cards have good consumer protection. The thing to be aware of though, is that the "higher end" the card is, the better the protection (like those "premier", "gold", "platinum" cards). And yes, those are available as debit cards too, at least over here. Not sure about the USA.
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 5050
  • Country: si
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #88 on: March 17, 2022, 06:37:49 am »
I just use a debit card all the time.

Here in Europe i don't really see the benefit of a credit card other than getting a cheep 1 month loan of money.

A few years ago i had to do some google research on what this "cashback" thing even is, because i got a foreign issued card and it shown cashback in the browser UI. It is simply not a thing here. Same for credit score. No such thing here. Your bank loans here get approved on the basis of providing paperwork that proves you have enough regular income to pay them every month. If you rack up too much debt you can get any assets to your name repossessed.

Debit cards also get fraud protection, they can have monthly limits etc... so they can't just drain you whole bank account in the case of fraud. For internet payments i use a separate prepaid visa debit card where i can transfer funds using my banks web ui. I only keep a few hundreds of Euro in there, so that is the most i can loose to fraud anyway.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 7043
  • Country: nl
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #89 on: March 17, 2022, 08:16:45 am »
Because of the recent EU law making credit card surcharges illegal credit cards are slowly going become the norm just as in the US (just as the US is removing similar laws and already has precedent making forbidding surcharges by contract invalid).

Extra insurance and easier chargeback are good services, if you pay for other people using credit cards you might as well derive benefit from it. Sucks to be forced into it by corrupt Eurocrats, but it is what it is.
 

Offline Faranight

  • Supporter
  • ****
  • Posts: 241
  • Country: si
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #90 on: March 27, 2022, 12:44:04 pm »
Well, I have to say I am personally not a big fan of contactless payment cards.

I was a bit upset when my bank suddenly notified me they were going to issue me a new contactless card without offering any options at all to stay with non-NFC cards (some rare banks still offer this choice, mind you). Angry as I was, I ended up drilling a small 2mm hole through my card where the NFC coil is located. You have to place your card against a strong light and you'll be able to see where the wires inside the plastic are. Thus I converted my brand new NFC card to a brand new non-NFC one. If anyone is interested it does work - it stops the NFC from working, but the contact payment isn't affected at all.

Was funny to see all those cashiers trying to place my card onto a NFC reader and then waiting a long time wondering why it isn't working.  :-DD

Fara-day? Fara-night.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 15797
  • Country: fr
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #91 on: March 27, 2022, 06:10:49 pm »
I've recently seen that they want to generalize contactless to ANY payment of any amount. It's going to appear relatively soon in the EU from what I've seen. Dunno about the rest of the world.

This means all transactions will be issued through NFC. A pin code will still be required above the max amount allowed for what is currently contactless payments, but you won't insert your card anymore in a reader. Not sure what it really brings to the table (apart from less wear of the cards and readers...) But for people who don't like NFC for payment cards, this is probably not good news.

 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 8134
  • Country: gb
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #92 on: March 27, 2022, 06:13:04 pm »
But for people who don't like NFC for payment cards, this is probably not good news.

Back to cash they go then.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #93 on: March 27, 2022, 08:48:41 pm »
But for people who don't like NFC for payment cards, this is probably not good news.

Back to cash they go then.

Or a phone wallet, which may be more acceptable to them.

I would see it as the phone showing a QR code which the payment terminal scans and then contacts the user's bank to authorize a transfer, the bank does the transfer, then the vendor sees that it's paid for. Things like Tesco Pay are almost there. Previously it would have been unheard of because of the 2-5day transfer timescale, but nowadays I can get notification from my bank that I've just spent money at Tesco before I've pulled the phone away from the reader.

The reverse could work: the payment  terminal shows the QR code which the phone scans. Either way the phone has a link to the bank, a does the vendor, so it's all matched up in realtime.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6126
  • Country: au
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #94 on: March 27, 2022, 10:35:31 pm »
Really, there's no good reason to use a debit card for purchases. Use a credit card, get the consumer protections/warranty extensions/etc the card issuers give as benefits.

Some of us get consumer protections and reasonable warranties as a given, instead of a benefit of placing oneself into debt to a private company which doesn't care about you.

I happen to agree with Monkeh here. I'm of the exact opposite mind. I don't have a credit card, but do have several Visa debit cards (which work the same way as a credit card, albeit without the credit).

Most (all?) banks here will offer protections to a certain amount and refund/reverse unauthorised purchases without questions asked.

Unless you have a specific need for rewards that come with certain cards and you're disciplined enough to pay the balance every month as not to incur interest charges, credit cards will certainly cost you more for very few benefits compared to a regular bank card, particularly if you pay a monthly or yearly fee.

As for warranty extensions, they are almost pointless in countries with strong consumer laws. Regardless of manufacturers warranties (extended or otherwise), Australian consumer law applies to all consumer products (including motor vehicles). If a product fails after the warranty expires, depending on the type of product, you could be entitled to a free replacement or refund. For example, Apple was one company that was forced to provide an explanation of what Australian consumer law covers after numerous consumers complained about them declining refunds/replacements: https://www.apple.com/au/legal/statutory-warranty/au/

In some cases, Australia Consumer Law offers more protections than the paid AppleCare+ extended warranty.
 

Offline retiredfeline

  • Frequent Contributor
  • **
  • Posts: 572
  • Country: au
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #95 on: March 27, 2022, 10:44:51 pm »
you're disciplined enough to pay the balance every month as not to incur interest charges

Never had a problem. You can set up automatic debit. Of course now you would probably worry they might take the wrong amount and drain your bank balance. It all comes down to what risk you can live with.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #96 on: March 27, 2022, 11:16:08 pm »
Quote
As for warranty extensions, they are almost pointless in countries with strong consumer laws.

Kind of. If you buy of Aliexpress your local laws are irrelevant. Suppose you buy from the Amazon marketplace and the vendor is that same Aliexpress one, just advertising on Amazon. Which law applies? I think that technically you (the buyer) are the importer and responsible for stuff like warranties. That's how Amazon gets away with a '1 month return and then up yours' policy, I think.

Edit: The other week I bought a low-cost item on Amazon and would normally have not done so because of the reviews saying the thing breaks. But I was offered a 2-year extended warranty for £1 which made the deal sweat. I normally wouldn't have taken the warranty, but it's so cheap and takes any worry about longevity away. Strangely, it's the first time I've been offered a warranty on such a low cost item, so maybe they've been reading the reviews too!
« Last Edit: March 27, 2022, 11:19:10 pm by dunkemhigh »
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 8134
  • Country: gb
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #97 on: March 28, 2022, 12:32:53 am »
you're disciplined enough to pay the balance every month as not to incur interest charges

Never had a problem. You can set up automatic debit. Of course now you would probably worry they might take the wrong amount and drain your bank balance. It all comes down to what risk you can live with.

Never seen that occur - have seen a card transaction for a few tens of dollars of flowers from a vending machine somehow transform into over $65k, though.. quality US bank goes 'looked legit, not our problem'.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6126
  • Country: au
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #98 on: March 28, 2022, 05:28:14 am »
Quote
As for warranty extensions, they are almost pointless in countries with strong consumer laws.

Kind of. If you buy of Aliexpress your local laws are irrelevant. Suppose you buy from the Amazon marketplace and the vendor is that same Aliexpress one, just advertising on Amazon. Which law applies?

Australian Consumer Law applies to any company who sells a product or provides a service in Australia, regardless whether or not the company is based or headquartered in Australia. So yes, companies such as Aliexpress, Amazon etc... are still bound by the legislation here if they choose to offer their products for sale in Australia. They don't get to opt-out of their responsibilities just because they aren't in the country. If they want Australian customers, they must comply with our laws.

Also, resellers don't get away with it simply because they didn't manufacture the product. The seller is just as liable as the manufacturer. One cannot fob a customer off onto the other (that's illegal).

I've personally had an ACL claim against a US-based company in the past, which was ruled in my favour. Whilst the company didn't really get a legal "smack", it cost them a total refund + an additional 100% of the purchase cost at the time. That's money in my pocket for their stuff-up.
« Last Edit: March 28, 2022, 05:34:21 am by Halcyon »
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 5050
  • Country: si
Re: Credit Card, Bank Card NFC. The most useless function every invented
« Reply #99 on: March 28, 2022, 05:44:31 am »
Or a phone wallet, which may be more acceptable to them.

I would see it as the phone showing a QR code which the payment terminal scans and then contacts the user's bank to authorize a transfer, the bank does the transfer, then the vendor sees that it's paid for. Things like Tesco Pay are almost there. Previously it would have been unheard of because of the 2-5day transfer timescale, but nowadays I can get notification from my bank that I've just spent money at Tesco before I've pulled the phone away from the reader.

The reverse could work: the payment  terminal shows the QR code which the phone scans. Either way the phone has a link to the bank, a does the vendor, so it's all matched up in realtime.

I already have this. My phone emulates a NFC Visa debit card using an app.

This means i am not limited to using it at one specific supermarket chain, having to set up an account with banking details with them, install there app on my phone for just that one store etc...

This works on any POS terminal that accepts a Visa NFC card. This means pretty much every vendor in my country that takes cards (unless they have such an old POS terminal that only takes chip&pin cards, but i haven't seen one of those in a long time). These days some ATMs are supporting NFC too, so i means i can also withdraw cash using just my phone.

However i rarely use it and instead just use my actual Visa card. The reason being convenience. Here is the comparison of the process for paying 20€ at a cash register:
- Visa card: Take wallet out of pocket, Take card out of wallet, The cashier can already see i want to pay with card and pushes the button, I press the card on the POS terminal, Wait for beep beep, Leave
- Paying with phone: Take phone out of my pocket, Tell the cashier i want to pay with card, Unlock my phone, Open the menu and launch the banking app, Wait for app to load, Enter the unlock pin into the app, Press the NFC pay button, Place the phone on the POS terminal, Wait for beep beep, Leave
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf