What can help steal your credit card info?

Contactless payment cards have radio frequency identification tags in them which can be read from a distance by using a scanner. The same RFID technology ensures the operation of building access cards and transport cards. Therefore, data on all types of contactless cards are not secure.

A number of publications, such as NBC New York and The Sun, have conducted experiments showing that contactless card information can be stolen at close range. To do this, experts simply held a reader disguised as an iPad to the victim’s pocket, wallet, or bag. Now, scammers don’t even need to buy any devices to do this. Google Play has apps that can be used for the same purpose.

If you are in a public place where a lot of people have gathered, the risk of such fraud increases significantly.

What information can be stolen?

As a result of using RFID readers, fraudsters can get access to different types of data, for example, credit card numbers, information about the expiration date of the card. This data is sufficient for resale on the darknet, and after this information is supplemented with other personal information, it could be used for making transactions on a number of sites or opening an account in your name. If a fraudster has received part of your personal data, the chance that they will receive all the information necessary for making a transaction or opening an account increases significantly. At the same time, security experts say that 80% of credit cards are compromised in some way.  Their data was stolen as a result of phishing, skimming, malicious software on websites, fraudulent phone calls, and data violations.

How to protect your cards from skimming and other types of fraud

Of course, credit card companies are trying to improve the technology with encryption, but thieves are also using increasingly advanced technologies that allow them to steal personal information.

Therefore, we recommend that you follow the simplest preventive security measures against RFID skimming:

• Do not store your cards in your pockets or money clip wallets. Only in your wallet, and your wallet is in a zippered bag. The wallet must have a separate slot for each card so that you can see each card in its place.
• Use a special blocking wallet, holder, or blocking card to protect your contactless card from skimming. Do not wrap the cards in foil, it is not intended for shielding.
• If you see someone holding a mobile phone next to your wallet or bag, or acting strangely in the checkout line, step back and ask the store’s staff for help.
• Before using the card anywhere, check for card skimmers.
• Use one card for autopay accounts and the other for everyday purchases. The autopay and everyday strategy helps you save your money and personal data.
• Do not store photos of your cards on your phone, or write their data to your phone.
• Keep cards that you don’t use at home in a safe place. You can also keep a list of all your card numbers, expiration dates, and security codes, as well as contact information in case your cards, are ever stolen.
• Destroy any documents containing your credit card information, including documents containing the last 4 digits.
• Keep track of your account statements. If you see a suspicious purchase, immediately notify the card Issuer.
• Periodically check the personal accounts of the online stores that you use most often (Amazon, Target, etc.). if you find any transactions that were not made by you, contact the seller immediately.
• If someone asks you to provide your card details over the phone on behalf of the card Issuer, do not agree. Call the customer support number on the back of your card and ask the Issuer’s representative what to do in this case.
• Use a credit card instead of a debit card whenever possible. In General, the losses will be less if the thief drains your credit limit, rather than having access to funds from your debit card. If your debit card is compromised, you may lose access to all the money in your current account until the Bank deals with the fraud. This could take several days.
• Periodically change your passwords and update your card pin codes.

Keep your data and funds safe at all times.

‘If you are worried about someone reading your cards, there are several RFID blocking products that can prevent skimming.

The post Can someone steal your credit card info from your pocket? appeared first on RFID Cloaked - Protecting your RFID personal data.

How easy is it to get at data stored on your contactless bank card, it’s easy than you think.

Card data scanned without authorisation

BBC Rip Off Britain investigate how easy it is to use your bank card data scanned using a smart phone, all this is possible with shocking results. The security expert makes an Amazon online payment using the scanned card data.

BBC Rip Off Britain

The post How safe is contactless payment? BBC – Rip Off Britain appeared first on RFID Cloaked - Protecting your RFID personal data.

The presentation describes potential RFID vulnerabilities in various devices (Mifare, RFID biometric passports, Mastercard PayPass, VISA PayWave), and how to exploit them using NFC smartphones.

It shows how to read/write cards, crack/gain keys, read biometric RFID passports, read NFC payment cards.

To view the presentation, follow the link →

The presentation describes the NFC Protocol and its history, the main devices that use RFID technology, as well as RFID vulnerabilities that exist for these devices.

You will see that there are no secure RFID devices, so RFID protection is necessary.

‘Want to learn more about RFID protection? See the information in our online-shop.

The post Hacking RFID devices using NFC smartphones appeared first on RFID Cloaked - Protecting your RFID personal data.

A report by the UK Cards Association said that contactless transactions were higher in the six months to June than they were for the whole of last year.

The average transaction cost £8.60, the report added.

Making a payment with a contactless payment, RFID, NFC bank card

“Contactless cards are firmly entrenched as the preferred way to pay for millions of consumers, who expect to be able to use them for everyday purchases,” said Richard Koch, head of policy at UK Cards Association.

“We anticipate the use of contactless cars will continue to increase, particularly as charities and transport operators outside London recognise the benefits this technology can bring,” he added.

The use of contactless has been boosted by small retail purchases such as food and drink purchases and public transport.

Cash still remains the most common method of payment.

In the first six months of the year, 1.1 billion transactions were made using contactless cards, up from 1.05 billion in 2015.

Many retailers do not accept contactless payments, despite the one-off spending limit being raised from £20 to £30 last September.

http://nr.news-republic.com/Web/ArticleWeb.aspx?regionid=4&articleid=71362552&source=viber

The post Nearly One In Five Sales Use Contactless Payment appeared first on RFID Cloaked - Protecting your RFID personal data.

The relay attack is also known as the “chess grandmaster attack”, by analogy to the ruse in which someone who doesn’t know how to play chess can beat an expert: the player simultaneously challenges two grandmasters to an online game of chess, and uses the moves chosen by the first grandmaster in the game against the second grandmaster, and vice versa. By relaying the opponents moves between the games, the player appears to be a formidable opponent to both grandmasters, and will win (or at least force a draw) in one match.

Similarly, in a relay attack the fraudster’s fake card doesn’t know how to respond properly to the payment terminal because, unlike a genuine card, it doesn’t contain the cryptographic key known only to the card and the bank that verifies the card is genuine. But like the fake chess grandmaster, the fraudster can relay the communication of the genuine card in place of the fake card.

For example, the victim’s card (Alice, in the diagram below) would be in a fake or hacked card payment terminal (Bob) and the criminal would use the fake card (Carol) to attempt a purchase in a genuine terminal (Dave). The bank would challenge the fake card to prove its identity, this challenge is then relayed to the genuine card in the hacked terminal, and the genuine card’s response is relayed back on behalf of the fake card to the bank for verification. The end result is that the terminal used for the real purchase sees the fake card as genuine, and the victim later finds an unexpected and expensive purchase on their statement.

Demonstrating the grandmaster attack

I first demonstrated that this vulnerability was real with my colleague Saar Drimer at Cambridge, showing on television how the attack could work in Britain in 2007 and (Play video) in the Netherlands in 2009.

In our scenario, the victim put their card in a fake terminal thinking they were buying a coffee when in fact their card details were relayed by a radio link to another shop, where the criminal used a fake card to buy something far more expensive. The fake terminal showed the victim only the price of a cup of coffee, but when the bank statement arrives later the victim has an unpleasant surprise.

At the time, the banking industry agreed that the vulnerability was real, but argued that as it was difficult to carry out in practice it was not a serious risk. It’s true that, to avoid suspicion, the fraudulent purchase must take place within a few tens of seconds of the victim putting their card into the fake terminal. But this restriction only applies to the Chip and PIN contact cards available at the time. The same vulnerability applies to today’s contactless cards, only now the fraudster need only be physically near the victim at the time – contactless cards can communicate at a distance, even while the card is in the victim’s pocket or bag.

While we had to build hardware ourselves (from off-the-shelf components) to demonstrate the relay attack, today it can be carried out with any modern smartphone equipped with near-field communication chips, which can read or imitate contactless cards. All a criminal needs is two cheap smartphones and some software – which could be sold on the black market, if it is not already available. This change is likely the reason why, years after our demonstration, the industry has developed a defence against the relay attack, but only for contactless cards.

Closing the loophole

The industry’s defence is based on a design that Saar and I developed at the same time that we demonstrated the vulnerability, called distance bounding. When the terminal challenges the card to prove its identity, it measures how long the card takes to respond. During a genuine transaction there should be very little delay, but a fake card will take longer to respond because it is relaying the response of the genuine card, located much further away. The terminal will notice this delay, and cancel the transaction.

We set the maximum delay to 20 nanoseconds – the time it takes a radio signal to travel six metres; this would guarantee the genuine card is no further away than this from the terminal. However, the contactless card designers made some compromises in order to be compatible with the hundreds of thousands of terminals already in use, which allows far less precise timing. The card specification sets the maximum delay the terminal allows at two milliseconds: that’s 2m nanoseconds, during which a radio signal could travel 600 kilometres.

Clearly this doesn’t offer the same guarantees as our design, but it would still represent a substantial obstacle to criminals. While it’s enough time for the radio signal to travel far, it’s still a very short window for the software to process the transaction. When we demonstrated the relay attack it regularly introduced delays of hundreds or even thousands of milliseconds.

It will be years before the new secure cards reach customers, and even then only some: there is only one Chip and PIN specification, but there are seven specifications for contactless cards, and only the MasterCard variant includes this defence. It’s not perfect, but it makes pragmatic compromises that should prevent smartphones being used by fraudsters as tools for the relay attack. The sort of custom-designed hardware that could still defeat this protection would require expertise and expense to build – and the banks will hope that they can stay ahead of the criminals until the arrival of whatever replaces contactless cards in the future.

Steven J. Murdoch is a member of The Tor Project and employee of VASCO.

http://nr.news-republic.com/Web/ArticleWeb.aspx?regionid=4&articleid=70003692&source=viber

The post How contactless cards are still vulnerable to relay attack appeared first on RFID Cloaked - Protecting your RFID personal data.

Paying for goods is even easier with contactless pay. A tap and away you go. But if you are asked to pass your card over to the bartender or shopkeeper should refuse.

You shouldn’t let someone else use your contactless card

Andrew Goodwill, the founder of the Goodwill Group against CNP (card not present) fraud, shared his advice with our sister title Mirror Online .

He said: “There is an unwritten code of good practice which is that when paying by either contactless card or by any other card, that the card should always be in the sight of the customer.

“If the card reader is not brought

to you for the transaction to take place then you should challenge why not and refuse to let the card out of your sight.

“The waiter or waitress may be all smiles and maybe served you very well, but do they have a card reader behind the counter? You just don’t know.”

You can now use Android Pay on your mobile as Google launches system in UK

The Mirror reported in February there is an app that could turn a phone into a card reader and pulled the details of several cards within seconds.

Mr Goodwill also warned of the dangers of keeping contactless cards on your person in general.

“Contactless cards have a security issue when they are in your purse or wallet and should be protected by using a Metal Card Holder wallet with RFID blocking technology

“Fraudsters can come up close to you and by using a card reader they can read your card details even if it is in your bag or wallet.”

Mirror Money performed an investigation into these claims in February and found card details could be pulled easily.

Phones could replace cash in nine years

It took the team less than a minute to search for an app that turns a smartphone into a card reader, download it then drop the phone next to a wallet to see if the card could be read while inside.

It could. Not just on one person, and not just with one wallet. In less than five minutes they had pulled seven people’s card details, all from different wallets and purses, just using a phone.

It even worked when the card was inside someone’s wallet, inside someone’s pocket.

And despite warnings about the danger of card clash , when the Mirror tried it with a wallet that had three different contactless cards in it, it still worked. All that happened was that the reader picked one and took its details, ignoring the rest.

The Mirror team stress that they used a simple, legal, app and could pull card details such as the long card number, the provider and expiry date.

http://nr.news-republic.com/Web/ArticleWeb.aspx?regionid=4&articleid=69925910&source=viber

The post Why you should never hand your card over when paying with contactless appeared first on RFID Cloaked - Protecting your RFID personal data.

via RFID – The Risk inside your credit card – – YouTube.

The post ▶ RFID – The Risk inside your credit card – YouTube appeared first on RFID Cloaked - Protecting your RFID personal data.