Hacker Demos Android App That Can Wirelessly Steal And Use Credit Cards’ Data
Eddie Lee’s Android phone, displaying data it has wirelessly read from his credit card. I’ve blocked… the credit card number on the phone’s screen in orange. The symbol of nested arcs on the card shows that it is one of the 100 million RFID-enabled cards in circulation.
Smartphone payment systems like Google Wallet give Android users the futuristic ability to use their phones to make payments with their credit cards. Researcher Eddie Lee has taken that trick a step further: using an Android phone to make payments from a credit card that belongs to an unwitting stranger.
In a talk at the Defcon hacker conference in Las Vegas Friday, Lee demonstrated an Android software tool called NFCProxy that’s capable of both reading and “replaying” data from contactless credit cards–any of the common payment cards with embedded RFID chips that allow payments at retail outlets’ wireless point-of-sale devices like these.
After using a Nexus S phone to read his own contactless Visa card onstage at Defcon, he then used his tool to relay the data a moment later to a point-of-sale device, where it was accepted as a payment. “I've just skimmed, abused and spent someone's credit card within a couple minutes. It's really simple,” he told the crowd.
Lee demonstrating a card reader lighting up to show that it’s accepted the payment data he read from… a credit card with his phone.
Preventing Credit Card Skimming
Skimming as a scam has endured for so long because it’s so often successful. Try these tips for foiling card skimmers:
Don't use free-standing POS terminals in badly lit or deserted areas. These are the most likely targets for skimmer action.
Deal directly with a teller or cashier when exchanging money. ATMs and other kiosks may be convenient, but you reduce your likelihood of being skimmed by avoiding them where possible.
Be on the lookout for damaged card readers. Any evidence of tampering should be seen as suggesting a fraudster may be at work.
Only Use Secure Websites
According to the Federal Bureau of Investigation, it's crucial to avoid entering your credit card numbers and personal information on unsecured websites. Sometimes a tiny icon of a padlock appears to symbolize a higher level of security to transmit data, according to the bureau's site. This icon is not a guarantee of a secure site but provides some assurance.
Will You Be A Victim Of Digital Pickpockets? Hacker Reveals How Easy It Is To Steal Credit Card Numbers In Seconds While You Still Have Them In Your Hand
- Criminals use RFID and NFC wireless communication to steal numbers
- The readers can be bought online or downloaded to a phone via an app
- They have to stand six inches away while a transaction is being made
- Within a matter of seconds, the technology can pick up and store data
- A $300 machine can then replicate the card so it can be used elsewhere
- It is estimated 70% of cards will soon be vulnerable to digital pickpocketing
- Cards can be protected from RFID skimmers by being wrapped in tin foil
Hacking NFC Via An App:
Once we have read the key or fob we want, we can store all of the information in a file. We can then use this information and write it back onto an empty card, essentially cloning the original card or fob. Figure 5 below shows the Write Sector portion of the app, in which you can write individual sectors or write all of them. The important sector to keep in mind is sector 0, as it contains the UID and manufacturer’s data; if you copy sector 0 to another fob, you've made a copy.
The Kisi Reader Pro uses Mifare Desfire EV1 2K NFC cards, which are some of the most secure NFC cards out today. They provide an added level of security to the already existing Mifare Desfire NFC cards, making them incredibly secure.
If you want to know how we at Kisi use mobile credentials and 128-bit AES-encrypted NFC cards, check this overview of our mobile access control system or get in touch with us. If you are more interested in .
Skimming Credit/debit Card Information At Point
While this scam has been around for several years, skimming is still a common method of credit card fraud. Skimming occurs at point of sale systems where debit and credit cards are used to make transactions, such as ATMs, gas pumps, and cash registers. More often than not, skimming is pulled off during legitimate transactions.
One example of skimming occurs when thieves use a “universal key” to open gas pumps and embed a device that captures card numbers. They also position a pinhole camera nearby that records the PIN numbers. Fake cards are then encoded with the information and fiscal havoc ensues.
How do skim artists do this without getting caught? Sometimes it's an inside job, orchestrated by an employee of the institution. Other times it is just good scouting: crooks pick stations that don't have adequate camera surveillance. And any of those other instances in between, it's the devil's work. Seriously…
How To Protect Yourself Against NFC Hacks
The most effective way to secure against NFC vulnerabilities is simply not to use NFC at all. However, if you want to use functions like contactless payments, then there are steps you can take to make it more secure.
Compartmentalize your sensitive accounts. If you use your NFC device for, say, quickly making payments through Google Wallet, then one way to stay safe is to have a separate account just for NFC. That way, if your phone is ever compromised and your Google Wallet information is stolen, it will be the dummy account that's stolen rather than your main account.
Turn off NFC when you aren't using it. This prevents accidental bumps from delivering unwanted programs and malware to your device. You may not think your phone gets within bump-range of many devices throughout the day. But you'd be surprised, especially if you find yourself in crowds a lot.
Routinely check your device for malware, especially after you've used NFC. It may or may not be possible to fully prevent NFC hacks. But if you catch them before they do much damage, that will be better than not catching them at all. If you find anything suspicious, change your important passwords and security credentials right away.
How Widespread Is Contactless Card Fraud?
It may seem like contactless technology allows fraudsters an easy way to access your money without a PIN. Assuming you take precautions to protect your card, the chances of it happening to you are reduced - however, consumers are right to be vigilant as cases of contactless card fraud doubled in 2018.
Because contactless technology currently limits the value of purchases, the total potential value of fraud involving these cards is reduced. Thieves are always looking for big payouts, which are limited by contactless fraud.
However, there’s also been recent research that shows that the £30 maximum spend on contactless cards can be bypassed. Researchers have found that the flaws in the payments system for some contactless cards could potentially allow criminals to steal hundreds of pounds in a single transaction.
The hack the researchers used to break the £30 limit uses a device which intercepts the signals between the card and the card reader. It then simultaneously 'tells' the card that no verification is needed and the card reader that verification has been provided.
Another purported method that fraudsters use is to actually process payments by standing near someone on a train or in another crowded public place and reading their contactless card through their clothes. However, according to Which?, there’s little evidence that this type of fraud is common.
History Of Card Frauds
There are a lot of ways your card details can be stolen. Skimming tools like these steal data from the magnetic stripe of your card. Then there are portable devices like a mini POS that can handle contactless payment, which can be abused by a rogue actor. Knowing this possible abuse, most POS machines offered to merchants have a limit on how much you can pay via contactless mode on a single tap, such as an upper limit of $100 in some countries. For transactions above these limits, you might have to insert the card into the POS machine and manually enter the PIN. The data captured from the card via this method will not have the static CVV/CVC that’s printed on the back of most cards. For an attacker, your card number, expiry date and CVV are the most valuable information, along with name/ZIP code in some countries. We will see how one can steal this information with an NFC-enabled Android phone in the coming section.
NFC Isn’t Perfectly Secure
So does that mean you don’t have to worry about your NFC devices being hacked?
Unfortunately not. NFC is more secure than other types of RFID, but it’s not perfect. It was designed to be a connection of convenience, not security. NFC requires you to bump, tap, or swipe an NFC-capable device like your phone against an NFC-capable reader like another phone. As long as both devices are NFC-capable and they are within the NFC wireless range, the connection is valid.
As far as the NFC protocol is concerned, the close distance is all that's necessary for a valid transfer.
Can you see the weakness? No password or credential requirements! NFC connections are established automatically and do not require any form of login or password entry in the way that Wi-Fi does. This has the potential for some real problems since anyone can establish an NFC connection with your device as long as they get close enough.
Imagine if you bumped up against a virus-infected NFC device? It would only take one bump for you to catch it.
NFC can be made secure at the application layer by implementing secure channels or by requiring credentials, but NFC as a protocol itself is not secure at all. And despite the close-proximity requirements for an NFC connection to trigger, unwanted bumps do occur. Sometimes, even a well-intentioned bump can result in a disaster.
How Money Can Be Stolen From Contactless RFID And NFC Cards
Recently, a fundamentally improved method of money theft has been discovered: a new way of stealing money from cards equipped with PayWave and PayPass technologies. Criminals intercept the signals from such bank cards out of the air using hand-made readers.
Plastic cards with contactless RFID chips can be used just by holding them against a PoS bank terminal. In this case, the card is neither swiped nor inserted into the terminal.
There are now methods of withdrawing money from credit cards using the latest smartphone models equipped with NFC, a variety of RFID technology. To withdraw funds from the card, hackers just need to know the full card number and the month and year of its expiry.
The cards of the MasterCard international system are equipped with PayPass chips, and the cards of the Visa payment system are equipped with chips with the name of PayWave. At the same time, both companies allow using their contactless technologies both on magnetic stripe cards and on newer cards with a square chip.
The convenience of using MasterCard-PayPass and Visa-PayWave systems is to simplify and speed up payments in stores. When making payments for small amounts with the cards with RFID chips, there is no need to sign on the cash receipt or enter your PIN-code into the PoS terminal.
To read the payment data, the fraudster only needs to have the reader within approximately ten centimeters of the victim's card.
Apple Pay Security And Privacy Overview
Learn how Apple protects your personal information, transaction data, and payment information when you use Apple Pay.
Apple Pay allows you to make easy, secure, and private transactions in stores, in apps, and on the web. You can also send and receive money with friends and family using Apple Pay in Messages. And with contactless rewards cards in Wallet, you can receive and redeem rewards when paying with Apple Pay. Apple Pay is designed with your security and privacy in mind, making it a simpler and more secure way to pay than using your physical credit, debit, and prepaid cards.
Apple Pay uses security features built-in to the hardware and software of your device to help protect your transactions. In addition, to use Apple Pay, you must have a passcode set on your device and, optionally, Face ID or Touch ID. You can use a simple passcode, or you can set a more complex passcode for even greater security.
Apple Pay is also designed to protect your personal information. Apple doesn't store or have access to the original credit, debit, or prepaid card numbers that you use with Apple Pay. And when you use Apple Pay with credit, debit, or prepaid cards, Apple doesn’t retain any transaction information that can be tied back to you; your transactions stay between you, the merchant or developer, and your bank or card issuer.
Steal RFID Credit Debit ATM Card Data With App Hack Proof RFID/NFC Safety Travel Tip
Are contactless RFID/NFC Credit cards safe? Maybe not. Your tap credit and debit cards can be read by a simple Android app simply by standing next to you. So, is your own wallet/purse/money clip being hacked through a backdoor without your knowledge? Be careful when you are out and about or are traveling abroad. With better and dedicated equipment criminals may be able to read your credit cards from farther away so protect yourself when travelling anywhere, especially in foreign countries!
I will show with my own contactless RFID/NFC credit cards how card skimming/reading could be done with my personal Android phone and show you one solution to help you protect yourself and your identity.
Secure your Visa, Mastercard, American Express, Discover, Interac, ATM and other contactless/NFC/RFID/PayWave/PayPass cards with RFID blocking wallets like the Bastion Carbon Fiber RFID Blocking wallet.
NOTE: VaultCard is no longer recommended as I found that it does not work as well as it seems. Sometimes when not positioned properly between the phone and the credit card the app was able to read the information on the card.
Myth #: I Could Accidentally Pay Another Customer's Bill Or Make Several Consecutive Payments
Payment terminals are designed to prevent payments being made for the same transaction twice, minimizing the risk of being charged multiple times, according to Jamie Topolski, director of payment card product strategy and output solutions at Fiserv.
And if a terminal detects multiple cards, some will request that only one card be presented, or the transaction might be voided to prevent double charging, he added.
The fears of accidentally paying another customer's bill are also unfounded because the card must be placed within a very short distance of the payment terminal to be read, Topolski said.
More Information About Using Apple Pay With Your Transit Card
If you designate a transit card that you added to Apple Pay as an Express Transit card, you can pay and ride without having to use Face ID, Touch ID, or a passcode first. You can manage Express Transit on your iPhone in Settings > Wallet & Apple Pay, and on your Apple Watch via the Apple Watch app.
You can temporarily suspend transit cards by using Find My iPhone to place your device into Lost Mode. Or you can remove transit cards by erasing your device remotely using Find My iPhone or by removing all cards from your Apple ID account page. Transit cards can’t be removed or suspended if your device is offline.
Guide To Avoiding Contactless Card Fraud
Contactless card payments are hugely popular within the UK - in fact, they’ve now overtaken chip and pin payments. Contactless payments increased 30% between June 2017 and June 2018 - and 52% of all shop payments were contactless in July 2018. Overall, there were 7.4bn contactless payments in 2018.
Around 7 in 10 payments in the UK are contactless, and 17% of 25- to 34-year-olds make only one monthly payment using cash - or rely entirely on cards to make payments.
One of the reasons for the increased popularity of using contactless cards is they’re easy and simple to use to pay for a variety of goods. By removing the need for a PIN code, contactless cards do offer a fast and convenient way to pay – however, they may also offer criminals the opportunity to commit fraud.
Below, we look at the facts behind contactless cards, how fraudsters can take advantage and the best ways to avoid becoming a victim of .