Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card
New submitter biomass writes with news about a flaw in Visa's contactless card that lets anyone charge $999,999 to it. According to researchers at Newcastle University in the UK, the card system developed by VISA for use in the United Kingdom fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99. "With just a mobile phone we created a POS terminal that could read a card through a wallet," Martin Emms, lead researcher of the project that uncovered the flaw, noted in a statement about the findings. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction."
Re: (Score:3, Informative)
> fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99
Motherfucker, you can't read a fucking sentence into the SUMMARY!?
Re:Well... no. (Score:4, Informative)
Even if the transaction is 999,999.00 euros, the point remains: in all likelihood that transaction would be over the limit of 99.999% of all credit cards out there.
Also:
"Since the transaction is done offline without going through a retailer’s point-of-sale system, no other security checks are done."
How do they get at the money, however much it is, without passing it through the payment network at one point or another? It's not like there's only one check done when the card is tapped.
Re: (Score:2, Interesting)
There are 90.5 credit cards in the UK, with Visa owning about 49.6 percent market share.
Given your 99.999% figure, that means there are 288 (or fewer) cards out there that are authorized for over $1000000.
There are 104 billionaires in the UK, and 10,000 multi-millionaires. It seems, then, that 288 is actually a pretty reasonable number. Nice job.
Re:Well... no. (Score:5, Funny)
Re:Well... no. (Score:5, Insightful)
Sounds like if you can find a store that is currently offline (which is rare) you can rip off the store for goods purchased, and that's about it.
It's useless for the thief to directly charge a card unless the thief also has a merchant account, which are not exactly trivial to sign up for, what with credit checks and all.
And these people obviously have no clue how offline transactions actually work. They're held in the POS station until they get uploaded, where they get all the normal verifications before they are processed and the money deposited in the merchant's account.
Other than ripping off a merchant in some way (and that would require a coordinated effort on the part of someone with a portable card reader and someone else at the cash register), there is no risk here whatsoever. Nothing but FUD, deliberately fostering hysteria to sell advertising. In other words, in the world of "journalism", it's a day that ends in "y".
Re: (Score:3, Informative)
heh, I explained the exact same thing to someone on Twitter.
You would need either:
a) A portable POS with a Merchant account or
b) A portable skimmer and an accomplice in the same store from which to rip off that could make such a transaction.
c) An accomplice working for the store from which to rip off to intentionally make such charges happen.
It comes back to you're not buying a million dollars in hotdogs. At best a would-be thief could probably rip off some fast food, coffee and 7-11 type stores in broad da
Re: (Score:1)
> Sounds like if you can find a store that is currently offline (which is rare) you can rip off the store for goods purchased, and that's about it.
> It's useless for the thief to directly charge a card unless the thief also has a merchant account, which are not exactly trivial to sign up for, what with credit checks and all.
The way most credit card "thefts" work is that someone working at a store is involved, typically in areas where there are tourists.
The idea is that when the tourist pays with a card you get all the information you need to perform transactions. The tourist is currently out traveling in an unfamiliar country and will not be in touch with the world and his bank account the next couple of days.
It seems like it would be pretty trivial for someone working at a store to disconnect it from the internet at will.
Re: (Score:2)
The way that most credit card thefts work is that someone working in the store gets the card number to be used somewhere else to buy stuff that's easily fenced.
The chip cards prevent that (easily, anyway).
The only thing that "someone in the store" can do with this is get an offline transaction that will be rejected when uploaded, and if it isn't, the store gets the money, not the minimum wage employee who did the dirty deed. And it doesn't take very many challenged transactions before the store loses their
Re: (Score:2)
> It seems like it would be pretty trivial for someone working at a store to disconnect it from the internet at will.
And it would be pretty trivial for the credit card company and police to notice thefts all occurring from this one shop and rain fire down on their asses.
Re: (Score:2)
The bogus "transaction" is done offline. At that point, nothing has happened, no money has changed hands, and none will until it is uploaded.
When it is uploaded, it becomes an online transaction and goes through all the usual security checks, including card limits, and the money gets deposited in the bank account attached to the merchant account.
Contrary to what Hollywood might like you to believe, the cell phone used as an offline POS station cannot magically put money in to your bank account.
Re: (Score:2)
"Cruise through a neighborhood"? Really? Dude, NFC has an effective range measured in millimeters, so to "cruise through the neighborhood" scanning cards, you'd have to be cruising through people's living rooms.
And the transaction still has to be uploaded and processed by the merchant service. There is no magic money machine in your phone. Really.
Re: (Score:2)
Stranger things have happened, but it's still a very small scale operation, and a big improvement over stealing a hundred million card numbers at a time from Target.
Re: (Score:2)
Because you're not going to try scamming everyone out of a £million, but rather you're going to contactlessly skim everyone for a more realistic sum - say £250 (I think most, if not all, cards here have at least that limit and often much higher).
In fact, you set up a coffee stand and charge £2 per cup. Instinctively people swipe their card, think they're paying £2 but it is actually £200. It'll likely take days before anyone even notices and in that time you could have scammed ten
Re: (Score:3)
It's via the "contactless" chip system - which doesn't need to do online authentication. It's all done in the card for transactions under £20 (or hack foreign currencies). The card generates a transaction key which is passed to the bank when the shop communicates with the bank.
Using the foreign currency hack - you can ask the card for up to 999,999.99 in a foreign currency (not the default currency for the card). No one is going to use the hack to pull the full amount over - you'll use it for something
Re: (Score:1)
> Even if the transaction is 999,999.00 euros, the point remains: in all likelihood that transaction would be over the limit of 99.999% of all credit cards out there.
> Also:
> "Since the transaction is done offline without going through a retailer’s point-of-sale system, no other security checks are done."
> How do they get at the money, however much it is, without passing it through the payment network at one point or another? It's not like there's only one check done when the card is tapped.
When the BBC covered this story, the expert they interviewed said that of course the crooks wouldn't actually bill 999,999.00 euros. Even if it did get through the system and the owner's credit limit was high enough, it would be very easy for the recipient to spot on their bill and cancel. The figure quoted is a theoretical maximum, not what would actually happen. More likely is that the crooks would set it to a lower figure that would be authorised and look less out of place on the bill. Even stealing
Re: (Score:2)
AmiMoJo makes a valid point (though not the most important one that could be made on the topic): the article's title is click bait.
Re:Well... no. (Score:5, Interesting)
Up to. Meaning $0-$999,999.
Script a repeated transaction preload for $5 on a device then go wait at a chokepoint to any high traffic area. Subway, airport, shopping center, sports stadium, etc...
You could rake in quite a lot in a short timeframe doing that.
Re: (Score:3)
Yes, and Visa will totally let the 'merchant' keep their gains too, oh wait, wasn't Visa reversible? It sucks and is embarrassing, but is there any material harm done here (besides having the hassle of disputing charges) for the consumer?
Re:Well... no. (Score:5, Informative)
A good majority of small transactions are never caught or challenged. Credit card thieves figured this out a long time ago when card skimmers and the internet came about. People don't really pay attention like they should.
Re: (Score:2)
How long does it take, how important were your funds at the time. Needed to pay rent, buy medications, eat, awh shucks, your credit limit is exceeded no more credit for you and as a bonus they can screw with your credit history. The reality is credit card companies and banks do not want to pay for the extra expense of having your photo on the card and confirming of the purchase with a photo taken at the transaction point. For online purchases, the onus is truly in the hands of the merchant for what they will
Re:Well... no. (Score:4, Insightful)
That's why even if you have a Near Field Communications equipped card like Chase Freedom, you don't want to use it directly. Scan it once, into Apple Pay, and then use that implementation of the NFC standard to present the card to merchants without having them see your card. Apple's security is added to whatever security the credit card has, and your fingerprint is required to complete the transaction.
Re: (Score:2)
> Apple's security is added
Hmmmm, that's not exactly a selling point I'm afraid.
Scanning my Visa card into Apple's cloud just creates another possible point of security breach imho.
Re: (Score:2)
Unlike CurrentC, Apple Pay does not involve sending your card information to Apple. You set up cards whose issuing banks have joined the system. When you make a transaction, your phone synthesizes a one-time card number that is all the merchant sees.
Re: (Score:2)
But in facilitating this, two new points of access to your CC account have been created: the backend of Visa apparently allows Apple to connect and your phone becomes a second card next to the physical one. A hacker now sees more opportunities for access.
Re: (Score:2)
Example: once you lose your phone, you've now immediately also lost your CC
That's more risk instead of less
Re: (Score:2)
Only if you lose your thumb at the same time. Otherwise the stolen phone cannot even be opened.
Re: (Score:2)
> Apple's security is added
> Hmmmm, that's not exactly a selling point I'm afraid. Scanning my Visa card into Apple's cloud just creates another possible point of security breach imho.
You obviously know nothing how Apple's security with its pay system works. Your card info is never in Apple's cloud. Basically without too many details, an encrypted blob is initially passed via them to your bank and another encrypted blob comes back from your bank with your token and device ID. Apple never sees it or could see it. That's the only time it's done is in the setup. After that all transactions are made via a one-time token via your phone to the reader along with your fingerprint, never goin
Re: (Score:2)
Screw that.
Keep the card in a foil lined sleeve. You can get a pack of five for a few dollars, or get a fancy shielded wallet. I quite like the look of the ones made of woven stainless steel thread. I tested the el-cheapo ones that are just card and foil and they prevent card reads from all the readers I tested.
Then your physical removal of the card from its sleeve is required to complete any transaction, contactless or otherwise. No-one will have a reason to amputate your finger.
If you scan things into Ap
Re: (Score:2)
If that's the only way to use a NFC card safely, then having NFC on a card seems to be a pointless additional security risk.
Re: (Score:2)
What does a niche payment system have to do with the flaw?
Re: (Score:2)
The problem is that the merchant has no good way to prove ID and yet gets left holding the bag. It is possible to make the transactions safe and secure for both parties, but the credit card companies have no incentive to do so because they have managed to push all liabilities off on the merchant (ultimately reflected in higher prices to everyone to cover losses).
Re: (Score:2)
Merchant accounts are not only hard to get, but there's also a fundamental problem you missed - you need banking information. Just because you have a merchant account doesn't mean they cut you a cheque every month with the balance - no, they need bank information so they can transfer to your bank account, as well as handle recovery (
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
People are going to have to start accepting cryptographic signatures (maybe from keys signed by the government, like they have in Estonia).
Most of my utility bills are now via email.
Re: (Score:2)
1) Even assuming you are right, just because it 'only' sucks wouldn't lead me to think this issue can be disregarded. Dealing with credit card fraud while travelling, especially in a foreign country, is not something to shrug off.
2) At least in the UK, credit card companies have used the alleged security of EMV to transfer some of the risk to the cardholder (see http://www.cl.cam.ac.uk/~sjm21... [cam.ac.uk] )
3) I don't think transferring the cost to the merchant is an acceptable solution. As explained in other posts he
Re: (Score:3)
True, but how is that any different to the normal situation where the maximum amount is £20? If that were a realistic attack people would be doing it already, but there is no evidence that they are. Moreover the cards have been in use for over a decade in Japan, and such an attack has never happened.
The whole point of TFA is that they can get $1,000,000 in a single hit, but in reality they can't. So maybe, at worst, they can up the game a bit by doing a few hundred bucks instead of the previous
Re: (Score:2)
Re: (Score:2)
Contactless payment has been massive since the late 90s in Japan. Most people use Suica, Edy or some other contactless card or an e-wallet enabled smart phone to travel on public transport, for example.
Re: (Score:3)
Arguably it could make the attack more worthwhile. The effort and hit rate involved might not make it worthwhile at low ticket amount (might as well have a real job) but could be worthwhile as the money starts going up.
Realistically though it sounds like the attacker needs a merchant account to benefit (and presumably enough legitimate volume to hide the fraudulent transactions in without raising suspicions)
Re: (Score:2)
Seems like something along the lines of Google Wallet or Apple Pay would be more secure, since they can require to be unlocked before processing NFC transactions. Something as simple as a pressure pad on a card (i.e. requiring it to be pressed while completing a transaction) could solve the vulnerability.
Re: (Score:3)
Yeah... or, just putting the damn card in the card reader.
Not sure about the state of payment cards in the US, but in France (and likely most of Europe) we've had smart cards that actually discuss with the payment terminal. While not that secure at times, you needed an actual/intended physical interaction between the card reader and the card.
Fast forward to nowadays, we've introduced contactless cards, so anyone with an NFC phone can read your card info through your pocket. Like reading the magnetic track
Re: (Score:2)
> anyone with an NFC phone can read your card info through your pocket
Do you have any evidence of this? It seems impractical because the transaction takes about a second at best, so someone would have to shove up against you and hold their reader against your pocket for the full second to make it work. That is assuming you only have one NFC card in your wallet, otherwise interference as multiple cards try to respond will scupper the attack anyway.
Tinfoil wallet time?
Re: (Score:2)
Regarding the time needed for this, when I put my own card behind my phone, it really worked in roughly a single second. And it does work as fast through multiple layers of clothing as long as there's nothing metallic in the way. Now, in a very crowded area, people get pushed on each other. If it was enough in the past for a skilled pickpocket to steal your wallet without you noticing, clearly it's enough promiscu
Re: (Score:2)
> It seems impractical because the transaction takes about a second at best
Not true - I can't find the link at the moment, but the London Underground has been working with card issuers for a few years to ensure the cards are quick enough to be used to pay for journeys during rush hour. ISTR they required transactions to complete in under about 300ms.
> so someone would have to shove up against you and hold their reader against your pocket for the full second to make it work.
Not uncommon in a crowded place. The article suggested performing the attack at an airport since foreign currency transactions would not be unusual - if you've ever waited in line while going through airport security you'd realise th
Re: (Score:1)
Where do dollars come into this (except, of course, as not being pounds sterling)? This kind of assumption that "they mean what I mean" looks like it's at the root of this problem.
And don't get me started on apostrophes ;-)
Re: (Score:1)
From the article that is linked at Wired:
"The EMV system in the UK limits the maximum value for a contactless transaction to £20, requiring a PIN for anything more than this.
But the researchers found that the system doesn’t recognize foreign currency transactions and therefore doesn’t require a PIN for these."
If it doesn't think the money is over their spending limit due to currency conversion screw ups, then they can't go over their limit with a $999,999.00USD charge. Make more sense now?
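The limit check that the quoted article describes can be modelled in a few lines. This is an added example, not part of the thread and not real EMV code: the `Txn` type, the decision strings, the exchange rates and the sample uploads are all constructed for illustration. It puts the card-side check as described next to a fail-closed version, plus the kind of issuer-side review of uploaded offline transactions that other commenters mention.

```python
from dataclasses import dataclass
from decimal import Decimal

DOMESTIC = "GBP"
NO_PIN_LIMIT = Decimal("20.00")  # contactless limit quoted from the article
# Constructed conversion rates to GBP, for illustration only.
CONSTRUCTED_RATES = {"USD": Decimal("0.62"), "EUR": Decimal("0.79")}


@dataclass(frozen=True)
class Txn:
    amount: Decimal
    currency: str            # ISO 4217 alphabetic code
    pin_verified: bool = False


def card_check_as_described(txn: Txn) -> str:
    """Limit is only compared when the currency is the domestic one."""
    if txn.pin_verified:
        return "APPROVE_OFFLINE"
    if txn.currency == DOMESTIC and txn.amount > NO_PIN_LIMIT:
        return "REQUIRE_PIN"
    # Foreign-currency amounts fall through without any limit check.
    return "APPROVE_OFFLINE"


def card_check_hardened(txn: Txn) -> str:
    """Fail closed: an amount the card cannot value is treated as over the limit."""
    if txn.pin_verified:
        return "APPROVE_OFFLINE"
    if txn.currency != DOMESTIC:
        return "REQUIRE_PIN"
    if txn.amount > NO_PIN_LIMIT:
        return "REQUIRE_PIN"
    return "APPROVE_OFFLINE"


def issuer_review(uploaded, rates=CONSTRUCTED_RATES):
    """Flag uploaded no-PIN transactions worth more than the limit once converted.

    Unknown currencies are flagged too, since their value cannot be established.
    """
    flagged = []
    for txn in uploaded:
        if txn.pin_verified:
            continue
        if txn.currency == DOMESTIC:
            value = txn.amount
        else:
            rate = rates.get(txn.currency)
            value = None if rate is None else txn.amount * rate
        if value is None or value > NO_PIN_LIMIT:
            flagged.append(txn)
    return flagged


# Constructed sample of offline transactions uploaded by a terminal.
SAMPLE_UPLOAD = [
    Txn(Decimal("5.00"), "USD"),
    Txn(Decimal("200.00"), "EUR"),
    Txn(Decimal("12.00"), "GBP"),
    Txn(Decimal("999999.99"), "USD"),
    Txn(Decimal("1.00"), "ZZZ"),
]

if __name__ == "__main__":
    for t in SAMPLE_UPLOAD:
        print(t, card_check_as_described(t), card_check_hardened(t))
    print("flagged on upload:", issuer_review(SAMPLE_UPLOAD))
```
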
Re: (Score:1)
Cards don't make decisions, they just carry bits/numbers that represent an account, and it's up to the bank whether to allow or send an error back. If the customer promises to pay, then it works. If the customer calls to say they didn't authorize it, then it comes off the statement.
Re: (Score:1)
Btw, in the context of card payments, never use the word "bank" as this is massively ambiguous.
Re:Good (Score:4, Interesting)
If it's any consolation I'm a little bummed about the use of RFID in so many things that really should be secure, like passports. Fortunately I got mine issued in those last couple of months before they went RFID, but my wife's renewal is RFID-equipped so we had to get a faraday cage sleeve for it. Mine will expire soon enough that I'll probably also have to get a faraday cage sleeve soon.
I'd love to get one of those stainless-steel woven wallets, but I expect they're a pain in the ass to travel with, as they'll probably be searched every time they go through the X-ray machine.
Re: Good (Score:4, Informative)
Woven steel passport wallet here - dump it on the x-ray belt regularly in jacket and all sorts. Been asked to walk thru with passport/boarding pass on odd occasion but just slip them out of metal sleeve for that. Wallet itself has never been a burden.
Re: (Score:3)
You do realise that the information on the RFID chip in your passport is the same information that is in the passport, encrypted, and to decrypt it, you need the passport number and name, so you're going to need to have seen the inside of the passp
Re: (Score:2)
Decrypting the contents may not be necessary for nefarious uses [go.com]
A more reasonable issue may be people targeting US passports for thefts.
Re: (Score:2)
Easy to find (Score:3)
Re: (Score:2)
> If it's any consolation I'm a little bummed about the use of RFID in so many things that really should be secure
To be 100% fair, the RFID is easy to disable, you just have to cut the induction loop.
However the biggest issue with RFID cards is the fact they send your card number, name and expiry date out in an easily decrypted format... So you can now use RFID to harvest CC numbers and rip them off the old fashioned way (in Russia so even if you're identified you can never be caught).
They really should have used a unique identifier for wireless transactions that isn't able to be reverse engineered into your card
Re: (Score:3)
> To be 100% fair, the RFID is easy to disable, you just have to cut the induction loop.
To be even more fair, the data on a passport are somewhat encrypted, so it's not as easy as reading a card number ;)
> However the biggest issue with RFID cards is the fact they send your card number, name and expiry date out in an easily decrypted format... So you can now use RFID to harvest CC numbers and rip them off the old fashioned way (in Russia so even if you're identified you can never be caught).
That is the thing I find the most infuriating with these contactless payment systems. We *have* the technology to produce contactless smartcards, and yet their new big thing is just sending all data in plaintext to whatever reader is available. When my mother got her new credit card, I put it on the back of my phone, and on screen popped all the information needed to use the card on any webs
Re: (Score:1)
The data on credit cards is encrypted too, but the encryption was so poor it was broken years ago and new cards are still being issued with the same encryption.
The encryption is so weak it may as well be in plain text.
Re: (Score:3)
Assuming you're an American, your passport's cover is built with a mesh that is already RF dampening. It can't be read unless it's open. Even a fairly narrow crack can permit reading, so carry it someplace that will keep it closed.
The good thing about RFID readers is that the readers are very reliable. They don't have fragile electrical contacts that can get corroded, mechanically damaged, or electronically damaged by static electricity. They don't require a scanner that can get dirty and fail to read.
Re: (Score:1)
Re: Good (Score:2)
I had a woven stainless steel wallet (for money) and be warned, their abrasive edges wear through your pockets really quickly.
There are Faraday cage wallets that are leather on the outside (presumably they have metal foil inside?) that will be kinder to your clothes.
I've traveled a lot with both kinds and never had any hassles.
Re: (Score:2)
RFID in passports requires you to enter some passport fields (like last name, date of birth, passport number etc.) in order to be unlocked. In order to "steal" RFID data, you need to open it and read data from the photo page.
That's 1M-0.01 in ANY currency (Score:3)
At least the way I read the article, the flaw allows a charge of 999,999.99 in ANY unit of currency, not specifically US dollars, or UK pounds, or Euros, or Dinars, or Rubles, or whatever.
Re: (Score:3)
I thought maybe the reader can tell the card give me 10^6 Zimbabwe dollars, and then tells the back end card has agreed to 10^6 UK pounds.
Re: (Score:2)
Without reading TFA, "fails to recognize transactions made in non-UK foreign currencies" sounds more like "ANY unit of currency except Pounds Sterling, which was used in development and testing".
Needs to be real money (Score:1)
Re: (Score:2)
Don't have to. Bump into a person every few minutes in a crowded subway area, and get $20 out of any of them that have a card that happen to be close enough to the "bump". If you do this every two minutes, and only 1 out of 5 people gets you a result, a 7-hour day of work will yield 42 card details, or $840 of "chump change".
Now, think about this: this contactless payment system is not going away soon (I'm not even talking about the "vulnerabilities" exposed there). If you manage to get a channel for all thes
Re: (Score:2)
Don't even need to bump into people - Scanning terminal with a range of a few feet and just stand in a crowd with it in your backpack.
Do this at say a theme park or a major tourist destination with a high turnover of passing people (eg. Tower Hill tube station in London, Champ de Mars metro station in Paris) through a narrow choke point where your scanner can pick up everyone passing and you can yield a much higher number of cards.
Wouldn't the target phone need to be turned on (Score:1)
Re: (Score:2)
Re:Wouldn't the target phone need to be turned on (Score:5, Informative)
Re: (Score:2)
Dr Evil Says: (Score:2)
Re: (Score:2)
Nah, Iranian rial (IRR). ;)
Just ask your bank to send you (Score:2)
I got used to bumping my wallet
Re: (Score:2)
Re: (Score:2)
Pins can be read from the POS keypad
That lets you use the card, but not clone it: you still need to have the chip which contains the secret key the PIN unlocks
Re: (Score:3)
Depends on your bank. I have credit cards with 2 different banks. At first both of them flat out refused to send me cards without NFC, and as the NFC chip is integrated into the chip-and-pin setup you can't simply destroy the chip as many Americans can (swipe isn't the usual way of paying around here)
More recently though one of the banks has wised up and has sent me a non-NFC card, the other one is still NFC enabled.
That said, I have modified my NFC card to significantly reduce its effectiveness, I scor
Re: (Score:2)
As for people suggesting Faraday cage wallets and such, I'm unconvinced. A proper Faraday cage has to have no gaps, and most of these are not that tightly constructed. I would not be at all surprised if many of them provide only a feeling of security rather than actual security.
Don't know about "faraday cage" wallets, but I carry most of my cards in a simple metallic case that loosely closes (it's not airtight or anything). It is enough for my phone to not pick up the card inside when I put them together, so I suppose it would be a severe hindrance to people trying to read an NFC card with a quick bump.
Still, some tweaked hardware to boost the signal on the receiver side might get through. Hmm I need to run some more tests...
Re: (Score:3)
> proper Faraday cage has to have no gaps,
Actually not quite accurate - a faraday cage that blocks at all wavelengths would need to have a very small mesh. Rule of thumb is you want your mesh to be less than 1/4(c/freq) m.
Since freq in the case of NFC is 13.56 MHz, that will yield us with 22/4=5.5 meters (excuse the rounding, you get the point) so anything you can wrap around your wallet is going to do the trick.
Google NFC blocking wallets for some selections.
Source: I attend hacker conferences. All my credit cards are NFC enabled. I don't want
Re: (Score:2)
Tin Foil... (Score:1)
Re: (Score:3)
Right here [amazon.com]. My new driver's license came with one.
Re: (Score:2)
Re: (Score:2)
I actually have one of these, from REI.
FUD Detected (Score:2)
I'm not sure why this is news... if you swipe the mag stripe at an untrustworthy place, they can charge up to $999,999.99 too.... the system limit for a Visa/Mastercard transaction. What they're saying is an RFID chip gets too close to a scamming receiver they create a charge. Thing is, if a charge that big hits your account, your cell phone can scream "BIG TRANSACTION DETECTED!" and then you can have the charge reversed. Remember, we live in the era of "$0 liability"... as long as you can tell them it's wro
Re: (Score:2)
2-factor authentication (Score:2)
Even without this flaw, you could still steal up to a certain amount. The flaw just lets you bypass the limit (20 pounds in the UK).
This is an argument against allowing transactions without pins. Yes, it's convenient to wave your card at something and not have to put in a pin; but it's also dangerous.
Better: I like the active "I won't share my information unless a code is manually entered on me" method of some speculative card systems and of a (configured to require a pin) google wallet.
Damn (Score:2)
I'm a millionaire, Mom I did it!
Cell phones are going to screw you (Score:2)
"you can bump your mobile against someone's pocket "
This is a feature I won't enable on my Samsung S5 (piss poor phone), it just doesn't sound secure.
Even Bluetooth has the same flaw it had when it first came out. The trick was pulled on me recently so know it's an apparent feature. They even added a contact to my phone via Bluetooth.
One can sit in a mall and collect others' contacts (for one) just by having Bluetooth on and passing a "collector", I've disabled Bluetooth again.
Just like the first days of Blu
Re: (Score:2)
Nope. You can turn off BT. You can't turn off the NFC. You can only block it with an RFID blocking wallet, tin foil or something like it.
Disabling it on your phone changes nothing in the communication between your card and the thief's phone.
Re: (Score:2)
I appear to be able to turn it off on my Z1 Compact. However you are correct that it will make no difference to having stuff stolen from a card in your wallet.
simple solution!! (Score:2)
Affects only contactless cards (Score:1)
> "EMV cards don’t have to make contact with a reader to be used."
This is misleading. SOME EMV cards are contactless, but most normal (European) cards require a contact terminal and cannot be read / billed remotely.
The author somehow blames EMV itself for the vulnerability. EMV is a complex beast and there are many ways to get it wrong, but this here is something different.
Authorisation is only half the process.... (Score:2, Informative)
Only non-UK foreign currencies? (Score:2)
And what about UK foreign currencies?
Re: (Score:2)
So this is what happens when you use an NFC card while there's a sunspot aimed at us.