This entry is not my usual tale of action or bravery on the front line; it is more of an urgent Public Service Announcement to make all my blog followers aware of a new type of high-tech crime which has recently landed on our shores.
Have you got one of those nice new ‘contactless’ credit or debit cards? You know, the ones with the ‘radio wave’ symbol which means that in lots of shops there is no need to put your card in the machine and enter your PIN. If what you’re buying comes to less than £15, you just wave your card in front of the terminal and, bingo, the RFID (Radio Frequency Identification) chip built into your card is read over the air and the payment is taken from your bank account on the spot.
A similar thing is happening with the latest mobile phones. It’s called NFC (Near Field Communication) and allows you to hold your phone near a payment terminal and have the cost either debited from a linked bank account or added to your mobile bill.
There are over 19 million contactless cards already issued in the UK by all the major banks, with more to come as existing cards are renewed. It’s all designed to make your ‘shopping experience’ that much easier. But what if that experience were about to turn very, very nasty?
‘RFID Skimming’ is already a major problem Stateside, and it’s starting to happen over here. All that’s needed to obtain your important (and you thought secure) credit card data is a little gizmo costing less than £70 off the internet and a laptop or netbook: stick them in a laptop bag, manbag or handbag, walk down any street and let the tech do the stealing for you. The equipment constantly scans for contactless chips nearby and, when it finds one, reads off whatever the chip hands to any reader and stores it in its database: your card number, expiry date and (on many cards) your name. The one thing it cannot get is the three-digit CVV code on the back of your card, which is only printed there and is never stored on the chip.
Instantly, someone else can create a clone ‘contactless card’ with your data on it and go on a shopping spree at your expense. OK, so they can only spend a maximum of £15 a time in store, but armed with all that data there’s many a website or telephone order that can be placed without being asked for your CVV code. Amazon is the big one that comes to mind.
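To make concrete what “reads off the data” actually means, here is an added example; it is not code from the original post or from any product the post mentions. It is a small Python BER-TLV parser of the kind a skimming app has to run over a contactless EMV card’s READ RECORD response to pull out the clear-text fields. The tags it decodes (5A primary account number, 5F24 expiry date, 5F20 cardholder name, 57 Track 2 equivalent data, 9F07 application usage control) are standard EMV tags; the record bytes, the card number (4111 1111 1111 1111, a well-known test number) and the cardholder name are constructed for the example and were not read from any real card. It assumes the reader has already performed the SELECT and GET PROCESSING OPTIONS steps and has a record in hand.

```python
# Added example, not code from the original post or from any product it names:
# a minimal BER-TLV parser that pulls the clear-text fields out of a contactless
# EMV card's READ RECORD response, as an NFC skimming app would have to.
# SAMPLE_RECORD is CONSTRUCTED for illustration (test PAN 4111111111111111 and a
# made-up name); it was not read from a real card.

from typing import Dict, Tuple

NAME_HEX = "CARDHOLDER/TEST".encode("ascii").hex()      # 15 bytes -> length 0x0F

# Constructed READ RECORD response: a '70' record template holding the standard
# EMV tags a card returns to any reader, before any cardholder verification.
SAMPLE_RECORD = bytes.fromhex(
    "70 39 "                                    # record template, 0x39 = 57 bytes inside
    "5A 08 4111111111111111 "                   # PAN, BCD-packed
    "5F24 03 251231 "                           # application expiry date, YYMMDD
    "5F20 0F " + NAME_HEX +                     # cardholder name (present on some cards)
    " 57 10 4111111111111111D251220100000000 "  # Track 2 equivalent: PAN 'D' YYMM SVC ...
    "9F07 02 FF00"                              # application usage control
)


def _read_tag(data: bytes, i: int) -> Tuple[bytes, int]:
    """BER tag: if the low five bits of the first byte are all 1, the tag
    continues one byte at a time while bit 8 of each following byte is set."""
    start = i
    first = data[i]
    i += 1
    if first & 0x1F == 0x1F:
        while data[i] & 0x80:
            i += 1
        i += 1
    return data[start:i], i


def _read_length(data: bytes, i: int) -> Tuple[int, int]:
    """BER length: a single byte below 0x80, else 0x8N followed by N length bytes."""
    first = data[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported BER length encoding")
    return int.from_bytes(data[i:i + n], "big"), i + n


def parse_tlv(data: bytes) -> Dict[str, bytes]:
    """Flatten a BER-TLV byte string into {tag_hex: value}, descending into
    constructed tags (bit 6 of the first tag byte set, e.g. 70, 77, A5)."""
    out: Dict[str, bytes] = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding between data objects
            i += 1
            continue
        tag, i = _read_tag(data, i)
        length, i = _read_length(data, i)
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag.hex().upper()}")
        i += length
        if tag[0] & 0x20:                     # constructed: recurse into the template
            out.update(parse_tlv(value))
        else:
            out[tag.hex().upper()] = value
    return out


def decode_pan(value: bytes) -> str:
    """The PAN is BCD, right-padded with an 'F' nibble when the digit count is odd."""
    return value.hex().upper().rstrip("F")


def decode_expiry(value: bytes) -> str:
    h = value.hex()
    return f"20{h[0:2]}-{h[2:4]}-{h[4:6]}"


def decode_track2(value: bytes) -> Dict[str, str]:
    """Track 2 equivalent: PAN, field separator 'D', expiry YYMM, 3-digit service code."""
    digits = value.hex().upper().rstrip("F")
    pan, rest = digits.split("D", 1)
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7]}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit, as a skimmer would use to discard mis-read numbers."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only: how this data should ever be logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def skim_summary(record: bytes) -> dict:
    """Everything an unauthenticated reader gets from one record, decoded."""
    tlv = parse_tlv(record)
    pan = decode_pan(tlv["5A"])
    name = tlv.get("5F20", b"").decode("ascii", "replace").strip() or None
    return {
        "pan": pan,
        "pan_luhn_valid": luhn_ok(pan),
        "pan_masked": mask_pan(pan),
        "expiry": decode_expiry(tlv["5F24"]),
        "cardholder_name": name,
        "track2": decode_track2(tlv["57"]),
        "tags_read": sorted(tlv),
    }


if __name__ == "__main__":
    print(skim_summary(SAMPLE_RECORD))
```

Note what the parser does not find: there is no tag carrying the three-digit code printed on the back of the card, because it is never stored on the chip, and the cryptographic keys the card uses to authorise each transaction are never returned over the contactless interface, so these readable fields alone do not yield a chip clone that would pass a terminal’s cryptogram check. What they do amount to is roughly the same data as a magnetic stripe, which is exactly what matters for card-not-present orders that never ask for the CVV.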
Of course, the banks insist the system is safe and that ‘customers will be reimbursed for any fraudulent activity on their account’, but you still have to prove it to them first, and we all know how hard that can be.
The same equipment can be used to ‘lift’ data from a new-style biometric passport, simply and easily giving Mr Crook a lot more personal information about you, including your name, date of birth and even an embedded electronic version of your passport photo. Combine that with your card data and you can see how easy the bad guys have it.
In a crowded area, a store, a lift, a railway station or even the queue at McDonald’s, a ‘skimmer’ could obtain card details from literally dozens of victims in a few seconds, and some of the readily available equipment happily works up to 20ft or more away from the intended victim or victims.
Watch the news story from one of the American TV networks below, then ask yourself whether you still want that type of plastic in your pocket.

Wow! Well, I wasn’t comfortable with the idea of these new cards as it was, and now I despise it! I will definitely not be getting one! I’m paranoid as it is. With one of those I’d be scared to go out anywhere with it. Very good and important post.
“‘RFID Skimming’ is already a major problem Stateside”
No, it isn’t. I bet you can’t link to a reputable source for a single example of it _ever_ happening. So why do you claim it is a “major problem”? I’m genuinely curious as to why you would say this.
P.S. It’s also an outright lie to claim that you can read the cards from 20 feet away. If you will let me record you on video accurately reading the contactless card details from my lovely new Amex contactless card from 20 feet away I will buy you afternoon tea at the Ritz.
P.P.S. Do you have any theory as to why — if it’s trivial to clone cards and you can read them from 20 feet away — the banks would be introducing a new technology that would cause the entire payment card system to collapse within weeks?
P.P.P.S. It’s also a lie to say that you can read biometric passports this way. Again, I challenge you to read the biometric passport in my pocket from a foot away, let alone from 20 feet away. In order to read a biometric passport contactlessly, you need to read the machine-readable strip first.
Also, the list of things that cannot be read from a contactless card includes the cryptographic keys used in payments, so the statement “Instantly, someone else can create a clone ‘contactless card’ with your data on it and go on a shopping spree at your expense” is absolutely incorrect. You simply cannot clone contactless cards in this way, and as Dave Birch notes above there is no evidence at all that it’s been done by anyone other than publicity-hungry security researchers or people flogging tinfoil wallets.
If you’re in any doubt as to whether or not RFID skimming is possible, then perhaps watch the video evidence at e-pickpocket.com
There you’ll find a video by UK broadcaster ITN Channel 4 News, in which Thomas Cannon, of ViaForensics, demonstrates how an ‘electronic pickpocket’ can skim personal information remotely from RFID enabled bank cards using a custom smartphone application. Cannon later goes on to make a purchase using this info, and with no requirement to submit a secure CVV number.
Wrapping ‘contactless’ credit cards in standard tin foil may be a temporary solution for some, although it’s not particularly elegant, and defence contractors opt instead for alternative RFID screening materials, i.e. ones that specifically shield against 13.5 MHz frequencies, such as those supplied by rfidprotect.co.uk
Whilst certainly not in the hands of criminals at present, perhaps what Thomas Cannon gives us is a vision of things to come…
Forewarned is forearmed as they say.