A man with a terminal, or again about contactless payments

Tomcat

Can a carder steal card details or money by discreetly using contactless NFC payments?

The topic of security of contactless payments based on NFC technology continues to excite the public. Researchers around the world are putting this technology to the test, testing whether we're all too careless by carrying cards around in the pockets of our backpacks and purses. What can you lose - only card data or, perhaps, money too, despite all security measures?

How a criminal can get money or card data using contactless payment terminals


The topic is potentially serious. My work colleagues already wrote about this not so long ago. Has anything changed in six months?

Discreet reading

Experiments have shown that standard contactless devices (phones, PoS terminals and the like) really do work only over a very short distance, a few centimetres. An attacker can extract some of your card data this way, but the chance is small, and it takes fairly unambiguous actions that a bystander can notice. A reader hidden in a jacket pocket will not help here...

...provided the reader is a standard one. From a not too expensive set of parts, the researchers managed to assemble a kit that could "eavesdrop" on transactions and read card data at a distance of up to 45 cm. The kit, however, included a backpack and a cart from the supermarket where the experiment was actually carried out. In short, a non-standard reader greatly increases the chance of obtaining card data, but it requires bulky equipment.

An Android phone with an NFC module infected by a Trojan looked somewhat more interesting. For those who "keep the phone and the money close to the heart", the picture was not pleasant: reading cards in this case is much easier and, most importantly, nobody will notice. If they wanted to, attackers could connect the infected phone to a second phone over the cellular network and, using it as a kind of "extender" (a relay), even buy something worth less than a thousand rubles, within the limit of a "pinless" mini-transaction. A very troublesome and inconvenient method, but apparently a realistic one.

However, since the publication of the study, I have not been able to find a single confirmed case of a successful “remote” attack on NFC cards.

Data…

Numerous studies have shown that the easiest thing for an attacker with a souped-up reader to obtain is partial card data: the card number and expiry date, plus some information about the last few transactions. Not enough for anything serious? Most likely, yes. However, researchers from Which?, for example, managed to find a store where the data obtained this way was enough to make a purchase well above the "mini-transaction" limit that does not require a PIN.
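What exactly does such a read yield? A contactless EMV card answers any reader's commands with BER-TLV records, and the only thing it keeps secret is the cryptographic key it uses to sign transactions: the Track 2 Equivalent Data (tag 57) with the PAN and expiry, the expiry date (tag 5F24), the cardholder name (tag 5F20, if the card still exposes it) and the Application Transaction Counter (tag 9F36) are plain data. The CVV2 printed on the back and the PIN are not in these records at all, which is why a skimmed set is only useful at merchants that do not check them. The Python below is an added example, not code from the original post, from Kaspersky or from Which?; the two card responses it parses are constructed byte strings with a made-up test PAN, and the exchange is simplified (a real reader would first SELECT the application and walk the AFL, which is omitted here).

```python
"""Decode what a contactless EMV card hands to any reader that asks.

Added example (not from the original post, Kaspersky or Which?). The card
responses below are constructed BER-TLV byte strings with a made-up test PAN;
a real reader would first SELECT the application and walk the AFL, which is
omitted here.
"""
from typing import Dict, List, Tuple

# EMV tags this example cares about (BER-TLV tag numbers)
TAG_TRACK2 = 0x57      # Track 2 Equivalent Data: PAN 'D' YYMM service-code ...
TAG_PAN = 0x5A         # Application PAN, BCD, F-padded
TAG_NAME = 0x5F20      # Cardholder Name (ASCII), if the card still exposes it
TAG_EXPIRY = 0x5F24    # Application Expiration Date, YYMMDD
TAG_ATC = 0x9F36       # Application Transaction Counter


def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Flatten EMV BER-TLV data into (tag, value) pairs, descending into
    constructed templates such as 70 (record) and 77 (GPO response)."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):      # filler bytes between objects
            i += 1
            continue
        first = data[i]
        tag = first
        i += 1
        if first & 0x1F == 0x1F:         # multi-byte tag: continue while bit 8 set
            while True:
                b = data[i]
                i += 1
                tag = (tag << 8) | b
                if not b & 0x80:
                    break
        length = data[i]
        i += 1
        if length & 0x80:                # long form: 0x8N then N length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % i)
        i += length
        if first & 0x20:                 # constructed: recurse into the template
            out.extend(parse_tlv(value))
        else:
            out.append((tag, value))
    return out


def encode_tlv(tag: int, value: bytes) -> bytes:
    """Minimal BER-TLV encoder, used only to build the constructed samples."""
    tag_bytes = tag.to_bytes((tag.bit_length() + 7) // 8, "big")
    length = bytes([len(value)]) if len(value) < 0x80 else bytes([0x81, len(value)])
    return tag_bytes + length + value


def decode_track2(value: bytes) -> Dict[str, str]:
    """Track 2 Equivalent Data is BCD: PAN, 'D' separator, YYMM expiry,
    3-digit service code, discretionary data, padded with F to a whole byte."""
    digits = value.hex().upper().rstrip("F")
    pan, _, rest = digits.partition("D")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7]}


def skim_summary(*responses: bytes) -> Dict[str, str]:
    """Collect what one unauthenticated tap reveals across the given APDU
    responses. A trailing status word 90 00 is stripped. Note what is absent:
    no CVV2 (that is printed on the card, not stored on the chip) and no PIN."""
    info: Dict[str, str] = {}
    for resp in responses:
        if resp[-2:] == b"\x90\x00":
            resp = resp[:-2]
        for tag, value in parse_tlv(resp):
            if tag == TAG_TRACK2:
                t2 = decode_track2(value)
                info["pan"], info["expiry"] = t2["pan"], t2["expiry"]
            elif tag == TAG_PAN:
                info.setdefault("pan", value.hex().upper().rstrip("F"))
            elif tag == TAG_EXPIRY:
                info.setdefault("expiry", value.hex()[:4])
            elif tag == TAG_NAME:
                info["name"] = value.decode("ascii", "replace").strip()
            elif tag == TAG_ATC:
                info["atc"] = str(int.from_bytes(value, "big"))
    if "pan" in info:                    # never log a full PAN; mask it like a receipt
        p = info["pan"]
        info["pan_masked"] = p[:6] + "*" * (len(p) - 10) + p[-4:]
    return info


# Constructed samples: a GET PROCESSING OPTIONS reply (template 77) and one
# READ RECORD reply (template 70). The PAN is a made-up test number.
SAMPLE_GPO_RESPONSE = encode_tlv(0x77,
    encode_tlv(0x82, bytes.fromhex("1980"))          # AIP
    + encode_tlv(TAG_ATC, bytes.fromhex("002A"))      # ATC = 42 transactions so far
) + b"\x90\x00"
SAMPLE_RECORD = encode_tlv(0x70,
    encode_tlv(TAG_TRACK2, bytes.fromhex("4761739001010119D2212201" + "0" * 11 + "F"))
    + encode_tlv(TAG_NAME, b"TEST/CARDHOLDER")
    + encode_tlv(TAG_EXPIRY, bytes.fromhex("221231"))
) + b"\x90\x00"

if __name__ == "__main__":
    found = skim_summary(SAMPLE_GPO_RESPONSE, SAMPLE_RECORD)
    for key in ("pan_masked", "expiry", "name", "atc"):
        print("%-10s %s" % (key, found.get(key, "(not present)")))
```

Run it and the output is the whole harvest of one tap: masked PAN, expiry, name and a transaction counter. Whether that is "enough for something serious" depends entirely on which merchant accepts a card-not-present payment without the CVV2, which is exactly the gap Which? found.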

The data can also take a somewhat more complicated path, ending up in a carders' database, so that later, at some not entirely foreseeable point, it becomes part of some shadow operation. With the data set described above, the likelihood of trouble by this route is somewhat lower, but the scenario certainly promises nothing good.

The simplest option: a certain young lady "from the bank" calls you and, in order to check something/investigate an incident/for some other very convincing reason, asks you for additional card details, expanding the partial set into a complete one. Needless to say, she is not from the bank, because real bank representatives never do that.

...or money?

What scares ordinary people the most is that money could, in theory, be taken from their card through the "mini-transaction" feature, where no PIN is needed to debit the money. Of course, such a charge is possible in principle: all it takes is a terminal capable of contactless transactions and a way to bring it close enough to the card.

But here we run into security measures that are even older than portable terminals. Since time immemorial, every cash register has been registered, at least with the tax office. With the arrival of electronic payments, each terminal (if it is a standalone terminal rather than part of a PoS system) is registered when an agreement is concluded with the acquiring bank.

A passport and other confirmation of the identity of the company/seller are required. Without this, the monetary relationship between buyer and merchant (essentially a non-cash settlement between the acquiring bank, which is the merchant's bank, and the bank that issued the buyer's card) is simply impossible.

Any fraudulent transaction, once contested, can be traced back to the terminal from which it was initiated and to that terminal's owner. Accordingly, the contested transaction is cancelled, the money is returned, and the competent authorities begin to take a close interest in the owner of the terminal. This is where the gray area begins, however.

What if…

  • The cardholder did not read carefully the clause in the agreement stating that those same mini-transactions "up to 1000 rubles" are not subject to dispute? (I've never seen it myself, but they say it happens.)
  • The window for disputing mini-transactions is noticeably shorter than for larger payments, and the client did not notice the bank's SMS in time?
  • The terminal is registered to a shell company set up with someone else's identity documents? Passport theft is not such a rare occurrence, especially since biometric documents are not yet widespread.

If you wish, you can come up with other circumstances, most of them coming down to someone not carefully doing their part to secure the payment. Be careful about who you are dealing with, and always be clear about the terms you are signing up to.

As for companies registered in someone else’s name, it seems to me that this kind of fraud is organized for the sake of much more serious operations than an attempt to steal several tens of thousands of rubles from other people’s cards, which simply will not recoup the criminal investment.

Oh yes, there is also the scenario of an unlucky courier who has lost his terminal. But it is of little use to criminals: whatever the terminal charges lands in the account of the company it is registered to, and getting the money out of there would mean, say, breaking into that company's online banking. So why, one might ask, steal the terminal at all?

What should I do?

And is it necessary to do anything at all? Everyone decides for themselves. Just remember that an experiment which today requires a backpack and a supermarket cart could become everyday reality tomorrow.

Here's what I decided for myself:
  • keep contactless cards in a place you control, in a chest pocket of your clothing, and not next to the phone;
  • despite the absence of a direct and immediate threat, consider shielded storage;
  • keep receipts when paying with the card. When disputing a fraudulent transaction, having receipts for the payments made in the period when it all happened can, at least according to bank support staff, help the investigation and reduce the chance that the money disappears for good.

(c) https://www.kaspersky.ru/blog/nfc-cards-security/11061/