We steal a million from a contactless credit card

Tomcat

The (in)security of plastic cards has always been a hot topic, but with the spread of contactless cards it has grown into a real phobia - no worse than the phobia of GMOs, “killer phones”, brain-burning Wi-Fi and the like. In case you haven’t heard, a great many people are sure that contactless “plastic”, which makes it so easy to pay for a purchase in a store (swipe it next to the terminal - and you’re done! No need to enter a PIN code), just as easily gives money to “evil hackers”. The popular press fuels the hysteria without going into detail. Horror stories follow one another: if a few years ago researchers were amusing themselves with this at security conferences, now real thieves allegedly empty “wallets” on public transport, simply by passing next to victims. What's more, the other day there was a report about a device for “small-scale” cloning of contactless cards - as many as 15 per second!

For all that, sensible people suspect that this is just an unfounded phobia, paranoia (cards have been on the market for a decade and a half, and the end of the world has not come). But to confirm that suspicion, one has to delve into the technical issues, for which there is never enough time. So let's do this together.

There are different types of contactless cards, not just bank cards: for identification, travel on public transport, etc. However, what most people (including Russians) carry in their wallets are credit or debit bank cards produced to the ISO/IEC 14443 standard. This standard involves the use of the NFC protocol (digital radio communication at a frequency of 13.56 MHz) as a communication channel. The receiver does not have a power source and operates using energy induced in an antenna hidden inside the card. This is enough to receive and transmit a certain small amount of information. NFC is a slow protocol (tens of kilobytes per second), but not much is required in this case. VISA payWave, MasterCard PayPass and the domestic “Mir” cards work exactly this way.

And the main problem with contactless “plastic” is not the technology, but a superficial understanding of how it works. Trying to make it as easy as possible for ordinary people to adapt to the new product, marketers explained to them that swiping a plastic card with a magnetic stripe through a reader and making a contactless “click” on an NFC terminal are the same thing. So people, especially in countries where the culture of using “plastic” goes back more than one decade (the magnetic stripe is a brainchild of the 70s), do not see the functional difference between the two. And they reason something like this: before, the card had to be taken out of my wallet, but now a thief can simply walk next to me and, without even touching me, steal all the information from my credit card!

Well, this is partly true, but only partly. You too can try out the role of such a “high-tech thief.” To do this, you don’t have to solder anything or even buy an illegal card reader. A modern smartphone with NFC support is enough. Install any of the numerous applications for reading NFC tags (NFC Basic, Banking Card Reader, etc.), touch the card to the phone, and voila, the data is “stolen”. The subtlety is what kind of data it is.

In the clear, contactless bank cards store only the number, the expiration date and, less often, the user's name and transaction history. Formally, this is already enough to use your card without your knowledge, for example to buy something online: not all online stores require the CVV code, which is printed on the back of the card (but not written into its memory). So yes, this is a cause for concern.

But it will not be possible to fully “clone” a card (write the information onto a blank card and use it in regular stores without restrictions), as promised by sellers of devices like the illegal high-speed card reader mentioned above (for only $800!). Why? Because any offline transaction involves communication between, roughly speaking, the cash register and the card chip, and for each such session the chip generates a one-time key using strong crypto. To clone your card, you need to extract the crypto keys from it - and this is impossible to do via NFC.

There are only two real ways to exploit a contactless card. Firstly, a thief can acquire his own PoS terminal that supports contactless cards. By hiding one in his bag, he can actually walk around crowded places and initiate purchases when someone’s card is nearby. However, figuring out the name of the fraudster in this case will not be difficult (all terminals are registered with the authorities), and the size of a contactless transaction that does not require a PIN code is limited to a certain small amount (in Russia this is about one thousand rubles).

Secondly, a thief can use a radio signal relay scheme - taking advantage of the experience of “colleagues” who steal cars in this way. Here you will need two auxiliary NFC devices. The first should be located next to the victim's card, the second at the point of purchase, say, next to the cash register in a store. Such devices can be, for example, smartphones that support NFC. The cash register initiates the sale, the second smartphone transmits the NFC signal to the first, which transmits it to the card, and the information is returned through the same chain. The victim notices nothing, but the purchase is completed. The difficulties, however, are obvious. Special software is required, which, as far as we know, does not exist (correction, thanks to the readers: it has already been implemented in laboratory conditions). Plus, again, the transaction size is limited.

By the way: mobile wallets (Apple Pay, Android Pay, Samsung Pay) are not susceptible to the problem of contactless theft - for the simple reason that the virtual card responds to requests from the reader only when the user needs it, and is silent the rest of the time.

So what's the result? It is not possible to clone a contactless card. You can only steal a small amount from it while you are nearby. So the stories about unfortunate people who “lost thousands of dollars in one moment without removing the card from their pocket” are either fiction or delusions (the card was probably compromised in another way).

The only real threat remains the theft of the card number and its use for unauthorized purchases via the Internet. The risk is actually small: the thief must get too close to you, plus in developed countries the bank is obliged to cancel such a transaction upon request and refund the amount. In Russia, the law doesn't yet require this (correct me if it's already wrong), so if you're feeling anxious, use a good old Faraday cage: store contactless cards in an aluminum foil pocket. Better still, think about replacing the card with a mobile application: electronic wallets that store analogues of bank cards are not at all susceptible to the problem of contactless theft.

(c) Evgeniy Zolotov
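
The article's point that a copy of the clear-text fields cannot pass as the real card, because the chip signs every session with a key that never leaves it, can be shown with a small model. This is an added example, not code from the article: HMAC-SHA256 stands in for the card's real cryptogram algorithm, the `Card` and `Issuer` classes, the counter check and the issuer-side verification are simplifying assumptions, and the card number is a constructed sample.

```python
import hashlib, hmac, secrets

def _mac(key, pan, amount, atc, nonce):
    # Stand-in for the card cryptogram: HMAC-SHA256, not the real payment algorithm.
    msg = f"{pan}|{amount}|{atc}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    def __init__(self, pan, expiry, key):
        self.pan, self.expiry = pan, expiry   # fields readable over the radio link
        self._key, self._atc = key, 0         # secret key and counter stay in the chip

    def read_public(self):
        return {"pan": self.pan, "expiry": self.expiry}

    def sign(self, amount, nonce):
        self._atc += 1                        # every transaction gets a new counter
        return self._atc, _mac(self._key, self.pan, amount, self._atc, nonce)

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorize(self, pan, amount, nonce, atc, cryptogram):
        if pan not in self._keys:
            return "unknown card"
        expected = _mac(self._keys[pan], pan, amount, atc, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad cryptogram"           # wrong key, or data changed after signing
        if atc <= self._last_atc[pan]:
            return "replayed counter"         # valid signature, but already used
        self._last_atc[pan] = atc
        return "approved"

def demo():
    pan, key = "9999000000000001", secrets.token_bytes(32)  # constructed sample values
    issuer, card = Issuer(), Card(pan, "12/30", key)
    issuer.enroll(pan, key)
    nonce = secrets.token_bytes(4)            # the terminal's unpredictable number
    atc, mac = card.sign(500, nonce)
    results = {"genuine": issuer.authorize(pan, 500, nonce, atc, mac)}
    pub = card.read_public()                  # all that a copy of the open data contains
    clone = Card(pub["pan"], pub["expiry"], secrets.token_bytes(32))  # real key unknown
    n2 = secrets.token_bytes(4)
    catc, cmac = clone.sign(500, n2)
    results["clone"] = issuer.authorize(pan, 500, n2, catc, cmac)
    # The captured cryptogram sent again, then against a terminal's fresh nonce.
    results["replay_same"] = issuer.authorize(pan, 500, nonce, atc, mac)
    results["replay_fresh"] = issuer.authorize(pan, 500, secrets.token_bytes(8), atc, mac)
    return results
```

Only the genuine card is approved; the copy and both replays are declined, which is why the number and expiry date alone are useful only where no cryptogram is checked, such as the online purchases the article mentions.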
 