Archive for the ‘Credit & Debit Card Skimming’ Category

Growing concern that Marks and Spencer's contactless payment terminals take money from customer accounts without customers' permission

The British Broadcasting Corporation (BBC) broke the news today that certain Marks and Spencer (M&S) customers are experiencing issues with the use of contactless payment cards at stores in the UK.

BBC reporter Bob Howard (Radio 4’s ‘Money Box’ programme) appears to have been approached by a number of M&S customers who claim that payments have been taken from their RFID enabled / contactless cards, whilst still in their wallets but nonetheless in proximity to ‘point-of-sale’ terminals.

A BBC spokesperson said,

“Cards are supposed to be within about 4cm of the front of the contactless terminal to work.

But some customers say payments have been taken from cards while in purses and wallets at much greater distances.”

M&S remains (perhaps understandably) adamant that its payment processes are robust and entirely fit for purpose. However, one customer told the BBC…

“I put my card into the reader and the assistant was asking whether or not I wanted cash back.

“Before I could answer, the transaction came up as complete and the till issued a receipt so I hadn’t put in a pin at all at that stage. I queried it with an assistant and she looked rather puzzled and looked at the receipt and compared it to my card and realised that the numbers didn’t tally.”

There have also been reports of ‘double charging’, where two contactless payment cards are charged simultaneously – however, the jury is currently out on whether this is a real problem or not. Elsewhere amongst Britain’s press (n.b. The Daily Mail, The Telegraph) are articles reporting similar themes, and one claim that we have heard about is where a customer would like to pay cash for goods at the payment terminal, only to find that their item has already been checked out. What may be happening in such instances is that the person wishing to pay cash has moved close enough to the payment terminal for a contactless credit, debit or store card on their person to activate – and thus complete the sale.

Some will take the view that this is an invasion of privacy, although perhaps the overarching theme is merely that our choice as customers is being eroded (i.e. our ability to determine exactly how, and when, we pay for goods). However, by keeping our contactless payment cards safe within RFID protective sleeves we can take control quite easily – dictating when, and how, we are charged for goods – making payments on our terms.

To purchase low-cost RFID shielding sleeves for your contactless cards click here.

More on this extraordinary development can be found at the following link:

bbc.co.uk/news/business-22545804

PIN Skimmer: a new threat to smart phone security

“Distrust and caution are the parents of security.”
Benjamin Franklin, 1706

University of Cambridge boffins Laurent Simon and Prof. Ross Anderson have demonstrated a new vulnerability in the security features of certain smart phones. By deploying custom software – dubbed ‘PIN Skimmer’ – the device’s accelerometer and gyroscope channels can be interrogated (potentially by third parties), and in doing so it appears possible to infer probable PIN entries.

Prof. Anderson tested his theory on the Google Nexus-S and the Galaxy S3 smart phone platforms – this week he released a report claiming actual ‘proof of concept’.

“By recording audio during PIN input, we can detect touch events. By recording video from the front camera during PIN input, we can retrieve the frames that correspond to touch events.”

“Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users”, explains Prof Ross Anderson.

In a 2010 survey of mobile customers, 33 percent of smart phone users cited security concerns as a main reason why they avoid using their phones to access financial accounts. (source: comScore.com/insights)

It could be argued that with the advent of ‘PIN Skimmer’ their concerns are not without grounds – because many smart phone users have a PIN code not only to secure their phone, but also to unlock e-payment applications.

Source: bbc.co.uk/news/technology-24897581

11 November 2013


The Australian edition of Secure Business Intelligence magazine (or SC to those in the know) has uncovered evidence of a new Android app capable of skimming customer data from contactless payment cards! Earlier this year Thomas Cannon (ViaForensics) successfully demonstrated (on ITN Channel 4 News) a prototype app for NFC smartphones that could e-pickpocket a victim’s bank card account number and expiry date, and obtain sufficient details to enable purchases with a major online store.

It seems that developer Thomas Skora (Integralis) has taken Cannon’s concept one step further – his new app, called ‘paycardreader’, not only skims card details, but it is claimed this tech can also access “…transactions and merchant IDs” when tested against certain PayPass Mastercards.

Interviewed by SC during an awareness-raising event for the security industry, Skora stated that his app was, “…only for technical demonstration”.

SC magazine suggests that the app, “…was available for download on the Google Play Store and on GitHub” although we were unable to track it down and suspect that it has since been removed for fear this technology will fall into the wrong hands.

Mindful that in Thomas Cannon and Thomas Skora we now have two independent app developers who have successfully produced a functional ‘e-pickpocket’ app for smartphones, important questions need to be asked of our security professionals. For instance, are there more developers working on similar applications, we wonder? And just how long before organised crime produces its own version? After all, it could be argued that the prospect of a ‘contactless’ theft – one where the victim doesn’t even realise they’ve been ‘mugged’ – will be an attractive proposition for career criminals, and therefore is likely to be an idea worthy of their time and investment.

Learn more about e-pickpocketing at: www.e-pickpocket.com

Or watch Thomas Cannon in action here: www.rfidprotect.co.uk/video6.html

Original source:  http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx

Everyone’s favourite daytime TV show This Morning featured a selection of RFID Protect products during a slot about credit card fraud and the fast-growing issue of ‘e-pickpocketing’. During a five-minute feature, presenter Phillip Schofield showcased RFID Protect’s latest Leather Multi-card Holder, which has been designed in collaboration with crime-reduction officers at Victoria Police, Australia and is new to the UK.

Mr Schofield was visibly shocked at the ease with which information can be ‘skimmed’ from a contactless credit or debit card during a demonstration given by Thomas Cannon, Director of Research and Development at the American company ViaForensics.

First shown on Thursday 10th May, 2012, the programme can be viewed again for a limited period at http://www.itv.com/thismorning/ and a direct link to their Crime File discussion area for this particular issue can be found at: http://www.itv.com/thismorning/life/crime-file-120510/

A spokesman for RFID Protect said,

“…we’re absolutely thrilled that ITV came to us for guidance on the whole issue of ‘e-pickpocketing’, and what members of the public can do to better protect their contactless bank cards.  Working with the team on This Morning has been a great pleasure; it’s great to receive so much positive feedback about our work and products.”

Adding,

“…ITV has very kindly agreed to provide viewers with a direct link to our products from their main website. This will go live shortly, but in the meantime our full range of RFID shielding kit can be purchased on-line at: http://www.rfidprotect.co.uk/products.html”

TWENTY million Brits are at risk of having their bank details stolen by electronic pickpockets, a Sun investigation has revealed!

Journalist Nick Francis of The Sun newspaper has spearheaded a major investigation into the potential for contactless crime, taking the work of RFID Protect to a national audience. In an interview with RFID Protect spokesman [David Maxwell] The Sun revealed:

“…David is a former cop and director of RFID Protect, a firm specialising in products which combat RFID fraud.  It has been a big problem in America for a while and now it is getting to be a problem over here. It is a difficult thing to put statistics on because it’s hard to tell how your card details were skimmed.”

“If you ring your bank they will point out there are many ways to lose your card ID, which is true, and by the time you find out you’ve been skimmed it is too late to work out how.

“But the technology is out there and in the wrong hands.”

Source: The Sun (News International)

Date: Sunday 29 April 2012

Original author: Nick Francis

You can read the full story at this link: “Robbed by Radiowave” (The Sun Newspaper, News International), or get protected from contactless crime at: RFID Protect (click here)

Update | 05 May 2012: This story has now captured the attention of numerous media agencies, and continues to expand its reach on a daily basis. We are aware that the following players have either run similar features during the past week, or intend to do so before long:

  • The Daily Mail
  • This is Money
  • DNA Daily News Analysis
  • This Morning (ITV.com)


“All I did was tap my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name.”  Thomas Cannon, ViaForensics

Finally, the ‘eagle has landed’.

So when your bank tells you that a new ‘contactless’ payment card is 100% secure, perhaps you’ll keep in mind their track record for ‘security’ and that we’ve been calling for a greater awareness of the vulnerabilities of ‘contactless’ payment technologies for over two years now!

There’s probably nothing to worry about in the longer term, but right now, just to be on the safe side, why not avoid potential mayhem and consider a low-cost ‘anti-skim’ sleeve for that new ‘contactless’ credit or debit card, such as those that can be purchased from RFID Protect.

This article makes reference to an original story by Benjamin Cohen, who is Channel 4 News’ Technology Correspondent. You can watch the video here, or read the full story at Channel 4 News.

If you’re a regular visitor to this blog then you’ll no doubt be familiar with RFID technology – and now it appears that our cousins in Australia are waking up to some of its potential vulnerabilities. Linking automatically to a retailer’s ‘point-of-sale’ terminal (but without the need for a verification PIN or signature) makes Radio Frequency ID (RFID) payments quite different to normal transactions using a swipe card, cash or personal cheque.

The ability to process transactions rapidly means that RFID e-payment solutions are very attractive to retailers too, although it has been reported in the media that a growing number of consumers in Australia are not entirely convinced by industry claims that these ‘contactless’ systems are 100% foolproof!

ABC News 24 recently reported that, “…There’s been some very famous attacks where people have been reading passport numbers and other serial numbers from RFID-enabled cards. Proximity cards, such as the one that you use to get into your secured building, those have been cloneable for quite some time.”

Whilst Australia has been relatively slow to adopt ‘contactless’ systems – we’ve learned that as of March 2012 it’s going to be a case of ‘full steam ahead’ with major stores keen to deploy ‘tap-and-pay’ payment options.  More likely to ‘crack a mental’ than crack open the Champagne – some quarters are arguing that the roll-out of contactless e-commerce is fast becoming a headache for those involved.

A spokesperson at ABC News 24 urged caution reporting that, “…one of the first attacks that we’re most likely to see being used by criminals are probably relay attacks. When you have your phone in your pocket or your card in your wallet and attackers work out a mechanism to activate the card in your pocket, relay the transaction somewhere else, maybe not even in the country and perform a transaction at a terminal by another party, stealing money from that particular account. That’s probably the most likely attack that we’ll see occurring in the future.”

Here’s the link: http://www.abc.net.au/news/2012-01-30/consumers-warned-over-tap-and-pay-technology/3801162

The following link will take you to the RFID Protect webpage where any nervous Australians can get protected now! http://www.rfidprotect.co.uk/products.html

DN Systems has published a helpful overview of the considerable benefits that come with new ‘contactless’ technologies, and also of some of the alleged risks for businesses keen to deploy them. Firstly, it seems important to keep in mind that this is a relatively new sector, and therefore security policies are still in their infancy – so this is a shifting terrain. Whilst companies may have given much thought to the design of their RFID-enabled devices (for instance door-access control cards, RFID tags and ID cards), their supporting ‘back-end’ IT systems may still have inherent flaws.

A spokesperson for DN Systems said, “…RFID tags are always an integral part of a larger IT system and should be seen in this context. Given a compatible RFID reader device, anyone can freely read and modify data stored on these RFID tags without the legitimate owner even being aware of it. RFID auditing tools like RFDump can be used to explore the weaknesses of existing RFID infrastructures.”

Is on-tag encryption a cause for concern?
Certain RFID tags carry something called ‘on-tag encryption’. DN Systems argue that this approach is inherently vulnerable to unauthorised access and modification. ‘On-tag’ encryption simply means that the code used to access the RFID device’s data is stored on the device itself. (In this respect, it would be a little like writing down the PIN code for a new credit card somewhere on the surface of the card – duh!)

Some suggest that with the right equipment it is possible to break the encryption on such devices.  Using a software package such as ‘RFDump’, DN Systems suggest the information contained within the RFID device can be manipulated.

The ‘Mifare Classic’ chip (used in public transport systems and building access control across the globe – even today?) appears vulnerable to this sort of probing.

DN Systems have this to say on the matter, “At the Chaos Computer Congress 2007 Karsten Nohl from the University of Virginia presented the results of his research. Nohl had analyzed the Mifare chip layer by layer under an electron microscope and reverse engineered significant parts of its proprietary encryption logic revealing major design flaws showing how easy it is to break the chip’s security features. With the dollar amount of the ticket directly stored on the tag, ticketing systems based on this chip, like the Oyster Card in London or the Charlie Card in Boston, are at risk. An attacker could attempt to either clone a ticket or change its value to gain illegal access to the service provided. Similar cloning and tampering scenarios apply to other open loop applications as well, including hotel key cards, ski lift and event tickets, electronic payment systems and the electronic passport.”

But that was then – this is now…
The ‘Mifare Classic’ chip emerged way back in 1994 and has since been superseded by improved products with so-called “light-weight cryptography” solutions for the RFID element.

Today’s RFID chips contain approximately 15,000 secure ‘gates’, although DN Systems is keen to stress that, “…only a fraction of these are available to implement crypto functionality, the rest is required to implement the tag’s state. Strong private key crypto systems on the other hand require at least 20,000 – 30,000 gates alone when implemented in hardware.”

What the above would appear to suggest (to this layperson at least) is that in order to deliver a 100% secure solution a designer would require more ‘gates’ than commercially available RFID tags currently provide. Therefore, whilst recent developments – i.e. since the ‘Mifare Classic’ – have made our ‘contactless’ experience far more secure, there is still further to go.

Some perceived RFID vulnerabilities
Ranked in no particular order of importance, what follows is an overview of common perceived RFID vulnerabilities:

  • RFID Cloning: Here the target RFID device (often a tag) is probed for vulnerabilities, and once compromised a duplicate is made. This identical copy allows the perpetrator access to a secure area (i.e. a cloned door-entry pass) or the prospect of introducing non-authorised products into an operation’s supply chain. Another tactic would be to manipulate the value of goods, via cloned item tags, when shopping. This phenomenon has been dubbed “Cyber Shop-lifting”.
  • Malicious Code Injection: In this scenario, the aim of the perpetrator is to introduce a virus into the RFID device, which once read seeks to corrupt or crash an associated ‘back-office’ IT support system. The main aim is to cause disruption or ‘hack’ into a secure area – such as a database. What, you don’t believe the databases of major corporations can be ‘hacked’? Well, here’s an overview of some of the more staggering database ‘hacks’ over the last decade.
  • Man in the middle: Here the perpetrator seeks to trick users into presenting their RFID-enabled device to a non-authorised reader. The goal is to decrypt certain information during this electronic transaction that might provide useful keys for performing other attacks in due course.
  • Electronic eavesdropping / Skimming information: This subject has already been explored at length elsewhere on this blog: https://contactless.wordpress.com/2011/06/11/eavesdropping-attacks-on-high-frequency-rfid-tokens/
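The ‘Malicious Code Injection’ item above turns on one design point: the back-office system must treat whatever bytes the reader returns from a tag as untrusted input. The Python below is an added example (not code from this blog or from DN Systems) contrasting a door-access lookup that splices the tag payload straight into its SQL with one that first checks the payload looks like a UID and then binds it as a parameter; the table, names, UIDs and payloads are all constructed for the illustration.

```python
import re
import sqlite3

# Constructed sample back-office table: which tag UID belongs to whom and
# which area that holder may enter. Names and UIDs are invented.
SAMPLE_TAGS = [
    ("04A1B2C3D4E5F6", "alice", "server-room"),
    ("04FFEEDDCCBBAA", "bob", "lobby"),
]

# Constructed payloads as a reader might hand them to the back end: a genuine
# UID, and the text someone wrote into a rewritable tag to hit the database.
GENUINE_PAYLOAD = "04FFEEDDCCBBAA"
HOSTILE_PAYLOAD = "' OR '1'='1"

# A 7-byte ISO 14443 UID rendered as exactly 14 upper-case hex digits.
UID_RE = re.compile(r"^[0-9A-F]{14}$")

# Rejected payloads land here so the back office can see tampered tags
# being presented (in a real deployment this would be a log sink).
AUDIT_LOG = []


def make_db():
    """Build the in-memory access-control table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (uid TEXT PRIMARY KEY, holder TEXT, area TEXT)")
    conn.executemany("INSERT INTO tags VALUES (?, ?, ?)", SAMPLE_TAGS)
    return conn


def lookup_unsafe(conn, payload):
    """'Before': the tag payload becomes part of the SQL text, so whatever is
    stored on the tag is executed as part of the query."""
    sql = "SELECT holder, area FROM tags WHERE uid = '" + payload + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, payload):
    """'After': accept only payloads that look like a UID, then bind the value
    as a parameter so the database never interprets it as SQL."""
    uid = payload.strip().upper()
    if not UID_RE.fullmatch(uid):
        AUDIT_LOG.append(payload)
        return []
    return conn.execute(
        "SELECT holder, area FROM tags WHERE uid = ?", (uid,)
    ).fetchall()


def door_opens(conn, payload, door, lookup):
    """The decision a reader's controller actually needs: does this tag
    open this door, according to the given lookup routine?"""
    return any(area == door for _, area in lookup(conn, payload))


if __name__ == "__main__":
    conn = make_db()
    print("genuine, unsafe  :", lookup_unsafe(conn, GENUINE_PAYLOAD))
    print("hostile, unsafe  :", lookup_unsafe(conn, HOSTILE_PAYLOAD))  # every row
    print("genuine, hardened:", lookup_hardened(conn, GENUINE_PAYLOAD))
    print("hostile, hardened:", lookup_hardened(conn, HOSTILE_PAYLOAD))
    print("server-room opens for hostile tag, unsafe lookup  :",
          door_opens(conn, HOSTILE_PAYLOAD, "server-room", lookup_unsafe))
    print("server-room opens for hostile tag, hardened lookup:",
          door_opens(conn, HOSTILE_PAYLOAD, "server-room", lookup_hardened))
    print("audit log:", AUDIT_LOG)
```

With the unsafe lookup the hostile tag matches every row, so it opens a door it was never issued for; the hardened lookup returns nothing and records the attempt.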

The above vulnerabilities should not be read as proof that all RFID devices will be compromised in due course.  Nor should we fear a new crime wave at this point in time.  Rather, this article seeks to raise awareness that with any new technology come benefits and drawbacks – often in equal measures.

British-based company RFID Protect has positioned itself in this arena as an operation that provides a range of security counter-measures for those seeking to combat some of the above issues.

To learn even more about this fascinating subject or to view the original article visit: http://www.dn-systems.de/technology/risks/

On 8th December 2011, news broke that US police officials had been deployed to North Miami Beach Senior High School to investigate the alleged theft of 2,000 student ID cards. According to a local media outlet, these ID cards contained sensitive personal information on the holder – including each student’s social security number.

Commentators on the situation have said, “…it’s very concerning because it has our social security numbers [on the ID card].”

Some will suggest that this is an excellent example of how any ‘foolproof’ system, (not least one that’s designed to improve security for its participants), is only 100% effective until the moment when something goes wrong.

Expect the unexpected – these are words to live by.

The original article can be found at:  BayPay Forum

____________________

And the trend continues…

According to Alien Vault Labs, the U.S. Defense Department ‘Common Access Cards (CAC)’ and Windows smart cards are now being targeted by a new variant of the already infamous Sykipot malware. Re-engineered in March 2011, this new variant has ‘raised the bar’ – with dozens of attack samples evident over the past 12 months. The malware would appear particularly interested in government agencies, and a view has been expressed elsewhere that China may be behind this development – since a main goal in these attacks is to access information specifically from the US defense sector. (Smart cards are in common use across the US Defense sector as a means of identifying employees and allowing them access to facilities or services.)

Alien Vault Labs explain how these attacks work by stating, “…the attackers use a spear phishing campaign to get their targets to open a PDF attachment which then deposits the Sykipot malware onto their machine. Then, unlike previous strains, the malware uses a keylogger to steal PINs for the cards. When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. The malware is controlled by the attackers from the command & control center.”

You can read the full report here: Alien Vault Labs

Once again this news adds weight to the growing argument that as encryption systems improve, those of a criminal disposition will raise their game accordingly. There’s probably nothing to worry about for the moment (unless you’re in the US defense industry?), but just to be on the safe side, why not avoid potential mayhem and consider a low-cost ‘anti-skim’ sleeve for that new ‘contactless’ credit or debit card, such as those that can be purchased from RFID Protect.

Flashback to 2005 for a moment, and witness the arrival of new advice for the US banking sector concerning how best to marshal its risks in respect of online e-payments.  This guidance came from none other than the Federal Financial Institutions Examination Council (FFIEC) – an interagency body of the United States government empowered to prescribe uniform principles, and standards, across all US financial institutions.

Now fast forward to the present day.  Digital security expert, Adam Dolby of Gemalto, recently made the following comments,

“…the 2005 guidance was stricter than its predecessor because most banks had failed to take action. The FFIEC was hoping the banks would self-regulate, but that didn’t happen!”

It now transpires that rather than acting upon the FFIEC guidance, many key players within banking instead opted for a ‘minimum compliance’ approach, or in simple terms – ‘what can we get away with’.  So, if our banks are reluctant to spend money on payment authentication, and on-line security, then it’s perhaps not unreasonable to form the view that losses through fraudulent activities are merely absorbed by the banks; i.e. it’s just the price of doing business on-line.

Dolby continues:

“…when we rolled out internet banking we educated people and told them it was safe, protected behind firewalls and secure socket layers. And now everyone thinks it’s safe.”

It’s an interesting statement, one that hints at ongoing security threats for e-payments, ones which the banks are not necessarily equipped to counteract. Movie fans may draw parallels with the Brad Pitt and Edward Norton film ‘Fight Club’. In the movie, Norton’s character talks about how automotive giants determine whether a car should be recalled once found unsafe.

Edward Norton: A new car built by my company leaves somewhere travelling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, (A), multiply by the probable rate of failure, (B), multiply by the average out-of-court settlement, (C).

A x B x C = X.

If X is less than the cost of a recall, we don’t do one.

Woman on plane: Are there a lot of these kinds of accidents?

Edward Norton: You wouldn’t believe.

Woman on plane: Which car company do you work for?

Edward Norton: A major one.

So when your bank tells you that a new ‘contactless’ payment card is 100% secure, perhaps you’ll keep in mind their track record for ‘security’ and their approach to acting on the advice of independent regulators such as the FFIEC. There’s probably nothing to worry about, but just to be on the safe side, why not avoid potential mayhem and consider a low-cost ‘anti-skim’ sleeve for that new ‘contactless’ credit or debit card, such as those that can be purchased from RFID Protect.

This article makes reference to an original story in Digital ID News: