Russian POS Pickpocket Generates New Interest In RFID-Blocking Wallets (thestack.com) 109
An anonymous reader writes: A Facebook post depicting a man apparently stealing from commuters by tapping a POS reader against them unobserved on public transport caused a sensation on Facebook before being removed earlier today. The provenance of the photo is uncertain, but unnamed authorities have said that it was taken in Russia. Since this type of opportunistic street theft requires a merchant business account through which any transactions would be easily traceable, the question arises as to how such acts of fraud are being made profitable. Comments on the matter have brought up anew the topic of RFID-blocking wallets as necessary everyday security.
Russian POS? (Score:4, Insightful)
A Russian piece of shit pickpocket? No need for attacking other countries today.... all pickpockets are pieces of shit.
Re: (Score:2)
A Russian piece of shit pickpocket? No need for attacking other countries today.... all pickpockets are pieces of shit.
Point of Sale.... piece of shit, that is.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
RFID (Score:5, Insightful)
who said this is a good idea the first place?
Contact-less payments are dumb, and lead to precisely this kind of abuse. I mean it could be a simple confirmation, a single swipe on the screen or something (when talking about smartphone based payments). And contact-less keys can simply have a button you have to press before unlocking.
Re: (Score:2)
Banks, store owners, governments... pretty much anybody who isn't on the paying end of RFID.
Count of hands... who here did NOT see this coming?
How to quickly blow the RFID chip? (Score:2)
Re: (Score:2)
An icepick is what I used when I had a card like that. A ball peen hammer might do less exterior damage.
The ballpeen hammer is for use on the pickpocket.
Re: (Score:1)
The local Walmart's card slide reader won't even read the strip on chipped cards. They only work in the chip slot. I don't know if the teller has some sort of override available, maybe.
If it's at Wally World it will be everywhere eventually.
Re: (Score:1)
Card with chip is NOT the same as RFID
Bump this up, it's important!
Re: (Score:2)
Banks, store owners, governments... pretty much anybody who isn't on the paying end of RFID.
Count of hands... who here did NOT see this coming?
The bank / store owners eat the payment errors, not the user. If they think it's a good idea and will take the risk then presumably they think it is secure enough.
Re: (Score:2)
As a user you have to spot the error and report it. If the amount of money stolen is small enough, you likely won't notice.
They eat the error only AFTER damage has been done.
It's little consolation if you get your money back after a few months, meanwhile being unable to make purchases.
Lots of people life on a budget that fluctuates around zero.
Correcting a mistake afterwards is not the same as now allowing mistakes in the first place.
It's like being the victim of burglary; the insurance company will "eat th
Re: (Score:2)
1. One (or maybe two) person needs to notice this type of crime to reverse all the charges. Once they;ve identified a dodgy actor the whole account is stopped.
2. If the amount is so small that you dont notice chances are you're not on the edge
3. It takes one phone call and the charge is immediately reversed.
4. The amount you can take contactless is limited to relatively small, I think it's less than £20.
5. (most importantly) This system is already in widespread use. You're not critiquing a probable fu
Re: (Score:2)
The odder thing about this is kind of attempted fraud is the question - where does the money go?
It can't go to an arbitrary account because the POS device is tied to a merchant. You need a merchant account at the bank (you can't just use your retail account for this). So the first time this is noticed, everyone involved should be trivially identifiable. The money HAS to go through the merchant's account.
Re: (Score:2)
Yeah, this is why it's the stupidest fraud possible. It *will* get noticed and the person is easy to track down.
Re: (Score:2)
Re: RFID (Score:2, Insightful)
That is the new standard coming to the us. All other countries that have it, say it is more secure. The change in law, made the business eat any other false charges. Not the credit card company. I expect to see fewer cards accepted by businesses as the false positives aggregate. After all, pay five ormore percent per transaction, and nothing for it? Or cash, check, with a 1% surcharge? Interesting. Or maybe a business could go back to a customer loyalty card, and start rewarding their customers instead of t
Re: (Score:2)
Re: (Score:3)
Actually this kind of protection (confirmation, fingerprint swipe, lock pattern, etc) are already used with NFC payments.
My Galaxy Note requires it for contactless purchases.
Re:RFID (Score:4, Insightful)
The story is bullshit.
Look at the photo in TFA. The item in the guys hand is clearly not what they think it is. It's a phone. The button colours and shape don't match the POS terminal depicted.
In any case, even if it was real, it would be a really, really dumb way to steal money. For the POS terminal to work, you have to have an account set up. That means vetting (okay, might be weak in Russia) and a paper trail. The money has to go into an account somewhere. That's why you don't see many "fallen off a lorry" scammers using POS terminals.
Re:RFID (Score:4, Informative)
Nope. The object in his hand looks just like the contactless payment (combined with chip and pin) devices that are all over the place (in the UK anyway). Granted it doesn't look like the telepower device on the right side of the picture but certainly DOES look like a contactless payment device.
This doesn't rule out the story being BS for all the other reasons you give like needing to be tied to a traceable account...
Re: (Score:2)
Nope. The object in his hand looks just like the contactless payment (combined with chip and pin) devices that are all over the place (in the UK anyway). Granted it doesn't look like the telepower device on the right side of the picture but certainly DOES look like a contactless payment device.
This doesn't rule out the story being BS for all the other reasons you give like needing to be tied to a traceable account...
You dont need a card reader, you just need any NFC enabled device. Here's an app for any NFC enabled Android phone that reads card information [google.com], its censored because it's a demonstration, but the source code is available, or you could just follow the spec's available on Visa and Mastercards websites.
The problem is that the information sent wirelessly isn't unique to contactless payment schemes. In fact it's everything on the front of your card (name, exp date and card number) which is all you need to make
Re: (Score:2)
The problem is that the information sent wirelessly isn't unique to contactless payment schemes. In fact it's everything on the front of your card (name, exp date and card number) which is all you need to make online transactions. So walking around a shopping centre with an antenna is an ideal way to anonymously collect card numbers.
This, while true, is also mostly irrelevant The NFC card will still generate an ARQC that uniquely validates the transaction based on a key present on the chip which the attacker cannot gain without gaining the card.
The data can only be used online if the attacker has the CVV2 from the back of the card, which is never transmitted.
That card could be cloned and used via magnetic stripe but again you don't have the CVV1 (which is on the magnetic stripe and won't be transmitted via NFC because it uses another v
Re: (Score:3)
Please google "Pine Labs' iWL220", and compare to the picture from the subway. It's a GPRS-enabled POS-device.
Look familiar? Being a Daily Mail story should put up a red flag, "may contain shitty editing and journalism".
But yeah, getting such a setup probably isn't hard in Russia, using a fake identity and then shifting money around accounts.
Re: (Score:3)
It's not an iWL220, the body colour and buttons below the screen are different. The buttons below the screen are the standard up/down scroll buttons on Nokia-clone brick phones.
Well, okay, to be fair the photo is crap so we can't be 100% sure either way.
Re: (Score:2)
The item in the guys hand is clearly not what they think it is. It's a phone.
Right, one of those phones with red, yellow, and green buttons on the bottom that I see everyone carrying.
Re:RFID (Score:4, Interesting)
I've been using contactless payments for well over a decade now, and I love it. All buses, minibuses, trams, trains, ferries in Hong Kong take the contactless Octopus card for payment. No fuss with exact change (buses don't give change) or buying single ride tickets. Just swipe and move on, payment done in a fraction of a second. Use them for small payments in convenience stores and supermarkets, vending machines, etc. Many car parks are Octopus-only even.
I have also never heard about any (large scale) fraud with these cards. I really don't know the ins and outs on how fraud is prevented, but obviously it works well. These cards were introduced some 20 years ago and pretty much everyone has one. There have been several technology upgrades which all have been seamless from the user pov.
So I really can't say they're dumb. They're awesome. Wouldn't want it otherwise, it's just too big a big PITA to have to deal with all those small payments in cash.
Re: (Score:2)
Re: (Score:2)
OP was talking about "contactless payments" in general. That's what I responded to - just to show that it can work, and can work really well and securely.
Re: (Score:2)
The reason there isn't much fraud is that to receive the money you have to have a merchant account. Getting a merchant account means going through various security checks. There is a big paper trail so the risk of being caught if very high. Much easier to just steal cash or card details to be used online.
It's worth noting that there are two separate systems in use here. You have stored value cards that you load up and they store the current balance. They are commonly used on public transport systems (Suica/
Re: (Score:2)
Octopus is stored value - which may be linked to a credit card for automatic recharges.
Other possible forms of fraud would be to change the balance on the card (and travel for free) or to create fake cards altogether. None seems to happen.
Re: (Score:2)
I really don't know the ins and outs on how fraud is prevented, ...
Awesome.
So I really can't say they're dumb.
Nor can you say they're smart, since you (admittedly) have no idea what you're talking about.
it's just too big a big PITA to have to deal with all those small payments in cash.
This has NOTHING to do with the questions at hand. Contactless versus something-that-requires-contact-or-verification. Mag stripes would fulfill your requirements.
Skimming a contactless card via RFID can (more-or-less**) obtain all the same information they would get from swiping the mag stripe, but they don't need to touch your card. That is one of the larger problems with that setup.
Please note, this has l
Re: (Score:2)
You obviously don't know what you're talking about, at all. At least I admit I don't know HOW fraud is prevented, but I do know THAT IT IS prevented.
Magnetic strips (as indeed used before the contactless) is too slow and cumbersome. Way too slow. Now I walk through the gate without stopping, instead of having to stop and fiddle with the card. Instead I just leave it in my wallet and swipe the whole thing (or what others do is swiping a hand bag, or mobile phone pouch, or a watch with built-in Octopus chip,
Re: (Score:2)
Thats because a single standard has never been widely deployed. Nor has it had direct access to credit card numbers.
Paypaas/wave are the same the world over. Unlike Oyster/Octopus and other schemes that use a GUID as an identifier, Paypass/wave use the card number, name and expiry date... So basically everything you need to make transactions on the internet. Theives are not interested in making $30 transactions in person (that's a
Re: (Score:2)
But.... but... the convenience! My freedom for CONVENIENCE!
Re: (Score:2)
Hate to break it to you but this system has been in wide use for years now without any real issues - the bank takes the risk because they know that anyone taking payments has to have a merchant account and are tracable if they start acting up. It's a very stupid criminal that tries to steal this way, it's doomed to end in trouble for them.
Re: (Score:2)
"Contact-less payments are dumb, and lead to precisely this kind of abuse. "
Obligatory Fanboy Neener: If you're going to carry around a contactless payment device, make sure it's one that requires a fingerprint for authorization and that not even the FBI and the NSA can hack.
Re: (Score:2)
who said this is a good idea the first place?
Contact-less payments are dumb, and lead to precisely this kind of abuse. I mean it could be a simple confirmation, a single swipe on the screen or something (when talking about smartphone based payments). And contact-less keys can simply have a button you have to press before unlocking.
If contactless payments were using a unique GUID just for contactless then it would merely be dumb.
However it actually sends your card number, expiry date and name (everything on the front of the card and all you need to start making transactions online) so it's actually the heir to the throne of the kingdom of stupid.
In a few years, contactless will be a thing of the past because the cost of fraud will be so high they'll be forced to replace everyone's card.
The whole contactless thing originated w
Whats the news? (Score:2)
"Credit cards that you simply wave at a reader save time and are a boon for visitors to London. But they can also raid your bank account invisibly" (11 Nov 2014)
http://www.telegraph.co.uk/fin... [telegraph.co.uk]
or from slashdot back in 2012 "Android App Lets You Steal Contactless Credit Card Data" (June 21, 2012 )
http://it.slashdot.org/story/1... [slashdot.org]
Whats the new news AC? The risks of some of the newer cards and bank services have been in the tech media for years and been rep
Re:Whats the news? (Score:4, Insightful)
You brought up something that's been troubling me: this increasing desire by business to make all too easy for paying without thought. They want people impulse buy. Apple is the biggest offender. In order to create an Apple ID on an IOS device you must give a payment method - you have to use a desktop system via the web to create an ID without a payment option. Why? They want people to impulse buy songs and apps.
Roku does the same thing "for your convenience". I had their customer no-service people waive that requirement after having to listen to their bullshit how it's for "my convenience". It's idiotic that I even have to create an account with them to use the fucking thing since the streaming goes direct to the content provider.
And of course, if there's a mistaken billing or fraudulent (many channels on Roku's service say they're free by when you click on them, a message pops up saying that they are charging me - it's a great thing I did not give them my payment information!!), good luck getting the money back.
And unlike cash when you lose it, you just lost that, these electronic payment systems allow for thieves to clear you out and it takes weeks to get your money back or in the case of a credit card, you will find yourself SOL in case you're traveling.
Until the financial services industry cleans up it's act, these types of payment systems shouldn't be allowed or forced on us.
Re: (Score:2)
Re: (Score:2)
I have long known about this one (Score:5, Insightful)
The "getaway" is that they are leaving with the goods. If the store doesn't get paid, it doesn't matter.
This completely end runs the entire smart card encryption and every other security measure on the card. It is just a pair of repeaters that are extending the range of the card from 3cm to potentially miles.
I suspect that there are timeouts on the cards but if the repeaters don't induce much lag the speed of light should not add much. Still, depending on how generous these timeouts have been set, it may be possible to fire these signals through an LTE pair of phones giving the pickpockets an international range.
In theory a pickpocket could be having the signals relayed in a nice message queue fashion to a series of people waiting at automated checkouts. So the pickpocket could walk down a train while a small group of purchasers ring transaction after transaction through. Assuming a $100 limit per purchase not only could the pickpocket feed an easy 20 cards from a single train, but he could wait a few minutes before returning for a second pass down the train making it appear that the users were making a second purchase, and then a third and a fourth.
Doing the math that could net $2,000 per pass with maybe 3 possible passes before the pinless swipe limit were hit.
Then step out and do the next train car. Now we are looking at no less than $10,000 in goods per hour during rush hour.
This is assuming that it isn't one long train. If it is a train where you can walk the length of a crowded train it could potentially be 100 cards in a single run if the queuing system is properly organized.
When I first saw someone swipe a card without a pin this scheme popped into my head. I have just been waiting the years since for it to become public.
I suspect the fix won't be that easy because merely being less generous with the timeouts will probably exceed the capabilities of many cards and many machines, causing them to become unreliable.
Re: (Score:2)
Re: (Score:2)
This has been demonstrated with mobile phones that have NFC, reading cards in the US and making transactions in the UK.
Re: (Score:1)
It's actually really difficult to run relay attacks over any kind of distance due to latency. There's a few papers on it, I found one with a brief google: https://eprint.iacr.org/2010/228.pdf [iacr.org]. The technology they used was Bluetooth, they considered and discarded SMS and GPRS/3G as having too high a latency to meet the NFC spec.
Australian banks rolled out contactless payments years ago, there's been concern on and off since, but no major incidents reported. The kind of attack pictured in the photoshopped art
Re: (Score:2)
Re:Remove the chip (Score:4, Interesting)
Even easier - just cut horizontally into the card from the right hand side about 2-3cm. It severs the antenna but the card is still usable in all non contact devices.
Ooops (Score:3)
That should read non contactless devices!
Re: (Score:3)
The cards are just about translucent enough that a bright LED torch can show you just where the antenna loop goes so you can pinpoint exactly where to cut or drill. Make sure you have a NFC app on your smartphone to check that you could read the card details before you cut or drill the card and cannot do so afterwards. Probably best to avoid the mag stripe as well. I might suggest a 1 or 1.5 mm drill in the top right corner as you look at the front of the card, with the center point of the hole being about
Re: (Score:2)
Microwave on high for 10 seconds, works like a charm. You can even throw your iPhone in for a quick charge too!
My solution .. USA based cards (Score:3)
I was in Australia over Christmas with my brand spanking new USA based credit cards (from major bank and CC companies) .. which have barely have chips in them. I was buying some stuff in a shop one day and handed over my credit card and the assistant took my card, looked at it, paused for a second and then finally said with an incredulous tone .. "Oh .. I have to swipe this, don't I".
Talk about an abject lesson in how backwards my CC was.
Re: (Score:2)
Re: (Score:2)
My local credit union just sent me a new card a month ago and it doesn't have a chip in it.
Re: (Score:2)
But but .. its contactless! (Score:2)
It must be good because it saves Joe Dumbfuck from having to remember his PIN and spending 5 secs entering it!
Seriously , if the banks and stores had suddenly suggested bring out a system whereby you just shove your card in the slot but don't need to bother to enter your PIN any more for the shop syphons off your cash there would have been an outcry. But because its contactless - Oooo! Magic! - no one seems to Get It.
Disable the 'tap' (Score:1)
Those tap transactions are insane, I disabled that functionality on all my cards the moment I found out that it became possible to tap my debit cars and have money taken from my debit account. Had to call the banks for that.
As to how this guy does it, I don't know for sure, if I was doing it I suppose I would use stolen merchant accounts to run purchase transactions that would end up buying bitcoins or something, cannot come up with anything better on the spot, I have to deal with merchant accounts and pay
Re: (Score:2)
An idea from a few posts above:
His co-conspirator is in a store about to pay for something. Their phones are linked to relay the RFID communications from the POS terminal between them. The terminal thinks it's communicating with the phone (or a modified card, linked to a phone) in the shopper's hand, but it's actually communicating with a card at a remote location.
I have no idea if this would actually work. I would hope that the terminals at least enforce a minimum communication time delay but there probabl
Can we find another term for "POS"? (Score:4, Insightful)
When I first read the headline it was "Russian Piece of Shit Pickpocket Generates Interest in RFID-Blocking Wallets"
I know it's "Point of Sale", but too many years of experience with the other version of the acronym has conditioned me to read it a certain way with often, as in this case, coming up with a different interpretation of a statement.
Re: (Score:1)
If you've ever worked on "Point of Sale" software you'll know that there really is no difference.
Re: (Score:2)
:^)
Re: (Score:2)
If you've ever worked on "Point of Sale" software you'll know that there really is no difference.
Real shit is usually fresher.
Re: (Score:2)
When I started working in the head office of a supermarket chain the first few meetings were quite confusing with the bullet point presentation mentioning POS transactions etc. :D
Re: (Score:1)
Sure, why not, how about Payment Integration Terminal Apparatus?
So tired (Score:2)
Swiping a little piece of plastic to get my big gulp and bag of funyums is just too difficult and time-consuming for me. Thank god these benevolent companies have given me a way I can save 0.8 seconds in my important, busy day. Because you know, all those little 0.8 seconds whenever I want to buy something in my day add up and drain my life away. Why, if you add up all the time I waste by having to swipe my card, it could add up to as much as maybe three or four seconds a day.
Now excuse me while I go che
I'm from the government (Score:1)
I'm here to help you.
Correlation (Score:4, Informative)
"the question arises as to how such acts of fraud are being made profitable."
"Comments on the matter have brought up anew the topic of RFID-blocking wallets as necessary everyday security."
Seriously? You weren't able to see that relation?
Read your own text slowly. This time, try to think while you read.
Ok. I'm not sure you'll manage it. Let's try a simpler with the key words in bold:
"OMG! How will anyone make a profit out of this?!" followed by "It's time to buy an RFID-blocking wallet!"
RFID protection for wallets? (Score:2)
Saw these a lot since around 2009 in Japan.
how such acts of fraud are being made profitable? (Score:2)
easy. set up a company and a merchant account with the passport data of some homeless guy or from a stolen passport (takes only a few days), grab as much money as you can and disappear.
this is how most russian scams are operated.
I never understood this (Score:2)
I never understood the "need" for contactless payments....is it so hard to buy stuff without pressing a confirmation button? Do you buy so much stuff that the time saved not pressing a button or whatever would really benefit you?
Seriously, I never understood this...yes, I know that at its heart it's meant to make it easier to buy something in the hopes that you'll buy more useless shit, but do people really see this as some truly beneficial feature?
Re: (Score:2)
Re: (Score:2)
Sure, it is a benefit, (clearly, arguable how big it is but it's obviously easier) and since the risk isn't on your end, it's with the banks why should you care?
The payment-taker has to have a merchant account so as soon as they are caught, all the payments are reversed, and then boys are sent around his house to sort-'im-out. There is minimal risk and this has been running quite successfully in EU countries for *years* now.
Why aren't all wallets RFID blocking now? (Score:1)
Why aren't standard wallets RFID blocking now? I got snagged on an out of state trip around 3 or 4 years ago. I don't know exactly how, but I assume it was someone with a scanner in the TSA line at the airport. Ever since I used one of those hard plastic RFID blocking wallets when I travel or go somewhere with long security lines. A few months ago I switched to an everyday leather RFID blocking wallet. I got one from Hammer Anvil on Amazon, but there's other brands out there too. The thing is smaller
that's a bit harsh (Score:1)
Look, I know pickpockets are not the nicest of people--they are petty criminals, after all--but to call them a POS is a bit harsh, isn't it?
Can this work without PIN? (Score:2)
For phones, at least they require some kind of authentication first. Don't chip & PIN cards require at least the PIN?
Apparently Global Entry thinks there's a threat (Score:2)
Merchants R Us (Score:1)
How well do they work? (Score:2)
The last wallet I bought claims to block RFID. I tested it at work and found that it blocked the POS reader in the coffee bar, but not the entry card reader on the door, which doesn't exactly inspire confidence. Perhaps the sort of low-powered device 'pickpockets' are likely to use would also be blocked, but there's no way to be sure. Do the manufacturers actually test these things?
Lots of RFID wallets around (Score:1)
One in three payments? I doubt it. (Score:2)
One of my banks sent me a contactless card last year. But that's OK, because that account I only ever use for online purchases, and the card never leaves the living room. I'm not even sure how you