New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second (softpedia.com)
An anonymous reader writes from a report via Softpedia: "A criminal group going under the name of The CC Buddies is selling a hi-tech device on the Dark Web that's capable of copying details from contactless debit cards if held as close as eight centimeters away from a victim's card," reports Softpedia. The device, named Contactless Infusion X5, is extremely dangerous because it can copy up to 15 bank cards per second, something that may come in handy if a crook is going through a crowd at a concert or through a crowded subway cart. The device can collect data such as the card's number and expiration date. If the debit card's RFID chip stores information such as the card holder's name, home address, and a mini statement, X5 can steal that data as well. The X5 is sold on the Dark Web for only 1.2 Bitcoin (~$825), and its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.
antenna (Score:2)
Re: (Score:3)
Bus, train, bar, concert, elevator, I'm in plenty of situations where I get closer than 8cms to others. If every one of those people I could scam $99 from, I'll be a millionaire by the end of the month.
Re: (Score:2)
Umm... public transport? Just get into a subway in a moderately important city during early morning rush. Plenty of targets.
Re: (Score:2)
Re: antenna (Score:2)
Or put it somewhere people often open their wallets.
Re: (Score:2)
You can't isolate the RFID signal.
Why not?
Re: (Score:3)
You can, the protocols include collision avoidance.
It's more likely down to the inverse square law - every time you double the range, you need to quadruple the output of your transmitter to maintain the same signal intensity.
Re: (Score:2)
Same result as holding two PayPass cards over the reader: neither will work.
That's just a poor implementation, or a deliberate decision on the part of PayPass to avoid confusion over which card is used. The protocols for contactless smartcards include collision avoidance, you should in theory be able to present a whole stack of them and only read the one you want, or read all of them sequentially.
Re: (Score:2)
and only read the one you want
And how is the machine supposed to know which one you want?
In other news the sun is hot. (Score:5, Informative)
My initial reaction is duh. I have software on my phone for security audits that allows me to do the exact same thing. Only it's not meant to do 15 cards a sec. This is how contactless cards work. Maybe the PCI should just start listening to security professionals and do away with these things?
Re: (Score:2, Interesting)
Or maybe we should start listening to security professionals and understand the threat model. We had this same brown pants moment with RFID passports.
The data you can read wirelessly is not supposed to be secure. You might like it to be, but it's not designed that way. Only the payment part is secure, and this device doesn't clone that.
Re: (Score:2)
The question is why is the card number and expiration date being broadcast free and clear? Especially with card companies actually saying that these cards "can't be cloned". It doesn't matter if the secure portion can't be cloned if you're handing out the rest like candy.
Re: (Score:2)
There are several possibilities:
1) This device simply initiates up to 15 purchases per second from nearby cards. Totally possible but mostly harmless.
2) It's a scam.
The latter is most l
Re:In other news the sun is hot. (Score:5, Informative)
Well, what really happens is this.
When you read the card, you get the card number and expiry date. It's not good enough to actually do a chip/contact payment, but the information is enough to do a swipe transaction. If you can print a card, and have an old enough store that still uses a mechanical imprinter (the big thing that you put the card in, a slip and slide the slider back and forth that imprints the slip). Or of course, you use it for online shopping.
What happens then is up to the merchant and its bank - if the bank is smart, they will realize the card used supports chip or contactless, and the terminal supports it, and rejects the transaction wanting a chip or contactless.
Online stores and even in-person transactions often require the CVV if you swipe them, as well. (The CVV value is not stored on chip or in the magstripe - it's designed to verify that you have physical access to the card).
Actual payments require a challenge-response - the chip contains a secret only known to it and the bank which never leaves the card.
So you likely can use it for a few transactions which still do swipes and don't check CVVs, but that's about it.
Re: (Score:2)
Online stores and even in-person transactions often require the CVV if you swipe them, as well.
On-line stores have to ask for the CVV. It's been a while since I ran my own business, but back then we were explicitly forbidden from capturing the CVV for in-person transactions. The idea is that nobody has it but the physical card holder.
I do admit to being puzzled by this story though. If the wireless conversation between a contactless card and any kind of reader carries enough information for the card to be cloned, then the design is terminally broken. It's not as if the necessary crypto techniques
Re: (Score:3, Informative)
OK. Few things
1. There are lots of CVVs. There are several places cards store a few extra digits. In each case at first they were the same digits, and then banks realised "Oh crap" the digits from one place can be copied to elsewhere. So a modern card _should_ use different values for each CVV. In particular, there's the CVV physically printed on the outside of the card for a human operator (sometimes called CVV2 and used to verify Card Not Present e.g. over the phone or Internet) and a CVV stored on the ma
Re: (Score:2)
Here in Argentina my terminal (swipe, obviously card-present) always asks for CVV when using credit, and for some cards, it also asks for the last 4 digits on the front.
Maestro debit only requires a PIN. Visa debit requires nothing.
Chip cards haven't really been implemented even though for the last few years all terminals I've seen have a smartcard slot. Only a handful of clients (people with Platinum or Black cards) have cards with chip. My bank says this is because they only issue those cards upon request
Re: (Score:2)
Here in Argentina my terminal (swipe, obviously card-present) always asks for CVV when using credit, and for some cards, it also asks for the last 4 digits on the front.
Maestro debit only requires a PIN. Visa debit requires nothing.
Chip cards haven't really been implemented even though for the last few years all terminals I've seen have a smartcard slot. Only a handful of clients (people with Platinum or Black cards) have cards with chip. My bank says this is because they only issue those cards upon request (indirectly: they ask if you travel abroad often, and if you do, they give you one of those cards. Gotta pinch those cents!)
What I find amusing by this is that the Caribbean and Latin America was supposed to switch to chip based transactions only about 2-3 years ago. I don't know of any gateway in the region that actually uses chip, though.
Re: (Score:2)
I can do transactions with chip. I tried swiping a chip card and it told me to put it in the chip reader. I use a Verifone VX520 and the service is provided by POSNET (owned by Mastercard). It also worked that way when I had LAPOS (owned by Visa).
Re: (Score:2)
I can do transactions with chip. I tried swiping a chip card and it told me to put it in the chip reader. I use a Verifone VX520 and the service is provided by POSNET (owned by Mastercard). It also worked that way when I had LAPOS (owned by Visa).
Ahh I knew that FirstData had an EMV Capable processor for Latin America and the Caribbean and I see that POSNET is owned by FirstData (at least the website says that it is a FirstData company). Interesting. Thanks for the info.
Re: (Score:2)
Depends on the implementation of the online or physical check out. I've checked out recently online where the CVV was not required. I've also checked out at local businesses, usually very small shops, restaurants, or doctors offices, where they looked at and entered the
Re: (Score:2)
Depends on the implementation of the online or physical check out. I've checked out recently online where the CVV was not required. I've also checked out at local businesses, usually very small shops, restaurants, or doctors offices, where they looked at and entered the CVV most likely because they were using a virtual terminal.
Amazon never asks for the CVV on a transaction. They assume extra risk by neglecting to ask for the CVV. There is no requirement per se, but there is a fraud liability shift if you do not ask for enough information to authenticate the user.
Re: (Score:2)
On-line stores don't have to ask for the CVV.
FTFY. They can to help eliminate fraud, but it's not required. I've implemented several online transaction systems. You can allow the payment to go through even if the CVV and address verification both fail - you're just a lot more likely to have to deal with fraud.
Re: (Score:2)
Re: (Score:2)
In some cases you can get away with not having the card at all. Terminals have support for manually entering details if the card fails to swipe for some reason. You just need to convince the merchant to type the number in that you have memorized.
Worked well enough for a local thief after obtaining a friend's card number. The bank spotted the odd transactions, my friend searched online for the store's details and the idiot came back again trying to repeat his earlier success.
Totally would have gotten away w
Re: (Score:2)
My terminal allows for this, only for credit (because debit cards here don't have embossed digits). It's for when the magstripe fails to read. You have to enter the digits manually but the transaction is still done online (it will still dial up and connect to the bank). And you need the CVV.
If the transaction is approved, it prints a much longer receipt which you have to put over the card and rub with the side of a pencil or something over the digits so that they get transferred to the paper (no need for p
Re: (Score:2)
In the USA maybe. Some countries not only have support for manual entry if the mag stripe fails, but also no longer have provision for mag fallback. My most recent card doesn't even have a mag stripe on it anymore.
The avenues for using copied cards are rapidly diminishing in much of the world ... except for the USA.
Re: (Score:2)
Basically if you disconnect a terminal it will go into offline mode, requiring manual authentication (id card + signature). If the unit completely breaks down then a manual imprinter can be used instead. Most stores have one (stored away someway), but people probably don't know how to use it any more.
Re: (Score:2)
Well, what really happens is this.
When you read the card, you get the card number and expiry date. It's not good enough to actually do a chip/contact payment, but the information is enough to do a swipe transaction. If you can print a card, and have an old enough store that still uses a mechanical imprinter (the big thing that you put the card in, a slip and slide the slider back and forth that imprints the slip).
Yep, this would work if you found a store that did this, still. Or a store that runs its swipe transactions offline. In this day and age you'd be hard pressed to find someone who does offline auths. You could use it to buy free beer on a plane but it would get denied by the issuer once the auth is run. EMV Capable contactless cards use a token for the card number and it would be obvious that the data was from a contactless interface.
Or of course, you use it for online shopping.
Nope. You cannot use it for online shopping. The track 2 equivalent d
Re: (Score:2)
Re: (Score:2)
The PIN is the decryption key (or the key for the decryption key, most likely). The chip will only unlock if you enter the right PIN. If you enter the wrong PIN too many times it will lock itself for good.
Re: (Score:2)
The PIN is NOT stored on the card, it's in the back-end system.
At least that's how the European cards work.
Too many tries and the card is blocked by the back-end system so it's no idea to change to another terminal.
Re: (Score:2)
In the US back in the late '90s when I was working with related stuff (automated pay systems for gas pumps), not only was the PIN not on the card, but debit terminals had to encrypt the PIN in the keypad. The keypad had an encryption key (and sometimes all its firmware too) injected into RAM by the bank or clearinghouse or whoever, and was potted to prevent tampering. If its battery ran out, too bad, get a new keypad.
Apparently in those days, Europe must not have encrypted the PIN like that, because that w
Re: (Score:2)
It depends, some NFC cards are weakly protected. There are cards with better protection but I wouldn't be surprised if they are cracked as well.
I did play around with a NFC reader once and was able to break into a weak card in a matter of seconds. It was one of the public transport fare cards.
Many entry systems also use the same technology, and cloning such a card would also be pretty simple.
Re: (Score:3)
Maybe the PCI should just start listening to security professionals and do away with these things?
And why wouldn't they? Because they figured that when the technology did fail that they could pawn the losses off onto somebody else. As long as we pass laws that make it impossible for these losses to ever be passed off onto the victims (i.e. the customers and the merchants) and be sure that there is swift and effective remedy for any fraud, then the banks and credit cards will make damn sure they listen to security experts in the future.
Our problem is not a deficiency in technology and know how, it's a de
Re: (Score:2)
Maybe the PCI should just start listening to security professionals and do away with these things?
Yeah, they should totally listen to an AC that hasn't actually looked up how these things really work.
Re: (Score:2)
Re: (Score:2)
My initial reaction is duh. I have software on my phone for security audits that allows me to do the exact same thing. Only it's not meant to do 15 cards a sec. This is how contactless cards work. Maybe the PCI should just start listening to security professionals and do away with these things?
Or envelopes for contactless cards, which advertise as preventing any card reading, will be booming soon. Another way to make money but from different vendors...
Re: (Score:2, Informative)
Except apparently for the fact that there are still quite a number of transactions which you can do with just the card number today. So no point in cloning it apart from the tens of millions of pounds you can get in your bank account if you have a gang of people doing it for you. Apart from that, no point at all. Let's move on to something important like the latest hack for WoW or some photo "accidentally" leaked from some Kardasian phone or something.
Just as a random plug, I have a Koruma [koruma.co.uk] RFID blocking
Re: (Score:2)
Just as a random plug, I have a Koruma [koruma.co.uk] RFID blocking wallet which I got years ago and it's still going fine.
I don't carry a wallet, not doing so cured my back pains when I was much younger. Just what's required in my back pocket.
I've fallen for the hype of being scanned, not helping are the TV's commercialism of those type of wallets (scan blocking) - so just in case...
I wrap my RFID chip embedded cards in an aluminum foil packet I made up. The trick is being able to access it quickly and not looking like a dork :).
Re: (Score:2)
I don't carry a wallet, not doing so cured my back pains when I was much younger
You're absolutely right about the wallet and back pain. It's a no brainer once you think about the fact we were not designed to sit on a tilt or else we would have started out tilted. But it took me years and years to discover the obvious. Now my back problems are all gone.
As for the solution to these issues of cyber fraud, we just have to figure out what obvious thing that we are overlooking. And when we do, and stop it, it will be a problem solved.
Re: (Score:2)
Re: (Score:2)
Also, I just gotta say, your tagline had me rolling on the floor. I am definitely putting it on my list of the truly hilarious. Perhaps, I'm twisted, but that's a real laugh.
Re: (Score:2)
...The trick is being able to access it quickly and not looking like a dork :).
If you're that worried about looking like a dork, then you're not a geek. Time to hand in your membership card. ;-)
Re: (Score:2)
Don't do that, he's going to clone it!
Re: (Score:2)
Doesn't contain the CVV number and most websites require that.
I bought mine (Score:2)
Re: (Score:3)
What is to worry... they have a money back guarantee
Re: (Score:3)
Contactless payment ! (Score:2)
Re:Contactless payment ! (Score:5, Funny)
Since my bank refused to disable it on my card, I used the high tech solution of hole punch through the antenna
Re: (Score:2)
A microwave oven works for this also.
Re: (Score:2)
Most of the contactless payments nowadays use one form of authentication or another, using either secret keys and/or public/private keys, and those secret/private keys loaded on the card are not obtainable by normal means.
Re: (Score:2)
The best remedy would be to have a fake card in your wallet that gives away useless data when probed.
Re: (Score:2)
Look for this logo:
http://www.brandsoftheworld.co... [brandsoftheworld.com]
With the move to chip cards, most companies are doing away with contactless, it seems.
Re: (Score:2)
Disclaimer: this happens in France, I have no idea how the contactless ship is sailing anywhere else. But we have had chips for as long as I can remember, and contactless just got added recently. A bunch of people jumped on it: payment terminal slowly gets it, automated vending machines too.
Of course, it is as secure as anywhere else (read: not) but that didn't stop the adoption. Thankfully by law banks are obligated to either provide a card without contactless payment or provide a w
Re: (Score:2)
I wouldn't be so sure. Disclaimer: this happens in France, I have no idea how the contactless ship is sailing anywhere else. But we have had chips for as long as I can remember, and contactless just got added recently. A bunch of people jumped on it: payment terminal slowly gets it, automated vending machines too. Of course, it is as secure as anywhere else (read: not) but that didn't stop the adoption. Thankfully by law banks are obligated to either provide a card without contactless payment or provide a way to disable it, but still it's growing. Now, they could probably change the contactless protocol to use the same protocol as actual contact payment, including PIN and EMV validation, but that would get in the way of usability, and between security and ease of use, it seems that even money isn't safe. We had a relatively secure thing: physically put the card in the reader, enter PIN. Takes a few seconds, opposed to... the few seconds it takes for contactless to kick in. But it's not shiny anymore I guess.
They do use EMV for contactless these days. The card data is dynamic and generated on each transaction based on the unpredictable number supplied by the terminal at the time of the transaction. The problem is that there is no one standard for contactless EMV. Each brand has a slightly different implementation and the certification process is a nightmare compared to contact. You can use online PIN validation of contactless transactions, too. That is up to the merchant or acquiring bank to enable through
Re: (Score:2)
Being contact-less does not systematically mean that the card relinquishes all data. NFC/RFID is able to wirelessly supply power to support a secure microcontroller and two-way secure authentication/encryption to prevent man-in-the-middle attacks. Companies simply chose not to implement it this way for some stupid reason.
Plain wireless ((EE)P)ROM is fine for anti-theft tags and basic identification but not wireless payments or other applications that require intrinsic trust.
Comment removed (Score:4, Funny)
Re: (Score:2)
My last smartphone didn't come with a cable OR a charger. Fuck you HTC. ;)
Maybe your "smartphone" is too smart to use a charger.
Re: (Score:2)
I'd rather phones didn't come with chargers, TBH. I have enough already and now USB is standard the only reason to get a new one is if there is some new feature like faster charging. I'll buy one if I need one.
The ones they throw in just add to the cost and often suck anyway.
Uh-huh. (Score:5, Funny)
Sure.
Just send the bitcoin, and you'll get the completely illegal and fraud inducing device sent by random strangers to a street address of your choice.
This in no way is a honeypot OR a scam. I mean, why would it be, right?
Too short (Score:2)
The only person who gets within a penis length of my wallet is me.
Re: (Score:2)
You mean half a penis length?
perfectly secure! (Score:5, Informative)
Don't worry, the banks are working hard to solve this security hole... by telling anyone who will listen that these cards are secure, and sticking their fingers in their ears any time anyone says any different.
My bank graciously offered to turn off the feature on my card, from their end, not mine. Which, if you know anything about how these hacks work, means that they're willing to take away all the convenience of the feature, while carefully maintaining the security risks on my card. I declined and cut the antenna instead.
Right now in Canada it is almost impossible to get a credit card without this security hole baked in. They all have it, they brag about it. And worse yet, if someone does manage to clone the card, the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions, after all, the security on the cards is perfect, so you must have authorized it.
Re: (Score:2)
Because from the bank's point of view it is secure. These cloned cards can't be used to make transactions, only get your name and transaction history. If your bank is particularly dumb it might have your address too. They don't care about that though, it's not part of their threat model.
Re: (Score:2)
Do you work for the bank? You're spreading their lies for them.
There have been many proofs of concept showing making credit card transactions with the data from cloned cards. A simple Google search will turn up news reports and plenty of videos.
Re: (Score:2)
They all have it, they brag about it. And worse yet, if someone does manage to clone the card, the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions, after all, the security on the cards is perfect, so you must have authorized it.
So you actually have any examples of this or are you extrapolating from your imagination? The banks claim it to be secure because from your perspective it is, they cover the risk of it being used fraudulently because contactless is only available for small transactions and only by merchant accounts. If any silliness happens they can trace it exactly to the perpetrator, and pull the money back. Contactless cards have been in active use in Europe for years now without the world ending like you imagine.
Re: (Score:2)
So it's ok if people steal $100 at a time from you? It's not ok if they steal it from me.
And you don't need a merchant account to use a cloned card, you go to the store and buy things, only you use someone else's card.
If you haven't heard of any examples, you haven't been paying attention. Try a simple Google search.
I didn't say the world would end, just that fraud would be a problem. And it is.
Re: (Score:2)
As has been said before in this thread, you can't meaningfully duplicate the card using this method, you're missing vital bits of information. So you can't take someone's card details this way and do any buying against it - you can't make another contactless card, and you can't do online stuff because you will fail CVV, address verification and VBV. You could, I suppose, make a swipable card. Nowhere in Europe takes that anymore, and it's considered very suspicious by the bank and will get your card blocked
Re: (Score:2)
Wrong again!
There are many examples out there of exactly this. Duplicating cards using these scanners. It's been done many many times.
You shilling for the banks doesn't do anyone any favours.
The "bad guy" can, and has in the past, buy stuff with your card.
The bank WILL NOT reverse the charge, because they believe the same lies that you do that it's not possible to duplicate the cards, and therefore claim that the fraud must be on the part of the cardholder. This too has happened already, with the fraud vict
Re: (Score:2)
Well, you should really look up definitions for words like "shill" before you throw them around like that.
I don't see how this is possible. Perhaps it is, but since you have provided no evidence, and searching I can see nothing credible, I'm gonna keep believing how I understand the system to work rather than believe someone random on the internet.
Re: (Score:2)
Don't worry, the banks are working hard to solve this security hole... by telling anyone who will listen that these cards are secure, and sticking their fingers in their ears any time anyone says any different.
Yeah, it's that much of a threat that I can't even remember a time in Australia that I owned a credit card that wasn't a tap & pay card.
That's at least 14 years. It hasn't caused an explosion in fraud here.
In fact, now my bank even has an NFC payment option baked into any system that also does Tap & Pay that uses NFC on my Android phone to pay without even having the card. I haven't carried a wallet for nearly 6 months now - all I need is a phone.
Re: (Score:2)
14 years? I didn't think it'd been quite that long? Some googling suggests that the first Australian bank to introduce contactless/tap payment was the CBA with a NSW trial in 2006 [commbank.com.au]. Still, wow, the years are flying by.
Re: (Score:2)
NFC on your phone is secure, because it's only active when the phone is in use.
NFC on your credit card is a security hole you can drive an oceanliner through because the card is ALWAYS on and people don't even have to touch it, or you, to get a copy of your card.
Re: (Score:2)
the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions,
I wasn't aware of any country in the west, even the arse backwards (as far as banking goes) USA where the bank can hold you liable for fraudulent transactions.
Re: (Score:2)
Just wait until they tell you that the transaction is not fraudulent because you made it and you're lying. Because after all, the card can not be cloned, so the only explanation is that you made the transactions.
There was a news report out of somewhere in Europe a few years back where this exact situation happened, and the victim of the fraud was actually arrested because the credit card company insisted the card was so secure that the only explanation was that he was complicit in the fraud.
Re: (Score:2)
Just wait until they tell you that the transaction is not fraudulent because you made it and you're lying. Because after all, the card can not be cloned, so the only explanation is that you made the transactions.
I don't need to wait. I've been through the process. File a stat dec and then it's up to the other party to prove that you didn't make the charges. There are far more straight forward cases too where they are liable for. Heck in my last case I even ticked every box that sounds scary enough to be a case against you:
- Did you lose the card? No
- Do you have the card with you? Yes
- Do you place purchases online? Yes
and about 6 other ones. Even then you still get refunded, and frankly fraud is often child's play
Re: (Score:2)
Can't do that in Canada, chip cards must be used chip and pin. The chip does both contactless (ridiculously insecure) and chip & pin (the best security you can get on credit cards); destroying one destroys the other.
This problem has created an entirely new line of (Score:3)
products: https://www.google.ca/#q=rfid+... [google.ca]
QED.
Simple Fix (Score:2)
Re: (Score:2)
Yes, because you don't have to input the PIN for small amounts, at least around here the limit is ~$30 (200 DKK) before you have to type the pin. So it's still quicker, plus the contacts don't wear out.
RFID sleeve? (Score:2)
Will an RFID sleeve stop this from happening?
Re: (Score:2)
The RFID protocol has provisions to detect and mitigate collisions between multiple cards. If multiple cards try to respond at the same time, there is a random per-card delay before each card attempts to respond again and the reader can use that to enumerate cards that are within range until it finds the one it wants. Having multiple cards in range will merely slow down the enumeration process.
In my wallet, I simply put a stainless steel eraser stencil in the card pocket between my bank and credit cards.
Re: (Score:2)
It's the intelligence of the reader - our library scanner can read multiple cards simultaneously, because it's only a one way transaction. So it's perfectly possible to read.
The problem in a POS environment is they need to charge the transaction to one card only. Picking a random card in the customers wallet isn't appropriate.
This whole thing is nonsense anyway. The reader will only show the publicly available info which is the 16 card number and expiry. No CCV and No customer name. It's of no use
almost got one but... (Score:3)
Operating System compatibility:
-Microsoft WHQL 2000, XP, Vista, 7, 8, 10, Server 2003, Server 2008, Server 2008 R2, Server 2012
I'll wait for the linux port. ;)
Clone is an exaggeration (Score:4, Interesting)
Re: (Score:2)
An NFC chip would be extremely difficult to clone. They might be able to scrape some information off the NFC that is made public but it is highly doubtful that includes the PIN, the CVV2, the address or possibly even the name of the person. The NFC itself would implement challenge response so that wouldn't be much use either. It's not even obvious to me why point of sale terminals would even need to see what's on the magstripe but perhaps there is a reason. The obvious fix is if a payment card exposes this info then it should obfuscate it, or better yet not expose it at all. Whatever edge case requires it might not be a sufficient reason given any potential for theft.
With modern EMV capable NFC cards, the track 2 data is dynamic and generated every transaction based on an unpredictable number supplied by the terminal. You would not be able to replay a transaction unless your transaction was approved offline.
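The replay protection described in the comment above, as an added example that is not part of the original thread and not EMV's actual algorithm: a card computes a per-transaction cryptogram over the terminal's unpredictable number and its own transaction counter, and an online issuer check rejects replays and forgeries made from static card data alone. Assumptions: HMAC-SHA256 stands in for the 3DES/AES-based cryptograms mentioned elsewhere in the thread, and all names, field sizes, the card number and the key handling are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def cryptogram(key: bytes, un: bytes, atc: int, amount_cents: int) -> bytes:
    """MAC over terminal nonce, card counter and amount (stand-in for an EMV cryptogram)."""
    msg = un + atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    pan: str
    expiry: str
    _key: bytes          # shared with the issuer, never sent over the air
    atc: int = 0         # application transaction counter

    def read_static(self) -> dict:
        # What a passive read of the contactless interface can obtain.
        return {"pan": self.pan, "expiry": self.expiry}

    def sign(self, un: bytes, amount_cents: int):
        # The counter advances on every transaction, so no two cryptograms match.
        self.atc += 1
        return self.atc, cryptogram(self._key, un, self.atc, amount_cents)


@dataclass
class Issuer:
    keys: dict                                  # pan -> card key
    last_atc: dict = field(default_factory=dict)

    def authorize(self, pan, un, atc, amount_cents, cg) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        expected = cryptogram(key, un, atc, amount_cents)
        if not hmac.compare_digest(expected, cg):
            return "DECLINE: bad cryptogram"
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINE: replayed counter"
        self.last_atc[pan] = atc
        return "APPROVE"


def demo() -> dict:
    key = secrets.token_bytes(16)
    card = Card("4000000000000002", "12/30", key)   # constructed test values
    issuer = Issuer({card.pan: key})
    results = {}

    # 1. Genuine transaction: terminal supplies an unpredictable number (constructed here).
    un1 = bytes.fromhex("a1b2c3d4")
    atc1, cg1 = card.sign(un1, 1500)
    results["genuine"] = issuer.authorize(card.pan, un1, atc1, 1500, cg1)

    # 2. The identical message submitted a second time: counter already seen.
    results["replay_same"] = issuer.authorize(card.pan, un1, atc1, 1500, cg1)

    # 3. Captured cryptogram presented to a terminal that issues a fresh nonce.
    un2 = bytes.fromhex("0badf00d")
    results["replay_new_un"] = issuer.authorize(card.pan, un2, atc1, 1500, cg1)

    # 4. Only the static data is known; without the card key the MAC cannot be produced.
    static = card.read_static()
    guess = cryptogram(secrets.token_bytes(16), un2, atc1 + 1, 1500)
    results["static_only"] = issuer.authorize(static["pan"], un2, atc1 + 1, 1500, guess)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The issuer check models online authorization; as the comment notes, a transaction approved offline never reaches this check at the time of purchase.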
Re: (Score:3)
Maybe. Maybe not.
Remember that these chips are extremely low power low speed.
They have to perform usually a cryptographic hash of some input they are passed with their secret key. The algorithm used is not a fully secure algorithm like what would be used in https, it's not NIST approved etc. They are custom algorithms designed to be done by a very simple processor very quickly and are orders of magnitude easier than AES or SHA.
All of the previous chips have so far been cracked after researchers studied the chip, and reverse engineered the encryption algorithm, which are then studied by cryptographers.
A huge part of the security is that no one except one company, actually knows the encryption algorithm and it's extremely difficult for anyone to figure it out, as they would have to somehow view and reverse engineer the silicon circuit by physical inspection.
Hmmmm why are none of these encryption attacks listed by the research team at Cambridge [emvlab.org] then? There are certainly attacks but none based on the cryptography that I know of. Do you have links? And you know that these smart cards have circuits designed for cryptography and that the latest chips actually do 2048 bit RSA encryption used by the terminal to validate that the card has not been cloned? But you're right, they can't even do basic 3DES or AES or even SHA on those cards...
Re: (Score:2)
Maybe. Maybe not.
Remember that these chips are extremely low power low speed.
They have to perform usually a cryptographic hash of some input they are passed with their secret key. The algorithm used is not a fully secure algorithm like what would be used in https, it's not NIST approved etc. They are custom algorithms designed to be done by a very simple processor very quickly and are orders of magnitude easier than AES or SHA.
Incorrect. Card cryptograms are generated with either 3DES or AES. You can see full details here: https://www.emvco.com/specific... [emvco.com]. Specifically, you want to look at Annex A of EMV 4.3, Book 2, "Security and Key Management".
Note that many of the card issuing networks define their own variations on the EMV specifications, but they all comply with the general framework, algorithms, etc.
As for the nature of the processors, most contactless smart card chips today are 32-bit CPUs running at around 40 MHz, w
Re: (Score:2)
To top that off, many modern security-oriented chips implement HMAC and AES in hardware, which uses even less power and is orders of magnitude faster still. Doing one complete round of AES3 takes thousands of cycles on a CPU but can be collapsed into a single step process in hardware using a fraction of the silicon of a 32bits CPU.
Re: (Score:2)
I actually mentioned the coprocessors :-)
Though... I'm not aware of any devices that have HMAC-SHA256 or similar in a coprocessor. That's part of the reason why many protocols use AES or 3DES for what amounts to hashing, because it's much, much faster.
A decade late? (Score:2)
"RFID/NFC blocking" wallets are all the rage these days. That is a far bigger scam than this product, which is simply far too late. The only contactless payment method I have is my phone now, after my last contactless card expired a few years ago. I haven't seen a PayPass or payWave card in years, but average people see the chip in their card and believe it doesn't require contact for some reason (My parents and some older doctors I know went full on tinfoil hat when they first got them before I corrected t
Re: (Score:2)
From the VISA Website "If your card is lost or stolen you should notify your bank as soon as possible. If anyone has fraudulently used your contactless card to make a payment, providing you take reasonable precautions to protect your card and let your bank know as soon as you realise it’s gone, you will not be responsible for any losses incurred (subject to your bank’s terms and conditions)."
In other words you are not responsible for any losses. Provided you report it lost as soon as you realis
Dark Web? Really? (Score:2)
Is there some reason we're now using this term? Maybe it's just me, but it really sounds entirely Hollywood.
Can we just say internet? Or web?
What we're seeing around here (Score:2)
Around here we have people that will walk into a mall with a scanner and just stick it on people's wallet pocket or purse. When security is alerted, they just leave. Security says they weren't doing anything illegal.
As far as I know, any US vendor taking a fraudulent swipe or imprint transaction owns the loss as the bank/cc company won't stand behind a non chip transaction. This scanner won't help anyone make a chipped card. It's rare to have information like the card holder's name be accessible in this ma
Re: (Score:3)
Re: (Score:2)
How can you arrange 15 cards on every second within a 8 cm radius?
When cell phones first came with Bluetooth, security required one to disable it.
It was possible to sit in a busy area of a mall and collect all the contacts of those with enabled bluetooth.
15 cards every second within an 8 cm radius, one would surely come across as suspicious of doing something dubious.
Re: (Score:3)
It's impossible to read the secret keys over any interface of the card. So those cloning devices at most are reading what normally a contactless terminal can read from a card, meaning those cloned cards will fail all the offline and online CAM (card authentication method) since none of the relevant keys (ICC Private Key, nor the Application Cryptogram secret key) can be read.
Unlike traditional magnetic stripe cards, chip cards have robust security built in; most of the security breaches are not from counterfe
Re: (Score:2)