Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Bitcoin Privacy Security Communications Network Networking Software The Almighty Buck The Internet News Hardware Technology

New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second (softpedia.com) 193

An anonymous reader writes from a report via Softpedia: "A criminal group going under the name of The CC Buddies is selling a hi-tech device on the Dark Web that's capable of copying details from contactless debit cards if held as close as eight centimeters away from a victim's card," reports Softpedia. The device, named Contactless Infusion X5, is extremely dangerous because it can copy up to 15 bank cards per second, something that may come in handy if a crook is going through a crowd at a concert or through a crowded subway cart. The device can collect data such as the card's number and expiration date. If the debit card's RFID chip stores information such as the card holder's name, home address, and a mini statement, X5 can steal that data as well. The X5 is sold on the Dark Web for only 1.2 Bitcoin (~$825), and its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.
This discussion has been archived. No new comments can be posted.

New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second

Comments Filter:
  • Is there a way to increase the range with an antenna or something? 8cm is kind of a short range, even at a concert........
    • 8cm is enough if that's all you require to get free money.
      Bus, train, bar, concert, elevator, I'm in plenty of situations where I get closer than 8cms to others. If everyone of those people I could scam $99 from, I'll be a millionaire by the end of the month.
  • by Anonymous Coward on Monday June 13, 2016 @08:56PM (#52312087)

    My initial reaction is duh. I have software on my phone for security audits that allow me to do the exact same thing. Only it's not meant to do 15 cards a sec. This is how contactless cards work. Maybe the PCI should just start listening to security professionals and do away with these things?

    • Re: (Score:2, Interesting)

      by AmiMoJo ( 196126 )

      Or maybe we should start listening to security professionals and understand the threat model. We had this same brown pants moment with RFID passports.

      The data you can read wirelessly is not supposed to be secure. You might like it to be, but it's not designed that way. Only the payment part is secure, and this device doesn't clone that.

      • The question is why is the card number and expiration date being broadcast free and clear? Especially with card companies actually saying that these cards "can't be cloned". It doesn't matter if the secure portion can't be cloned if you're handing out the rest like candy.

    • by Cyberax ( 705495 )
      No, you can't do it with bank cards. They actually do challenge-response authentication with the bank with the secret key sealed inside the cheap, so simply listening or getting public info gets you nothing. You _might_ be able to clone insecure RFID access cards as used by turnstiles at various locations, but that's it.

      There are several possibilities:
      1) This device simply initiates up to 15 purchases per second from nearby cards. Totally possible but mostly harmless.
      2) It's a scam.
      The latter is most l
      • by tlhIngan ( 30335 ) <slashdot AT worf DOT net> on Tuesday June 14, 2016 @01:30AM (#52313175)

        Well, what really happens is this.

        When you read the card, you get the card number and expiry date. It's not good enough to actually do a chip/contact payment, but the information is enough to do a swipe transaction. If you can print a card, and have an old enough store that still uses a mechanical imprinter (the big thing that you put the card in, a slip and slide the slider back and forth that imprints the slip). Or of course, you use it for online shopping.

        What happens then is up to the merchant and hits bank - if the bank is smart, they will realize the card used supports chip or contactless, and the terminal supports it, and rejects the transation wanting a chip or contactless.

        Online stores and even in-person transactions often require the CVV if you swipe them, as well. (The CVV value is not stored on chip or in the magstripe - it's designed to verify that you have physical access to the card).

        Actual payments require a challenge-response - the chip contains a secret only known to it and the bank which never leaves the card.

        So you likely can use it for a few transactions which still do swipes and don't check CVVs, but that's about it.

        • by johnw ( 3725 )

          Online stores and even in-person transactions often require the CVV if you swipe them, as well.

          On-line stores have to ask for the CVV. It's been a while since I ran my own business, but back then we were explicitly forbidden from capturing the CVV for in-person transactions. The idea is that nobody has it but the physical card holder.

          I do admit to being puzzled by this story though. If the wireless conversation between a contactless card and any kind of reader carries enough information for the card to be cloned, then the design is terminally broken. It's not as if the necessary crypto techniques

          • Re: (Score:3, Informative)

            by Anonymous Coward

            OK. Few things

            1. There are lots of CVVs. There are several places cards store a few extra digits. In each case at first they were the same digits, and then banks realised "Oh crap" the digits from one place can be copied to elsewhere. So a modern card _should_ use different values for each CVV. In particular, there's the CVV physically printed on the outside of the card for a human operator (sometimes called CVV2 and used to verify Card Not Present e.g. over the phone or Internet) and a CVV stored on the ma

          • by hjf ( 703092 )

            Here in Argentina my terminal (swipe, obviously card-present) always asks for CVV when using credit, and for some cards, it also asks for the last 4 digits on the front.

            Maestro debit only requires a PIN. Visa debit requires nothing.

            Chip cards haven't really been implemented even though for the last few years all terminals i've seen have a smartcard slot. Only a handful of clients (people with Platinum or Black cards) have cards with chip. My bank says this is because the only issue those cards upon request

            • Here in Argentina my terminal (swipe, obviously card-present) always asks for CVV when using credit, and for some cards, it also asks for the last 4 digits on the front.

              Maestro debit only requires a PIN. Visa debit requires nothing.

              Chip cards haven't really been implemented even though for the last few years all terminals i've seen have a smartcard slot. Only a handful of clients (people with Platinum or Black cards) have cards with chip. My bank says this is because the only issue those cards upon request (indirectly: they ask if you travel abroad often, and if you do, they give you one of those cards. Gotta pinch those cents!)

              What I find amusing by this is that the Caribbean and Latin America was supposed to switch to chip based transactions only about 2-3 years ago. I don't know of any gateway in the region that actually uses chip, though.

              • by hjf ( 703092 )

                I can do transactions with chip. I tried swiping a chip card and it told me to put it in the chip reader. I use a Verifone VX520 and the service is provided by POSNET (owned by Mastercard). It also worked that way when I had LAPOS (owned by Visa).

                • I can do transactions with chip. I tried swiping a chip card and it told me to put it in the chip reader. I use a Verifone VX520 and the service is provided by POSNET (owned by Mastercard). It also worked that way when I had LAPOS (owned by Visa).

                  Ahh I knew that FirstData had an EMV Capable processor for Latin America and the Caribbean and I see that POSNET is owned by FirstData (at least the website says that it is a FirstData company). Interesting. Thanks for the info.

          • by cdrudge ( 68377 )

            On-line stores have to ask for the CVV. It's been a while since I ran my own business, but back then we were explicitly forbidden from capturing the CVV for in-person transactions. The idea is that nobody has it but the physical card holder.

            Depends on the implementation of the online or physical check out. I've checked out recently online where the CVV was not required. I've also checked out at local businesses, usually very small shops, restaurants, or doctors offices, where they looked at and entered the

            • On-line stores have to ask for the CVV. It's been a while since I ran my own business, but back then we were explicitly forbidden from capturing the CVV for in-person transactions. The idea is that nobody has it but the physical card holder.

              Depends on the implementation of the online or physical check out. I've checked out recently online where the CVV was not required. I've also checked out at local businesses, usually very small shops, restaurants, or doctors offices, where they looked at and entered the CVV must likely because they were using a virtual terminal.

              Amazon never asks for the CVV on a transaction. They assume extra risk by neglecting to ask for the CVV. There is no requirement per se, but there is a fraud liability shift if you do not ask for enough information to authenticate the user.

          • On-line stores don't have to ask for the CVV.

            FTFY. They can to help eliminate fraud, but it's not required. I've implemented several online transaction systems. You can allow the payment to go through even if the CVV and address verification both fail - you're just a lot more likely to have to deal with fraud.

          • by tlhIngan ( 30335 )

            On-line stores have to ask for the CVV. It's been a while since I ran my own business, but back then we were explicitly forbidden from capturing the CVV for in-person transactions. The idea is that nobody has it but the physical card holder.

            I do admit to being puzzled by this story though. If the wireless conversation between a contactless card and any kind of reader carries enough information for the card to be cloned, then the design is terminally broken. It's not as if the necessary crypto techniques are

        • In some cases you can get away with not having the card at all. Terminals have support for manually entering details if the card fails to swipe for some reason. You just need to convince the merchant to type the number in that you have memorized.

          Worked well enough for a local thief after obtaining a friends card number. The bank spotted the odd transactions, my friend searched online for the store's details and the idiot came back again trying to repeat his earlier success.

          Totally would have gotten away w

          • by hjf ( 703092 )

            My terminal allows for this, only for credit (because debit cards here don't have embossed digits). It's for when the magstripe fails to read. You have to enter the digits manually but the transaction is still done online (it will still dial up and connect to the bank). And you need the CVV.
            If the transaction is approved, it prints a much longer receipt which you have to put over the card and rub a with the side of a pencil or something over the digits so that they get transfered to the paper (no need for p

          • In the USA maybe. Some countries not only have support for manual entry if the mag stripe fails, but also no longer have provision for mag fallback. My most recent card doesn't even have a mag stripe on it anymore.

            The avenues for using copied cards are rapidly diminishing in much of the world ... except for the USA.

        • by fuzzyf ( 1129635 )
          It's still used as backup.

          Basically if you disconnect a terminal it will go into offline mode, requiring manual authentication (id card + signature). If the unit completely breaks down then a manual imprinter can be used instead. Most stores have one (stored away someway), but people probably don't know how to use it any more.
        • Well, what really happens is this.

          When you read the card, you get the card number and expiry date. It's not good enough to actually do a chip/contact payment, but the information is enough to do a swipe transaction. If you can print a card, and have an old enough store that still uses a mechanical imprinter (the big thing that you put the card in, a slip and slide the slider back and forth that imprints the slip).

          Yep, this would work if you found a store that did this, still. Or a store that runs its swipe transactions offline. In this day and age you'd be hard pressed to find someone who does offline auths. You could use it to buy free beer on a plane but it would get denied by the issuer once the auth is ran. EMV Capable contactless cards use a token for the card number and it would be obvious that the data was from a contactless interface.

          Or of course, you use it for online shopping.

          Nope. You cannot use it for online shopping. The track 2 equivalent d

        • I'm not sure how they accomplish this, but I know there are hackers in Europe who have figured out how to determine CVVs of US credit cards. I suspect some sort of brute force against an improperly configured local cache somewhere in the validation system. The credit card processing systems we have were created before the internet and contain architectural elements and complexity that would be unnecessary if designed from scratch today.
      • by Z00L00K ( 682162 )

        It depends, some NFC cards are weakly protected. There are cards with better protection but I wouldn't be surprised if they are cracked as well.

        I did play around with a NFC reader once and was able to break into a weak card in the matter of seconds. It was one of the public transport fare cards.

        Many entry systems also uses the same technology, and cloning such a card would also be pretty simple.

    • by Bob_Who ( 926234 )

      Maybe the PCI should just start listening to security professionals and do away with these things?

      And why wouldn't they? Because they figured that when the technology did fail that they could pawn the losses off onto somebody else. As long as we pass laws that make it impossible for these losses to ever be passed off onto the victims (i.e. the customers and the merchants) and be sure that there is swift and effective remedy for any fraud, then the banks and credit cards will make damn sure they listen to security experts in the future.

      Our problem is not a deficiency in technology and know how, its a de

    • Maybe the PCI should just start listening to security professionals and do away with these things?

      Yeah, they should totally listen to an AC that hasn't actually looked up how these things really work.

    • I'd like to see how they are going to get within 8 cm of 15 cards in one second. The author is stupid for making that the headline. The more important point is that it can scan a single card in 1/15th of a second.
    • My initial reaction is duh. I have software on my phone for security audits that allow me to do the exact same thing. Only it's not meant to do 15 cards a sec. This is how contactless cards work. Maybe the PCI should just start listening to security professionals and do away with these things?

      Or envelopes for contactless cards, which advertise as preventing any card reading, will be booming soon. Another way to make money but from different vendors...

  • I bought mine here: https://nkna77c37nculpeh.onion... [onion.cab] I'm sure they will ship it soon. Totally trustworthy.
  • Without any authentication is in my opinion is a "technology waiting for misuse" . So, I'm not surprised.
    • by ewibble ( 1655195 ) on Monday June 13, 2016 @09:58PM (#52312423)

      Since my bank refused to disable it on my card, I used the high tech solution of hole punch through the antenna

    • by Eugene ( 6671 )

      most of the contactless payment nowadays use one form of authentication or another using either secret keys and/or public/private keys. and those secret/private keys loaded on the card is not obtainable in normal means..

    • by Z00L00K ( 682162 )

      The best remedy would be to have a fake card in your wallet that gives away useless data when probed.

  • by Shakrai ( 717556 ) on Monday June 13, 2016 @09:09PM (#52312171) Journal

    its creators say that each buyer will receive the X5 device, a USB cable for charging and data transfers, and 20 blank plastic cards.

    My last smartphone didn't come with a cable OR a charger. Fuck you HTC. ;)

    • My last smartphone didn't come with a cable OR a charger. Fuck you HTC. ;)

      Maybe your "smartphone" is too smart to use a charger.

    • by AmiMoJo ( 196126 )

      I'd rather phones didn't come with chargers, TBH. I have enough already and now USB is standard the only reason to get a new one is if there is some new feature like faster charging. I'll buy one if I need one.

      The ones they throw in just add to the cost and often suck anyway.

  • Uh-huh. (Score:5, Funny)

    by Anonymous Coward on Monday June 13, 2016 @09:46PM (#52312355)

    Sure.

    Just send the bitcoin, and you'll get the completely illegal and fraud inducing device sent by random strangers to a street address of your choice.

      This in no way is a honeypot OR a scam. I mean, why would it be, right?

  • The only person who gets within a penis length of my wallet is me.

  • perfectly secure! (Score:5, Informative)

    by green1 ( 322787 ) on Monday June 13, 2016 @10:07PM (#52312447)

    Don't worry, the banks are working hard to solve this security hole... by telling anyone who will listen that these cards are secure, and sticking their fingers in their ears any time anyone says any different.

    My bank graciously offered to turn off the feature on my card, from their end, not mine. Which, if you know anything about how these hacks work, means that they're willing to take away all the convenience of the feature, while carefully maintaining the security risks on my card. I declined and cut the antenna instead.

    Right now in Canada it is almost impossible to get a credit card without this security hole baked in. They all have it, they brag about it. And worse yet, if someone does manage to clone the card, the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions, after all, the security on the cards is perfect, so you must have authorized it.

    • by AmiMoJo ( 196126 )

      Because from the bank's point of view it is secure. These cloned cards can't be used to make transactions, only get your name and transaction history. If your bank is particularly dumb it might have your address too. They don't care about that though, it's not part of their threat model.

      • by green1 ( 322787 )

        Do you work for the bank? You're spreading their lies for them.

        There have been many proof of concepts showing making credit card transactions with the data from cloned cards. a simple google search will turn up news reports and plenty of videos.

    • They all have it, they brag about it. And worse yet, if someone does manage to clone the card, the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions, after all, the security on the cards is perfect, so you must have authorized it.

      So you actually have any examples of this or are you extrapolating from your imagination? The banks claim it to be secure because from your perspective it is, they cover the risk of it being used fraudulently because contactless is only available for small transactions and only by merchant accounts. If any silliness happens they can trace it exactly to the perpetrator, and pull the money back. Contactless cards been in active use in Europe for years now without the world ending like you imagine.

      • by green1 ( 322787 )

        So it's ok if people steal $100 at a time from you? it's not ok if they steal it from me.

        And you don't need a merchant account to use a cloned card, you go to the store and buy things, only you use someone else's card.

        If you haven't heard of any examples, you haven't been paying attention. try a simple google search.

        I didn't say the world would end, just that fraud would be a problem. And it is.

        • As has been said before in this thread, you can't meaningfully duplicate the card using this method, you're missing vital bits of information. So you can't take someone's card details this way and do any buying against it - you can't make another contactless card, and you can't do online stuff because you will fail CVV, address verification and VBV. You could, I suppose, make a swipable card. Nowhere in Europe takes that anymore, and it's considered very suspicious by the bank and will get your card blocked

          • by green1 ( 322787 )

            Wrong again!
            There are many examples out there of exactly this. Duplicating cards using these scanners. It's been done many many times.

            You shilling for the banks doesn't do anyone any favours.

            The "bad guy" can, and has in the past, buy stuff with your card.
            The bank WILL NOT reverse the charge, because they believe the same lies that you do that it's not possible to duplicate the cards, and therefore claim that the fraud must be on the part of the cardholder. This too has happened already, with the fraud vict

            • Well, you should really look up definitions for words like "shill" before you throw them around like that.

              I don't see how this is possible. Perhaps it is, but since you have provided no evidence, and searching I can see nothing credible, I'm gonna keep believing how I understand the system to work rather than believe someone random on the internet.

    • by CRC'99 ( 96526 )

      Don't worry, the banks are working hard to solve this security hole... by telling anyone who will listen that these cards are secure, and sticking their fingers in their ears any time anyone says any different.

      Yeah, its that much of a threat that I can't even remember a time in Australia that I owned a credit card that wasn't a tap & pay card.

      That's at least 14 years. It hasn't caused an explosion in fraud here.

      In fact, now my bank even has an NFC payment option baked into any system that also does Tap & Pay that uses NFC on my Android phone to pay without even having the card. I haven't carried a wallet for nearly 6 months now - all I need is a phone.

      • by Sabriel ( 134364 )

        14 years? I didn't think it'd been quite that long? Some googling suggests that the first Australian bank to introduce contactless/tap payment was the CBA with a NSW trial in 2006 [commbank.com.au]. Still, wow, the years are flying by.

      • by green1 ( 322787 )

        NFC on your phone is secure, because it's only active when the phone is in use.
        NFC on your credit card is a security hole you can drive an oceanliner through because the card is ALWAYS on and people don't even have to touch it, or you, to get a copy of your card.

    • the bank will insist that it's not possible to do so, and hold you liable for all the fraudulent transactions,

      I wasn't aware of any country in the west, even the arse backwards (as far as banking goes) USA where the bank can hold you liable for fraudulent transactions.

      • by green1 ( 322787 )

        Just wait until they tell you that the transaction is not fraudulent because you made it and you're lying. Because after all, the card can not be cloned, so the only explanation is that you made the transactions.
        There was a news report out of somewhere in europe a few years back where this exact situation happened, and the victim of the fraud was actually arrested because the credit card company insisted the card was so secure that the only explanation was that he was complicit in the fraud.

        • Just wait until they tell you that the transaction is not fraudulent because you made it and you're lying. Because after all, the card can not be cloned, so the only explanation is that you made the transactions.

          I don't need to wait. I've been through the process. File a stat dec and then it's up to the other party to prove that you didn't make the charges. There are far more straight forward cases too where they are liable for. Heck in my last case I even ticked every box that sounds scary enough to be a case against you:
          - Did you lose the card? No
          - Do you have the card with you? Yes
          - Do you place purchased online? Yes
          and about 6 other ones. Even then you still get refunded, and frankly fraud is often child's play

  • I covered a piece of flexible plastic (your average office plastic folder and scissors does the trick) with some aluminium foil that is the same size as a paper note. Then insert the new rfi blocker in the walled like a note. Now the tap and go doesn't work while the card is in the wallet I have to take it out. You can also get special card covers that do the same thing but my solution is cheap and works fine.
  • Will an RFID sleeve stop this from happening?

  • by Gravis Zero ( 934156 ) on Tuesday June 14, 2016 @02:46AM (#52313367)

    Operating System compatibility:
    -Microsoft WHQL 2000, XP, Vista, 7, 8, 10, Server 2003, Server 2008, Server 2008 R2, Server 2012

    I'll wait for the linux port. ;)

  • by DrXym ( 126579 ) on Tuesday June 14, 2016 @06:55AM (#52313949)
    An NFC chip would be extremely difficult to clone. The might be able to scrape some information off the NFC that is made public but it is highly doubtful that includes the PIN, the CVV2, the address or possibly even the name of the person. The NFC itself would implement challenge response so that wouldn't be much use either. It's not even obvious to me why point of sale terminals would even need to see what's on the magstripe but perhaps there is a reason. The obvious fix is if a payment card exposes this info then it should obfuscate it, or better yet not expose it at all. Whatever edge case requires it might not be a sufficient reason given any potential for theft.
    • An NFC chip would be extremely difficult to clone. The might be able to scrape some information off the NFC that is made public but it is highly doubtful that includes the PIN, the CVV2, the address or possibly even the name of the person. The NFC itself would implement challenge response so that wouldn't be much use either. It's not even obvious to me why point of sale terminals would even need to see what's on the magstripe but perhaps there is a reason. The obvious fix is if a payment card exposes this info then it should obfuscate it, or better yet not expose it at all. Whatever edge case requires it might not be a sufficient reason given any potential for theft.

      With modern EMV capable NFC cards, the track 2 data is dynamic and generated every transaction based on an unpredictable number supplied by the terminal. You would not be able to replay a transaction unless your transaction was approved offline.

  • "RFID/NFC blocking" wallets are all the rage these days. That is a far bigger scam than this product, which is simply far too late. The only contactless payment method I have is my phone now, after my last contactless card expired a few years ago. I haven't seen a PayPass or payWave card in years, but average people see the chip in their card and believe it doesn't require contact for some reason (My parents and some older doctors I know went full on tinfoil hat when they first got them before I corrected t

    • by jaseuk ( 217780 )

      From the VISA Website "If your card is lost or stolen you should notify your bank as soon as possible. If anyone has fraudulently used your contactless card to make a payment, providing you take reasonable precautions to protect your card and let your bank know as soon as you realise it’s gone, you will not be responsible for any losses incurred (subject to your bank’s terms and conditions)."

      In other words you are not responsible for any losses. Provided you report it lost as soon as you realis

  • Is there some reason we're now using this term? Maybe it's just me, but it really sounds entirely Hollywood.

    Can we just say internet? Or web?

  • Around here we have people that will walk into a mall with a scanner and just stick it on peoples wallet pocket or purse. When security is alerted, they just leave. Security says they weren't doing anything illegal.

    As far as I know, any US vendor taking a fraudulent swipe or imprint transaction owns the loss as the bank/cc company won't stand behind a non chip transaction. This scanner won't help anyone make a chipped card. Its rare to have information like the card holders name be accessible in this ma

The IQ of the group is the lowest IQ of a member of the group divided by the number of people in the group.

Working...