Contactless cards again! [OT in uk.d-i-y]


N

newshound

By shining a bright LED torch though various MiFARE type cards I can
easily see the aerial wires running round the cards, but on a Barclays
contactless card I can't see anything other than the chip itself ...
Good thinking. Works on two of my site passes but not the third. Can't
spot an obvious aeriel loop on any of my Visa cards, only one of them is
marked contactless enabled. Perhaps it is behind the ferrite stripe or
the tamper proof signature strip? One of the two holograms is "blotchy",
the other is completely opaque.
 
Ad

Advertisements

B

bm

Roger Mills said:
So how do you prove that *you* didn't make the transaction?
It's called "trust" LOL. Some years back someone was pulling from my debit
card, 2 or 3K ish. I didn't know until the statement arrived. Phoned the
bank, told them which payments weren't made by me and they simply refunded.
I maybe had to sign something, can't remember.
 
B

Bob Eager

Roger Mills explained on 20/05/2013 :
This article http://www.bbc.co.uk/news/business-22545804 appears to
vindicate what I have always said about contactless cards.

Not only are they vulnerable to fraud by villains with scanners who
don't need to get close enough to arouse suspicion, but it now seems
that they're also vulnerable to *accidental* use!

I'm very glad that I ditched my CapitalOne card when they insisted [1]
on replacing it with a contactless card.

More and more financial institutions are now using these things, making
it very difficult to avoid unless you do away with credit and debit
cards altogether. I've unfortunately still ended up with one or two,
but they never leave the house and are used only for on-line
transactions.

The sooner the whole idea is re-thought, the better!

[1] Using the very dubious tactic of pretending that my previous card
had been "compromised" (which I'm damn sure it hadn't!) in order to
provide a pretext for needing to issue a new card long before the old
one had expired.
A sheet of cooking foil, in with the notes of your wallet, would
probably be enough to defeat it.
http://www.lessemf.com/fabric.html
 
D

David Woolley

Roger said:
Not insignificant!
I think the reverification policy is actually an issue for the bank,
based on the perceived level of risk. They, or the card, might well
trigger a verification if there were a smaller number of transactions
all very close to the limit, or on a random basis.

In part the amount at risk is chosen to similar to the amount of cash
that might be lost to a pick pocket.
 
Ad

Advertisements

P

polygonum

Mifare is a brand name. Contactless payment cards use the same physical
layer and discovery protocols as Oyster, and can be read and written by
Oyster card terminals. Oyster does use Mifare cards.
Ladies only?
 
M

Martin Brown

Mifare is a brand name. Contactless payment cards use the same physical
layer and discovery protocols as Oyster, and can be read and written by
Oyster card terminals. Oyster does use Mifare cards.
That *is* interesting since Dutch cryptographer at Nijmegen have totally
broken the encryption on Oyster and all the cards of that ilk.

http://www.theregister.co.uk/2008/06/23/dutch_clone_oyster_card/

I presume this particular vulnerability has been patched now.
 
Ad

Advertisements

N

Nightjar

On 20/05/2013 17:44, John Rumm wrote:
....
I seem to recall that my bank wrote to me saying they were going to
issue these things, and to object if you did not want one. I did, and
later they sent one anyway. I wrote and pointed out I had requested not
to have one, and they said basically "tough, its policy now!"
My bank wrote to me to ask if I wanted them and also offered me a
sticker to put on my mobile phone that would work as a contactless card.
I said no to both and my personal cards from that bank are not
contactless, although my business cards from the same bank are.

Colin Bignell
 
D

D.M.Chapman

That *is* interesting since Dutch cryptographer at Nijmegen have totally
broken the encryption on Oyster and all the cards of that ilk.

http://www.theregister.co.uk/2008/06/23/dutch_clone_oyster_card/

I presume this particular vulnerability has been patched now.

No, not really. It's not a massive issue for Oyster as the best you could
do would be to clone a card and use it that day - it would get picked up
overnight in the consolidation runs (if not before, they have some rather
clever pattern detection software). They have other checks in place that
make it tricky.

Mifare Classic cards are compromised now. It's not trivial. They do however
carry various sectors that can be used and if what you put in there is
encrypted then it's not a lot of use without the key to the encryption.

Got a modern smartphone with NFC built it? You can read a mifare card.
Plenty of tools around to crack it. Ebay will supply all the tools and
blank cards. It's pretty simple.

As pointed out, Mifare is a brand though - they have many other cards that
are not (yet) compromised. Mifare DESFire is common (although IIRC, the
original version of those have been broken).

Darren
 
T

Theo Markettos

In uk.d-i-y Roger Mills said:
A carefully placed drill hole should do the trick.

If anyone asks, you drilled it to keep cards on your keychain like those
Tesco Clubcard thingies.

Theo
Do you have a template for where it needs to be drilled? [I assume that
it's not as simple as drilling out the contactless icon].
I've not tried this, but:
http://linuxcentre.net/disabling-contactless-cards

The loop antenna goes around the edge, so any cut sufficiently deep into the
three edges furthest from the chip should do it. However that's not
mechanically stable (ie is liable to turn into a larger tear).

X-rays:
http://imageshack.us/a/img89/4470/cardswb.jpg

Based on the sample I have here, I think the top two cards may be from TCT
(look at the tiny print on the top right of the back of your card) - I think
that's Thames Card Technology (who provide the cards to the bank, but aren't
themselves the manufacturer). What's curious about these is the lack of
visible antenna on the X-ray. However it may be a polymer antenna not
metal.

Assuming the polymer antenna is in the same place as the copper on other
cards, drilling about 5mm in from the long edge of the card should do the
trick.

Theo
 
N

Nick

David Woolley said:
A lot of those materials are not specified at the frequencies used for
the cards, which are in the short waves. Most of the materials seem to
be designed for microwave use.
Something I read earlier today suggested keeping two (or more) cards
close together as they interfere and cancel out any accidental
transaction. This certainly works for my security passes - the correct
card has to be removed from the stack in the card holder to work. A M&S
PoS terminal was tested by I can't remember whom and found to have a
maximum NFC range of 5cm.
 
D

D.M.Chapman

Nick said:
Something I read earlier today suggested keeping two (or more) cards
close together as they interfere and cancel out any accidental
transaction. This certainly works for my security passes - the correct
card has to be removed from the stack in the card holder to work. A M&S
PoS terminal was tested by I can't remember whom and found to have a
maximum NFC range of 5cm.

I wouldn't rely on that. I regularly travel in London with both my Oyster
card and my word ID card. Both are Mifare classics - if I have them both
in my wallet about 75% of the time the oyster readers get it right, 25% of
the time I get an error. Removing my id card cures it. Likewise the other
way around - word security readers barf around 25% of the time if my
oyster card is in my wallet.

So while it does appear to confuse it sometimes, it's far from a reliable
method! (might be different for non-mifare classic cards, but I'd not
rely on it).

Darren
 
Ad

Advertisements

B

Bob Minchin

Roger said:
This article http://www.bbc.co.uk/news/business-22545804 appears to
vindicate what I have always said about contactless cards.

Not only are they vulnerable to fraud by villains with scanners who
don't need to get close enough to arouse suspicion, but it now seems
that they're also vulnerable to *accidental* use!

I'm very glad that I ditched my CapitalOne card when they insisted [1]
on replacing it with a contactless card.

More and more financial institutions are now using these things, making
it very difficult to avoid unless you do away with credit and debit
cards altogether. I've unfortunately still ended up with one or two, but
they never leave the house and are used only for on-line transactions.

The sooner the whole idea is re-thought, the better!

[1] Using the very dubious tactic of pretending that my previous card
had been "compromised" (which I'm damn sure it hadn't!) in order to
provide a pretext for needing to issue a new card long before the old
one had expired.
If you want to use the contactless facility every now and then, store it
in your wallet with an oyster card on top. The mifare system cannot
differentiate between two co located cards.

Otherwise just disable it by cutting a part or all the way through with
a Stanley knife as shown here on my barclaycard
http://i115.photobucket.com/albums/n313/9fingersphotos/IMG_1790.jpg

This has no effect on the chip and pin function or the mag stripe swipe.
 
D

David Woolley

D.M.Chapman said:
I wouldn't rely on that. I regularly travel in London with both my Oyster
card and my word ID card. Both are Mifare classics - if I have them both
in my wallet about 75% of the time the oyster readers get it right, 25% of
the time I get an error. Removing my id card cures it. Likewise the other
way around - word security readers barf around 25% of the time if my
oyster card is in my wallet.
That's handled by the discovery protocol, which should try to establish
the serial number of the card and address further requests to other
cards. In theory it is supposed to be able to detect multiple numbers
and abort the transaction, but it sounds like it might not be as good as
it might be.

I believe the discovery protocol applies to all the ISO standard cards,
on that frequency, not just NXP's Mifare ones.
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top