
Intro to NFC Payment Relay Attacks - dsr12
https://salmg.net/2018/12/01/intro-to-nfc-payment-relay-attacks/
======
chrsstrm
Unfortunately the article stops short of actually stating how this would be
useful as you couldn't really do this in real time on an unsuspecting card
holder (Hey, can I casually hold my phone over your credit card while my buddy
over there buys a TV?). My best guess is that you physically control a
compromised card and use the reader-emulator setup to drain the card as
quickly as possible. Think of a scenario where you are holding the card at
your secret hideout and then send out a team of goons, each with an emulator,
to buy gift cards using the stolen card a la NFC. This just feels like a much
more complicated version of card cloning.

~~~
sdwisely
I'm not thinking of the card as the weak point, more the reader.

A rogue employee installing a false reader that relays to the real reader.

Back when I worked in retail we had an issue in our local area where a group
impersonated our support department and came on site to install altered
versions of our readers.

I'd imagine things like the readers in our public transport ticketing machines
are a pretty easy target too to hide a nearby relay.

In Australia our NFC limits are pretty high at ~$100, readers are nearly
everywhere and the readers are sometimes display-less plastic discs.

Even the local animal shelter has a tap to make a donation thing now.

~~~
dzhiurgis
How about setting up a relay on ATM slot?

------
taoistextremist
How useful is the info gathered from an attack like this? Does it depend on
the specific method (e.g., contactless card versus something like Google Pay)
how compromising the information is? I was under the impression that by having
virtual cards and the service itself to contact, Google Pay had something of a
buffer from attacks like this.

~~~
londons_explore
The privacy angle is only part of it - the other part is someone else spending
my money, and they can do that just as easily with something like Google Pay.

~~~
taoistextremist
Well, only if you unlock your phone, too.

------
amaccuish
Are there any other ways to prevent this? I know there are latency checks, but
I assume in some cases this attack could still work.

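A simulated version of the latency check mentioned above, added here as an
editorial example (it is not code from the linked article or from any
commenter). It loosely follows the idea behind EMV's contactless relay-resistance
timing check: the terminal sends a nonce, the card answers with its own nonce
and a declared upper bound on its processing time, and the terminal measures the
round trip against that bound plus some slack. The byte layout, the shared-key
MAC standing in for the card's signed dynamic data, the simulated clock, and all
timing figures are assumptions chosen for illustration, not the real EMV
encodings. The scenarios cover the caveat raised in the comment: a slow relay
and a forged early answer are rejected, but a relay with a fast enough link
still passes the timing check.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical key shared by card and issuer/terminal; stands in for the card's
# signing key in the real protocol. Not a real key.
CARD_KEY = b"example-card-key-not-real"


class SimClock:
    """Simulated microsecond clock so the example is deterministic offline."""

    def __init__(self):
        self.t_us = 0

    def now(self):
        return self.t_us

    def advance(self, us):
        self.t_us += us


@dataclass
class RRResponse:
    card_nonce: bytes
    max_proc_us: int  # card-declared upper bound on its own processing time
    tag: bytes        # MAC over both nonces (stand-in for signed dynamic data)


class Card:
    """Genuine card: answers after its processing time with an authenticated response."""

    def __init__(self, clock, proc_us=300, max_proc_us=500):
        self.clock, self.proc_us, self.max_proc_us = clock, proc_us, max_proc_us

    def exchange_rr_data(self, terminal_nonce):
        self.clock.advance(self.proc_us)
        card_nonce = os.urandom(4)
        tag = hmac.new(CARD_KEY, terminal_nonce + card_nonce, hashlib.sha256).digest()[:8]
        return RRResponse(card_nonce, self.max_proc_us, tag)


class Relay:
    """Attacker's reader/emulator pair: forwards the exchange over a link that
    adds link_delay_us in each direction (constructed delay, not measured)."""

    def __init__(self, clock, card, link_delay_us):
        self.clock, self.card, self.link_delay_us = clock, card, link_delay_us

    def exchange_rr_data(self, terminal_nonce):
        self.clock.advance(self.link_delay_us)        # terminal -> remote card
        resp = self.card.exchange_rr_data(terminal_nonce)
        self.clock.advance(self.link_delay_us)        # remote card -> terminal
        return resp


class EarlyAnswerRelay(Relay):
    """Relay that tries to beat the timer by answering before the real card,
    so it cannot have the genuine tag for this terminal nonce."""

    def exchange_rr_data(self, terminal_nonce):
        self.clock.advance(50)
        return RRResponse(os.urandom(4), 500, os.urandom(8))


def terminal_check(clock, device, slack_us=1000):
    """Terminal side: returns (accepted, round_trip_us, reason).
    slack_us is an assumed allowance for RF transmission and terminal overhead."""
    terminal_nonce = os.urandom(4)
    t0 = clock.now()
    resp = device.exchange_rr_data(terminal_nonce)
    rtt_us = clock.now() - t0
    expected = hmac.new(CARD_KEY, terminal_nonce + resp.card_nonce, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, resp.tag):
        return False, rtt_us, "bad authentication tag"
    if rtt_us > resp.max_proc_us + slack_us:
        return False, rtt_us, "round trip too slow"
    return True, rtt_us, "ok"


def run_scenarios():
    """Run the four constructed scenarios; returns {name: (accepted, rtt_us, reason)}."""
    results = {}
    for name, build in [
        ("genuine card", lambda c, card: card),
        ("slow relay (2 ms per hop)", lambda c, card: Relay(c, card, 2000)),
        ("fast relay (0.4 ms per hop)", lambda c, card: Relay(c, card, 400)),
        ("early forged answer", lambda c, card: EarlyAnswerRelay(c, card, 0)),
    ]:
        clock = SimClock()
        results[name] = terminal_check(clock, build(clock, Card(clock)))
    return results


if __name__ == "__main__":
    for name, (ok, rtt, why) in run_scenarios().items():
        print(f"{name:28s} accepted={ok!s:5s} rtt={rtt}us ({why})")
```

The "fast relay" row is the point of the caveat: a timing check only bounds the
attacker's added latency to whatever slack the terminal tolerates, so a relay
over a fast local link can still pass, and the authentication tag on its own
does nothing against a relay, since the genuine card produced it.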
~~~
robocat
Buy a wallet with conducting mesh (Faraday cage) or make a sleeve for your
card (e.g. from an aluminium can).

Quick failure test: see if the card still works on a terminal while it is
protected.

Not perfect, but would prevent most "risks".

~~~
justin66
I've carried a Datasafe wallet made by Kena Kai for ten years or so. It
includes a metallic mesh next to the leather that is durable enough that the
wallet is still in good shape. I have no idea how well the protection truly
works (it's marketed as complying with "FIPS-201 guidelines," which might not
mean a lot) but it's been an excellent wallet in its own right.

There don't seem to be _nearly_ as many of these for sale now as there were
ten years ago, which is interesting.

------
PanMan
Secrid wallets prevent this attack, and are quite popular here in the
Netherlands (where almost all bank cards are NFC enabled). Funny enough they
are more popular for their form factor, than the NFC shielding that was their
core feature.

------
Sephr
There are many door access control systems vulnerable to this same kind of
attack. I'm currently working on open source red team tools for exploiting
this.

The best way to protect yourself from these type of attacks is to have a
Faraday-shielded wallet.

~~~
EGreg
Why?

~~~
post_break
Because they can stop the scanners from picking them up. Some of these people
buy a long range scanner made for drive up gates because you can glean the
info from a block away.

------
notduncansmith
This is why many debit systems require both the chip and the PIN. For credit
cards, the situation is still scary.

~~~
newaccoutnas
NFC payment systems don't require a PIN though, even if they are limited (to
say £30 in the UK).

~~~
ErneX
You mean by default? Because here, by default, if the purchase is <= 20 no PIN
is required, but this is something my bank at least allows you to remove so
you get asked for the PIN always.

~~~
avianlyric
In the UK yeah, and I think the limit is going up. If someone uses your card
fraudulently the banks have to pay you back the money, and they (the banks) can
get in trouble for kicking up a fuss.

~~~
newaccoutnas
There's a sweet spot between making it easy for the customer to pay (and
thereby increasing the volume of sales and therefore card charges) vs.
anti-fraud measures. It's the old adage of security vs. usability.

------
Bucephalus355
The latest Yubico 5 Keys are NFC. Any thoughts on how this will affect them?

