

Android app swipes contactless credit card - dlapiduz
http://www.newscientist.com/blogs/onepercent/2012/06/android-app-lets-you-swipe-con.html

======
sahaskatta
The one mentioned in the article is no longer in the Play Store. However, this
one is still available for download:
<https://play.google.com/store/apps/details?id=com.idstronghold.CCReaderMkt>

I gave it a quick try with some credit cards I have and it immediately
displayed information.

------
talkingquickly
Here's the github link to the App for anyone who wants more details:
<https://github.com/thomasskora/android-nfc-paycardreader#readme>

~~~
spindritf
It 404s now.

~~~
talkingquickly
Wow, that was quick. Guess it was kind of inevitable; wonder if all the forks
will have gone as well.

------
ragmondo
Here is a clone which is still up at github:
<https://github.com/rayyan/android-nfc-paycardreader> and this is the most
"interesting" bit of source:
<https://github.com/rayyan/android-nfc-paycardreader/blob/master/src/net/skora/eccardinfos/ECCardInfosActivity.java>
- it can identify card types and that's about it...

~~~
danielhunt
Looks like it's not quite up to date - it doesn't have the latest pull request
in it

------
ajross
So what's the exploit here? Is it a bug in the cards or the protocol or what?
Or is the card info considered "public" by the protocol (i.e. I could imagine
an authentication scheme where the card could provide its number but the bank
would only honor charges via the secure contactless scheme which came with an
RSA cookie or whatnot).

------
ragmondo
Sorry.. Am calling BS on this... To read any protected memory regions on an
NFC card a fairly complicated handshake has to occur with various exchanges of
keys - you can't just read details with your average NFC reader in an Android
phone using an app that doesn't even require root...

~~~
lucaspiller
The app is designed to be used with the German GeldKarte which appears to use
an old NFC technology. It isn't a credit card, you have to load cash onto it
before you can spend it, and doesn't use the same security as modern
contactless bank cards.

Also it appears this isn't the first app to do this:

<http://www.nfc.cc/2011/12/11/nfc-geldkarte-broken-by-design/>

------
mneedham
Along these lines - are there any good 'hacker' tools out there for the
various phone platforms? I know there are port scanners and some other things
out there but is this a well-developed space?

~~~
objclxt
Depends what you're interested in, but as an iOS developer I highly recommend
Jonathan Zdziarski's "Hacking and Securing iOS Applications", published by
O'Reilly. It's a good primer, and covers a wide variety of both exploits and
hacks.

<http://shop.oreilly.com/product/0636920023234.do>

------
GvS
It seems it's already removed from Google Play.

