

Credit card data can be stolen with a wave and an app - vy8vWJlco
http://www.cbc.ca/news/technology/story/2013/04/24/nl-smartphone-credit-card-skimming-app-424.html

======
jrockway
It's my understanding that the CVV3 is cryptographically generated for each
transaction (like HOTP), and that the cardholder's name is not available over
NFC. So you can't steal personal information or use the card undetected.

A bit of reading regarding the CVV3:
[http://randomoracle.wordpress.com/2012/09/11/cvv3-demystifyi...](http://randomoracle.wordpress.com/2012/09/11/cvv3-demystifying-
credit-card-verification-part-2/)

I'm not 100% sure about the name not being there, however.

~~~
ifni
When someone at my office spotted this story earlier in the day, a bunch of us
quickly ran around playing with an android app (which doesn't have permissions
to phone home and censors out some of the data) to see what info we could pull
off our cards.

[https://play.google.com/store/apps/details?id=com.samj.CardT...](https://play.google.com/store/apps/details?id=com.samj.CardTest)

Name, number, and expiry are readily available. We figured you could probably
replay that data to get some free gas with stolen credentials... but the
scanning range with phones is more akin to "hold the card up against it for
several seconds to read" than "walk through a crowded room".

~~~
vy8vWJlco
That is probably a moderately-variable function of the power output and
sensitivity/gain of the radio in the phone (and card) used. (A crowded subway
in Japan would probably be ideal conditions. :p) Other phones may have
noticeably better range, or range might be increased by simply going out of
spec using lower level RF controls (if lower level access is possible per-
controller, since as I don't see anything about power control in the Android
docs).

[http://android.stackexchange.com/questions/5044/nfc-
function...](http://android.stackexchange.com/questions/5044/nfc-
functionality-in-google-nexus-s)
[https://developer.android.com/guide/topics/connectivity/nfc/...](https://developer.android.com/guide/topics/connectivity/nfc/index.html)

~~~
jrockway
A high-gain antenna at the NFC frequency (13.56MHz) would be about 11 meters
wide and 6 meters long. This is probably why there isn't much long-distance
NFC skimming going on.

(If you're an ARRL member, there's a good article on building a 14MHz
directional antenna at
[http://www.arrl.org/files/file/protected/Group/Members/Techn...](http://www.arrl.org/files/file/protected/Group/Members/Technology/tis/info/pdf/0107028.pdf).
It's big, and one resonant at 13.56MHz would be a little bit bigger. But it
_is_ something that's physically possible and would make for an interesting
experiment.)

Edit: Here's another idea (and the article is free):
[http://www.arrl.org/files/file/protected/Group/Members/Techn...](http://www.arrl.org/files/file/protected/Group/Members/Technology/tis/info/pdf/5501022.pdf)

~~~
vy8vWJlco
Easily concealable in a floor or wall. :) (I jest.)

------
vy8vWJlco
tl;dr (or watch the video): The software used looks like:
<http://sourceforge.net/p/nfcproxy/wiki/Home/>

Pretty cool to be able to back up and keep your cards on your phone in a
usable way.

~~~
CountSessine
Very cool - no doubt. But I'll take a pass on letting someone else back up my
credit card info for me.

Is there really no challenge-confirm-response built into this technology?

~~~
vy8vWJlco
Based on my reading, there definitely are challenge/response protocols, but
they also seem quite dependent on the specific merchant/POS (and issuer) as to
whether or not they are enforced or effective (for example, there could be an
offline-purchase system that reconciles latter in the day instead of with
every transaction, or the issuer might use a static/clonable challenge). I'm
still learning...

Interestingly, CBC had an article a few years ago anticipating today's:
[http://www.cbc.ca/news/technology/story/2010/05/31/f-rfid-
cr...](http://www.cbc.ca/news/technology/story/2010/05/31/f-rfid-credit-cards-
security-concerns.html)

It outlines a few interesting hacks (ex, anticipatory challenge/response
gathering). Mostly, it just seems very easy to get the card number and expiry
- and apparently that's not a secret, or anything to be concerned about, as
far as the credit card company is concerned.

------
unreal37
I saw the original broadcast on CBC.

I just don't believe the reporting on this. They demo'd it. The girl had her
credit card basically falling out of her pocket. A guy had to touch his phone
to the credit card for a few seconds in order to get it to scan. He then used
his phone to buy a coke at a coke machine using her card.

I'd like to see a demo of this where the credit card owner is not aware of
whats going on. Presumably the phone can't scan the card when its inside a
wallet, or even fully inside a pocket protected by 1/8" of cloth.

With access to the physical card, yes you can use someones credit card. Call
1985 - the problem is the exact same as with cards back then.

