
An Android app that collects Mag-Stripe data and CVC3 codes from PayPass cards - oxplot
https://github.com/MatusKysel/EMVemulator
======
withinthreshold
Ok, I am a complete noob in this regard. I have a VISA Gold card with a chip
and payWave, what should I do to protect myself from this?

~~~
lstamour
First, this doesn't affect PayWave yet, just PayPass. But to continue:

(1) Don't put your phone in the same pocket as your card, (2) Get either a
metal or protected wallet for NFC-enabled cards, (3) Review card usage and
don't worry about it. You aren't responsible for card fraud with credit cards.
The chances of this being used against you are incredibly slim. It's also less
useful as an avenue to commit fraud since payment with NFC is usually limited
to under $25 by merchant agreements. Besides, duplicated cards are old hat,
what with programmable chips and magnetic strips already. What's neat here is
the proof-of-concept demo involving phones without the need for specialized
SIM cards or approved phone handsets. Not 100% sure myself, but maybe it only
works because PayPass allows for stickers on your phone case to emulate a
credit card?

Oh and if you go to pay for something on a website and enter your 3-digit code
plus the card number, well, spyware could have your card already. So NFC as an
attack vector is slower and less useful. Watch out for those custom keyboards
;-)

~~~
tonteldoos
Commenter below mentions that it works on his paywave...

------
georgebarnett
One workaround (instead of buying an rf shielded wallet) I've heard of in the
past is to put two cards next to each other because it causes signal
interference. I have no idea if it works (I use an iPhone) so ymmv.

~~~
ikari_pl
It works perfectly with my cards. I can't open the office door if my PayPass
is too close. My city card (basically a fancy name for a long-term bus ticket)
also interferes with both of these two.

~~~
abritishguy
That just means your office doors aren't configured properly and don't know
which card to talk to and choose to do nothing in this case. The reader could
very well talk to one card (or both) without interference.

------
chias
Is this different from NFC Proxy in a significant way?
[http://sourceforge.net/projects/nfcproxy/](http://sourceforge.net/projects/nfcproxy/)

------
mappu
Should be worryingly easy to piggyback this onto popular android apps. Good
time to start keeping your phone and wallet in separate pockets...

~~~
voltagex_
I use XPrivacy. I realise that's out of reach for most users but it's been
very very useful for me to allow/deny use of NFC/GPS/connectivity. (Yes I know
about the new bypass trick)

------
dmix
This is why people should invest in an RF-blocking cellphone case for when
you're in public, for example:

[http://silent-pocket.com/](http://silent-pocket.com/)

[http://www.amazon.com/HideCell-Cell-Protection-Bag-Standard/...](http://www.amazon.com/HideCell-Cell-Protection-Bag-Standard/dp/B00GSZI24M/)

This is the only thing that can really stop wireless snooping. Even pervasive
location tracking.

~~~
Sephr
This is irrelevant to cloning NFC-enabled cards. Neither Google Wallet nor
ISIS broadcasts payment card NFC data when your phone is locked (or even when
it's unlocked--usually you need to enter the app and then enter your PIN
first).

What you really should be getting is an RF-shielded _wallet_ for NFC-enabled
cards. Your phone doesn't need anything shielding it, and most phones have
sane permission models around how you permit apps to use your GPS.

~~~
bostik
> _What you really should be getting is an RF-shielded wallet for NFC-enabled
> cards._

And when you do, go with something that shields everything in the wallet. (I
bought ID Stronghold wallets for myself and the family.)

Here in London it should be possible to market these wallets with an extra
twist. Oyster cards are used everywhere, and for the last 4-5 months I've
noticed a constant stream of announcements - "Please keep your Oyster and
contactless payment cards separate to prevent card clash." An enterprising
individual with import and retail experience could tap into this market by
selling wallets with _one_ outside - unshielded - pocket for the Oyster card,
and everything else inside fully shielded.

People in general don't care about privacy or security, but they _do_ care
about convenience. So, by way of introducing a convenient way to prevent card
clash, they would also get automatic protection against these drive-by NFC
payment card attacks.

~~~
eli
I'll vouch for that -- same problem in DC. I'd love a wallet with an
unshielded pocket for my Smartrip card.

~~~
ubernostrum
My experience is that a fully-shielded wallet isn't so bad.

I just got back to the US from a month in Europe. The entire time, I was
carrying passport, credit cards, transit-system cards, hotel key cards, etc.
in a fully shielded wallet. It wasn't a problem at all to have to pull out the
transit card when necessary in order to get on/off a tram or bus, or
enter/leave a station (hotel key card has to come out anyway, since often you
have to put it in the slot by the door to turn on the room's lights). And the
peace of mind is worth it.

(my only actual complaint about the wallet is that I bought it because it had
an internal zippered pouch for coins, something that's much more useful for
EUR than for USD, but the zipper broke after less than a week)

~~~
eli
But I'm not actually concerned about my credit card number getting stolen or
being tracked by ne'er-do-wells with NFC readers. There are much easier ways
to steal my credit card or track me. I just want to get through the turnstile
without looking like a tourist.

------
zmanian
It would be great to see something that does what Firesheep did for SSL in
payment security.

------
techinsidr
Has anyone tried to verify this?

~~~
ZaneA
Working for me, Nexus 5 with Visa Paywave

Edit: Reading that is...

~~~
voltagex_
Works for me too - Nexus 5, MasterCard PayPass. The app in its current form
isn't dangerous, it takes ~2 minutes to read the card and if the screen goes
off or the reader loses contact you have to start again.

~~~
ZaneA
Though as I understand from the source this also acts as an emulator, so if
you scan your phone it may replay those card details, worth keeping in mind.

~~~
voltagex_
I'd _love_ this. My bank wants me to pay $2.99 for a sticker to go on the back
of my phone (to do contactless purchases) while supporting Galaxy S* phones
natively...

~~~
cbhl
Google Wallet's "Tap and Pay" works with select phones in the US:
[https://support.google.com/wallet/answer/1347934?hl=en](https://support.google.com/wallet/answer/1347934?hl=en)

You might also be interested in Coin:
[https://onlycoin.com/](https://onlycoin.com/)

~~~
jackvalentine
Sounds to me like his bank is the Commonwealth Bank of Australia (1), so Google
Wallet is a non-starter. Coin is interesting, but the payments landscape in
.au is rapidly moving away from card swipes to Paywave/Paypass. I've seen
quite a few places that offer Cash or Tap, no swipe (I presume because of the
fee structure).

1) [https://www.commbank.com.au/paytag](https://www.commbank.com.au/paytag)

~~~
XorNot
Commonwealth Bank charge $2.99 a year regardless of what you want to do. To
use their Android app, they also bill you that to have the functionality
turned on.

~~~
oxplot
The annual fee is not applicable in case of the PayTag
([https://www.commbank.com.au/personal/can/can-tap.html](https://www.commbank.com.au/personal/can/can-tap.html)). Also, can
you refer me to the doc that mentions the extra cost of using the Android app
for that purpose?

~~~
XorNot
The Android app itself says it (I have it open right here).

