
Contactless card fraud is too easy, says Which? - rhubarbcustard
http://www.theguardian.com/money/2015/jul/23/contactless-card-is-too-easy-says-which
======
TheLoneWolfling
I have a metal wallet. Why? Because some idiot decided that making student IDs
have NFC was a good idea. Which, among other things, can be used to open doors
after-hours, and buy things.

(And yes, it is idiotic. It replaces a magnetic strip scan (which, by the way,
these cards have - which means that it's strictly less secure now, as it still
has the problems with magnetic strip _and_ the problems with NFC) with a plunk
the card on the scanner - which doesn't save much of any time. And in the
process means that your card isn't secure even if you have it on you at all
times and use only trusted readers. Larger attack surface.)

They are trivially susceptible to relay attacks, among other things. (Plunk a
relay near the target, and a relay near the thing to open, where each one
sends any data it picks up to the other one, which re-broadcasts it.)

Note: _any_ NFC card is susceptible to this sort of blind relay attack. As is
any buttonless key fob (like the ones on some cars).

Theoretically, you can prevent this by means of speed-of-light limitations, or
by requiring user interaction (like pressing a button on the card itself, for
instance. Although even that could be abused). But in practice, they are too
cheap to build that sort of circuitry in. As usual.

~~~
timboslice
I have a car with a buttonless key fob. I keep my keys in a metal box when I
get home, as there have been several stories of cars being stolen by thieves
with relay devices.

It's a sad state of affairs when security is an afterthought.

------
davidgerard
Everyone in the UK has these. It's actually stupid: they replaced two-factor
(card and PIN) with one-factor (NFC).

What I did: put my card in a fetching tinfoil hat.
[http://reddragdiva.dreamwidth.org/578323.html](http://reddragdiva.dreamwidth.org/578323.html)
(2012) Also keeps it from interfering with my Oyster card.

~~~
needusername
It's even better than that. Contactless is "faster" because it generally
doesn't do an authorization.

~~~
davidgerard
D-: D-: D-:

This article is still disconcerting, though, at the skimmability in the wild.
TINFOIL! TINFOIL!

------
dozzie
> Industry body, the UK Cards Association, dismissed the findings saying
> Which’s report was “not a new story”.

So the industry body acknowledges that they knew _for a long time_ that the
whole thing is insecure, yet they apparently did _nothing_. This doesn't make
them look any better.

~~~
needusername
They may have issued a memo that, if implemented by all issuers, acquirers and
terminal vendors, may help. Of course nobody does that.

------
IshKebab
It's worse than that. They have no protection against forwarding attacks. At
all. Not even basic latency time checking. Here's a demo from two years ago:

[https://www.youtube.com/watch?v=t0MCFjYHieQ](https://www.youtube.com/watch?v=t0MCFjYHieQ)

Madness.
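
------
Added example, not part of any comment in this thread: a reader-side sketch of the "speed-of-light limitations" and "latency time checking" mentioned above, in the style of the Hancke-Kuhn distance-bounding protocol. The timing is simulated, and the round count, card turnaround time and maximum distance are assumed values, not figures from any card specification.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0   # speed of light, m/s
N_ROUNDS = 32       # fast-phase rounds (assumed)
PROC_NS = 50.0      # assumed fixed card turnaround per round, ns
MAX_DIST_M = 0.10   # assumed maximum legitimate card-to-reader distance

def registers(key, nv, np_):
    """Derive the two N_ROUNDS-bit response registers from shared key and nonces."""
    stream = hmac.new(key, nv + np_, hashlib.sha256).digest()  # 256 bits available
    bits = [(stream[i // 8] >> (i % 8)) & 1 for i in range(2 * N_ROUNDS)]
    return bits[:N_ROUNDS], bits[N_ROUNDS:]

def rtt_ns(path_m, extra_ns=0.0):
    """Simulated round trip: propagation both ways + card turnaround + relay delay."""
    return 2 * path_m / C * 1e9 + PROC_NS + extra_ns

def verify(key, path_m, relay_delay_ns=0.0, card_key=None):
    """Run one simulated session from the reader's side; return (accepted, reason)."""
    card_key = key if card_key is None else card_key
    nv, np_ = secrets.token_bytes(16), secrets.token_bytes(16)  # slow-phase nonces
    v_regs = registers(key, nv, np_)        # what the reader expects
    p_regs = registers(card_key, nv, np_)   # what the card computes
    bound = rtt_ns(MAX_DIST_M)              # largest RTT a card in range can need
    for i in range(N_ROUNDS):
        c = secrets.randbelow(2)            # unpredictable one-bit challenge
        answer = p_regs[c][i]               # card's one-bit reply
        # A blind relay cannot answer early: it must forward the challenge,
        # so its extra path length and delay show up in the measured RTT.
        if rtt_ns(path_m, relay_delay_ns) > bound:
            return False, f"round {i}: RTT exceeds bound"
        if answer != v_regs[c][i]:
            return False, f"round {i}: wrong response bit"
    return True, "ok"
```

With these assumed numbers the whole distance margin is well under one nanosecond per round, which is why the check needs dedicated timing circuitry on both the card and the reader.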

