Contactless card transactions always struck me as bonkers. By the very nature of the system, there is nothing stopping an individual walking down the street and stealing whatever the cap is out of everyone's card.
You then immediately use this "money" to buy gift cards, which you then sell on, turning the dirty money into clean money. By the time they have traced back the money to the gift card, you're long gone (you can also cross international borders a couple of times to make things difficult/slow).
The fact banks shut down the Mythbusters' investigation into just how insecure contactless cards are really tells you everything you need to know. They know full well they are completely insecure, and they want to keep it hush hush.
Now contactless phone transactions are secure, but contactless phone transactions require action from the user to confirm the transaction. If the plastic cards had you press a button to activate contactless-mode they would be fine too, but they don't...
NFC is great technology that has a lot of uses. This is just a mis-use.
Well with contactless payments a unique CVV is generated by the card for every transaction. The attacker would have to steal the card info, CVV, and use it to purchase something before the victim uses their card again or the card will automatically be disabled by the payment processor. In any case they can only make a fraudulent purchase once for every time they trick the card. That's certainly better than the current situation where once your card is compromised you are screwed.
You've somewhat misrepresented how this works. You can't steal money "out of everyone's card". The card doesn't contain any money, it's not a digital wallet. It's an authorization mechanism.
You could certainly skim authorization codes out of everyone's pockets, but you still have to present those codes (and fairly swiftly) to the payment processing networks for clearing. That means you need a merchant account, which means someone is on the hook for your activity and the fraud has some chance of being detected and sourced.
"Some chance", but if the amounts are small enough, who is going to notice? And if it's an international payment, I'm sure that will make it that much harder too.
Aren't you insured against that? I know that we are in Quebec. That's why I love my credit card so much. It's not my cash, I don't care what happen to it. If it's stolen, I have literally nothing to pay. It's true physically, through a contactless payment or a transaction on the web.
I like your idea of button though, it wouldn't be too intrusive and it would limit some case.
"legitimate" as in "actual fraud", as opposed to "fraudulent fraud" (e.g. reporting your card stolen after a big purchase and then claiming the charge was not yours)
I assume the protocol is designed such that you cannot record a response and then replay it later. If that's true (and I could be way too optimistic here) then an attack like that would require two confederates and some communications hardware, with one guy on the street scanning people's cards at the exact same time as the other guy presents his end of the equipment to the local point of sale. This is all doable, but it doesn't scale too well.
On a packed street, have something to debit it in your pocket. You'll probably be within that distance of enough wallets to get enough to be worthwhile…
That is eavesdropping a transaction, not soliciting one. Plus every NFC transaction generates a new token. Even if you record it as the transaction takes place, that information cannot be used again.
This doesn't make sense. Why would any transaction occur in a foreign currency? If I use my Australian credit card to purchase a cup of coffee in the UK, the transaction occurs in pounds, not Australian dollars.
The terminal never sees "foreign currency". It is the responsibility of Visa/MasterCard to perform currency conversion.
Your card, which sees itself as a payer of AUD, gets a request for a transaction in GBP. This research suggests it will authorize the transaction even if it is above whatever normal local limit you have on AUD transactions.
Whether that's actually true or not, is unknown at this stage - this was a test on a UK contactless card, so maybe we have a slightly different arrangement than your Australian contactless card would.
It's also fairly unlikely that the payment processors would accept a transaction higher than the contactless cap, just because it's in a foreign currency.
It's also entirely possible that they don't bother enforcing a limit because the UK banks involved won't accept any foreign currency contactless transactions. I've never tried to use my UK contactless cards abroad.
The research paper seems to grossly oversimplify the matter of "cashing in" the fraudulent transactions.
While the authors claim to "appreciate that banks will have a number of security systems in place to prevent fraud", they seem to neglect that those systems should effectively render the attack impossible:
- There are limits for CVM-less transactions; not only in the application running on the chip, but also for terminals. I think that there is one limit above which a CVM (e.g. PIN or signature) is required, and another limit for offline authorizations. CVM-less high-vale transactions would not only be suspicious, but even non-compliant for most card schemes.
- It is not trivial to apply for a merchant account, and I guess that a new account would not be allowed to immediately withdraw recently acquired funds. (If it were that simple, magnetic stripe card skimmers could simply apply for a merchant account and avoid all the hassle with PIN skimming, finding vulnerable merchants or ATMs etc.)
- A merchant with a higher than average rate of transactions challenged by cardholders will surely be scrutinized even more closely.
All in all, the implemented failure mode of offline-authorizing all transactions in unknown currencies seems like a really bad idea and should be improved. The rest of the paper seems like speculation, though.
(Compare e.g. to Steven J Murdoch's work ("Chip and PIN is broken" etc.), where the claims have been verified with an actual payment terminal.)
First time I heard about contactless transactions I wondered if people never learned. Apparently they don't.
Allowing anyone to take my money without my explicit approval, even if it's only up to 20 pounds at a time, is simply begging to be abused. I don't understand how anyone could possibly have thought this was a good idea.
Why? The only way it is going to post is if the bank accepts it. Since the card can't know the conversion rate "allow anything" is a perfectly reasonable action.
What's worse, additional steps to validate the transaction via swipe or unlimited purchase side by changing currency?
It's an insecure design, I'm suggesting a simply approach that doesn't require the card to be more intelligent about international financial markets and exchange rates in real time.
Bingo! They didn't test the back end system, but what happens is the conversion is done to local currency and seeing that it's greater than the limit, it's denied. A non-story.
Exactly. They seem to overlook that there are rules for the merchant as well; high-value transactions without a CVM are almost certain to raise flags (or be denied right away) at the merchant acquirer.
You then immediately use this "money" to buy gift cards, which you then sell on, turning the dirty money into clean money. By the time they have traced back the money to the gift card, you're long gone (you can also cross international borders a couple of times to make things difficult/slow).
The fact banks shut down the Mythbusters' investigation into just how insecure contactless cards are really tells you everything you need to know. They know full well they are completely insecure, and they want to keep it hush hush.
Now contactless phone transactions are secure, but contactless phone transactions require action from the user to confirm the transaction. If the plastic cards had you press a button to activate contactless-mode they would be fine too, but they don't...
NFC is great technology that has a lot of uses. This is just a mis-use.