Anyone in the know about this? Is it a real risk, and are RFID wallets worth buying?
Been a couple of reports of guys on the Tube this week carrying POS units with keyed amounts and actively putting the units next to people.
Anything up to £30 and you'll never know.
Anything up to £30 and you'll never know
I wouldn't know while it was happening, but I would know about it pretty soon afterwards.
I'm one of those rare individuals who checks their bank balance/transactions regularly.
Call the bank, let them sort it out.
I'm wary. At a recent outdoors trade show, got a demo of just how easy it is to skim credit card details with a simple reader, been using an RFID wallet ever since.
Had paywave/rfid for about 3 years ago, been to lots of big cities on lots of public transport and had no issues.
This is a long long way down the list of things I care about right now
It's such an obvious security flaw, I can't believe it wasn't picked up when they were developing contactless.
What I don't get is that the criminals need bank accounts to accept payment so can't they easily be caught?
Yep stoner, seen the pic still not high on the list. If it's lifting cash it needs to go somewhere, the bank covers for fraud and the chances are still low. Helped greatly by not going to London.
cheers_drive - Member: It's such an obvious security flaw, I can't believe it wasn't picked up when they were developing contactless.
It was- it's designed as a low security system at point of sale, all the customer protection is based on response and refund, and all the bank protection based on chasing after people using the inevitable paper trails and tearing them new arses. There'll be losses but they've decided they're worthwhile losses.
I tried to use a contactless card from inside a very thin non-RFID protecting wallet and it didn't work. Not convinced it's really an issue.
keep your card under your foil hat?
Surely a few layers of decent thickness aluminium foil or aluminium tape stuck inside your wallet would do the job of a new wallet? Or just ask your bank for a non RFID card.
I tried to use a contactless card from inside a very thin non-RFID protecting wallet and it didn't work. Not convinced it's really an issue.
Yeah, that's what I'm not getting - are the scammers readers like super charged or something to pick up the cards from further away? I too have tried to just press my wallet against the pub machine and it didn't work - I had to get the card out.
Surely if they were strong enough to just harvest people on the tube I wouldn't need to get my card out my pocket?
Genuinely wondering, btw. I'm interested in the answers, or to read any articles on this, etc.
Mine stopped working after about 12 months anyway. Not very hard wearing cards. I shan't be clamouring for a replacement of a device that saves me the effort of just five key presses.
I was in tescos trying to pay, wallet in one hand, card in the other and the machine said too many contactless cards in vicinity, so I'd have thought if you had more than one contactless card in your wallet it would fail.
Still, it gives me another reason never to visit London unless strictly necessary which is only a good thing 😆
Look up Adam Laurie's (RFIDiot) research on it. He's pretty good.
I do have to wonder about why they put the limit up to 30 quid though. Surely the point of an easier, non-PIN micro transaction is for, well, micro transactions. 30 quid is getting on for more than that.
I'd also heard that there was a flaw in how we'd implemented it and that greatly larger sums could be obtained from the card in the UK if the money was requested in a foreign currency. I'll try and dig out a link for it.
Genuinely suspect the genuineness of that pic, too. If I was a real ne'er do well (not some tit who wants to spread paranoia and have a pic go viral) I'd at least [i]try[/i] to disguise the obvious, LIT UP, POS card reader with I don't know, a plastic bag or something...
I do have to wonder about why they put the limit up to 30 quid though. Surely the point of an easier, non-PIN micro transaction is for, well, micro transactions. 30 quid is getting on for more than that.
It's always been AU$100 here so about 50 quid, I just don't hear of mass fraud, skimming or any of that. Sometimes the risks are overblown and the reality of getting a POS machine linked to a bank account and getting the skims and cash out before fraud was spotted is slim.
I've just tried my life venture wallet on our contactless machine and I couldn't take any money. So that works.
Edit...our machine needs the card about 3mm away before it works. Not sure if there are super powerful machines out there.
what I like about these card skimming fears is that it keeps sad ignorant riff-raff out of London because they are scared of getting skimmed...
I don't have contactless payment
The luddite fix is foolproof
In my experience contactless machines vary. Some require the card to be held on the machine for 3-5 seconds, some pick it up and complete instantly and with the card 6-12 inches away. That's all with the same card. I can imagine in a close packed public environment (the tube) having a reader at waist height in a thin bag would catch those people who just have their card in a pocket or bag.
Do you think this is limited to London?
Very narrow view if you do.
grum - Member: I tried to use a contactless card from inside a very thin non-RFID protecting wallet and it didn't work. Not convinced it's really an issue.
Just tried mine using the NFC reader on my phone and it picked up one of the cards no problem. Can do it from in my jacket pocket as well if the wallet is in the right orientation.
Reckon that if a phone can do it, then one of those POS can too.
don't the POS machines need to be connected to a network in order to process the payment? would that work on the Tube?
Full 4G network right through the Tube brakes
oh really? I didn't know that - thought it was just Virgin WiFi.
hmmm. tin foil hat for my wallet then... 🙂
don't the POS machines need to be connected to a network in order to process the payment? would that work on the Tube?
Isn't the issue more skimming cards than lifting an instant payment? That was the impression I got, though I may, in classic STW style, be barking in the wrong forest.
This has been doing the rounds but the only "evidence" for it is a photo of a guy holding a card machine, and the assertion that it's possible. No witnesses of the guy in the photo (or anyone else) going round doing this. No reports of fraudulent transactions done this way.
Given that you need a merchant account to process card transactions, and most make you wait 28+ days to get your money (in case people report fraudulent transactions), which itself has to be paid into a bank account, how likely do you think it is that someone could run around doing this and actually get their hands on any real money without getting caught?
I spent a fair few very nasty, dirty and smelly nights installing cabling and antenna infrastructure around that shit hole in times past.
Massive reradiating system to keep the punters happy 😯
I did think some time ago that a portable card reader is the perfect deterrent to people standing too close on public transport.
I never take my card out of my wallet to pay by contactless, so the range seems pretty good to me. Possibly some of the antenna wires are cracked in those suffering from poor range?
This has been doing the rounds but the only "evidence" for it is a photo of a guy holding a card machine, and the assertion that it's possible. No witnesses of the guy in the photo (or anyone else) going round doing this. No reports of fraudulent transactions done this way.
But RFID skimming is a thing though isn't it? Or is it?
Can't find much on actual reported cases, but lots of tech/possible stuff and gadgets you can buy.
It's such an obvious security flaw, I can't believe it wasn't picked up when they were developing contactless.
An additional flaw (in my eyes) is.... it used to be the case that when you received a new card from the bank you had to call and confirm (via a pin) that you'd received it and were the legitimate owner of it before you could use it. The last few cards I've had (all contactless) - just take them out the envelope and use them, no process of activating them - which means in transit, before you receive it, without even opening the envelope, they can be used to make transactions.
Do you think this is limited to London? Very narrow view if you do.
There was a day a while ago where 4.8 million used the London tube, which is more than the population of Greater Manchester and the West Midlands.
So London would definitely offer the greater potential, plus you probably have more people with enough money in their current account that they wouldn't notice the smaller scale purchases being made with the skimmed details.
I guess the attraction of the tube is that it allows you to be in close proximity to people without raising suspicion. Not many other places where that is almost expected.
it used to be the case that when you received a new card from the bank you had to call and confirm (via a pin) that you'd received it and were the legitimate owner of it before you could use it
never, ever had to do that.
Not many other places where that is almost expected.
In London?
I've had to call to activate a card, have had to log in to activate a card -- in the not too distant past - c. 10 years ago, anyway.
At this stage I think this is the bigger possibility of how you'll get done:
[url= http://krebsonsecurity.com/2016/02/safeway-self-checkout-skimmer-close-up/ ]Safeway Self Service Skimmers[/url]
or like this
[url= http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/ ]Hacked standalone ATM network cables[/url]
I’ve been bothered by this for a while; partly because I’m bad at checking my account balance afterwards.
I’ve just called up my bank and ordered a non-contactless card as they say I’ll still be able to use the card details contactless via ApplePay anyway. That requires my thumbprint to make the transaction so much more secure. Also, if lost, I can just remote wipe the phone.
Rachel
Having worked in the payments industry I don't remember ever seeing any data which suggested increased rates of fraud on contactless above the rate on chip and PIN... but plenty of media scaremongering playing to people's unfounded fears of new tech.
3 things to remember:
1. The limit is there specifically to cap the fraud risk and to not make it worth criminals' efforts
2. Even if you are defrauded, tell your bank and you should get it refunded (I'm not 100% sure on this, but ask your bank if you're concerned)
3. If crims want your cash then they'll be finding more efficient ways of going after it than in £30 chunks! e.g. online banking or ecommerce fraud...
If I were you, I'd be more worried about the potential threat of removing cash completely out of circulation if and when we go to negative interest rates. EU has already begun this process by removing 500 Euro notes...
Negative interest rates incentivises us to remove all our funds from the banks and use cash instead, so banning cash becomes essential to stop runs on the banks and another total collapse...
brooess - Member: 1. The limit is there specifically to cap the fraud risk and to not make it worth criminals' efforts
I think that if you go round for a while on a busy Circle line train, you could gather enough at £30 a pop to make it worthwhile. Busy enough that it'd be easy to hide/use the device as well.
Brooess, maybe you can answer me a question?
If as a retailer a contactless card is fraudulently used and the card owner notifies the bank does the retailer still get paid?
The credit card companies are really pushing contactless by offering lower transaction fees , I'm just wondering how it benefits the card company.
But RFID skimming is a thing though isn't it? Or is it?
Reading the RFID stuff from a card is easy. Doing nefarious things with it is hard.
it used to be the case that when you received a new card from the bank you had to call and confirm (via a pin) that you'd received it and were the legitimate owner of it before you could use it
never, ever had to do that.
Maybe just my bank then (coop / smile)
Given coop just managed to send me a new card in the wrongly spelled name, I wouldn’t use them as a bastion of security… :-/
If I were you, I'd be more worried about the potential threat of removing cash completely out of circulation if and when we go to negative interest rates. EU has already begun this process by removing 500 Euro notes...
Apparently they haven't yet, but are considering it. Not particularly surprised, it's widely known/suspected round here in Spain that the only people with 500€ notes are corrupt business(wo)men/politicians.
I think it's best put this way -
If it actually was that easy to just do a lap on the tube and skim £££ in £30 chunks from people's contactless cards, it would have been done, exposed, and fixed by now. If it was that easy, they'd all be at it.
Brooess, maybe you can answer me a question?
If as a retailer a contactless card is fraudulently used and the card owner notifies the bank does the retailer still get paid?
The credit card companies are really pushing contactless by offering lower transaction fees , I'm just wondering how it benefits the card company.
I don't see why the retailer wouldn't get their cash but I don't know the rules for sure - check with your Acquirer. I suspect they would have to reimburse the retailer otherwise there'd be limited takeup of contactless.
Contactless benefits the issuing bank because it means consumers will use card instead of cash - they don't get revenue from a cash transaction, and neither do the acquiring bank.
If it actually was that easy to just do a lap on the tube and skim £££ in £30 chunks from people's contactless cards, it would have been done, exposed, and fixed by now. If it was that easy, they'd all be at it.
Correct. There are literally millions more contactless transactions per day on TFL than there were just two years ago after cash was banned on the buses, and the big push to contactless by TFL last year. We would quite definitely know if there'd been a big rise in fraud as a result
I wouldn't be surprised if there's some clever way you could get done/cloned/skimmed or whatever through contactless, and that real people might have lost actual money. But for me it's a long way from being enough of a concern that I'd actually take extra steps to secure against it.
that I'd actually take extra steps to secure against it.
Not even a RFID safe wallet?
Not even a RFID safe wallet?
I don't even have a non-RFID safe wallet, so that kind of investment is far too much for me 😉
We would quite definitely know if there'd been a big rise in fraud as a result
unless it was masked by the massive increase in contactless activity. There may have been a big increase in the amount of fraud, but its percentage of all contactless activity would be shrinking.
I used to work for Barclays at the time they introduced this tech to their cards. At the launch meeting I told the presentation guy it was too easy to clone the card and spend money without you knowing. He said it was secure so I asked him for his card and cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal. He went rather white and made a phone call. They still launched the cards.
I won't have a contactless card for this reason.
He went rather white and made a phone call. They still launched the cards.
was that the reason you used to work for Barclays ?
When I lived in Australia they had contactless a few years before it was common over here and before PIN codes were mandatory.
I had over AU$6000 dollars stolen from a bank account and the bank reckoned it was from an RFID skim / clone of my card from the contactless that was then used to systematically empty the account.
cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal
You used a new technology to clone another new technology during its presentation? You'll forgive me if I'm sceptical.
Assuming you did do that, I'd be very interested to know if you still could.
the bank reckoned it was from an RFID skim / clone of my card from the contactless
By "the bank reckoned," do you mean that some random person working at the bank guessed? Even if that scenario is exactly what happened, I'm at a loss as to how the bank could possibly ascertain that beyond speculation.
milky1980 are your hands registered with the government as lethal weapons? Just wondering...
You used a new technology to clone another new technology during its presentation? You'll forgive me if I'm sceptical.
I was thinking exactly the same thing.
How did you clone the three digit code off the back of the card onto your phone ?
It's hardly a very scalable crime as you need an account linked to a card payment machine from a bank, which makes the perpetrator easily traceable.
I used to work for Barclays at the time they introduced this tech to their cards. At the launch meeting I told the presentation guy it was too easy to clone the card and spend money without you knowing. He said it was secure so I asked him for his card and cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal. He went rather white and made a phone call. They still launched the cards.
I won't have a contactless card for this reason.
Would you mind telling us what year this was? We can easily check when Barclays launched contactless. And also, maybe you could tell us what phone it was and we can do a little research to see if NFC was available on that handset model at that time...
There have been a lot of media scare stories about contactless over the years, but funnily enough there's been very few anecdotes or data since the massive increase in transactions seen from 2014 onwards which suggests any increase in rates of fraud... with a massive increase in use, you'd expect a commensurate increase in fraud, if fraud was in fact an issue...
Barclays launched contactless cards in March 2009.
First Android phone with NFC launched in 2010 🙂
Next you'll be telling me that Barclays PingIt doesn't have any flaws...
Next you'll be telling me that Barclays PingIt doesn't have any flaws...
Next you'll be telling us that cash is 100% safe from criminals 🙂
The point is that there's no evidence so far that Contactless fraud rates are significantly higher than Chip and PIN, not that it's flawless... Of course there's a risk, that's why the £30 limit was set. But the calculation was that the extra gain for the banks in revenues from additional card transactions which were previously made with cash would be greater than the costs of any fraud...
Simple solution to this problem, carry more than one contactless card. Tried a few times to pay with my wallet without removing a card, simply doesn't work. So unless they take out my wallet, extract a card, and then skim it; it's not going to happen (and I think at that point I might notice).
I don't have contactless payment
The luddite fix is foolproof
Latest issues of my debit and credit cards have all been contactless without me requesting it.
So you may be getting one anyway.
As I understand it RFID scanning and cloning is pretty trivial. What milky describes sounds technically feasible.
How did you clone the three digit code off the back of the card onto your phone ?
Why would he need that? You don't need any codes for contactless payments - that's kind of the point.
So, who's offering the merchant services to these terminals? I can't believe the merchant account would be kept open for long with lots of contested contactless payments and no payments verified by chip and pin.
The whole thing sounds very unlikely to me.
We now have to pay the credit card people some money and fill in a form saying we won't be naughty so everyone can rest easy.
I don't know about card and RFID but I stayed in a hotel in Oslo that used NFC keycards for the rooms. I used my Nexus 5 to see if I could read a card and it worked. I then set it to delete and managed to wipe a colleagues card that he put in his back pocket. Did it a few times and he was back and forward to reception to get his 'faulty' card replaced. Minutes of fun. Not beyond belief that I could have copied rather than wiped I guess.
How did you clone the three digit code off the back of the card onto your phone ?
Why would he need that? You don't need any codes for contactless payments - that's kind of the point.
Fair enough, I misunderstood and thought he claimed to use the cloned card details to put a sale through manually on the terminal.
Doesn't matter either way, I still don't believe it happened 🙂
So, who's offering the merchant services to these terminals?
That's the tricky bit, but given how prevalent Chip&Pin fraud is then there must be some nefarious ways around it. I'm guessing they get set up as merchants, do a bunch of fraudulent activity then scarper? Not sure how they avoid a very obvious paper trail?
Doesn't matter either way, I still don't believe it happened
It's technically very feasible - read RFID data from card onto your device, then present that same RFID data. That part isn't tricky, it's the merchant bit that is.
If I were one of these guys on the tube I'd set myself as a pop-up coffee stand then skim people on the tube for a relatively small amount. Even folk who check their accounts carefully are unlikely to pick up on a sub £5 transaction at a cafe.
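As an added example (not from the thread or any poster), a defender-side check over a constructed card statement that flags the kind of small contactless charges discussed above: sub-limit payments from a merchant you have never used before, or several of them from one merchant inside a short window. The statement format, merchant names, allowlist and thresholds are all assumptions.

```python
"""Flag low-value contactless charges on a card statement that a glance at
the balance would miss.  Everything here is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample statement (hypothetical CSV layout):
# timestamp, merchant, channel, amount in GBP
SAMPLE_STATEMENT = """\
2016-02-01 08:12,TFL TRAVEL,CONTACTLESS,2.40
2016-02-01 12:31,PRET A MANGER,CONTACTLESS,4.85
2016-02-02 08:09,TFL TRAVEL,CONTACTLESS,2.40
2016-02-02 17:45,POPUP COFFEE CO,CONTACTLESS,3.90
2016-02-02 17:46,POPUP COFFEE CO,CONTACTLESS,3.90
2016-02-02 17:48,POPUP COFFEE CO,CONTACTLESS,4.10
2016-02-03 19:02,SAINSBURYS,CHIP+PIN,42.17
2016-02-05 08:10,TFL TRAVEL,CONTACTLESS,2.40
"""

# Constructed allowlist of merchants the cardholder recognises.
KNOWN_MERCHANTS = {"TFL TRAVEL", "PRET A MANGER", "SAINSBURYS"}
CONTACTLESS_LIMIT = 30.00  # UK no-PIN limit discussed in the thread


def parse_statement(text):
    """Turn the CSV-ish statement into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, merchant, channel, amount = line.split(",")
        rows.append({"when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
                     "merchant": merchant, "channel": channel,
                     "amount": float(amount)})
    return rows


def flag_suspicious(rows, known=KNOWN_MERCHANTS,
                    window=timedelta(minutes=10), burst_size=3):
    """Return (kind, merchant, first_time, amount) findings.

    kind is 'unknown_merchant' for a sub-limit contactless charge from a
    merchant not on the allowlist, or 'burst' when burst_size or more
    contactless charges from one merchant fall inside `window`."""
    findings = []
    by_merchant = defaultdict(list)
    for r in rows:
        if r["channel"] != "CONTACTLESS" or r["amount"] > CONTACTLESS_LIMIT:
            continue  # chip+PIN and over-limit payments are out of scope
        if r["merchant"] not in known:
            findings.append(("unknown_merchant", r["merchant"],
                             r["when"], r["amount"]))
        by_merchant[r["merchant"]].append(r)

    for merchant, txs in by_merchant.items():
        txs.sort(key=lambda r: r["when"])
        # Sliding window: burst_size consecutive charges within `window`.
        for i in range(len(txs) - burst_size + 1):
            chunk = txs[i:i + burst_size]
            if chunk[-1]["when"] - chunk[0]["when"] <= window:
                total = round(sum(t["amount"] for t in chunk), 2)
                findings.append(("burst", merchant, chunk[0]["when"], total))
                break  # one burst finding per merchant is enough
    return findings


if __name__ == "__main__":
    for kind, merchant, when, amount in flag_suspicious(
            parse_statement(SAMPLE_STATEMENT)):
        print(f"{kind:16} {merchant:16} {when:%Y-%m-%d %H:%M} £{amount:.2f}")
```

Real statements carry more fields and merchant names vary in spelling, so the allowlist would need normalising before this is useful outside the constructed sample.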
It's technically very feasible - read RFID data from card onto your device, then present that same RFID data. That part isn't tricky
It is when the phone tech wasn't available until the following year.
Apart from the lack of a time machine, I'm sure it's a simple task.
And I'm pretty sure you need Host Card Emulation as well as NFC to be able to read/re-present secure credentials without using a hardware based secure element (SIM or phone). Post-2012 for HCE availability.
So... what was this magic phone you had in 2010 that had a feature that hadn't been invented yet?
Essentially, the banks accept there will be fraud, but if a merchant presents transactions that get flagged by customer as fraudulent in any significant number, I don't think the bank would actually pay up.
Would have been around the end of 2007 as I quit in the beginning of 2008 (refused to sell credit cards and stuff to people who couldn't afford it etc anymore). As for the phone, it was a company supplied no-name thing with various attachments for stuff, the reader was an attachment used for reading the new cards. More a small computer than a phone really. Could also read the login cards used for signing into the till/POD machines. I just used the read/write thing on it to clone his card.
[quote=zippykona ]I've just tried my life venture wallet on our contactless machine and I couldn't take any money. So that works.
Edit...our machine needs the card about 3mm away before it works. Not sure if there are super powerful machines out there.[/quote]
Hmm, reading [url= http://forum.xda-developers.com/showpost.php?p=21408035&postcount=34 ]this[/url] it appears the hack to make something with much better range is fairly simple, so I certainly wouldn't rely on lack of range for security - though of course you do then have the mentioned issue of multiple responses confusing the device.
wrecker - Member: that I'd actually take extra steps to secure against it.
Not even a RFID safe wallet?
What's the point? You then have to fanny around taking the card out of the wallet every time you want to use it, in which case you may as well just stick it in the slot.
I just use my phone now anyway, that can't be spoofed by anything.