FUTILE WORK

Contactless payments - researcher intercepts card data from a metre away

11/1/2013

by Lee Munson on October 31, 2013
Your mission, should you choose to accept it, is to intercept contactless payment data at distances of up to 90cm using a backpack, shopping trolley, and a small antenna.

Mission: Impossible?

Apparently not, according to a paper published by the Institute of Engineering and Technology on Tuesday.

University of Surrey researcher Thomas P Diakos created an inexpensive receiver, small enough to fit into a backpack, using the above items along with other off-the-shelf electronics. Using this equipment he was able to eavesdrop on cards at distances of 20 to 90 centimetres, maintaining good reception at up to 45cm, despite the fact that one of the main security features of contactless cards is a requirement not to transfer payment data in excess of 10cm from a reader.

Lead academic supervisor Dr Johann Briffa said:
"The results we found have an impact on how much we can rely on physical proximity as a security feature. The intended short range of the channel is no defence against a determined eavesdropper."

Contactless payments, utilising Near Field Communication (NFC) technology, are becoming increasingly popular in many parts of the world.

They allow consumers to make low-value purchases (up to £20 in the UK, for example) merely by holding their card near to a reader.

By eliminating the need for a PIN number to be entered, such a payment method allows for extremely quick purchases, something that those with hectic lifestyles undoubtedly appreciate.

There are, however, some security concerns about contactless payments, with 'skimming' being an obvious mode of attack.

In April a survey showed that 45% of the respondents were either totally against the introduction of NFC or, at the least, unsure about using it as a payment method.

Of those who did not want the technology to be introduced, 59% cited security concerns. Such results may have been influenced by a Channel 4 report in March which showed a standard mobile phone could be easily adapted to acquire a limited data set by simply coming into close proximity with a bank card.

Even with this small amount of data (the cardholder's name, the long card number and expiry date) a criminal could still make fraudulent purchases from some companies, though a UK Cards Association spokesman did tell Naked Security that:
"There are already additional layers of security in place to prevent the use of a card number and expiry date, such as PIN and the card security code (the three-digit number found on the back of cards), which cannot be harvested electronically. The vast majority of online retailers require the card security code, along with the cardholder's address, and all have robust security checks in place to protect both their business and their customers from fraud."

Fraud related to contactless card payments appears to be small in comparison to their non-contact counterparts though. The UK Cards Association said that at the end of 2012 the levels of fraud on contactless cards were negligible at just £13,700. This compares with non-contactless losses of £55m.

The association also highlighted how cardholders are protected should the worst happen:
"In the case of any fraud using a contactless card, consumers are protected against loss - they will not be liable for any fraudulent use."

The trade association for the card payments industry in the UK also played down the University of Surrey's findings, saying that:
"Instances of fraud on contactless cards are extremely rare. Although the sort of contactless card reader built by the University of Surrey might be able to interrogate a card, any data obtained would be limited to the card number and expiry date that can be seen on the front of the card. A fraudster would find it very difficult to make a fraudulent transaction using this information - and it certainly could not be used to make a cloned card."

Meanwhile, those at the University of Surrey are set to continue their work, saying that future experiments will look into how 'wave-and-go' cards can be cracked and how the uncovered data could be used by criminals.
http://nakedsecurity.sophos.com/2013/10/31/contactless-payments-researcher-intercepts-card-data-from-a-metre-away/

Media:

joe.2013.0087.pdf