Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: Contactless Card (in)Security  (Read 3445 times)

JGO

  • Reg Member
  • ***
  • Posts: 729
Contactless Card (in)Security
« on: October 31, 2013, 11:01:31 AM »

This reference links to the BBC story and a report of the experiment on which it is based.
It makes disturbing reading.

http://www.southgatearc.org/news/october2013/contactless_cards_data_intercepted.htm
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Contactless Card (in)Security
« Reply #1 on: October 31, 2013, 07:40:04 PM »

It always annoys me when anybody suggests there is some 'fixed distance' beyond which a radio transmission can't be received.  The signal strength simply diminishes as the distance increases, it doesn't magically become zero at some specific distance.   

That said, I'm not sure exactly what you'd gain from the data 'snooped'.   You'd probably get the card number, but that's never really been seen as security-critical, we've been reading them out loud over unencrypted phone lines for 30 years without any worries? :-\

To me, the biggest risk of these infernal devices (contactless cards) is the worry over accidental debits, when it's not the card I wanted to use.  That would make me very grumpy indeed.   The only contactless card I have is a actually a rarely-used business card, and I really don't want (eg) my take away chinese meal to show up on business accounts >:(
Logged

JGO

  • Reg Member
  • ***
  • Posts: 729
Re: Contactless Card (in)Security
« Reply #2 on: October 31, 2013, 08:01:23 PM »

"It always annoys me when anybody suggests there is some 'fixed distance' beyond which a radio transmission can't be received.  The signal strength simply diminishes as the distance increases, it doesn't magically become zero at some specific distance."

100% agree - but that is what happens when IT people, who can only understand 0s and 1s, start playing at electronics.

I wonder if we could turn it back on them ?
 If the system isn't absolutly secure then it isn't fit for purpose !!   
Logged

renluop

  • Kitizen
  • ****
  • Posts: 3326
Re: Contactless Card (in)Security
« Reply #3 on: October 31, 2013, 08:02:48 PM »

Can't think where, but I received something from my bank about the need to not use a contactless card without removing it from one's wallet to avoid debit of wrong card.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Contactless Card (in)Security
« Reply #4 on: October 31, 2013, 08:16:54 PM »

My attention span isn't up to figuring this aspect out for myself but I've often wondered....

...Could they have implemented contactless cards (at greater cost perhaps) in such a way that, instead of just relying on weak signals,  the card monitors the round-trip delay between transactions with the reader and refuses to play ball if it exceeds the propagation time equivalent to (say) 2 inches?

I honestly don't know if that would be feasible, it's an awfully short time..  speed of light over 2 inches.   But I can't help thinking there might be a way.   But that would be better, wouldn't it?   :-\
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Contactless Card (in)Security
« Reply #5 on: November 01, 2013, 12:59:53 AM »

I seem to recall there was a topic not too long ago where debits were being taken from the wrong card. :(
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

JGO

  • Reg Member
  • ***
  • Posts: 729
Re: Contactless Card (in)Security
« Reply #6 on: November 01, 2013, 08:50:23 AM »

sevenlayermuddle
You could in theory range on the card, but it means sub-nsec measurement which AFAIK is straining technique. If I was given the job I would go for ultrasonics, a million times slower, but that would mean two systems to do the job.

kitz
Yes M&S had trouble with reading the wrong cards.

What was wrong with magnetic stripes ?  two in one wallet demagnetising each other ? There was a story that security pass would do that somewhere I once worked.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Contactless Card (in)Security
« Reply #7 on: November 01, 2013, 10:51:17 AM »


 There was a story that security pass would do that somewhere I once worked.

I can believe that.   On one security pass I used to have, the magnet was so strong you could pick up paper clips and drawing pins with it.  :)
Logged

guest

  • Guest
Re: Contactless Card (in)Security
« Reply #8 on: November 11, 2013, 07:53:43 AM »

I've seen data suggesting that certain NFC implementations (*cough* Barclay/Mastercard for one) can be functional over a distance of 4 metres. Its certainly possible to read the cards over a distance of 1-2m, as a local supermarket recently had to suspend all "contactless" transactions for a firmware update on their terminals - cards were being read by adjacent terminals.

The chipset in all NFC cards is powered by a magnetic field from the terminal which induces a voltage into the induction loop on the card, so if you increase the magnetic field strength then you increase the range at which the card is "powered up". At that point then the limiting factor will be how good the (software) antenna inside the terminal is - the cards should have (by design) very poor antennas.

It doesn't seem at all unlikely to me that modified terminals will appear, as has happened thousands of times already with chip & pin terminals in the UK.

The specs say that (at least) every 5 times the "contactless" card is used then a PIN will be requested, but personally I believe that will ultimately turn out to be a critical weakness as "modified/compromised" terminals will have a good chance of storing NFC and PIN transactions from the same card. I've no doubt that the banks/CC companies will have (as always) taken the cheap route on this - the encryption used will NOT have been peer-reviewed and probably is only to US export standards (128 bits max), hence that's what will get broken.

There is something fundamentally wrong with pushing NFC out when the banks KNOW that it makes the customer more vulnerable to theft (hence the £20 limit), but the banks are only interested in pushing responsibility for fraud onto the customer. That was the whole raison d'etre of Chip & PIN - making it much more difficult for customers to get their cash back when fraud happens.

I've got a wallet that screens the various NFC/RFID/ID card frequencies (there are a few) & have instigated a "complaint" with my bank whereby I've told them I won't ever be using "contactless" and any transactions using it will be repudiated. The "complaint" is simply so that stays flagged on my account forever.

The problem with magstripes is that they are utterly trivial to read and clone onto another card. By "trivial" I mean the setup cost is well under £100. I've never had (or heard of) a magstripe demagnetising due to storing two cards together - its the same technology as audio cassettes and I don't remember any of them ever being demagnetised either when stored together :)
Logged
 

anything