I will say this is a cool project. However, the implementation of the idea in reality is even worse than NFC. While NFC is useful in many contexts, it then requires you to put a Faraday cage around your card and manually turn the NFC on or off to not get your money stolen, and even then it can be circumvented. Relaxing the distance constraints even further makes it even easier to steal money. I'd imagine a lot of the engineering would go into making it safe (having some setup such that the US sounds vary to some degree... then maybe even an authentication protocol... then... then... then...
The moment I saw the headline, I was incredulous. The actual project implementation in the article is a rather cool hack, so props to the author. I dread the day someone actually picks this up, assuming someone does actually choose to.
Cool technology, bad problem. I fully agree getting more distance is problematic. Not even in the sense of getting your data stolen, but also because it allows proactive payment. I mean, you want the customer to do an action (holding the card close to a device which shows the amount deducted) to conclusively agree to that payment. Not that the cashier presses a button and anybody too close pays for it.
This attack (and some variants of it, e.g. fooling the proximity detection or man-in-the-middle) works because the acknowledgement action that the user does is simply having the device nearby. This seems like a poor choice of acknowledgement action for something that transfers money. Payment devices should probably have a physical or soft button that you have to press to acknowledge payment.
Strong disagree. The usability hit is not worth the added security. Having a cutoff for PIN entry requirement and the card issuer taking responsibility for fraud means customers are quite safe (as long as they look at their charges).
Work could be done to make it more usable. With a phone, it could be a button you could press just by holding it. With a smart watch, it could be hooked into any kind of Bluetooth sensor. The point is that in normal society, you don't have that much control over who and what gets into proximity with you, and having a system where anything that does get into proximity can take money from you without you even acknowledging that in any way is just a bad way of doing things.
You could do something like "you need to be physically holding the card with your hand", which would complete some circuit. I can't think of many cases where that wouldn't work, except perhaps people who don't take their cards out of their wallets(?).
Getting a payment terminal is not easy; it would require ID verification and a working business bank account (acquirer), and these terminals are highly regulated. Someone doing this can get caught easily by just a couple of customers reporting the fraudulent transactions. This is a very small risk and is rarely seen.