First, this doesn't affect PayWave yet, just PayPass. But to continue:
(1) Don't put your phone in the same pocket as your card,
(2) Get either a metal or protected wallet for NFC-enabled cards,
(3) Review card usage and don't worry about it. You aren't responsible for card fraud with credit cards. The chances of this being used against you are incredibly slim. It's also less useful as an avenue to commit fraud since payment with NFC is usually limited to under $25 by merchant agreements. Besides, duplicated cards are old hat, what with programmable chips and magnetic strips already. What's neat here is the proof-of-concept demo involving phones without the need for specialized SIM cards or approved phone handsets. Not 100% sure myself, but maybe it only works because PayPass allows for stickers on your phone case to emulate a credit card?
Oh and if you go to pay for something on a website and enter your 3-digit code plus the card number, well, spyware could have your card already. So NFC as an attack vector is slower and less useful. Watch out for those custom keyboards ;-)
I'm not clear from your comment whether HCE means I could in fact use it for PayWave (rather than just PayPass), despite the title? Would it work with Opal too for instance?
I haven't tried myself (I have PayWave, and this is now on my todo list for tomorrow), but I imagine that they maybe hadn't tested it on Paywave when they wrote the title?
The standard(s) seem pretty pervasive, and I've often had PayWave work where there is only a PayPass sign...
On your last question - I'm not familiar with Opal at all. Any links/information?
One workaround (instead of buying an RF-shielded wallet) I've heard of in the past is to put two cards next to each other because it causes signal interference. I have no idea if it works (I use an iPhone) so YMMV.
Having two cards next to each other may well make the illusion of preventing the cards from working as quite a lot of readers will refuse to communicate with a card if there is more than one in range (sensible for some applications). This does not mean, however, that they are not capable of doing so - the first thing a reader does is get all the cards in range to broadcast their UID - it then uses this UID to select a card to talk to.
When I was cracking mifare cards (used as authentication in many buildings) I found that it was significantly quicker to crack several cards at the same time than to crack them individually - this is because the attack that I was using required demagnetising the card hundreds of times which takes a lot longer than any communication with the card.
I could crack a single mifare card in 5 seconds, I could crack 5 in 6 seconds (and for most applications cracking one card is all you need - all cards use the same encryption key).
It works perfectly with my cards. I can't open the office door if my PayPass is too close. My city card (basically a fancy name for a long-term bus ticket) also interferes with both of these two.
That just means your office doors aren't configured properly and don't know which card to talk to and choose to do nothing in this case. The reader could very well talk to one card (or both) without interference.
Actually some RFID card standards (Mifare for example) have card selection and anti collision built in, so it would still be possible to read the correct card without interference.
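An added example (not part of any comment in this thread): a simplified Python model of the UID anti-collision step the comments above describe, showing why stacking two cards only stops readers that choose to give up on a collision, which is why shielding rather than stacking is the dependable mitigation. The UIDs, function names and the "pick bit 1" branch choice are assumptions; real frame formats, check bytes and multi-level UIDs are left out.

```python
# Simplified model of bit-wise anticollision in the style of ISO/IEC 14443-3
# Type A. Frame formats, BCC bytes and cascade levels are omitted on purpose.
UID_BITS = 32

def bits(uid):
    return [(uid >> (UID_BITS - 1 - i)) & 1 for i in range(UID_BITS)]

def resolve_one(uids):
    """Narrow the field down to one UID; return (uid, collisions_seen)."""
    prefix, collisions = [], 0
    while len(prefix) < UID_BITS:
        pos = len(prefix)
        # Only cards whose UID starts with the known prefix keep answering.
        answering = [bits(u) for u in uids if bits(u)[:pos] == prefix]
        seen = {b[pos] for b in answering}
        if len(seen) > 1:          # two cards sent different bits: collision
            collisions += 1
            prefix.append(1)       # reader picks one branch and carries on
        else:
            prefix.append(seen.pop())
    return int("".join(map(str, prefix)), 2), collisions

def enumerate_field(uids):
    """Reader that selects a card, halts it, and repeats for the rest."""
    remaining, found = set(uids), []
    while remaining:
        uid, _ = resolve_one(remaining)
        found.append(uid)
        remaining.discard(uid)     # models halting the selected card
    return found

def strict_reader(uids):
    """Reader policy that gives up if it ever sees a collision."""
    if not uids:
        return None
    uid, collisions = resolve_one(uids)
    return uid if collisions == 0 else None

# Constructed sample UIDs, e.g. a door badge, a transit card, a payment card.
FIELD = [0x04A1B2C3, 0x04A1B2D7, 0x9F001122]

if __name__ == "__main__":
    print("strict reader:", strict_reader(FIELD))
    print("enumerating reader:", [hex(u) for u in enumerate_field(FIELD)])
```

The strict policy matches the office door that does nothing when two cards are presented; the enumerating policy recovers every UID from the same field.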
I use XPrivacy. I realise that's out of reach for most users but it's been very very useful for me to allow/deny use of NFC/GPS/connectivity. (Yes I know about the new bypass trick)
This is irrelevant to cloning NFC-enabled cards. Neither Google Wallet nor ISIS broadcasts payment card NFC data when your phone is locked (or even when it's unlocked--usually you need to enter the app and then enter your PIN first).
What you really should be getting is an RF-shielded wallet for NFC-enabled cards. Your phone doesn't need anything shielding it, and most phones have sane permission models around how you permit apps to use your GPS.
> What you really should be getting is an RF-shielded wallet for NFC-enabled cards.
And when you do, go with something that shields everything in the wallet. (I bought ID Stronghold wallets for myself and the family.)
Here in London it should be possible to market these wallets with an extra twist. Oyster cards are used everywhere, and for the last 4-5 months I've noticed a constant stream of announcements - "Please keep your oyster and contactless payment cards separate to prevent card clash." An enterprising individual with import and retail experience could tap into this market by selling wallets with one outside - unshielded - pocket for the Oyster card, and everything else inside fully shielded.
People in general don't care about privacy or security, but they do care about convenience. So, by way of introducing a convenient way to prevent card clash, they would also get automatic protection against these drive-by NFC payment card attacks.
My experience is that a fully-shielded wallet isn't so bad.
I just got back to the US from a month in Europe. The entire time, I was carrying passport, credit cards, transit-system cards, hotel key cards, etc. in a fully shielded wallet. It wasn't a problem at all to have to pull out the transit card when necessary in order to get on/off a tram or bus, or enter/leave a station (hotel key card has to come out anyway, since often you have to put it in the slot by the door to turn on the room's lights). And the peace of mind is worth it.
(my only actual complaint about the wallet is that I bought it because it had an internal zippered pouch for coins, something that's much more useful for EUR than for USD, but the zipper broke after less than a week)
But I'm not actually concerned about my credit card number getting stolen or being tracked by ne'er do wells with NFC readers. There are much easier ways to steal my credit card or track me. I just want to get through the turnstile without looking like a tourist.
I haven't tested it, but it's better than nothing, right? And much cheaper. I've a few cards, so I bought two (different colors). For those also in Toronto, you can pick them up at the Umbra showroom off Queen and John. For everyone else, there's Amazon, local stores...
That said, when I looked at this project, I saw it as something I wanted -- not for fraud, for personal convenience. I'm sick of carrying so many cards. I was like, crap, I only have Visa in my wallet, I wonder how hard it'd be to add PayWave support? Right now my hopes lie in rumoured iPhone 6 support of NFC which might in turn encourage global adoption of phones for payment ... and perhaps with one-time credit card numbers, right? One can dream...
SilentPocket-style cases also block wifi/3G/4G, it's much better privacy than simply blocking RFID/NFC. Preventing pervasive monitoring of cell phones is their target.
The transmission power of your phone is adjusted based on how well your phone can talk to the cell tower. The harder you make it for the phone, the harder it tries. That translates into a sizzling hot phone in your pocket that has a battery life of one hour.
> Preventing pervasive monitoring of cell phones is their target.
It doesn't matter what they think their target is. They're making the devices not cell phones anymore. Maybe you want to be unreachable, but I highly doubt you want everyone you call/text to also be unreachable.
It is 100% the point of a smartphone that its RF antennae work. If you're thinking of putting your smartphone in a Faraday cage whenever you're out in public, don't own one. Stick with the landline. It's cheaper anyway.
I guess you could argue that you still want to make outgoing calls and texts, but if people in general used these devices, there would be no point in making outgoing calls or texts because people would never receive them (except at home, where you have landlines and email anyway.)
If you're just worried about your cards, and given the time needed for the attack (as well as unfettered access to the card in that time), I'd imagine the only scenario where it would work currently, is if you leave your wallet out. In this case, even a shielded wallet wouldn't help?
Having said that - how well would just lining your wallet with tinfoil work? (inb4 tinfoil hat jokes)
That could work, but is cumbersome (there's a post about convenience here somewhere). Most wallets that look like a billfold, should be easy enough to modify with a piece of tinfoil in the bill section, which encloses most of the wallet when it's closed. I think some testing of this might be in order...
Works for me too - Nexus 5, MasterCard PayPass. The app in its current form isn't dangerous, it takes ~2 minutes to read the card and if the screen goes off or the reader loses contact you have to start again.
I wrote essentially the same proof of concept app two years ago after seeing that report pretty much just by reading the specs. From reading the paper mentioned on GitHub, the only real difference to what I wrote is that I didn't check for the CVC3 information (which I think is generally not included, or doesn't correspond to the actual security code on the back of the card).
But in any case, just the card number and expiry number are enough — as mentioned in the Channel 4 report — to make purchases from a lot of places.
If CVC3 is anything like CVV and CVV2, it's probably intentionally different than what's on the back of the card.
Mag-stripe VISA cards have a three-digit code embedded in the stripe (this is the CVV), and a different three-digit code on the back of the card (the CVV2). Different brands of cards use the same model, but they don't always call them CVV/CVV2, and the number of digits may be different.
The numbers are different so that use of the card in a magnetic reader can be differentiated from someone typing it in.
Doesn't this make it an impractical attack in most situations? I've never thought that buying RF shielding cases is of much use for 99% of situations, and this seems to support that theory.
Or should I rush out tomorrow and get one? (Australia, so yep, all of them are paywave, whether you want them or not).
Though as I understand from the source this also acts as an emulator, so if you scan your phone it may replay those card details, worth keeping in mind.
I'd love this. My bank wants me to pay $2.99 for a sticker to go on the back of my phone (to do contactless purchases) while supporting Galaxy S* phones natively...
Sounds to me like his bank is the Commonwealth Bank of Australia(1), so Google Wallet is a non-starter. Coin is interesting, but the payments landscape in .au is rapidly moving away from card swipes to Paywave/Paypass. I've seen quite a few places that offer Cash or Tap, no swipe (I presume because of the fee structure).
Commonwealth Bank charge $2.99 a year regardless of what you want to do. To use their Android app, they also bill you that to have the functionality turned on.
The annual fee is not applicable in case of the PayTag (https://www.commbank.com.au/personal/can/can-tap.html). Also, can you refer me to the doc that mentions the extra cost of using the Android app for that purpose?
I just tried this. Card: NAB Visa (payWave). Handset: Nexus 5. Merchant: 7-11.
The app read the card correctly and gave the card number and expiry. When I tried to use it in store the eftpos terminal returned roughly:
Err 226 contactless card not allowed. The terminal fell back to swipe/insert mode and the merchant told me 'contactless not allowed'. Inserted the (same) card and paid successfully.
I was disappointed because for me, being able to carry just my phone for day to day would be awesome, and NAB has no phone solution yet.