Thursday, 27 August 2015

Disabling contactless cards - paranoia or reason?

My bank sent me one of these cards, which in my opinion is about as safe as walking around with an infinite number of £20’s in your pocket to be taken by everyone walking past. So I thought I’d look into the security.

The flaw is fairly simple: they say the cards can only be read close up. However if you get a more sensitive receiver or jack up power of a transmitter, this increases the range. The TJX hack occurred from outside the shop. The card terminals were thought safe because the base unit could only pick them up within three feet or so. The hackers used a parabolic microphone hooked to a laptop that could listen in from much further away. (http://www.wsj.com/articles/SB117824446226991797)

Likewise there was an entire symposium on the ways to hack bluetooth pacemakers, which were suppose to be safe due to short range. (Read Here: http://science.slashdot.org/story/08/03/12/1232206/hacking-a-pacemaker)

Range, as has been shown repeatedly, is not a protection:
Backpack picks up all cards within 45cm: http://www.bbc.co.uk/news/technology-24743920
M&S debits cards far further away: http://www.bbc.co.uk/news/business-22545804
Fact: Detection and reporting rates for fraud are low. £2.1 Billion is estimated as undetected (http://www.almr.org.uk/undetected-fraud-growing-burden-business/).

So here’s a security test case: Case a) Direct fraud.
They have set up a card account under false details: Mike’s News and Coffee.
Each card that comes into range is debited for between 1.49 and 3.99: the price of newspaper, coffee, or snack.
How much will they make, and how many of these people will notice it on their statement?

21,000 cards x (2.74 – 1.25 (average card charges)) = £31,290 for 1 hour’s work.
Note that the bank makes £26,560 from transaction charges. They are unlikely to believe that a coffee is a fraud even if it is reported.

Case b) A TJX clone.

They simply copy the data down and walk away.
Then they can clone the cards and use to buy gift cards. They then use the gift cards to launder their takings.
How many cards will they get data from, and how much can they make before the fraud is noticed?

Now the loss to TJX itself was around £10.9 per card (http://www.zdnet.com/article/the-tjx-data-breach-why-loss-estimates-are-overblown/). Assume the same rate, and you get £228,900.

The loss to cardholders and retailers was greater. The data was passed to an $8 Million crime ring (http://www.computerworld.com/article/2544011/security0/stolen-tjx-data-used-in-florida-crime-spree.html), this one of $75 Million (http://www.informationweek.com/secret-service-busts-four-fraudsters-with-ties-to-tj-maxx-attack/d/d-id/1057036?) and worldwide. One user found a £45,000 bill, which was thankfully reversed. (http://www.wsj.com/articles/SB117824446226991797) The total loss to card holders is unknown, due to the amount of undetected fraud.

So no, I don’t think contactless cards are safe, as they make this sort of thing far too easy. A card is now vulnerable just because it exists, not only when it is used.

I wasn’t particularly happy to find out my bank no longer issue non-contactless, nor that my bank telling me last year that contactless must be enabled turned out to be rubbish. I found that out when it was debited from six feet away, making me really not happy.

I should tell you my personal experiences with my first tests.
1) Contactless cards could be read by a supermarket reader from six feet (tested in Waitrose as their card readers are easier for customers to move).
2) Contactless cards could be read by London transport readers. I have a travel pass not an oyster, and yet a contactless card in my pocket got billed for walking past the reader.
And the range one is definitely over 4 to 5 cm.
I ended up talking to a drone (most customer service staff are good: he wasn’t.) who kept telling me these things were safe and I was technophobic, and yet didn’t know any of the IT security cases I brought up.

So I’ve paid off the card. Before I close the account, I intend to do some experimentation on how easy it is to disable it.

So to conclude, in my opinion, not wanting to walk around wirelessly broadcasting your card details is not paranoid.


This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Disabling contactless cards - paranoia or reason? - http://rablogs.co.uk/tirial/2015/08/27/disabling-contactless-cards-paranoia-or-reason/ was published on August 27, 2015 at 11:00 am.

No comments: