Who wants to be a millionaire? Not so fast, Visa tells wannabe pay-by-bonk thieves

Visa Europe has downplayed a new attack that could steal hundreds of thousands in foreign currency over the air from contactless credit cards. The electronic robbery was devised by researchers at Newcastle University in the UK, but the banking giant claims the techniques used aren't feasible in the real world. The researchers …

  1. Enrico Vanni

    Who'd-a-thunk it? Contactless cards being read 'contactlessly' pose a security risk? The attack vector is obvious.

    Exactly why I immediately sent my contactless debit card back and demanded a standard one.

    1. Anonymous Coward

      They are very handy though. They should have put a small button or similar on it to activate though.

      No need to send your card back. You can disable the chip by putting a small nail through it.

      1. DaLo

        Unless you have amazing knowledge, aim and a *very* small nail, you are also going to disable the standard chip functionality at the same time?

        You could cut the antennae with a scalpel though.

        1. chr0m4t1c

          Or just keep it inside one of the readily available card carriers that block the reader when you're not using it.

          Search for "RFID blocking" on eBay and there are lots of options from complete card wallets to things that you can put in your existing card carrier.

          In reality, "New security measure" != "100% effective" does not mean that "Old security measure" > "New security measure".

          Seatbelts don't prevent all injuries, but for real world examples they are generally better than no seatbelt.

          1. John Brown (no body) Silver badge

            "Or just keep it inside one of the readily available card carriers that block the reader when you're not using it."

            ...which defeats the object of the system, i.e. quick and convenient. Now it's about as convenient as getting cash out in the first place.

            The best option IMO is to simply ask your card issuer to disable NFC payments. Co-Op bank will certainly do it.

  2. cantankerous swineherd

    the old "only possible in a lab" routine.

    seems to me the best attack is to get one of these doofer dangles and start doing the rush hour on the tube. plenty of scope for unobtrusively rubbing up to people's wallets at £19.99 a pop. nice work if you can get it.

  3. Zola

    Same old response

    Banks and payment processors are once again in denial - they said the same about Chip & Pin even though the flaws are being actively exploited by criminals.

    Visa are focusing on the headline 999,999.99 figure in this case and saying their systems will spot it which spectacularly misses the point as criminals are hardly likely to be so stupid as to go for the jackpot each time when they can take hundreds or maybe thousands at a time without risking detection.

    I suppose the next step is a live, public demonstration. Keep up the good work, Newcastle!

    1. VinceH

      Re: Same old response

      "Banks and payment processors are once again in denial - they said the same about Chip & Pin even though the flaws are being actively exploited by criminals."

      Yeah - but there is a benefit with fraud committed with contactless payments: With Chip & PIN, the card issuers could try to argue that the punter was the weak link, and somehow allowed his or her PIN to be known to others - but with contactless payments, they don't have anything to try to hide behind.

      1. nevstah

        Re: Same old response

        but what will stop the banks from saying 'it's your fault, you should have kept your card in a secure wallet that prevents NFC transmission'?

        1. DaLo

          Re: Same old response

          They would have to state that clearly with every card sent out and probably provide the secure wallet or shield as well.

          1. g e

            Re: Same old response

            Which would then be acknowledging a vulnerability in the system

          2. waldo kitty

            Re: Same old response

            They would have to state that clearly with every card sent out and probably provide the secure wallet or shield as well.

            which means that they should provide such protection at no charge when they send the cards out... if they go the cheap way, then a new one with each card... but that's going to be more costly in the long run as it is with everything else cheap...

            eg: i'd rather pay $120 for a pair of boots that last 2 or 3 years than $10 a month for a new pair of cheap boots... once you pass 12 months, you're spending more... sadly way too many folks can't fathom that...

  4. Christoph

    Visa's reassuring response would be a lot more reassuring if the banks didn't do it every single time a security flaw is reported, until they are eventually forced to admit that there really is a problem.

    They have been known to have their customers jailed for fraud rather than admit they have a problem.

  5. Anonymous Coward

    Snake oil

    "Visa Europe told The Register it spends €100m (£78m) a year on security"

    So? Without a context on comparable costs etc etc etc this is just the usual meaningless PR drivel. Is the money effectively spent on preventing fraud that affects users? Or is it hoovered up with regulatory box ticking exercises and extensive research into loopholes allowing Visa to push liability back to the user more often?

    Personally I have more faith in parliament's ability to write good law (ha!) than in card companies' security prowess.

  6. Velv
    Pirate

    "We spent £78m on security so we're safe" said some mouthpiece who clearly knows nothing about Security.

    It's not what you spend that counts, it's what you implement. Some of the most secure systems on the planet are dirt cheap, just not particularly convenient to use. And therein lies the rub. Contactless is about convenience at the expense of some of the security controls.

    1. Patrick Moody

      "Contactless is about convenience at the expense of some of the security controls." but it's only convenient when you only have one (including Oyster cards for London Transport). As soon as there's more than one in your wallet, it becomes just as inconvenient as chip and PIN, as you still have to remove the card from the wallet to make sure you're using the right one.

      At that point the only remaining advantage is not having to key in the PIN number - something that could easily have been done via the existing chip-and-PIN system, simply modifying it not to require a PIN for purchases less than £20. Modifying the chip-and-PIN system this way wouldn't have introduced the security vulnerabilities of contactless, or the inconvenience of card-clash with Oyster.

  7. Steve Graham

    La-la-la, I Can't Hear You

    "We are confident that our contactless system remains a safe, convenient way to pay."

    == "We are not going to bother to fix this vulnerability."

  8. Paul Kinsler

    pay by bonk?

    but with the right sort of embedded vibration sensor, they could have made it a pay-by-tap card,

    where the transaction would have to be done within a short (enough) time after the tap ... and where the tap would have to be within some suitable parameter range as well.

  9. Anonymous Coward

    Am I Missing Something?

    Surely any criminal would need a bank account to receive all these fraudulent payments. That bank account would be part of the sign-up process to receive contactless payments (like receiving CC payments). OK, a criminal might be able to skim a few hundred pounds before all the complaints came in, but that's it.

  10. BristolBachelor Gold badge

    Smaller payments better

    There was a case in the US of a gang stealing 20¢ or similar at a time. It was ages before anyone bothered complaining and they investigated. By then, they had netted millions.

    1. Bloakey1

      Re: Smaller payments better

      Back in the day we called that a salami fraud. Small slices at a time often taken from SWIFT payments and the like, also small amounts that were floating around from rounding up and down.

      Personally I would not miss 20 quid here or there.

  11. artbristol

    Tinfoil wallet

    That's why I have one of these

    http://www.zippo.com/product.aspx?id=1025738

  12. Anonymous Coward

    .005%?

    5p on every £100 lost to fraud?

    I'll take that thanks.

  13. Anonymous Coward

    Tinfoil stock options!!!

    I will keep under my tinfoil hat!

  14. Anonymous Coward

    This is my industry, so pardon me if I remain AC.

    There are so many holes in this I don't know where to start. So maybe I'll address the most glaring ones.

    This "new attack" or "vulnerability" is not new at all, and maybe it's a weakness at most. But have any of you bedroom geniuses paused to think how it can be rectified?

    The fact is it can't. As the article points out, the whole point of contactless is to operate, as best can be achieved, independently. In order to calculate the foreign currency equivalent of £20 the chip on the card would need a foreign exchange system on-board AND constant access to the continually-changing values of the exchange rates. Which ain't gonna happen.

    When we engage with a bank on a project to issue contactless cards, we discuss this with them. The bank not only has to design the pretty pattern on the plastic, it ALSO has to design the way it wants the chip to "function"; this is called a profile (which must be certified by Visa/Mastercard), and JUST ONE of the parameters in this profile is what to do with these foreign currency transactions. They can choose not to allow them at all. Or they can limit them to a certain number a day, but what they cannot do is limit them to an amount, say 30. Because as the article quite rightly points out, 30 Euros may be acceptable but you won't get much for 30 Zim Dollars.

    This is a decision for the bank's risk department - and you may be surprised to hear that banks actually quite like the idea of prioritising customer convenience and so they will often decide to allow some foreign currency transactions, because the benefit of this to the cardholder outweighs the risk involved.

    Now did you all notice something? When the Newcastle students did all these transactions, they didn't mention their pockets filling up with money, did they? No, because these all have to be "offline" transactions and "We have not yet tested the back end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud".

    Well, maybe they should have tested that before getting all excited with this bollocks. Because programming "a handheld gadget to act as a pay-by-wave shopping till" is one thing, but setting it up as belonging to a live merchant, who then has to get those transactions through an acquiring bank (who run checks) and then through Visa or MasterCard (who run checks) and then through the card-issuing banks (who run checks) is another thing entirely.

    And there's the point, because now the issue is not whether these are big foreign-currency transactions, or smaller sterling transactions, the point is how you get the money out of the cardholder's accounts and into your filthy swindling hands. (Let's face it, it doesn't matter if you're spending an hour at the airport "pinching" foreign currency transactions or 20 minutes walking up and down Oxford Street around Xmas stealing sterling - you've still got nothing unless you can get the harvested transactions cleared by the issuer).

    And even if this DID actually happen - and cardholders notice money gone missing - the chargeback liabilities will not be with the cardholder, or the Network - they will be at the merchant or the acquiring bank - because that's where the security breakdown actually happens. (How did the swindler manage to set themselves up as a valid merchant?)

    I could go on, but I have work to do. In summary - there's nothing to see here. Students should spend more time studying and less time playing with toys.
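The profile decision described in the comment above (refuse foreign currency offline, or allow it with a count-per-day cap, but never an amount cap, because the card has no exchange rates), as an added toy model: this is not code from the article, the commenter, or any real EMV implementation. The GBP 20 floor limit and the 999,999.99 figure come from the thread; the profile fields, the `CardProfile` class and the helper functions are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

# ISO 4217 numeric currency codes, the form a card sees in the terminal's transaction data.
GBP, EUR = "826", "978"


@dataclass
class CardProfile:
    """Hypothetical model of an issuer 'profile': the rules a card applies when deciding offline."""
    domestic_currency: str
    offline_limit: Decimal                      # floor limit in the domestic currency
    allow_foreign: bool                         # may foreign-currency payments be approved offline?
    max_foreign_per_day: Optional[int] = None   # the only cap available for foreign currency: a count
    foreign_count_today: int = 0

    def approve_offline(self, amount: str, currency: str) -> Tuple[bool, str]:
        """Decide a contactless payment on the card alone; amount is a decimal string like '19.99'."""
        amt = Decimal(amount)
        if currency == self.domestic_currency:
            if amt > self.offline_limit:
                return False, "over domestic floor limit: go online / require PIN"
            return True, "offline approved (domestic, amount checked)"
        # Foreign currency: the card carries no exchange rates, so the amount cannot be judged here.
        if not self.allow_foreign:
            return False, "foreign currency refused offline"
        if self.max_foreign_per_day is not None and self.foreign_count_today >= self.max_foreign_per_day:
            return False, "daily foreign-currency count exhausted"
        self.foreign_count_today += 1
        return True, "offline approved (foreign, amount NOT checked)"


def issuer_profile(allow_foreign: bool, max_foreign_per_day: Optional[int] = None) -> CardProfile:
    """Constructed UK-style profile with the GBP 20 floor limit quoted in the thread."""
    return CardProfile(GBP, Decimal("20.00"), allow_foreign, max_foreign_per_day)


def compare_profiles(amount: str, currency: str) -> dict:
    """Run one transaction against a permissive and a restrictive profile; returns approval flags."""
    return {name: issuer_profile(allow).approve_offline(amount, currency)[0]
            for name, allow in (("permissive", True), ("restrictive", False))}


if __name__ == "__main__":
    big = "999999.99"                      # the headline figure from the article
    print(compare_profiles(big, EUR))      # permissive approves offline, restrictive refuses
    print(compare_profiles(big, GBP))      # both refuse: over the GBP 20 floor limit
```

The count cap bounds how many foreign-currency approvals a card gives per day, not how much each is worth; only the issuer's back-end checks, which the commenter says the researchers did not test, can judge the amount.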

    1. Looper
      FAIL

      What a crock of...

      What is your industry? Contactless tech manager? Sales? Marketing? One thing is certain, it's not security if you think that being AC hides your identity.

      As for the rest of your 50 lines of verbiage, every "issue" was addressed in the article, which you obviously did not read.

  15. Roadcrew

    'Tinfoil' is good, in some cases.

    Re-lining my card wallet with aluminium cooking foil does inhibit certain RF links. Worth a try, anyway.

    Of course, my wallet has a Palm E2 in it as well, which probably helps.
