[LINK] RFI: PayWave/PayPass Contactless Chip Cards

Alex (Maxious) Sadleir maxious at gmail.com
Wed Apr 11 17:31:33 AEST 2012


On Wed, Apr 11, 2012 at 4:35 PM, Alex (Maxious) Sadleir
<maxious at gmail.com> wrote:
> On Wed, Apr 11, 2012 at 4:20 PM, Stephen Wilson <swilson at lockstep.com.au> wrote:
>> On 11/04/2012 3:33 PM, Roger Clarke wrote:
>>>  2. The contactless chip that
>>>  supports Visa PayWave and MasterCard PayPass is embedded in the card
>>>  (along with the induction coil), and can't be seen.
>>
>> Actually no, it's all in the one chip now.  A single "dual interface"
>> chip talks to the outside world through either the gold plated contacts
>> you see on the surface, or an antenna buried in the plastic.  Scratching
>> off the contacts need not affect the wireless channel.  Very
>> sophisticated smartcards can detect damage to the contacts or other
>> elements of the electronics and respond by self-destructing, but banks
>> don't invest in that level of security.
>
> Barclays (and just Barclays it should be emphasised - this is not best
> practice by any standard) didn't even invest in encryption or
> obfuscating the card holder's name
> http://www.channel4.com/news/millions-of-barclays-card-users-exposed-to-fraud
> (March 2012!)
>
> Interestingly Channel 4 decided to end their investigation by
> (successfully they claim) using only the transmitted details to order
> items on Amazon.

And a little closer to home, ANZ seems to have mucked up PayPass
student ID cards. "Sydney University has locked down the prepaid
function on the debit cards it issues to students as student IDs,
after detecting a number of unauthorised transactions."
http://www.zdnet.com.au/sydney-uni-locks-down-prepaid-cards-339335729.htm

Quite good when you are both the card issuer and the victim of the
fraud caused by those cards. "It has also temporarily barred the card
from use in the university's libraries for printing and photocopying."



