[LINK] contactless credit cards

[Alex (Maxious) Sadleir]

On Tue, Nov 9, 2010 at 3:51 PM,  <stephen at melbpc.org.au> wrote:
> McDonalds contactless card rollout to lower skimming risk
>
> By Liz Tay on Nov 9, 2010 http://www.itnews.com.au/News
>

>
> The spokesman expected Visa payWave cards to be an "unattractive target
> for criminals" as only smaller transactions would be processed via
> contactless technology.
The transaction limit is a good move but "payWave" transactions
probably are the least of consumer's problems.
>
> Visa payWave cards also would be less susceptible to counterfeit card
> fraud, the spokesman said, because the EMV chip technology was "virtually
> impossible to duplicate" and the card would not need to be passed to
> sales staff during contactless transactions.
Virtually impossible without opening your webbrowser to eBay to
purchase an off-the-shelf 13.56MHz RFID reader. As I think was
mentioned on this list in January, a 2007 paper found plain text
credit card numbers on the RFID transmissions amongst other issues:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.9970&rep=rep1&type=pdf

 "Using samples from a variety of RFID-enabled credit cards, our study
observes that (1) the cardholder’s name and often credit card number
and expiration are leaked in plaintext to unauthenticated readers, (2)
our homemade device costing around $150 effectively clones one type of
skimmed cards thus providing a proof-of-concept implementation for the
RF replay attack, (3) information revealed by the RFID transmission
cross contaminates the security of RFID and non-RFID payment contexts,
and (4) RFID-enabled credit cards are susceptible in various degrees
to a range of other traditional RFID attacks such as skimming and
relaying."

Security may have improved since then but it doesn't send a good
signal (pun intentional) that so many things were not considered from
the start. I do sense that the article means using fake cards to
fraudulently purchase fast food from McDonalds over payWave, which is
surely easier to keep secure as new threats emerge, rather than cases
of criminals stealing money from card holders. The 2007 exploits would
have been applied by criminals through the existing credit card fraud
methodology.

>
> And it would be "very difficult" for criminals to make unauthorised
> transactions because readers were registered to approved merchants so any
> fraudulent claims would have to be routed through the merchant's
> financial institution.
Are all the reading devices (not just the ones Australian Banks are
rolling out) locked as well as the RFID cards were? Studies on the
older contact-smartcard terminals found numerous exploits despite the
best efforts of manufactures to make them tamper-proof:
http://www.cl.cam.ac.uk/research/security/banking/ped/

And I don't see why crooks would need the specific machines that the
banks provide when they could order less secure or even nefarious
devices from overseas (just as they do for ATM skimmers).. unless they
wanted to send money to a specific big-name merchant.