[LINK] RFI: PayWave/PayPass Contactless Chip Cards
Alex (Maxious) Sadleir
maxious at gmail.com
Wed Apr 11 16:35:00 AEST 2012
On Wed, Apr 11, 2012 at 4:20 PM, Stephen Wilson <swilson at lockstep.com.au> wrote:
> On 11/04/2012 3:33 PM, Roger Clarke wrote:
>> 2. The contactless chip that
>> supports Visa PayWave and MasterCard PayPass is embedded in the card
>> (along with the induction coil), and can't be seen.
>
> Actually no, it's all in the one chip now. A single "dual interface"
> chip talks to the outside world through either the gold plated contacts
> you see on the surface, or an antenna buried in the plastic. Scratching
> off the contacts need not affect the wireless channel. Very
> sophisticated smartcards can detect damage to the contacts or other
> elements of the electronics and respond by self-destructing, but banks
> don't invest in that level of security.

Barclays (and just Barclays it should be emphasised - this is not best
practice by any standard) didn't even invest in encryption or
obfuscating the card holder's name
http://www.channel4.com/news/millions-of-barclays-card-users-exposed-to-fraud
(March 2012!)

Interestingly Channel 4 decided to end their investigation by
(successfully they claim) using only the transmitted details to order
items on Amazon.