- This topic has 93 replies, 47 voices, and was last updated 8 years ago by aracer.
-
RFID skimming. Something to worry about?
-
brooessFree Member
Having worked in the payments industry I don’t remember ever seeing any data which suggested increased rates of fraud on contactless above the rate on chip and PIN… but plenty of media scaremongering playing to people’s unfounded fears of new tech.
3 things to remember:
1. The limit is there specifically to cap the fraud risk and to not make it worth criminals efforts
2. Even if you are defrauded, tell your bank and you should get it refunded (I’m not 100% sure on this, but ask your bank if you’re concerned
3. If crims want your cash then they’ll be finding more efficient ways of going after it than in £30 chunks! e.g. online banking or ecommerce fraud…If I were you, I’d be more worried about the potential threat of removing cash completely out of circulation if and when we go to negative interest rates. EU has already begun this process by removing 500 Euro notes…
Negative interest rates incentivises us to remove all our funds from the banks and use cash instead, so banning cash becomes essential to stop runs on the banks and another total collapse…retro83Free Memberbrooess – Member
1. The limit is there specifically to cap the fraud risk and to not make it worth criminals efforts
I think that if you go round for a while on a busy Circle line train, you could gather enough at £30 a pop to make it worthwhile. Busy enough that it’d be easy to hide/use the device as well.
zippykonaFull MemberBrooess, maybe you can answer me a question?
If as a retailer a contactless card is fraudulently used and the card owner notifies the bank does the retailer still get paid?
The credit card companies are really pushing contactless by offering lower transaction fees , I’m just wondering how it benefits the card company.simon_gFull MemberBut RFID skimming is a thing though isn’t it? Or is it?
Reading the RFID stuff from a card is easy. Doing nefarious things with it is hard.
maccruiskeenFull Memberit used to be the case that when you received a new card from the bank you had to call and confirm (via a pin) that you’d received it and were the legitimate owner of if before you could use it
never, ever had to do that.Maybe just my bank then (coop / smile)
allthegearFree MemberGiven coop just managed to send me a new card in the wrongly spelled name, I wouldn’t use them as a bastion of security… :-/
mogrimFull MemberIf I were you, I’d be more worried about the potential threat of removing cash completely out of circulation if and when we go to negative interest rates. EU has already begun this process by removing 500 Euro notes…
Apparently they haven’t yet, but are considering it. Not particularly surprised, it’s widely known/suspected round here in Spain that the only people with 500€ notes are corrupt business(wo)men/politicians.
plyphonFree MemberI think it’s best put this way –
If was actually was that easy to just do a lap on the tube and skim £££ in £30 chunks from peoples contactless cards, it would of been done, exposed, and fixed by now. If it was that easy, they’d all be at it.
brooessFree MemberBrooess, maybe you can answer me a question?
If as a retailer a contactless card is fraudulently used and the card owner notifies the bank does the retailer still get paid?
The credit card companies are really pushing contactless by offering lower transaction fees , I’m just wondering how it benefits the card company.I don’t see why the retailer wouldn’t get their cash but I don’t know the rules for sure – check with your Acquirer. I suspect they would have to reimburse the retailer otherwise there’d be limited takeup of contactless.
Contactless benefits the issuing bank because it means consumers will use card instead of cash – they don’t get revenue from a cash transaction, and neither do the acquiring bank.
brooessFree MemberIf was actually was that easy to just do a lap on the tube and skim £££ in £30 chunks from peoples contactless cards, it would of been done, exposed, and fixed by now. If it was that easy, they’d all be at it.
Correct. There are literally millions more contactless transactions per day on TFL than there were just two years ago after cash was banned on the busses, and the big push to contactless by TFL last year. We would quite definitely know if there’d been a big rise in fraud as a result
MrSalmonFree MemberI wouldn’t be surprised if there’s some clever way you could get done/cloned/skimmed or whatever through contactless, and that real people might have lost actual money. But for me it’s a long way from being enough of a concern that I’d actually take extra steps to secure against it.
wreckerFree Memberthat I’d actually take extra steps to secure against it.
Not even a RFID safe wallet?
MrSalmonFree MemberNot even a RFID safe wallet?
I don’t even have a non-RFID safe wallet, so that kind of investment is far too much for me 😉
TurnerGuyFree MemberWe would quite definitely know if there’d been a big rise in fraud as a result
unless it was masked by the massive increase in contactless activity. There may have been a big increase in the amount of fraud, but its percentage of all contactless activity would be shrinking.
milky1980Free MemberI used to work for barclays at the time they introduced this tech to their cards. At the launch have meeting I told the presentation guy it was too easy to clone the card and spend money without you knowing. He said it was secure so I asked him for u is card and cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal. He went rather white and made a phone call. They still launched the cards.
I won’t have a contact less card for this reason.
TurnerGuyFree MemberHe went rather white and made a phone call. They still launched the cards.
was that the reason you used to work for Barclays ?
one_happy_hippyFree MemberWhen I lived in Australia they had contactless a few years before it was common over here and and before PIN codes were mandatory.
I had over AU$6000 dollars stolen from a bank account and the bank reckoned it was from an RFID skim / clone of my card from the contactless that was then used to systematically empty the account.
CougarFull Membercloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal
You used a new technology to clone another new technology during its presentation? You’ll forgive me if I’m sceptical.
Assuming you did do that, I’d be very interested to know if you still could.
CougarFull Memberthe bank reckoned it was from an RFID skim / clone of my card from the contactless
By “the bank reckoned,” do you mean that some random person working at the bank guessed? Even if that scenario is exactly what happened, I’m at a loss as to how the bank could possibly ascertain that beyond speculation.
grumFree Membermilky1980 are your hands registered with the government as lethal weapons? Just wondering…
nealgloverFree MemberYou used a new technology to clone another new technology during its presentation? You’ll forgive me if I’m sceptical.
I was thinking exactly the same thing.
How did you clone the three digit code off the back of the card onto your phone ?
footflapsFull MemberIt’s hardly a very scalable crime as you need an account linked to a card payment machine from a bank, which makes the perpetrator easily traceable.
brooessFree MemberI used to work for barclays at the time they introduced this tech to their cards. At the launch have meeting I told the presentation guy it was too easy to clone the card and spend money without you knowing. He said it was secure so I asked him for u is card and cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal. He went rather white and made a phone call. They still launched the cards.
I won’t have a contact less card for this reason.
Would you mind telling us what year this was? We can easily check when Barclays launched contactless. And also, maybe you could tell us what phone it was and we can do a little research to see if NFC was available on that handset model at that time…
There have been a lot of media scare stories about contactless over the years, but funnily enough there’s been very few anecdotes or data since the massive increase in transactions seen from 2014 onwards which sugggests any increase in rates of fraud… with a massive increase in use, you’d expect a commensurate increase in fraud, if fraud was in fact an issue…
nealgloverFree MemberBarclays launched contactless cards in March 2009.
Fist android phone with NFC launched in 2010 🙂
TurnerGuyFree MemberNext you’ll be telling me that Barclays PingIt doesn’t have any flaws…
brooessFree MemberNext you’ll be telling me that Barclays PingIt doesn’t have any flaws…
Next you’ll be telling us that cash is 100% safe from criminals 🙂
The point is that there’s no evidence so far that Contactless fraud rates are significantly higher than Chip and PIN, not that it’s flawless… Of course there’s a risk, that’s why the £30 limit was set. But the calculation was that the extra gain for the banks in revenues from additional card transactions which were previously made with cash would be greater than the costs of any fraud…
daniel_owen_ukFree MemberSimple solution to this problem, carry more than one contactless card. Tried a few times to pay with my wallet without removing a card, simply doesn’t work. So unless they take out my wallet, extract a card, and then skim it; it’s not going to happen (and I think I that point I might notice).
GrahamSFull MemberI dont have contactless payment
The luddite fix is foolproofLatest issues of my debit and credit cards have all been contactless without me requesting it.
So you may be getting one anyway.As I understand it RFID scanning and cloning is pretty trivial. What milky describes sounds technically feasible.
How did you clone the three digit code off the back of the card onto your phone ?
Why would he need that? You don’t need any codes for contactless payments – that’s kind of the point.
iamtheresurrectionFull MemberSo, who’s offering the merchant services to these terminals? I can’t believe the merchant account would be kept open for long with lots of contested contactless payments and no payments verified by chip and pin.
The whole thing sounds very unlikely to me.
zippykonaFull MemberWe now have to pay the credit card people some money and fill in a form saying we won’t be naughty so everyone can rest easy.
gravity-slaveFree MemberI don’t know about card and RFID but I stayed in a hotel in Oslo that used NFC keycards for the rooms. I used my Nexus 5 to see if I could read a card and it worked. I then set it to delete and managed to wipe a colleagues card that he put in his back pocket. Did it a few times and he was back and forward to reception to get his ‘faulty’ card replaced. Minutes of fun. Not beyond belief that I could have copied rather than wiped I guess.
nealgloverFree MemberHow did you clone the three digit code off the back of the card onto your phone ?
Why would he need that? You don’t need any codes for contactless payments – that’s kind of the point.Fair enough, I misunderstood and thought he claimed to use the cloned card details to put a sale through manually on the terminal.
Doesn’t matter either way, I still don’t believe it happened 🙂
GrahamSFull MemberSo, who’s offering the merchant services to these terminals?
That’s the tricky bit, but given how prevalent Chip&Pin fraud is then there must be some nefarious ways around it. I’m guessing they get set up as merchants, do a bunch of fraudulent activity then scarper? Not sure how they avoid a very obvious paper trail?
GrahamSFull MemberDoesn’t matter either way, I still don’t believe it happened
It’s technically very feasible – read RFID data from card onto your device, then present that same RFID data. That part isn’t tricky, it’s the merchant bit that is.
If I were one of these guys on the tube I’d set myself as a pop-up coffee stand then skim people on the tube for a relatively small amount. Even folk who check their accounts carefully are unlikely to pick up on a sub £5 transaction at a cafe.
nealgloverFree MemberIt’s technically very feasible – read RFID data from card onto your device, then present that same RFID data. That part isn’t tricky
It is when the phone tech wasn’t available until the following year.
Apart from the lack of a time machine, I’m sure it’s a simple task.
beejFull MemberAnd I’m pretty sure you need Host Card Emulation as well as NFC to be able to read/re-present secure credentials without using a hardware based secure element (SIM or phone). Post-2012 for HCE availability.
So… what was this magic phone you had in 2010 that had a feature that hadn’t been invented yet?
Essentially, the banks accept there will be fraud, but if a merchant presents transactions that get flagged by customer as fraudulent in any significant number, I don’t think the bank would actually pay up.
milky1980Free MemberWould have been around he end of 2007 as I quit in the beginning of 2008 (refused to sell credit cards and stuff to people who couldn’t afford it etc anymore). As for the phone, it was a company supplied no-name thing with various attachments for stuff, the reader was an attachment used for reading the new cards. More a small computer than a phone really. Could also read the login cards use for signing into the till/POD machines. I just used the read/write thing on it to clone his card.
aracerFree MemberHmm, reading this it appears the hack to make something with much better range is fairy simple, so I certainly wouldn’t rely on lack of range for security – though of course you do then have the mentioned issue of multiple responses confusing the device.
CountZeroFull Memberwrecker – Member
that I’d actually take extra steps to secure against it.Not even a RFID safe wallet?
What’s the point? You then have to fanny around taking the card out of the wallet every time you want to use it, in which case you may as well just stick it in the slot.
I just use my phone now anyway, that can’t be spoofed by anything.
The topic ‘RFID skimming. Something to worry about?’ is closed to new replies.