Jump to content

Mobile Phone Payment Theft


ReconRat

Recommended Posts

And you wonder why I have a stainless steel metal wallet...

Security guy wrote an app to steal your credit card by waving his phone at your wallet. It's then his to spend using his phone payment.

Mobile payments open new door to thieves

http://www.sfgate.com/business/article/Mobile-payments-open-new-door-to-thieves-3925013.php

http://www.stltoday.com/business/local/fraud-threatens-mobile-payment-system/article_e49cfb01-9cbe-5b68-93f2-38578183fc5b.html

this type of theft is estimated to be 1.5 in 100 people, in a few years time.

Link to comment
Share on other sites

And you wonder why I have a stainless steel metal wallet...
I have no NFC cards so I'm safe.

I thought you were in the computer field Recon? Of all people, you should know this is fearmongering for the un-tech savvy among us. You don't need a stainless steel wallet to avoid this -- like Scruit said, you either disable NFC from your phone when you're not actively using it, or don't use any unsecured RFID devices (which the vast majority of consumers don't have). The articles are very vague -- they aren't after your wallet and the stuff in it... they're after your phone (which you may or may not have linked credit cards and stuff from your wallet to it). They really do a poor job making that explicitly clear.

Right from one of the articles:

Criminals can access a mobile wallet by stealing the handset or tricking its owner into downloading a piece of malicious software.
1) Password protect and encrypt your phone

2) Don't download malicious code or visit malicious websites

3) Don't let your kids play around with your phone that has credit card information buried in it

Problem solved.

It's not asking anyone to take anymore personal responsibility for their data or security than we ask for those using a computer or "Don't lose your wallet"

Here's an article from July showing that someone else did an even more 'scary' proof of concept code specifically targeting NFC phones:

http://www.bgr.com/2012/07/26/nfc-hack-android-beam-charlie-miller/

Edited by JRMMiii
Link to comment
Share on other sites

Yes, JRMiii, now stand back and let me troll...

The market place wants us to spend our money this way. It's in their favor, I suspect.

Magstripe cards, what we have now, are end of life soon. Europe no longer accepts them, and China by 2015. All our cards will be RFID soon. And as vulnerabilities go, this is only the start. If it can be done, some one will do it.

"By 2017, consumers worldwide will buy $1.3 trillion worth of goods with their phones and tablets"

"The U.S. and some nonindustrialized countries in Africa are among the only nations still relying on magstripe payment cards,"

"So why is the U.S. so far behind? It seems to come down to money. The losses for banks do not yet exceed the costs of a switch-over, although merchants say that’s because they usually shoulder much of the cost burden from fraud."

So basically if the seller or the buyer takes the loss instead of the bank, nothing will change.

edit: Thief doesn't even have to use it, here's the going prices for selling the info to Euro criminal groups. They would be the major players in all card theft. Theft has gone up 500% in the last 5 years.

$1,000 Name and password for an online bank account (and additional information in some cases).

$80 Magstripe data on a premium-level credit card.

$6 Mother’s maiden name.

$3 Social Security number.

Edited by ReconRat
Link to comment
Share on other sites

Hacker Demos Android App That Can Wirelessly Steal And Use Credit Cards' Data

Your phone isn't involved. This is a theft directly from your RFID card that most people don't have yet.

"In a talk at the Defcon hacker conference in Las Vegas Friday, Lee demonstrated an Android software tool called NFCProxy that’s capable of both reading and “replaying” data from contactless credit cards–any of the common payment cards with embedded RFID chips that allow payments at retail outlets’ wireless point-of-sale devices like these."

And yes, I already downloaded the apk to play with.

edit: And yes, I found the correct CyanogenMod 9.

Edited by ReconRat
Link to comment
Share on other sites

People today are still making a ton of money on skimming magstripes onto hotel key cards and using them for pin-less transactions like uscan and gas pumps.

The UK has chip and pin - the card looks like a satellite TV card (square gold chip contacts on surface) with a pin number. Two-phase auth. Even if you skimmed the data you need the pin.

Link to comment
Share on other sites

People today are still making a ton of money on skimming magstripes onto hotel key cards and using them for pin-less transactions like uscan and gas pumps.

The UK has chip and pin - the card looks like a satellite TV card (square gold chip contacts on surface) with a pin number. Two-phase auth. Even if you skimmed the data you need the pin.

Correct. It's almost entirely magstripe scamming currently. And the PIN is a vital part of avoiding loss. PIN cards are much less likely to suffer losses.

But the RFID scam was able to transact the card once, without the PIN. Bad.

Link to comment
Share on other sites

I hacked a fingerprint scanner using some play-doh and RTV gasket maker. Used the play-doh to make an impression of my finger which served as the mold for the RTV. Left it overnight and tried it the next day. Took a couple tries, cleaning the ridge detail and eventually licking it to make the plastic fingertip work. Did this right after watching the Mythbusters show about it. The difference was that they stole a fingerprint for theirs whereas I used my own and used a technique that would not "steal" someone's fingerprint.

What it COULD be used for, though, is establishing an alibi. Work at a company that uses fingerprint scanners that you can use after hours? Have a trusted buddy use your badge/fake finger to move around the building while you are on the other side of town doing some crime. If they trace the crime back to you then ask your company to produce fingerprint scanner access logs that "prove" you were elsewhere.... Then hope they don't have equally "good" evidence of the crime... u mad, cops?

Link to comment
Share on other sites

Yes, but the jig is up when forensics finds play-doh DNA on something. j/k

No, I don't have an RFID scanner. But wait for it... I'll find a DIY schematic...

edit: didn't like the DIY, and found a kit instead.

But really, you need one that attaches to your phone for this (bluetooth will work).

http://www.robotshop.com/cytron-rfid-reader-writer-kit.html

http://www.adafruit.com/products/923

Edited by ReconRat
Link to comment
Share on other sites

Correct. It's almost entirely magstripe scamming currently. And the PIN is a vital part of avoiding loss. PIN cards are much less likely to suffer losses.

But the RFID scam was able to transact the card once, without the PIN. Bad.

If I use a uscan and select the credit option I can charge a lot of money with just a signature and no human involvement from the store employees. The signature is not compared with your real signature...

How do I know the sig is not compared? I always sign uscans with a smiley face. Started as a joke when I was with my grandmother and she saw me sign the smiley face and she thought I was going to get arrested or something - complete flip-out mode activated! Since then I only ever sign with a smiley face, waiting for someone to catch it. It have been at least 5 years and nothing yet.

Link to comment
Share on other sites

Yes, but the jig is up when forensics finds play-doh DNA on something. j/k

No, I don't have an RFID scanner. But wait for it... I'll find a DIY schematic...

edit: didn't like the DIY, and found a kit instead.

But really, you need one that attaches to your phone for this.

http://www.robotshop.com/cytron-rfid-reader-writer-kit.html

http://www.ebay.com/itm/New-Security-Silvery-USB-RFID-ID-Proximity-Sensor-Smart-Card-Reader-/180991496840?pt=LH_DefaultDomain_0&hash=item2a23ef1288

$14.35.

EDIT: You edited your post to add a URL between me reading it and hitting reply. Then added a second URL. The reader I listed above goes to a PC. You can get an app and a converter to connect USB devices to an iphone. CameraConnector, it's called. http://www.redmondpie.com/this-tweak-allows-you-to-connect-usb-devices-to-your-iphone-using-ipad-camera-connection-kit/

Edited by Scruit
Link to comment
Share on other sites

My point still being that many of these proof of concept hacks still require a very specific chain of events or circumstances for the hacks to work (unsecured unencrypted communication of RFID for instance -- I think that was mentioned already). In theory it's possible to intercept the lock/unlock and remote start codes for late model vehicles too, but that's not stopping people from buying remote or keyless entry systems on their new cars.

So, it's still not enough to make me feel the need to buy a stainless steel wallet because 1) RFID isn't prevalent enough yet to make the business case for the hack to be worth the effort, 2) I know I personally have no passive or active RFID items in my wallet, and 3) When RFID is finally mainstream, many of these issues with security will have been addressed to the level where they're as good or better than the current fraud prevention processes. The major difference I see is that a lot of the onus will now be put on the user to maintain the responsibility of appropriately setting up and using all the security measures available to them.

Edited by JRMMiii
Link to comment
Share on other sites

wut? switch to the SpaceX launch JRMiii, it goes up in 20 minutes.

All true JRMiii, and fixes will be found for vulnerabilities. And hacks will be found for theft.

The real reason to have a metal wallet, is to prevent wiping your cards out if you sit on a magnet. Everyone knows that.

Edited by ReconRat
Link to comment
Share on other sites

If I use a uscan and select the credit option I can charge a lot of money with just a signature and no human involvement from the store employees. The signature is not compared with your real signature...

How do I know the sig is not compared? I always sign uscans with a smiley face. Started as a joke when I was with my grandmother and she saw me sign the smiley face and she thought I was going to get arrested or something - complete flip-out mode activated! Since then I only ever sign with a smiley face, waiting for someone to catch it. It have been at least 5 years and nothing yet.

I signed my as uncle sam, smiles, and god know what else I've used lol.

Link to comment
Share on other sites

The real reason to have a metal wallet, is to prevent wiping your cards out if you sit on a magnet. Everyone knows that.

Well, if someone puts a magnet on a chair where I'm gonna sit, then they better hope I'm not ingesting a diet high in iron or they might erase my colon along with those magnetic strips. :p

Link to comment
Share on other sites

If I use a uscan and select the credit option I can charge a lot of money with just a signature and no human involvement from the store employees. The signature is not compared with your real signature...

How do I know the sig is not compared? I always sign uscans with a smiley face. Started as a joke when I was with my grandmother and she saw me sign the smiley face and she thought I was going to get arrested or something - complete flip-out mode activated! Since then I only ever sign with a smiley face, waiting for someone to catch it. It have been at least 5 years and nothing yet.

I went on a beer run once and my friend only had his card so he said to give him our cash for what we owed for the beer and use his card. He didn't go for whatever reason. Went to the gas station bought the beer and signed his name (with his permission). The next day his card got declined / shut off by Chase Bank do to suspected fraud.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...