Are the contactless cards really safe?

Read cards over 3 meters using NFC? The real risk with contactless cards is technical ignorance

COMMENT / RANT, 3 January 2018
Rudolf Linsenbarth, 3 January 2018, Current, Strategy

An initiative by the White Ring (Weißer Ring) has been taken up by a wide variety of media. In this context it is claimed that contactless bank cards can be read out from a distance of 3 meters with an NFC smartphone and an app. Is that true, and do the new contactless cards from AMEX, Mastercard, VISA and the girocard of the Deutsche Kreditwirtschaft bring new dangers and risks?

by Rudolf Linsenbarth

Unnoticed reading of the contactless card (e.g. via NFC smartphone app)

First of all, NFC is an induction-based wireless technology. The smartphone, as the initiator, creates an electromagnetic field for this purpose. The card, as the target, does not actively transmit but changes the amplitude of that field (load modulation). The initiator reads these amplitude changes and thus receives its information from the target. The frequency of this electromagnetic field is 13.56 MHz, and the specified range is 10 cm. Most readers fall well below this value. With a card terminal at the cash register it is less than 4 cm. This can be tried out by slowly approaching the card to the terminal during a contactless payment until it beeps. A smartphone, on the other hand, usually achieves no more than 2 cm.

Or to put it another way: anyone who manages to generate such a field with a smartphone that extends 3 meters is the next candidate for the Nobel Prize in Physics.

Everyone can try this out for themselves. The app required for this is a credit card reader app that can be downloaded from Google Play. Anyone who installs it will find that it is possible to hold a card directly against the smartphone and read out contactlessly data that is already printed on the card. But as soon as the card is in your wallet, it becomes much more difficult. The metal of the coins in it, or another contactless card such as the new identity card, makes communication with a smartphone almost impossible, even if you place the smartphone directly on the wallet.

So it is far easier to simply steal the card, and then nobody needs to read it contactlessly at all!

Of course, the "better" protection is to wrap the card in aluminum foil beforehand. It would be even safer to leave the card at home right away. Then it is also safe from pickpockets (irony off!).

Unnoticed debiting?

The myth persists that it would be possible to make undetected debits. What is behind this? In order to debit something from a contactless card, you need a certified payment terminal with a connection to a payment service provider. With that, the operator is known and no longer anonymous. All transactions are traceable, and fraudulent transactions are charged back immediately. From the fraudster's point of view, the effort is also out of all proportion to the potential return!

What happens if the card is lost or stolen?

Here the banks state that they bear the risk, with the restriction, of course, that the customer has not acted with gross negligence. But even then the customer's liability is capped.

Rudolf Linsenbarth deals with mobile payment, NFC, customer loyalty and digital identity. He has been working in the banking, consulting, IT and retail sectors for over 15 years. Linsenbarth is a prominent blogger on the financial scene and comments on current developments on Twitter as @holimuk. Rudolf Linsenbarth writes all articles in his own name.

With the PSD2, the banks are obliged to ask for a PIN at certain intervals, even for small amounts. The thresholds are reached after 5 transactions or when €150 has been accumulated, whichever comes first. In addition, a single transaction over €50 may not be authorized without a PIN.
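To make the PSD2 limits above concrete, here is an added simulation of the issuer-side counters (example code written for this page, not from the article or any bank). The thresholds (€50 per tap, 5 taps or €150 accumulated since the last PIN entry) are the ones stated in the text; the class name, the reset on a PIN-verified tap, and the reading that the cumulative thresholds apply to what was approved before the current tap are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the article (PSD2 contactless rules).
SINGLE_TAP_NO_PIN_MAX = Decimal("50")   # no single tap above 50 EUR without a PIN
CUMULATIVE_AMOUNT_MAX = Decimal("150")  # amount accumulated since the last PIN entry
CONSECUTIVE_TAP_MAX = 5                 # no-PIN taps in a row since the last PIN entry


@dataclass
class IssuerCounters:
    """Hypothetical issuer-side state per card since the last PIN-verified tap."""
    taps_since_pin: int = 0
    amount_since_pin: Decimal = Decimal("0")

    def pin_required(self, amount: Decimal) -> bool:
        # Assumed reading of the rule: the single-tap ceiling applies to this tap;
        # the cumulative thresholds count what was approved *before* this tap, so
        # the sixth tap in a row, or the first tap after 150 EUR has been reached,
        # is the one that forces a PIN.
        if amount > SINGLE_TAP_NO_PIN_MAX:
            return True
        if self.taps_since_pin >= CONSECUTIVE_TAP_MAX:
            return True
        return self.amount_since_pin >= CUMULATIVE_AMOUNT_MAX

    def record(self, amount: Decimal, pin_verified: bool) -> None:
        """Update counters after an approved tap; a PIN entry resets both."""
        if pin_verified:
            self.taps_since_pin = 0
            self.amount_since_pin = Decimal("0")
        else:
            self.taps_since_pin += 1
            self.amount_since_pin += amount


def simulate(amounts: list[str]) -> list[bool]:
    """Run tap amounts (EUR, as strings) through the rule and return, per tap,
    whether a PIN was demanded. When it is, the cardholder is assumed to enter it
    correctly, which resets the counters."""
    counters = IssuerCounters()
    decisions = []
    for raw in amounts:
        amount = Decimal(raw)
        needs_pin = counters.pin_required(amount)
        counters.record(amount, pin_verified=needs_pin)
        decisions.append(needs_pin)
    return decisions
```

Feeding the sequence from the article's headline (a 51 euro tap) shows that such a tap always demands the PIN, whatever the counters say.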

Do-it-yourself conspiracy theory: "Contactless transaction at 3 meters for 51 euros"

Not every topic can be explained in the length of a tweet. Unfortunately, well over 99% of bank employees know less about this area than this article conveys.

The banks' old, simplistic communication strategy of reassuring the customer instead of giving technically correct answers fails completely here!


You can find this article on the Internet on the website:
https://itfm.link/63303


37 responses to "Read cards over 3 meters using NFC? The real risk with contactless cards is technical ignorance"

  1. Unnoticed withdrawal: what about relay attacks? Example: an accomplice is on the bus and connects his cell phone contactlessly with a third party's card, the other is at the checkout and holds his cell phone to the checkout terminal via HCE. Both cell phones are connected in real time via the Internet. Is a relay attack, i.e. paying with someone else's card, possible via the two cell phones?

    1. Yes, you can also consider that, but here too the transaction is traceable and can be returned at any time! But the return is disproportionate to the effort. In addition, if reading out unnoticed with the smartphone is almost impossible, it becomes an order of magnitude more difficult for a transaction!

    2. No. Here again: the fraudster has to get so close to the card on the bus (or elsewhere) that he should also be able to steal it. And as already indicated above: if the card is in the wallet, the radio network will be heavily shielded by this, plus coins, etc. So there is virtually no chance of trying to carry out a transaction in this way.

  2. Have you ever thought that a smartphone also has a USB port and that hardware can be connected that also allows transmission over greater distances?

      1. This answer is misleading.
        Even if USB has nothing to do with NFC, the aim of the smartphone is to use a stronger receiver via USB, which could have a greater range for reading the NFC than the smartphone alone.

        The answer is therefore deliberately misleading and belittling.

  3. The future (for some), the reality (for some) today is payment by smartphone or watch via NFC. The topic simply doesn't exist. Transactions are confirmed biometrically, a PIN is never required, a physical credit card that was stored in a stolen cell phone can still be used.

    1. A retailer who operates a web shop and accepts credit card payments without cvc / cvv acts with gross negligence and should be warned in case of doubt. Again cvc / cvv cannot be read out contactlessly. It's really easier to steal the card !!! There is no business case for the contactless reading of credit card data. Everything else is mind games from conspiracy theorists!

          1. Probably true. Actually, one would assume that implementing the CVC / CVV check at Amazon would have to be a business case. Since they still do not have it, I suspect that the chargebacks are not paid by Amazon but ultimately get stuck with the issuer.

        1. As a regular customer of an online retailer, repeated (!) Credit card payments are marked as so-called "recurring payments" and processed without CVC / CVV. Not only does Amazon do this, it is a standard functionality for credit cards. As soon as a different delivery address is given, the online retailer should completely re-query the card details.

    2. You can get bank details by stealing the card or by phishing ... Not by the nfc of a card ... The card number, validity ... are read out ... That's it

      Name is not included, neither is the verification code, and neither is the iban.

      Merchants who do not match the name or check digit are stupid and are liable themselves. In addition, there is now Mastercard 3d secure and its successor, where customers have to confirm the card payment separately, for example in the bank app or by mtan.

      As already said in the article ... It is best to leave your card at home, theft is easier and more dangerous ... Ah yes, the alternative of cash is also not safer, it can be wrong and can be stolen anonymously ...

  4. For me it is enough that I have two different cards with NFC on top of each other. It has never worked with any reader. I always had to separate the cards. Only then has the reader accepted the card.

  5. According to my information from 2017, contactless card payments without entering the PIN are only possible up to € 25 or up to 4 transactions. Have the specifications actually changed in this regard?

    1. A distinction must be made here between PSD2 specification and actual implementation. According to PSD2, the maximum limit without a PIN is € 50 for a single transaction. In Germany, the Mastercard and girocard issuing banks have set a limit of € 25. With VISA, the limit at most banks is still € 25, but some banks should use the € 50.
      For the other limits, a maximum number of taps or € 150 accumulated amount, this requirement is probably implemented for the girocard. This doesn't seem to be the case with Mastercard and VISA. We will then see whether and how this will be readjusted.

    2. Hello,
      perfectly correct NFC cannot be read from more than 3 meters, as mentioned in this article, such statements are usually dangerous half-knowledge or simply stupid!
      NFC is an RFID specification!
      Some RFID frequencies are used in logistics and can be read over more than 3 meters, while NFC can be read up to a maximum of 5 cm! Confusion often occurs here. On this website (https://rfid-schutz.org/wp-admin/) I found further interesting and true information on this topic, such as attack methods and protection methods!
      MFG Juergen

      1. Hello, I received my new golden VB card with the WiFi sign on it a fortnight ago. On Friday morning I was at the Toom hardware store in Espelkamp and bought 3 items for a total of 19.76 €. This WLan symbol was also emblazoned on the cash register, so I pulled the card out of my wallet, about a hand span away from the reading unit. The cash register pinged and the receipt was printed. The cashier, visibly shocked, indicated that the cash register had probably only been in operation since the morning. She lacks experience. I was astonished that the NFC obviously goes further on the hardware side than indicated, at least about 5-6 times as much! In the RFID shop, devices are offered that can read and save bank cards, personal documents, etc. in a range of up to one meter, depending on the antenna and the day-to-day circumstances?! First I got blocker cards, I can't trust the system!

        1. Hello Mr. Priesnitz,

          I don't know how wide your hands are and what you mean by a hand span. I would estimate about 4 cm that would be perfectly within the specification of 10 cm. If the terminal has already triggered within this distance, it would be the front runner in the list of devices I have used so far.
          As for the devices that read an NFC at a distance of 1 meter. I would like to see the link to the product. Is this quality guaranteed and how big is the antenna? Probably at least 1 m as well.
          Best regards

          Rudolf Linsenbarth

      2. When I read this rubbish ..... all impossible. Was the author even paid by the banks and card-issuing institutions?

        I hold my cell phone up to 20cm away from the terminal and it works perfectly, Huawei technology and PayPal as well as credit cards linked.
        I almost have to put a CARD on it.

        Now it has even been possible to lift the limit on Visa ...... So it is also possible.

        It's difficult in passing, yes, but I am able to simulate a terminal and anyone who has NFC on and leaves their cell phone lying around can lose their data to me (I am now fictitious, my job is more IT security)

        So people, long story short, protect yourselves. Switch off NFC cards in protective cover and mobile phone as long as there is no payment ...... everything else is possible and I will take the Nobel Prize because it really works. With appropriate scripts etc pp everything can be strengthened.

      3. So it was a long time ago - now I've tried it out. In my wallet there are various other customer cards in credit card format (some with magnetic strips and in plastic sleeves) and four NFC chip cards. And of course banknotes and coins. So, I held the wallet at a distance of about 10 cm from a cash register terminal - it replied with the hint 'Please only use one card'. Okay so far. But is the card data now read out / saved or is it blocked immediately? And what happens at the exits of department stores with their large 'antennas'? You walk with a distance of ~ 50 cm between ...

        PS: Nevertheless, I think handling NFC cards is much more practical and faster than using smartphones (power supply? Battery? Crashed and broken? Well, if you need to hold up your 1000 euro smartphone at the Aldi checkout ...). Do the manufacturers and platforms actually get something for promotion from the banking industry? It doesn't matter, in the end it is always the consumer who pays.

        1. In the case you described with the message "Please only use one card", the terminal has recognized that there are several cards in the field. NFC is always only a point-to-point connection, so no connection is established at all and therefore no data is read.

          The antennas at the exits of the department stores work on a different frequency and are therefore not even able to read an NFC card.

        2. You can hear about RFID and NFC everywhere now. Until then I always thought it was the same, but after a long research on the Internet I found out that it is probably just similar. But you can protect yourself with the same means.

          I found the most accurate description of both technologies at https://rfidschutz.org.

          “RFID is a technology that transmits data contactlessly by radio. NFC works similarly to this system, whereby the transmission devices can communicate with each other, the range is usually less and the frequency is always 13.56 MHz.”

        3. What "bothers" me most about the text is that the probability that someone will read my card data - in a crowd, by chance, however - is simply dismissed as "improbable" and therefore not worthy of attention.

          Or formulated as a question: Is it now - in principle - possible that someone stranger can read my data on the card - in whatever way and whatever data - or not?

          If that can be answered with YES, then the case is clear to me: This is a risk!
          Even if there is a greater chance that my card will be stolen, the physical theft is usually my own negligence.

          In short: It sounds to me as if reading out by third parties - with little chance - is possible.
          So I don't want this feature!

          1. ... as an addition: I am basically talking about data - not about the chance that money will be withdrawn.
            So the tone of the article annoys me because certain data is treated as negligible per se.

            1. The article aims to correct that it is not possible to read the cards in the wallet remotely. So far there have also been a lot of reports on public broadcasting. It was pretended that suitable devices could be used to read the cards unnoticed from a distance of half a meter or more.
              This is definitely still possible - the antennas that are necessary for this cannot be moved so easily in a crowd.
              ... as already said, reading the card unnoticed is almost as difficult as stealing it. If you want to prevent this, it is best to leave your card at home.

        4. For that here someone with "years of experience" in the IT security area says he is pretty much behind ....
          I really have to laugh, luckily nobody can hear me….
          A few years ago, for example, a hobby hacker in the USA sniffed thousands of credit card data with the help of a self-made cantenna and other toys from the car park, aiming the toys at the checkout area. Because the data that are sent between the card and the terminal during the purchase are, to put it simply, nothing other than WiFi signals. And these shine in all directions. The data packets are sniffed via Wireshark and then analyzed…. by whoever can, and the stupid normal consumer freaks out one day when he realizes: UPPS, my account is empty !!!!!
          And by the way, all this fake about security. The fact is, there is no such thing as security. No system is safe !!!!! ... because just like, for example, antivirus manufacturers only react and not act, first a new virus then the update ....
          As for the relationship, you can imagine it like an iceberg in the sea. What is underwater is the "criminal" part. The visible the so-called SECURITY EXPERTS….
          Everything clear so far….