Contactless Card Fraud via NFC

In this post, I’ll go over what contactless fraud is, why you should care about it, and how you can prevent yourself from becoming a victim. Contactless fraud is a method of stealing someone’s credit card information remotely. What makes it so high-risk is that, done correctly, it is both easy and very hard to detect: someone savvy in the fraud and tech world, with time on their hands, can build a relatively simple device that silently sniffs a person’s information from a long distance.

Many businesses today have PoS (Point of Sale) systems that support contactless payments. These systems often use RFID and NFC technologies. In this post, I will primarily cover the exploitation of NFC payment methods. NFC stands for Near-Field Communication, and it can receive and transmit data only at very close range (about 3 – 10 cm between transmitter and receiver). NFC is extremely similar to RFID. However, RFID is only able to receive and read data, while NFC can both transmit and receive data. NFC is used in a variety of technologies today, but one of its more common applications is paying for something.

Apple and Android both have their own contactless payment systems: Apple’s is Apple Pay and Android’s is Google Pay. There are alternative contactless payment applications on Android (such as Samsung Pay) and on Apple devices. Both Apple and Android systems use NFC to transmit payment data from the device to the vendor. Apple Pay does not actually transmit your card information as cleartext over NFC to make the payment; rather, a “payment token” is sent over NFC to the payment terminal, which then waits for verification of the transaction before the payment to the vendor is completed. Google Pay’s method of transferring payment information is similar, but not exactly the same as Apple Pay’s. Google creates a temporary “virtual account number” with the user’s card or payment information encrypted inside, and then a one-use key is given to the vendor to authenticate the transaction. Basically, both companies encrypt your data before transmitting it to the NFC terminal. The real challenge for an attacker is figuring out a way to receive the cleartext payment info. On top of the encryption, both Apple Pay and Google Pay require the phone to have a passcode or biometric lock enabled before the contactless payment services can be used. Although it may seem like these systems are secure and tamper-proof, history keeps proving that this is never the case.

A presentation by Eddie Lee at DEFCON 20 (2012) demonstrated how two Android devices and some out-of-the-box thinking could give someone a “bridge” or proxy from the payment terminal to one device, and from there to another device. The idea proposed by Lee used WiFi to communicate between the two Androids. This means that one phone could be used to grab card information and send it to the second phone, which would act as if it were the actual card and could make a payment via NFC. This idea was then taken to the next level by Salvador Mendoza. Mendoza demonstrated how an individual with malicious intent could replicate the idea and build two devices that communicate with one another over a much longer distance for the purpose of recording NFC transactions. Mendoza’s devices extended the bridge idea originally demonstrated by Mr. Lee, using LoRa technology so that someone could sniff and log information from individuals up to 50 meters (or more) away from the payment terminal.

LoRa is a technology used for transmitting small amounts of data wirelessly over long distances. LoRa was created by Cycleo, a French company that is now owned by Semtech. A single LoRa module is about the size of a dime and can transmit data over 10 km (~6.2 miles) while using little power and transmitting over a sub-gigahertz frequency. This technology is complex, but with a little bit of time and hard work, a malicious person could replicate Mendoza’s creation. With the right code and tools, they could build a relay system that steals innocent people’s payment information and logs it to their off-site PC or server anywhere in the world, completely autonomously. On top of that, if the malicious person wanted to take the stolen information and fabricate their own physical card with it, they could do so — using a mag stripe encoder and a blank card. In the worst case, this would give the attacker a swipeable card to use as much as they like until the original card holder or bank froze the card and/or closed the account.

The applications of long-range NFC sniffing are many, and all it takes is a little creativity to create your own sniffing tool or relay. There have been theories that directional antennas, paired with a device like Mendoza’s, could grab card info from an unsuspecting person a mile away or more, and then transmit the data to another phone to be used to make payments via NFC. A demonstration of Mendoza’s longer-range NFC relay can be found here.
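To make the bridge idea concrete from the terminal’s side, here is an added example (not code from this post, from Eddie Lee, or from Salvador Mendoza) that simulates one challenge/response tap over two paths: a card held directly against the reader, and the two-proxy relay described above. It also shows why the tokenization described for Apple Pay and Google Pay matters: the wallet only ever answers with a token, so even a relayed response carries no card number. The wallet, the hop delays, the token format and the terminal’s round-trip limit are all constructed values for illustration, not real EMV, NFC or LoRa parameters.

```python
"""Simulated NFC payment exchange: direct tap versus a two-proxy relay.

Added example; not code from the post, Eddie Lee, or Salvador Mendoza.
Wallet behaviour, hop delays and the terminal's round-trip limit are all
constructed values for illustration, not real EMV or LoRa parameters.
"""
from dataclasses import dataclass


@dataclass
class Wallet:
    """Phone wallet (or contactless card) on the far side of the NFC field.

    Like Apple Pay / Google Pay as the post describes them, it answers with a
    per-transaction token and never puts the real card number on the air.
    """
    pan: str      # real card number, stays inside the wallet
    token: str    # constructed stand-in for a payment token

    def respond(self, challenge: bytes) -> bytes:
        # Response binds the token to the terminal's challenge; the PAN is not used.
        return b"TOKEN:" + self.token.encode() + b":" + challenge


@dataclass
class Hop:
    """One link the challenge must cross on its way to the wallet (and back)."""
    name: str
    delay_s: float


# A card or phone held against the reader: one NFC hop each way.
DIRECT_PATH = [Hop("NFC field (terminal <-> wallet)", 0.001)]

# Lee/Mendoza-style bridge: proxy A at the terminal, proxy B at the victim,
# joined by a long-range link (WiFi or LoRa). Delays are constructed.
RELAY_PATH = [
    Hop("NFC field (terminal <-> proxy A)", 0.001),
    Hop("bridge (proxy A <-> proxy B over WiFi/LoRa)", 0.050),
    Hop("NFC field (proxy B <-> wallet)", 0.001),
]

MAX_RTT_S = 0.020  # constructed terminal limit on challenge->response time


def run_exchange(wallet: Wallet, path: list[Hop], challenge: bytes):
    """Carry one challenge out along `path` and the response back.

    Returns (response, round_trip_seconds, transcript). Time is simulated
    by summing hop delays, so the result is deterministic.
    """
    elapsed = 0.0
    transcript = []
    for hop in path:                       # outbound leg
        elapsed += hop.delay_s
        transcript.append(f"challenge -> {hop.name}")
    response = wallet.respond(challenge)
    transcript.append("wallet answers with token (PAN never transmitted)")
    for hop in reversed(path):             # return leg
        elapsed += hop.delay_s
        transcript.append(f"response <- {hop.name}")
    return response, elapsed, transcript


def terminal_decision(rtt_s: float, max_rtt_s: float = MAX_RTT_S) -> str:
    """Terminal-side relay check: a tap that takes far longer than the NFC
    field alone can explain is treated as possibly relayed."""
    return "accept" if rtt_s <= max_rtt_s else "reject: relay suspected"


def simulate(path: list[Hop]) -> dict:
    """Run one tap over `path` and return what the terminal sees."""
    wallet = Wallet(pan="4111111111111111", token="tok_demo_0001")  # constructed
    response, rtt_s, transcript = run_exchange(wallet, path, b"nonce-7f3a")
    return {
        "rtt_ms": round(rtt_s * 1000, 3),
        "pan_leaked": wallet.pan.encode() in response,
        "decision": terminal_decision(rtt_s),
        "transcript": transcript,
    }


if __name__ == "__main__":
    for label, path in (("direct tap", DIRECT_PATH), ("relayed tap", RELAY_PATH)):
        result = simulate(path)
        print(f"{label}: {result['rtt_ms']} ms -> {result['decision']}")
        for line in result["transcript"]:
            print("   ", line)
```

The direct tap completes in about 2 ms of simulated time and is accepted; the relayed tap spends most of its time on the bridge, exceeds the constructed limit and is flagged. The same principle, bounding how long a tap may take because a genuine NFC exchange cannot be stretched across a WiFi or LoRa link without adding delay, underlies relay-resistance timing checks in modern contactless terminals; the threshold here is made up for the example, and a single challenge/response stands in for the several APDUs of a real EMV transaction.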


(This diagram created by Eddie Lee demonstrates how the NFC payment transmitting system works. The green line shows that if correctly exploited, the data sent is not being encrypted, but rather it communicates directly with the NFC chip which could allow for someone to pick up the data unencrypted.)

The reason you should care about contactless card fraud is the rise in the use of contactless payment methods today. As paper money becomes a thing of the past, more plastic credit and debit cards are being compromised for lucrative rewards. Ultimately, there is a chance that contactless payment methods may become the new go-to for the world in the future. If that happens, individuals need to understand the security risks they may face, and how they can help prevent themselves from falling victim to fraud.

Today, the only real solution to preventing your card information from being stolen when using a contactless payment service such as Apple Pay or Google Pay would be to not use the service at all unless you absolutely must. The chance of someone stealing your information is very low, but it could happen. Use a wallet that can block RFID and NFC signals while your card is not in use. Be aware of suspicious devices near a card reader, and limit your use of contactless payment methods.

(For more information please check out: https://salmg.net/ or Eddie Lee’s presentation at DEFCON 20 on YouTube)