July 18, 2014
Many people got new debit cards (called “Bankomatkarte in Austria) from the various bankings institutes in the last months and years. Many cards are PayPass enabled for wireless money transactions. PayPass is based on NFC, which is also integrated in some of the modern smart phones. The default setting is that five 25 Euro transactions can be done without entering a PIN. So a possible damage can be up to 125 Euro. You’ll verify if your debit card supports that standard by checking it has PayPass printed on it.
Picture: Maestro PayPass
But I’ve seen some cards with only this symbol (at least on the front side):
Anyway in therapy the card needs to be within 10cm of the reader and therefore an attack is not that easy. But already at Defcon 20 in 2012 Eddie Lee presented the possible of a NFCProxy which allows to misuse a card. The attack setup looks like this:
Picture: Eddie Lee @ Defcon 20
So this allows following attack vector. You’re standing in a crow or in a line and have your debit card in your back pocket. One of the attacker stands behind you …. and the other can be e.g. hundred meters away (only limited by the delay and reach of the network connection). They will be able to get your money with much less risk than with pocket picketing. And to make it even better – you can download the App for Android as an .apk file, ready to install and use, from Sourceforge.
So now you know of the problem, what can you to mitigate that problem?
- If you don’t need that feature at all, try to talk to your bank to disable that function. Some will do it for free, others will charge you. Some banks allow to you to choose if you want one with or without at renewal of your card.
- You basically like the feature, but you would like to have more control over it – thats also possible:
- Search for RFID/NFC blocking sleeves for credit card or payment cards
- You can get also wallets with RFID/NFC blocking feature … but currently they look not that great .. at least the ones I found