[personal profile] reddragdiva

"GREAT NEWS!" said my bank. "WE'RE SENDING YOU A NEW NFC CASH CARD! BUY STUFF WITH JUST A SWIPE, NO PIN! YOU LUCKY THING!"

As a computer professional, I was not entirely thrilled. Not much can be nicked from an Oyster card (which has long been known to be skimmable), but a bank card is rather a different matter.

And guess what, it's been done: Channel 4 report, researcher's piece with more details. They can get everything off the card except the three-digit security code on the back, and there are enough online retailers (e.g., Amazon) that don't require that. (And though I've yet to see reports, it strikes me as really obvious to skim a card and get an NFC-enabled phone to pretend to be that card. Ker-ching.) The card owner's name is definitely on Barclaybank cards; others may or may not include it.

You can buy expensive anti-skimming wallets (with a wire mesh that forms a Faraday cage) — or you can just give your cash cards a fetching tinfoil hat.

Double layer of tinfoil, folded, about the size of the card. Note wifi symbol on card.

Put your Oyster, which you probably want still skimmable, at the other end of the card wallet from the tinfoil cash card, so that reflections from the tinfoil don't mess up its signal.

The above has worked well for me in practice for the past few weeks — I just keep an eye on which side I swipe on the Oyster reader. The tinfoil absolutely blocks the Oyster, so I'm pretty confident it blocks the cash card.

Edit: American Express Blue cards are also reported to give full customer details, unencrypted. If you have an NFC-capable Android phone, test your card with Electronic Pickpocket. (The crooks already have this app and better ones.) Then call your bank and scream blue murder if usable amounts of personal details are skimmable.
