reddragdiva: (geek)
[personal profile] reddragdiva

"GREAT NEWS!" said my bank. "WE'RE SENDING YOU A NEW NFC CASH CARD! BUY STUFF WITH JUST A SWIPE, NO PIN! YOU LUCKY THING!"

As a computer professional, I was not entirely thrilled. Not much can be nicked from an Oyster card (which has long been known skimmable), but a bank card is rather a different matter.

And guess what, it's been done: Channel 4 report, researcher's piece with more details. They can get everything off the card except the three-digit security code on the back, and there are enough online retailers (e.g., Amazon) that don't require that. (And though I've yet to see reports, it strikes me as really obvious to skim a card and get an NFC-enabled phone to pretend to be that card. Ker-ching.) The card owner's name is definitely on Barclaybank cards; others may or may not include it.

You can buy expensive anti-skimming wallets (with a wire mesh that forms a Faraday cage) — or you can just give your cash cards a fetching tinfoil hat.

Double layer of tinfoil, folded, about the size of the card. Note wifi symbol on card.

Put your Oyster, which you probably want still skimmable, at the other end of the card wallet from the tinfoil cash card, so that reflections from the tinfoil don't mess up its signal.

The above has worked well for me in practice for the past few weeks — I just keep an eye on which side I swipe on the Oyster reader. The tinfoil absolutely blocks the Oyster, so I'm pretty confident it blocks the cash card.

Edit: American Express Blue cards are also reported to give full customer details, unencrypted. If you have an NFC-capable Android phone, test your card with Electronic Pickpocket. (The crooks already have this app and better ones.) Then call your bank and scream blue murder if usable amounts of personal details are skimmable.

(no subject)

Date: 2012-05-04 12:28 pm (UTC)
alexmc: (Default)
From: [personal profile] alexmc
Yeah - I just got one of those and used it for the first time...

Coincidentally Barclays just rang me up to tell me they didn't have security questions for me like whether I owned my own home or who employed me. This is despite them having my mortgage!

To their credit they didn't ask for this information over the phone - but suggested I go to my local branch to tell them.

(no subject)

Date: 2012-05-04 12:28 pm (UTC)
quiet000001: Patrick Kane from the Chicago Blackhawks wearing Clark Kent glasses from the All Stars competition (Default)
From: [personal profile] quiet000001
Is that something they're sending out to everyone now, or as your existing card needs to be replaced anyway? Just wondering if I need to watch the mail since sometime the UK-US thing doesn't work so well...

(no subject)

Date: 2012-05-04 12:30 pm (UTC)
From: (Anonymous)
I find that I resent having to make metal foil part of my personal data security plan.

-- random Firedrake

(no subject)

Date: 2012-05-04 12:47 pm (UTC)
From: [identity profile] venta.livejournal.com
The power of words... amazing that you can write a perfectly sensible post about a genuine security issue, and a proposed solution, but sound like a paranoid delusionist just by using the phrase "tinfoil hat" :)

(no subject)

Date: 2012-05-04 01:01 pm (UTC)
quiet000001: Patrick Kane from the Chicago Blackhawks wearing Clark Kent glasses from the All Stars competition (Default)
From: [personal profile] quiet000001
Oh joy. They'd better not kill my old one until the new one arrives.

(I'm still cranky because you need some card reader thing to use online banking and do you know how many times I have asked for one to be re-sent since I never got it? No. Neither do I. BECAUSE I HAVE ASKED SO MANY TIMES NOW.) (To be fair, I should just call them sometime, but I tend to not have the energy to deal with the time zones and crap. I JUST WANT A CARD READER THING.)

(no subject)

Date: 2012-05-04 01:20 pm (UTC)
pir: (Default)
From: [personal profile] pir
My plan was to cut the antenna wire in the card. I don't use nor want contactless payments, they interfere with my oyster card and getting cards out of tinfoil to use them is annoying.

(no subject)

Date: 2012-05-04 01:44 pm (UTC)
pir: (Default)
From: [personal profile] pir
The exact location of the wire varies by the card, shine a very bright light (I use my FireSword) through them and you can see part of the wire path.

They're usually along behind the signature strip and the magstripe, but you can see the wires between there and the chip.

I found a reference (that I now can't find again) recommending softening up the plastic in a small area with a drop of acetone to then cut the antenna wire beneath.

American contactless cards (I have one of them, too) internally look a lot like an Oystercard when dissolved. British cards are slightly more complicated since they have the smartcard interface for chip&pin as well.

Once you've worked out where the wires come out of the chip, if you soften up the area with acetone or not, cut carefully with a scalpel or Xacto blade and make sure you take out enough wire so the ends won't just come into contact again afterwards. Damage the card as little as possible or people in shops get weird about it.

(no subject)

Date: 2012-05-04 01:55 pm (UTC)
damien_wise: (Default)
From: [personal profile] damien_wise
It would be awfully nice to be able to enhance your card with supplies from the stationery cupboard. By "enhance", I mean improve the security by using a hole-punch to clip a hole through the antenna.
This plan could be flawed if the antenna is integrated into the chip / hidden under the contacts.
I can hardly wait til someone figures how to remotely load malware onto your card.

(no subject)

Date: 2012-05-04 01:59 pm (UTC)
From: (Anonymous)
I discovered a few years back that keeping my Oyster and my university card (which opens the doors at work) in the same wallet was hopeless - because they interfered with each other anyway. I like your tinfoil hat.

(no subject)

Date: 2012-05-04 02:00 pm (UTC)
lnr: Halloween 2023 (Default)
From: [personal profile] lnr
I discovered a few years back that keeping my Oyster and my university card (which opens the doors at work) in the same wallet was hopeless - because they interfered with each other anyway. I like your tinfoil hat.

[D'oh, sorry about the anonymous version - that was me]

(no subject)

Date: 2012-05-04 05:18 pm (UTC)
From: (Anonymous)
thanks for this, I downloaded the app, one of my cards shows details eeep, the other card says "record found" but no details, do you think that means it's secure?
I'd already ordered non-NFC cards anyway after a report on Watchdog, funny thing is that my card that showed details was one of the banks that claimed all their cards were safe.

(no subject)

Date: 2012-05-04 05:45 pm (UTC)
From: (Anonymous)
yeah the first one does, I don't use it much, so don't usually take it anywhere anyway but will be shouting at the bank anyway. The other just says record found and no other info.
Though now I'm being paranoid about having used that app but apparently they're a well known company and I made sure internet connection was off when I used it and have now deleted it.
Vicki

(no subject)

Date: 2012-05-04 06:00 pm (UTC)
doug: (Default)
From: [personal profile] doug
The story here - cards give out unencrypted details - is a minor, fixable issue, that probably will be fixed. Many card issuers have done this already. It's not that big of a deal: card details without PIN or CVV aren't exactly high-value on the black market, and for a reason.

More fundamental is the issue that 'near proximity' is an absolutely terrible authentication method for radio signals. It seems like just a technical small step from physical contact (e.g. with the chip in chip-and-PIN), but it's vast in security terms.

Imagine Alice is an ordinary punter and Bob is a retailer. Eve and Mallory are ... erm, security researchers.

Eve puts her modified reader near to Alice's. Mallory is holding his device near Bob's retailer terminal. Eve and Mallory's devices simply relay between them what they get from Alice and Bob's devices. Alice and Bob could actually be on other sides of the shop, or even in another city. The terrible beauty of this form of attack is that the encryption holds perfectly: a genuine card is having a genuine, secured conversation with a genuine reader. They're just further apart than they assume they are.

Add this to the issue that it's not hard to build NFC readers that work at much longer distances than retailer readers do - Eve doesn't have to be as close to Alice's device as a retailer terminal would be - and it looks like a Very Bad Idea.
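The relay scenario in the comment above, as an added simulation that is not part of the original post or thread: a toy card answers a terminal's challenge with a MAC, Eve's and Mallory's devices forward the bytes unchanged, and the MAC verifies either way. The only thing that distinguishes the relayed transaction is the extra round-trip time, which is what a relay-resistance (distance-bounding) check on the terminal looks at. The key, PAN, latencies and the 10 ms threshold are all constructed values for the example; they are not taken from any real card or terminal specification.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Toy shared key standing in for the card's cryptographic credentials.
# Constructed for this example; real cards use issuer-provisioned keys.
CARD_KEY = b"constructed-demo-card-key"
DEMO_PAN = "4000000000000002"  # constructed test-style number, not a real account

# Maximum acceptable round-trip time in milliseconds. Constructed threshold for the
# simulation; real relay-resistance checks use much finer timing.
MAX_RTT_MS = 10.0


class Card:
    """The genuine card: answers a terminal challenge with a MAC only it can produce."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key

    def respond(self, nonce: bytes) -> tuple[str, bytes]:
        mac = hmac.new(self.key, nonce + self.pan.encode(), hashlib.sha256).digest()
        return self.pan, mac


class DirectChannel:
    """Card held directly against the terminal: a few milliseconds of RF latency."""

    def __init__(self, card: Card, latency_ms: float = 2.0):
        self.card = card
        self.latency_ms = latency_ms

    def challenge(self, nonce: bytes) -> tuple[str, bytes, float]:
        pan, mac = self.card.respond(nonce)
        return pan, mac, self.latency_ms


class RelayChannel:
    """Eve's reader near the card and Mallory's device at the terminal, linked over a
    network. Bytes are forwarded unchanged, so the MAC stays valid; only latency grows."""

    def __init__(self, inner: DirectChannel, hop_latency_ms: float = 40.0):
        self.inner = inner
        self.hop_latency_ms = hop_latency_ms

    def challenge(self, nonce: bytes) -> tuple[str, bytes, float]:
        pan, mac, rtt = self.inner.challenge(nonce)
        # One network hop carries the nonce to the card, one carries the answer back.
        return pan, mac, rtt + 2 * self.hop_latency_ms


class Terminal:
    """Bob's terminal: verifies the MAC and, separately, bounds the round-trip time."""

    def __init__(self, key: bytes, max_rtt_ms: float = MAX_RTT_MS):
        self.key = key
        self.max_rtt_ms = max_rtt_ms

    def transact(self, channel) -> dict:
        nonce = secrets.token_bytes(16)
        pan, mac, rtt_ms = channel.challenge(nonce)
        expected = hmac.new(self.key, nonce + pan.encode(), hashlib.sha256).digest()
        mac_ok = hmac.compare_digest(mac, expected)
        in_range = rtt_ms <= self.max_rtt_ms
        return {
            "mac_ok": mac_ok,
            "rtt_ms": rtt_ms,
            "in_range": in_range,
            "accepted": mac_ok and in_range,
        }


def run_demo() -> tuple[dict, dict]:
    """Run one direct and one relayed transaction against the same terminal."""
    card = Card(DEMO_PAN, CARD_KEY)
    terminal = Terminal(CARD_KEY)
    direct = terminal.transact(DirectChannel(card))
    relayed = terminal.transact(RelayChannel(DirectChannel(card)))
    return direct, relayed


if __name__ == "__main__":
    direct, relayed = run_demo()
    print("direct :", direct)
    print("relayed:", relayed)
```

Both results report `mac_ok` as true, which is the point the comment makes: the cryptography cannot tell the two apart. Only the timing check refuses the relayed one, and that check is only as good as the terminal's ability to measure the round trip tightly enough that a network hop stands out.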

(no subject)

Date: 2012-05-04 06:32 pm (UTC)
hairyears: Spilosoma viginica caterpillar: luxuriant white hair and a 'Dougal' face with antennae. Small, hairy, and venomous (Default)
From: [personal profile] hairyears
Yes, I'd wondered about 'proximity', too; and about those situations where the card is out of its tinfoil wallet and actually in use.

BTW, English retail banks have a very poor record in fixing *easily* fixable security flaws. Harder ones - and that includes any fix involving replacing large numbers of cards - are neither admitted to nor fixed until massive media exposure forces the bank to retract their accusations that the defrauded customers were careless with their PIN or lying.

(no subject)

Date: 2012-05-04 08:02 pm (UTC)
From: (Anonymous)
I made a lovely tin foil 'hat' and retested the cards with the app and nothing registered so I think we can assume tin foil protects, can I now go into business making fetching tin foil hats for credit cards?

(no subject)

Date: 2012-05-04 08:18 pm (UTC)
morwen: (Default)
From: [personal profile] morwen
I don't think they see it as replacing two-factor, so much as replacing another one-factor (physical possession of tokens representing values). Imagine how much money they'll save once cash is abolished...

(no subject)

Date: 2012-05-04 08:53 pm (UTC)
From: (Anonymous)
What if there's no downside *at all* to banks if single-digit percentages of their cardholding customers get screwed? Or very little - say a hundred quid or so?

At that point, minor cost savings across the entire customer base add up to a profit.

Reputational damage doesn't seem to matter and it may well be the case that massive media expenditure can buy off any bad publicity.

I hope I'm wrong about that; but I suspect I'm right in speculating that senior managers in the retail banking sector really do think that way.

Also: broken decision-making structures. What if the technically-competent staff have no way, whatsoever, of communicating their concerns to anybody capable of acting on it? Communicating *effectively* without getting labelled as a troublemaker and fired?

Worse decision structures exist... What if the decision-maker gets a bonus for the savings, but is insulated from the consequences of the flaws?

Worse...

There's no published research on how many private-sector purchasing decisions benefit the purchasing company, let alone their customers, but lots of anecdotal evidence that might suggest internal conflicts of interest accompanied by excessive margins at the vendor.

In unrelated news, the hospitality industry makes a fortune from the banking sector.

(no subject)

Date: 2012-05-05 08:10 am (UTC)
greylock: (Default)
From: [personal profile] greylock
So, cards now need to be wireless too?
Great, another thing I need to worry about, as soon as Australian banks decide this is a thing they need to do.

I had no idea this tech had even been dreamt up, so thanks for this.

I guess I will add this to DW Memories so I can cut the wire ASAP whenever I do get one.

They can't even get a fully functional swipe *bus pass* system working, here or Melbourne.

on a similar note

Date: 2012-05-05 08:33 pm (UTC)
From: (Anonymous)
anyone know any more about nfc security on mobile phones? I'm not even sure how the payments are made, are they charged to your mobile bill? I do have to go into settings to switch it on, would like to find an app that blocks access to settings but haven't been able to find one. Is there a 'bigger' problem with stuff being loaded onto your phone remotely?
Anyone any security advice for mobiles?
Cheers
Vicki

(no subject)

Date: 2012-05-06 01:58 pm (UTC)
From: [personal profile] theoda
If tinfoil can protect cards from data theft then WHY CAN'T IT PROTECT MY BRAIN???
:P

(no subject)

Date: 2012-05-06 02:00 pm (UTC)
From: [personal profile] theoda
We should be safe for a while then. ;)