Wednesday, 10 September 2014

Is PayWave picking your pocket at the checkout?

Tweed Daily News 3 September 2014:

PAYWAVE card payments have improved efficiency at the checkout, but the experience of one South Grafton man suggests you should be vigilant near one of the terminals.
Last week, Don Booth, of South Grafton, was waiting behind another customer at the cash register of a Grafton business.
As he watched the cashier, he noticed she did something different and asked her what happened.
He was shocked to find that instead of billing the customer in front of him, the terminal had picked up the card in his wallet and completed the transaction with his money.
"Because the girl at the checkout noticed it, we were able to fix it up straight away," Mr Booth said.
He said the girl at the checkout told him it was not her first experience of a payWave transaction going wrong.
"She said it happened in Coles to a customer, in the same way it happened to me," Mr Booth said.
Mr Booth said he would be taking extra care to check his next card statement.

Perhaps the rise in credit card fraud that NSW Police Coffs Clarence Police Command has recently complained about may also be a result of flaws in wireless near field communication technology.

In October last year Among Tech posted this information on electronic pickpocketing:

The fact that you can use your smartphone to pay at a restaurant or a store is great and with NFC (Near Field Communication) technology you can do just that, but what else? Several months back a report from CBC showed us how easy it is to steal credit card credentials using an App and NFC technology which is integrated in most of the high end Android smartphones, but even after 6 months it is still possible to download one of these Apps and hack someone’s credit card and Google has made no changes to its software in order to make it harder for people to steal someone else’s credit card info.
Apps like SquareLess allow users to see a credit card’s number, security code and expiration date, which can later be used by hackers to purchase products online without the credit card holder giving them permission to do so. SquareLess is just one of the many apps available on the Play Store that allow you to do just this, which is a very serious issue. A study done by xdadevelopers shows that any of the following credit cards can be hacked using NFC:
American Express Blue Cards
Chase Credit Cards
MasterCard PayPass
Visa payWave Cards
So, how can an App and NFC read credit card credentials? NFC technology is also what is used in stores to read our credit cards. A credit card will give its information, which allows you to make the transaction, once it finds a valid payment terminal device, but the credit card doesn’t look at what type of terminal device this is (since it doesn’t know this information); it is just interested in finding one. Making the smartphone function like a payment terminal can allow you to “fool” the credit card, making it think it is what it is looking for, easily allowing the app to read all the necessary credentials. In order to do so, all that is required is for the smartphone with NFC to be within approximately 10cm of the credit card. Here is a video demonstrating just how easily it can be done……

Channel 7 Today Tonight also broadcast an item on this subject in July this year.

Internet websites are now offering RFID-shielding passport holders/wallets/sleeves to prevent remote scanning and skimming of PayWave or touch-and-go credit cards, although the effectiveness of these products is open to question.
