Jump to content

Recommended Posts

Posted

If someone was seriously interested in this, they would simply buy an RFID receiver and transmitter, and do a series of experiments...

One thing might be fake and other not, you have no idea with what you are dealing with, until you will check it.. apparently not so obvious to some... I would don't trust even brand name stuff (just today I found it does not want to work with Bluetooth speakers...)

 

Posted

Couldn't you just put the credit card inside the wallet and then drag it across an RFID scanner/reader?  Just go to an automated checkout at a supermarket where you won't be mystifying a clerk.   If any signal got through, you would know it was not really RFID protected.  

Posted

It’s a gimmick in the sense that they’re offering a product based on the fear of a low-risk scenario, but you can attenuate RF signals. There are independent reviews of such products, but the few I’ve seen don’t seem to go into much detail about how they were tested.

Posted

The more paranoid shopper will often just insert any cards of concern or items from wallets into a Faraday pouch which uses a mesh to help block EM signals. I've seen them in use with electronic key fobs for vehicles (so larcenous thieves cannot so easily create those fancy Lambo griefs), and technically any payment card with an RFID would enjoy similar reduction in risk. 

Whether or not it's worth it sort of depends on how frequent and common these sorts of crimes are where you spend your hours, but IMO most of the time this is overkill and intended just to bilk money from paranoid people. 

Posted (edited)
1 hour ago, iNow said:

Whether or not it's worth it sort of depends on how frequent and common these sorts of crimes are where you spend your hours, but IMO most of the time this is overkill and intended just to bilk money from paranoid people. 

..The same could be said of the IT antivirus industry.. or the condom producers industry.. insurance industry (even more!)..

 

Hackers are installing card readers on ATMs around the world, and local newspapers frequently warn about it. Such things are detected only if they immediately start taking money from stolen cards. If they did it six months later or later, no one would know how they got the data.

How can a hacker install a card reader/camera recorder on devices? Simply by being employed in a store, restaurant or hotel..

How did you get infected with HIV? Who have you had sex with in the last few years? If someone has sex every day, the answer is almost impossible..

The same goes for cards. You insert them into unknown devices several times a day..

 

Have you checked where your, family members, and friends data get leaked in hacker attack by now?

https://haveibeenpwned.com/
 

 

Edited by Sensei
Posted
24 minutes ago, Sensei said:

..The same could be said of the IT antivirus industry.. or the condom producers industry.. insurance industry (even more!)..

But one would be wrong to claim this.

24 minutes ago, Sensei said:

 

Hackers are installing card readers on ATMs around the world, and local newspapers frequently warn about it. Such things are detected only if they immediately start taking money from stolen cards. If they did it six months later or later, no one would know how they got the data.

How did you get infected with HIV? Who have you had sex with in the last few years? If someone has sex every day, the answer is almost impossible..

The same goes for cards. You insert them into unknown devices several times a day..

Which has nothing to do with having an RFID wallet

 

 

Posted (edited)

Your response is too ambiguous. What are your objections at all?

According to my country statistics (national bank data and police data from Google), there were 1:190 chance (0.5%) of losing money from stolen debit/credit card data ("unauthorized usage of credit/debit card data") in my country in 2021..

 

Edited by Sensei
Posted
10 minutes ago, Sensei said:

Your response is too ambiguous. What are your objections at all?

According to my country statistics (national bank data and police data from Google), there were 1:190 chance (0.5%) of losing money from stolen debit/credit card data in my country in 2021..

 

And what fraction of these losses came from someone scanning the card while it’s in a wallet?

Posted (edited)

Found this little factoid from one of our UK police forces:

Quote

There have never been any confirmed reports of money being ‘stolen’ from a contactless card still in a cardholder’s possession in the UK.

Common misconceptions about contactless payments
1.) A fraudster can steal my details from my contactless card

You have to be extremely close to someone for their gadget to be able to read your card. Even then, they would only get the card number and expiry date which is the same information you see by simply looking at the front of any card.

There’s no way anyone can access to the important details such as the security code on the back of the card, your name and address, or bank account details.

As the vast majority of online retailers require additional details like these to make a purchase, there is very little chance of a fraudster being able to make online transactions.

 

2.) A fraudster could take money from my card just by bumping into me in the street or on public transport

It’s not possible to simply ‘steal’ cash from a contactless card as money has to go through the card system.

First of all, you must have a retail account to get any money from a card payment. There are thorough security checks before these can be set up and new accounts are continuously monitored for any suspicious activity.
Moreover, as every card payment is fully traceable, right through to the recipient account, if any fraudulent activity was reported the recipient could be easily identifiable and the money would be taken back.

Finally, a contactless card has to be used in a specific way to work. That means it can only be a few centimetres away from the card reader and not near any metal objects, like keys and mobile phones, or indeed any other contactless card. The fraudster would also need to know where your card is.

So waving a card reader about in the street or on a train couldn’t take a payment from passers-by and there’s never been any verified report of this ever happening in the UK.

 

3.) If I lose my card all of my money can be taken through contactless transactions

Every card has an in-built security check which means from time-to-time you have to enter your PIN to verify that you are the genuine cardholder. You can also only spend a maximum of £30 in any single contactless transaction.

However, if you lose your card, or think it might have been stolen, then you should contact your bank straight away.

You are fully protected against fraud, so you get all of your money back and will never be left out of pocket.

 

4.) I could accidentally pay for someone else's shopping by walking past them at the till.

Contactless cards only work when they are just a few centimetres from the card machine, so there’s no chance you could end up paying for someone else’s shopping.

5.) If I've got two contactless cards in my purse or wallet, I might pay for my shopping twice.

There’s no way you can pay for the same purchase on two cards at once. That’s because card machines can only ever do a transaction with one card at a time. Every individual transaction has to be keyed in separately by the sales assistant.

To make sure that you pay with the right card, we always recommend taking the card you want to pay with out of your purse or wallet and touching it against the card reader. If you present your purse or wallet to the device and it contains more than one contactless card, the cards will clash and no payment will be taken.

https://www.westyorkshire.police.uk/contactless-card-payments#:~:text=Even then%2C they would only,address%2C or bank account details.

Most of this technology is American, so I imagine the risks, or not, are the same as in the UK/Europe.

Edited by StringJunky
Posted

Losing money from a credit/debit card that has a magnetic stripe (which one doesn't?) is as easy as this guy shows:

You still have CC/debit card at hand, but somebody else has unlimited number of copies, so you have no idea how this all happened, if they will use it after months..

6 hours ago, StringJunky said:

You have to be extremely close to someone for their gadget to be able to read your card. Even then, they would only get the card number and expiry date which is the same information you see by simply looking at the front of any card.

People frequently give their credit/debit cards to bartenders, salesmans, waiters, receptionists etc. etc. They can duplicate your CC and/or make photos and then use anywhere else, Internet or regular shop. CCTV installed in the shop with 4k/8k may be enough to record all CC details when person do contactless operation.. If they are not greedy, you won't notice for days or months, or never.

A 70-plus-year-old woman found another woman's debit card here. She started using it for her daily grocery shopping contactless. The limit at the time was set at $12.5 per day, now it has been extended to $25 per day. Grandma used the card for several months. She was not greedy - used just $5 per day or so. The card's owner discovered the operations on the card by accident after several months and contacted the police. Those waited for the thief in the store, as she daily appeared in the same place, and caught her. A greedy thief will be detected immediately, while a non-greedy thief will remain undetected because his/her operations mix with all the other operations that people perform on a daily basis.

 

Going back to the RFID/NFC topic:

https://www.youtube.com/results?search_query=hacking+contactless+cards

The first video I have here for this query string shows how such "action" in the shop will look like from thief POV. It happens so fast that you don't even know what happened. I don't want to advertise the device name, but it is just $330 at Amazon. Once you have the device name see Linus Tech Tips about the device (more technical and more professional discussion).

 

Posted
8 hours ago, StringJunky said:

Most of this technology is American, so I imagine the risks, or not, are the same as in the UK/Europe.

I’ve read that UK/European standard is to have a PIN you enter for these transactions. Is that correct?

Posted (edited)
14 minutes ago, swansont said:

I’ve read that UK/European standard is to have a PIN you enter for these transactions. Is that correct?

In the shops, not every time, around every fifth time you use a card scanner it will ask you to key in your PIN. That limits how much can be stolen. £100 is the maximum you can pay flashing your card  without using your PIN. These limits are across all banking institutions. I think any changes have to be government approved iirc. In online transactions there is a 3-digit number you add as evidence you are in possession of the card.

Edited by StringJunky
Posted
8 minutes ago, StringJunky said:

In the shops, not every time, around every fifth time you use a card scanner it will ask you to key in your PIN. That limits how much can be stolen. £100 is the maximum you can pay flashing your card  without using your PIN.

That’s probably why it’s not seen there, since the PIN wouldn’t be something you can scan.

In the US, AFAIK PINs are not required. Yet.

It used to be that transactions at the self-checkout at my grocery store were limited to $50 and they checked your ID if you went to the regular checkout, but they stopped doing that after a few years.

 

(edit: if I want cash back with my transaction, the self-checkout wants a PIN if I use the chip)

Posted
5 minutes ago, swansont said:

That’s probably why it’s not seen there, since the PIN wouldn’t be something you can scan.

In the US, AFAIK PINs are not required. Yet.

It used to be that transactions at the self-checkout at my grocery store were limited to $50 and they checked your ID if you went to the regular checkout, but they stopped doing that after a few years.

 

(edit: if I want cash back with my transaction, the self-checkout wants a PIN if I use the chip)

Right. Does that mean the US is slightly behind us then in applying newer security technologies?

1 hour ago, Sensei said:

Losing money from a credit/debit card that has a magnetic stripe (which one doesn't?) is as easy as this guy shows:

You still have CC/debit card at hand, but somebody else has unlimited number of copies, so you have no idea how this all happened, if they will use it after months..

People frequently give their credit/debit cards to bartenders, salesmans, waiters, receptionists etc. etc. They can duplicate your CC and/or make photos and then use anywhere else, Internet or regular shop. CCTV installed in the shop with 4k/8k may be enough to record all CC details when person do contactless operation.. If they are not greedy, you won't notice for days or months, or never.

A 70-plus-year-old woman found another woman's debit card here. She started using it for her daily grocery shopping contactless. The limit at the time was set at $12.5 per day, now it has been extended to $25 per day. Grandma used the card for several months. She was not greedy - used just $5 per day or so. The card's owner discovered the operations on the card by accident after several months and contacted the police. Those waited for the thief in the store, as she daily appeared in the same place, and caught her. A greedy thief will be detected immediately, while a non-greedy thief will remain undetected because his/her operations mix with all the other operations that people perform on a daily basis.

 

Going back to the RFID/NFC topic:

https://www.youtube.com/results?search_query=hacking+contactless+cards

The first video I have here for this query string shows how such "action" in the shop will look like from thief POV. It happens so fast that you don't even know what happened. I don't want to advertise the device name, but it is just $330 at Amazon. Once you have the device name see Linus Tech Tips about the device (more technical and more professional discussion).

 

I'm not sure handing your card to a service person is standard practice here. They come to you with portable chip and pin units. You are more often than not filmed in any transaction you undertake in a commercial premises. I had my card stolen last week. I know the staff in my local supermarket pretty well and they said any transaction is fully traceable.

Posted
27 minutes ago, StringJunky said:

Right. Does that mean the US is slightly behind us then in applying newer security technologies?

Yes, because of pushback from customers who put convenience above security.

Posted
50 minutes ago, swansont said:

I’ve read that UK/European standard is to have a PIN you enter for these transactions. Is that correct?

After 5th transaction in a day or exceeding day limit you have to authorize by PIN (the same which is used in ATM, so pretty much constant - and easy to intercept by camera). But it generally depends on the bank you use. Different banks have different default settings. The customer can adjust these settings or turn them off.

People here commonly use a one-time-generated number in a specialized application to confirm transactions. It is non refundable. If you entered a PIN, it is final, you cannot get a refund. Thieves have learned how to trick people into giving them this one-time-generated number by pretending to be friends - basically, they steal someone's Facebook account and write to their friends asking for a small loan, the unsuspecting people give them the code and the money disappears.

 

4 minutes ago, swansont said:

Yes, because of pushback from customers who put convenience above security.

If someone cares about security, they should use:

1) virtual cards with one-time generated data..

2) Have two accounts with independent cards. When he/she needs to pay for something, he/she transfers money from his/her main account to the other and pays for the item immediately (online or in a regular store). Then the account remains empty until the next transaction. Even if the data is lost, in any way, online or offline, by a camera or a rogue merchant, it doesn't matter. They can't take money from the empty account.

Posted (edited)
8 minutes ago, Sensei said:

After 5th transaction in a day or exceeding day limit you have to authorize by PIN (the same which is used in ATM, so pretty much constant - and easy to intercept by camera). But it generally depends on the bank you use. Different banks have different default settings. The customer can adjust these settings or turn them off.

People here commonly use a one-time-generated number in a specialized application to confirm transactions. It is non refundable. If you entered a PIN, it is final, you cannot get a refund. Thieves have learned how to trick people into giving them this one-time-generated number by pretending to be friends - basically, they steal someone's Facebook account and write to their friends asking for a small loan, the unsuspecting people give them the code and the money disappears.

 

Slight correction, it is the fifth transaction, regardless of time length, although it does seem to be more random now when you are prompted to PIN. The cases you cite are examples of exploitative social engineering, rather than inherent technology flaws, I think.

Edited by StringJunky
Posted (edited)
59 minutes ago, StringJunky said:

The cases you cite are examples of exploitative social engineering, rather than inherent technology flaws, I think.

First they had to hack the FB account. Later, there was a trick. How is this different from, say, Mitnick? Mitnick called people in the company pretending to be an IT administrator.

Edited by Sensei
Posted
5 hours ago, Sensei said:

People frequently give their credit/debit cards to bartenders, salesmans, waiters, receptionists etc. etc. They can duplicate your CC and/or make photos and then use anywhere else, Internet or regular shop.

And depending upon your habits and which bank you use, their AI algorithms will tend to identify transactions that don’t fit your usual patterns or come from a different region or IP address. They’ll automate processes which temporarily suspend payments, deactivate the card, and notify the customer from whom it was stolen. If any vendors got paid before this took place, the fraud departments at most banks will eat that cost so it’s not passed on to the consumer. 

I suspect you know much of that, so mostly posting for others who may not. 

Posted
4 hours ago, Sensei said:

First they had to hack the FB account. Later, there was a trick. How is this different from, say, Mitnick? Mitnick called people in the company pretending to be an IT administrator.

We are talking about technical issues, not human ones.

Posted
2 hours ago, iNow said:

And depending upon your habits and which bank you use, their AI algorithms will tend to identify transactions that don’t fit your usual patterns or come from a different region or IP address. They’ll automate processes which temporarily suspend payments, deactivate the card, and notify the customer from whom it was stolen. If any vendors got paid before this took place, the fraud departments at most banks will eat that cost so it’s not passed on to the consumer. 

Do you truly believe/buy this marketing BS...? Seriously? You just repeated what they say in their marketing materials as if you work in bank marketing..

2 hours ago, iNow said:

I suspect you know much of that, so mostly posting for others who may not. 

Not really. I know people who have been denied refunds. I will keep the details to myself, otherwise I will influence the thieves what/how to do it..

3 hours ago, iNow said:

their AI algorithms will tend to identify transactions that don’t fit your usual patterns or come from a different region or IP address.

..professionals do it from your current IP address..

1 hour ago, StringJunky said:

We are talking about technical issues, not human ones.

 

If someone doesn't bother to cover their credit/debit card when it is used to authorize a contactless transaction (thus cameras won't work), is that a technical issue or a human issue? If someone doesn't take the trouble to buy RFID/NFC protection shield (which doesn't protect against cameras BTW!), is it a technical or human issue... ?

I read OP, "gimmicks" as "fakes", and responded accordingly in 3rd post, by saying each such protection "shield" should be checked independently by the owner using appropriate devices/environment..

People here started to say that it is unneeded fake for paranoid people, so I objected.

 

Posted (edited)

@Sensei Bear in mind, implementation of security features varies across continents and countries. US aren't using Chip and Pin yet, for instance. The relative risk between nations is not uniform.

Edited by StringJunky

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.