It is possible to sniff data but what can thieves do with it?
Contactless smart cards have been touted for their speed and convenience. But does the technology make it easier for pickpockets to be contactless, too?
Experts say that although it’s possible for a fraudster to buy a card reader on eBay and use it to scan people’s pockets on a subway, there are numerous protection mechanisms in place to keep stolen data from being used as well as new, emerging encryption standards that will further limit such threats.
The pickpocket issue garnered media attention in December, when a CBS affiliate in Memphis, Tenn., followed a man who was able to swipe credit card information from unsuspecting passers-by. Using an off-the-shelf card reader that he bought online for less than $100 and a mini laptop, the man was able to obtain credit card numbers, expiration dates and some cardholder names.
But that is likely as far as a thief will get, experts say. It is possible to use a contactless reader to pick up information from a card on the subway or in an elevator, but it is unlikely that he could use the information to go on a shopping spree.
That is because the account number and other information obtained from a contactless card is not enough to complete a financial transaction. Unlike magnetic stripe cards, most contactless payment cards use a dynamic element to authenticate each transaction.
Large payment brands employ dynamic card verification codes to ensure that transactions cannot be recorded and then simply replayed again and again. Data transmitted for each transaction is unique and can only be used once. Thus, the card number and expiration date alone are not enough to conduct contactless transactions.
“It’s one thing to obtain the information. It’s another to be able to use it,” says Jack Jania, secure transactions general manager for North America for digital security provider Gemalto.
The information is of even less use on encrypted cards. “If you look at the card’s memory, you’re just going to see a bunch of ones and zeroes. You need to know what to do with it,” says Kevin Graebel, product line manager for HID credentials at Irvine, Calif.-based HID Global.
Several other variables come into play for potential pickpockets. To be able to even scan a contactless card’s information, a thief would first have to be at very close range, between one to four inches. “So someone would have to know where your card is and put the reader within about an inch of the contactless card,” Jania says.
A thief would also need to buy a reader capable of reading the appropriate card technology, Graebel says. For instance, to read a MIFARE contactless smart card, a thief would need to have a MIFARE reader.
If it’s a dual-interface government PIV card, the thief could obtain the cardholder’s unique identifier, or CHUID, a number that uniquely identifies an individual within the PIV system, according to experts with Exponent, a Menlo Park, Calif.-based engineering and scientific consulting firm. The remaining chip information would only be accessible via the contact interface so it is not at risk from such attacks.
On payment cards, a thief could obtain the card number, expiration date and in some cases the cardholder’s name. “This information will typically not allow a normal payment transaction,” says Brad McGoran, principal engineer of technology development for Exponent.
Although most contactless smart cards don’t offer thieves enough information to go on a shopping spree, experts acknowledge that this is not enough–they want to avoid having credit card numbers at risk in the first place.
“The loss of such unencrypted information without the cardholder’s knowledge can present a privacy risk, notably in cases where additional efforts are made on behalf of an attacker to tie the unique identifier to a specific individual,” McGoran says.
Pinpointing weak spots
To advance security levels, experts have identified a number of vulnerabilities that exist with contactless cards. That’s according to McGoran and a team of experts at Exponent.
The first vulnerability is in the area of tracking. It would require physically large antennae to read a contactless card at distances greater than a few inches. A mobile attacker would find it less than discreet to take to the subway with a giant antenna in an attempt to scan a large audience. But insiders at a facility might be able to pull this off, McGoran says. A large antenna could be concealed within an advertising billboard, doorway or other area where crowds bottleneck.
“Such high-power concealed readers would allow adversaries to scan people passing through, not just tracking their movements within the facility but potentially collecting demographic information such as credit card data,” McGoran says. Still he stresses such scenarios are unlikely.
Encryption levels can also dictate a card’s vulnerability. If a card’s encryption uses a weak algorithm or no encryption at all, the information may be easily read. Advanced techniques for extracting a card’s encryption key are possible, but they typically require the physical possession of the card and access to highly specialized equipment, McGoran says.
For unencrypted air interfaces, data can be read by off-the-shelf readers and then programmed into a different physical card. Then an attacker could use the stolen card information to perform transactions that are identical to those performed by the legitimate card. In the case of payment cards, however, this process is complicated by the use of additional security mechanisms such as dCVCs.
Adding security measures
Efforts are under way to encrypt the data on contactless cards to further protect personal information.
Encrypting the card adds another layer of safety. “If encrypted,” says McGoran, “the data snooped by an attacker is useless, as it appears as gibberish without the decryption key.”
Shielding a card offers another level of security, reducing a fraudster’s ability to read a card from even a short distance. Shielding a card can be as simple as placing a card into a paper sleeve with a metal layer or mesh to interrupt the RF field.
The sheer nature of being contactless is a security measure in and of itself because intelligence doesn’t exist for magnetic stripe cards, Jania says. “They were never designed to be secure. The data on a mag-stripe card is wide open, hence all the skimming attacks,” Jania says.
As encryption standards evolve, experts expect continued growth in the contactless smart card segment. “PIN-protected smart cards incorporating encryption algorithms provide a much higher level of security (than) traditional magnetic stripe cards,” McGoran says. “Despite the vulnerabilities … smart cards, when implemented correctly, represent one of the best tools for greatly enhancing security and privacy.”
Card verification codes curb usefulness of skimmed data
CVC2–Printed on card but not encoded on mag stripe or transmitted by contactless
CVC3–Dynamic code created with each contactless transaction but not printed on card or encoded on mag stripe
To secure contactless transactions, the large payment brands employ dynamic card verification codes that change for each transaction. In this way, the data that is sent from the card, through the POS and to the authorization system is unique for every transaction. This technique is known by different names including dCVC, CVC3 or CVV3.
Here’s how it works.
A unique secret key stored in each card’s chip creates a unique value, called a dCVC, for each transaction. If a transaction is sniffed or copied, the dCVC makes the copied data unusable for future transactions because the backend authorization system will decline it when it recognizes that the transaction has already been processed. In short, it means transactions cannot be replayed.
The card’s secret key that creates the dCVC is securely stored in the chip and never transmitted out of the card. Thus, even if a thief knew other data such as card number, expiration date and cardholder name, it would not be possible to generate additional valid dCVCs to use for other transactions.
There are two older types of card verification codes used to secure payment transactions, and each still has value with new contactless systems. The best known of these is the CVC2 or CVV2 that is printed on the card itself. For MasterCard, Visa and Discover, it is a three-digit security code printed on the back of the card. In the case of American Express, it is a four-digit code on the front of the card.
The CVC2 is intended to secure card-not-present transactions such as mail order, telephone and online purchases. Reputable merchants require the code in addition to the card number and expiration date to complete transactions that do not occur face-to-face.
The CVC2 is not encoded on the magnetic stripe nor stored on the contactless chip. Thus it cannot be skimmed surreptitiously or captured during normal card-present transactions. If a thief skimmed card data via the contactless interface, it could not be used for a card-not-present transaction because there would not be a CVC2.
The CVC1 is a unique number that is encoded on the magnetic stripe but not printed on the face of the card. It is generated by applying a secret key known only to the card issuer to a string of cardholder data. The CVC1 was designed to enable backend systems to ensure that the card initiating a transaction is valid. It also helps to keep fraudsters from encoding a complete magnetic stripe using data obtained from a visual inspection of a valid card.
If the card issuer did not use a CVC1 it would be possible for a thief to inspect a card and recreate a working copy of the magnetic stripe on a blank card. The CVC1 prevents this because it cannot be determined via visual inspection. Similarly, because the CVC1 is not transmitted during a contactless transaction it hinders the ability to create a working copy of a magnetic stripe from the data obtained in a contactless transaction.
Augustinowicz: “Contactless payment threat is real”
At the center of the controversy surrounding contactless pickpocketing is Walt Augustinowicz, founder and CEO of Identity Stronghold.
Last fall, Augustinowicz appeared on a number of newscasts demonstrating his ability to obtain contactless payment card numbers on the sly. The video segments have been viewed by millions of consumers to the dismay of many in the payments industry.
While consumers were shocked that their cards could be read without their knowledge, many industry observers were only surprised to see that the compromised data was apparently used to make actual transactions.
It is widely known in the industry that cardholder data can be obtained via techniques such as those used by Augustinowicz. But payment experts downplay the ability to use that data to make fraudulent transactions. There is an array of protections in place designed to keep this from occurring.
But the demonstrations themselves are not without controversy. Industry representatives express skepticism that the fraudulent transaction occurred as they appeared on camera, suggesting there might be a bit of smoke and mirrors involved.
Augustinowicz, however, insists that all aspects of the demonstrations are real including his ability to encode data to a magnetic stripe and conduct a transaction at the point of sale. He says he wants the payments industry to admit the problem and offer a solution to keep consumers safe.
Identity Stronghold sells card sleeves that shield contactless cards from unintended access. Because the company could benefit from consumer concern over electronic pickpocketing, some have suggested these demonstrations are financially motivated.
Augustinowicz downplays this telling Re:ID that his team found this weakness and thinks it should be fixed. When asked to provide details on the weakness, he told Re:ID that he is opting not to publicly disclose details at this time.