Researchers use shopping cart to put mobile, NFC payment theft on wheels

Summary: Hiding an antenna in a shopping cart, researchers tested the success rates of stealing sensitive customer data in near-field contactless payments - and got "consistently good results."

Using a shopping cart turned into an antenna, security researchers captured sensitive data from contactless payment cards, and concluded the wireless theft gear could easily be concealed in a backpack.

In a recently published paper called "Eavesdropping near-field contactless payments: a quantitative analysis", the researchers assessed eavesdropping attacks on contactless payment transactions for ease and success rates.

They specifically made their easily concealable antenna using low-cost electronics.

The researchers explained,

A near-field communication inductive loop antenna was used to emulate an ISO 14443 transmission.

For eavesdropping, an identical inductive loop antenna as well as a shopping trolley modified to act like an antenna were used.

Despite widespread adoption in Europe and the UK, the researchers found that contactless payments are more vulnerable than previously believed.

Hacking into NFC payment transmission and covertly skimming, relaying or eavesdropping on the transmission of sensitive customer information isn't new; researchers began to make these three types of vulnerabilities public around 2008.

Yet how easy and reliable such attacks are was not a known quantity until now: four security researchers from the University of Surrey have examined success rates, distance and more, using cheap store-bought electronics.

If an attacker used their gear to go "shopping" for credit card data, it would be as easy as the thief standing in line with a shopping cart while the victim paid for their purchases, none the wiser.

Their paper explains,

What is missing, although, is practical results showing how reliably eavesdropping can be carried out, quantifying how much of a transmitted sequence can be recovered at the eavesdropping end at various distances.

Measurements (...) relied on often expensive or bulky equipment that cannot be easily replicated in a portable system. In our paper, we determined how reliably information from an ISO 14443 Type A device could be recovered by an eavesdropper, in a way that could be used to obtain sensitive information from the victim using a covert antenna and low-cost electronics.

Emphasis was on frame error rate (FER) as in order to recover meaningful information that could lead to compromising a victim's financial security or privacy, data need to be recovered in the form and structure that was originally transmitted.

They found that their rig produced "consistently good results" and "performed well across most distances."
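Why the paper measures frame error rate rather than bit error rate can be shown with a short simulation. This is an added example, not code from the paper or the article: it assumes independent bit errors, omits the per-byte parity bits of a Type A frame, and uses a constructed 16-byte payload protected by the ISO/IEC 14443-3 CRC_A.

```python
import random

def crc_a(data: bytes) -> int:
    """CRC_A from ISO/IEC 14443-3: reflected poly 0x8408, initial value 0x6363."""
    crc = 0x6363
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_frame(payload: bytes) -> bytes:
    """Append CRC_A, low byte first, as a Type A standard frame carries it."""
    return payload + crc_a(payload).to_bytes(2, "little")

def frame_ok(frame: bytes) -> bool:
    """A received frame is usable only if its trailing CRC_A matches."""
    return len(frame) > 2 and crc_a(frame[:-2]) == int.from_bytes(frame[-2:], "little")

def add_bit_errors(frame: bytes, ber: float, rng: random.Random) -> bytes:
    """Flip each bit independently with probability `ber` (constructed channel model)."""
    out = bytearray(frame)
    for i in range(len(out) * 8):
        if rng.random() < ber:
            out[i // 8] ^= 1 << (i % 8)
    return bytes(out)

def expected_fer(ber: float, frame_bits: int) -> float:
    """FER for independent bit errors: one wrong bit spoils the whole frame."""
    return 1.0 - (1.0 - ber) ** frame_bits

def measured_fer(frame: bytes, ber: float, trials: int, seed: int = 1) -> float:
    """Fraction of noisy copies of `frame` that fail the CRC_A check."""
    rng = random.Random(seed)
    bad = sum(not frame_ok(add_bit_errors(frame, ber, rng)) for _ in range(trials))
    return bad / trials

# Constructed sample: a 16-byte payload plus CRC_A (parity bits omitted).
SAMPLE = build_frame(bytes(range(16)))

if __name__ == "__main__":
    for ber in (0.0001, 0.001, 0.01):
        print(f"BER {ber:<7} expected FER {expected_fer(ber, len(SAMPLE) * 8):.3f} "
              f"measured FER {measured_fer(SAMPLE, ber, 2000):.3f}")
```

With a 144-bit frame, a bit error rate of 1% already leaves roughly three frames in four unusable, which is why per-frame recovery is the meaningful measure of what a receiver at a given distance actually obtains.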

In conclusion they wrote:

Depending on the H-field strength, eavesdropping distance can be within the 20–90 cm range in a shielded environment. Such an environment is not unrealistic as similar conditions could be found in an underground station.

All of our work has been carried out using inexpensive and off-the-shelf electronics along with a DAQ card.

This card costs £1500, but in a system designed to be deployed, it can be replaced with a considerably less expensive FPGA-based system or a laptop-based DAQ.

An attacker could assemble our receiver at low cost and easily conceal it in a backpack.

In addition to this, by making use of Gaussian filtering and variance computation in software an attacker can achieve frame synchronisation in a robust way. We have shown that a good pair of fixed parameters works consistently regardless of the eavesdropping distance or the H-field strength and only depends on the characteristics of the eavesdropping antenna.

The researchers next plan to extend their experiment to smartphones using NFC (Near Field Communications technology).

As more and more companies compete for customer dollars in the mobile wallet space, encouraging "frictionless payments" over the holidays, shoppers should be aware of the risks that come with using contactless payments or an Android phone's Near Field Communications (NFC) for purchases.

Google Wallet, MasterCard PayPass and Visa Wave are three widely known NFC payment services.

To use them, smartphone users only need to sign up, enable NFC communications on their phones, and go shopping.

Americans to NFC payments: We're not that into you

Google Wallet, initially focused on contactless payments and available on most Android phones via NFC (and with an app on iPhones), has been one of Google's least successful services.

In May this year, the chief of Google Wallet resigned, a move that was widely considered "another sign of continuing troubles in convincing U.S. smartphone users to adopt mobile wallets using NFC technology."

Contactless payments aren't yet as popular in the US as they are in Europe and the UK, but Visa states that adoption is growing so quickly that it has reached "a watershed moment." 

Anne Van Schrader, Head of Contactless and Mobile NFC at Visa Europe, said:

By the end of 2013, Europeans will be making over 52 million contactless transactions every month.

Still, Americans seem suspicious of contactless payments and transactions over NFC. Last December, analysts observed its glacial adoption in the US and announced that it would be a decade until mobile payments are in widespread use.

Computerworld reported,

NFC will take a minimum of three more years to grab hold as a technology that enables so-called mobile wallets as a replacement for credit cards and cash in the U.S., according to a consensus of five analysts.

And by "grab hold," these analysts mean being used by only 10% of mobile phone users to make digital purchases.

Despite the slow adoption, it's highly likely that contactless payments and transactions over NFC will slowly seep into use - between Google and Visa, it's only a matter of winning hearts and minds.

The contactless payment thieves, however, will most certainly be early adopters.

Talkback

  • This scenario

    is why most Americans are highly suspicious of a payment method that they do not have to actively authorize or hand over in person, and bluntly I am only shocked that this sort of method wasn't worked out some time ago.
    thecactusman17
  • Yeah, there's been some problems.

    Yeah, I've heard there's been some problems. There's also the issue of registers picking up and charging the wrong card/device. It has a few things to work out before I'd recommend it to anybody.
    CobraA1
  • a better idea

    implementing commerce on phones -- or other computer devices -- that are easily updated creates a hackers' playground. they will have a heyday. commerce should be implemented on a dedicated device, preferably a smart-card -- that is replaced (not updated) -- at least once a year.

    the point of sale terminals (POST) should be changed so that the smart card does not send the customer's card number to the POST. Rather the POST should submit an invoice to the customer's card.

    on receipt of the invoice the customer's card should encrypt the invoice together with authorization for payment to the PCI -- not to the POST, not to the merchant -- to the PCI/processor.

    the cipher text is then forwarded to the merchant's POST. Neither the merchant nor the POST can read the cipher text -- the cipher text is encrypted for the PCI/processor.

    so the POST forwards the cipher text to the PCI processor. on approval the PCI will send approval to the POST and EFT from the customer's account to the merchant's account. the POST prints the paid invoice (receipt) for the customer.


    note: this process is the same as cash: merchant never knows who the customer is.
    Mike~Acker
    • use what already exists

      Instead of something complicated, how about instead of transmitting the actual credit card information, why not a HASH? This is used everyday in computing and is very simple to implement...of course, the POST machines will need to be modified to generate and accept a HASH, but it is simple and reliable!
      tech_ed@...
  • Using mobile

    there are a few innovative companies out there that look at this in a similar-ish fashion. NFC or technology that broadcasts is potentially very dangerous for reasons illustrated like this. In addition, there have been issues with wrong cards getting charged in the UK or worse, multiple cards getting charged at the same time...

    Look at digital solutions like www.zwallet.me and you can see a great shopping experience with no NFC being used at all...
    AndrewOneDegree
  • Just say *NO* to NFC transactions

    NFC is OK for some stuff, but completely wrong for others.
    I have an NFC ID badge that lets me into my building and into my office. This is fine...for most stuff. But for more secure locations, a secondary identification is needed like fingerprint or hand scanning.
    In a recent experiment, I purchased from Radio Shack an NFC kit. I was able to successfully replicate my NFC ID badge. But because the communication between the badge and the building NFC scanners is encrypted, I was not able to enter the building. And there's the RUB!
    NFC communications with money cards or credit cards is not encrypted. It's plain text that anybody can mimic and use in any other kind of device...magnetic strip or another NFC card...BTW, the NFC kit that I got from Radio Shack? $59...came with everything I needed, cards, readers, programmers. The whole works.
    So, until the credit card companies start to use encryption in the transmission of credit card data, NFC will just be a risk not worth taking!

    Now...here's a more ominous thought of this NFC reading happening 3 feet away from the subject.
    US Passports are all equipped with NFC chips that allow for remote reading of your passport data. Now, let's say you are in a country that is not friendly to Americans. You have your American passport in your pocket. Some unfriendly citizen uses this technology to target Americans and as such, NFC becomes the means to your death! Or you become a kidnap victim. Even friendly countries love to kidnap Americans...we're the ones with all the money!
    tech_ed@...