Shielded wallets not necessary: Banks

Summary: Commonwealth Bank of Australia has said it was not necessary for customers to enclose their new contactless payment cards in a wallet that stops the card from being read by rogue scanners on the street.

One of the new readers (Credit: NAB)

Yesterday, CBA said it will roll out 15,000 terminals this year that are capable of taking payments of less than $100 from certain cards without the card being swiped or the customer entering a PIN or signing. National Australia Bank has rolled out 2500 similar readers.

There has been some concern voiced about whether unauthorised payments could be made by rogue scanners. Some companies even sell wallets with a metal fibre mesh that acts like a Faraday cage so that similar cards can't be read.

But Commonwealth Bank executive general manager of business products and development Kelly Bayer-Rosmarin considered such measures totally unnecessary for MasterCard PayPass or Visa payWave cards. "They've got triple DES encryption on them," she said. Triple DES is the block cipher on which the chip-card (EMV) standard's transaction cryptography is based.

There wasn't any stored value on the card, so money couldn't be taken directly, according to Bayer-Rosmarin. In order for someone to carry out a fraudulent transaction, they would have to build a scanner, get the encryption software and hook it into the bank, she said.

National Australia Bank said that it wasn't necessary to use a blocking wallet since the card didn't have transmitting or receiving ability. It only became active when it was in range of a Visa contactless payment terminal during a transaction. Like the CBA, the bank also emphasised the encryption protection.

"Each Visa payWave-enabled card contains a tiny embedded computer chip that sends payment information to a contactless card reader via short-range radio frequency waves," a spokesperson for the bank said. "The information includes an encrypted security code that is unique to each transaction, making counterfeit fraud virtually impossible."

However, according to Wade Alcorn, NGSSoftware general manager Australasia, the scammer doesn't need to break the encryption for a relay attack to work. In a relay attack, a fake reader is put in proximity to a real card, and a fake card is put in proximity to a real reader.

"The [legitimate] reader and the [legitimate] card are tricked into thinking they are in close proximity," Alcorn said.

Gerhard Hancke from Cambridge University carried out a project (PDF link) that showed how such an attack could be carried out successfully.

The attack plays on the fact that a card and reader generally authenticate a transaction by confirming that they share a secret key, after which all communications are encrypted, according to Hancke. Payment institutions assume that even if an attacker gets in the middle of that authentication, they won't have the secret key, so any data they intercept stays protected.

However, in a relay attack the fake reader relays the real card's responses, via the fake card, to the real reader, which then believes a genuine card is in front of it. It doesn't matter that the attacker can't read the information flowing between the two: in effect he has the use of the card and can make a payment with it at the real reader.

The one condition for this sort of attack, according to Alcorn, is that it must happen in real time: the victim's card has to be within range of the fake reader at the moment the fake card is presented to the real reader.

Commonwealth Bank's Bayer-Rosmarin said that even if a hacker was able to sidestep the encryption, the rogue reader would have to be within four centimetres of a customer's card for the reader to be able to access the card. For National Australia Bank it was five centimetres. The card also needed to be correctly oriented, the NAB spokesperson said.

Hancke's investigation showed that although the nominal range of the contactless cards that the project looked at was 10 centimetres, the range was actually dependent on factors such as the transmitted power and the antenna diameter of the rogue scanner.

"An attacker should therefore have no problem in increasing the operating range of contactless cards," Hancke said. Hancke and his group successfully executed a relay attack up to a distance of 50 metres.

Commonwealth Bank and National Australia Bank said that even if the encryption and proximity difficulties were overcome by a fraudster, the banks covered their customers against attacks which breached their defences.

Commonwealth Bank pointed out that, in any case, the cards were only allowed to make transactions of up to $100, although, since there was no daily limit, any number of those could potentially be made in a day. The small size of the payments made it unlikely that the card would become a target for criminals, according to Bayer-Rosmarin. In other countries that had introduced the technology, she said, fraud levels had been low. She considered there to be a much higher risk of someone taking down a customer's credit-card details in a restaurant.

Despite Bayer-Rosmarin's belief that there was no point using protective wallets out of fear of being defrauded, she admitted that some people would do it anyway. She didn't know whether the wallets would work, as the bank hadn't tested them.

Hancke said in his report that banks and other operators could protect against a relay scam by measuring the delay between reader and card, since the extra distance a relay introduces lengthens the round trip. He also said that enclosing a card in a Faraday cage of metal or foil could prevent access, although the card would have to be taken out for use, which would give attackers a window of opportunity.
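The following is an added example, not code from the article, from Hancke's paper or from any bank or card scheme. It models the relay attack described above (fake reader at the victim's card, fake card at the real reader) and the round-trip-delay check Hancke suggests. The card number, key, class and function names and the millisecond timings are all constructed for the example, and an HMAC-SHA256 cryptogram stands in for the triple-DES-based one the banks describe; the point is that the relay never needs the key, while a tampering relay that changes the amount is still caught by the cryptogram, and only a timing bound catches a faithful relay.

```python
# Toy model of a contactless challenge-response, a relay attack, and distance bounding.
# Everything here (names, PAN, key, timings) is constructed for illustration.
import hashlib
import hmac
import os
from typing import Optional

CARD_PROCESSING_MS = 2.0   # assumed time a genuine card takes to answer a challenge


def cryptogram(key: bytes, pan: str, challenge: bytes, amount_cents: int) -> bytes:
    """MAC over card number, reader challenge and amount; stands in for the
    per-transaction 'security code' the banks describe (HMAC-SHA256 here, not 3DES)."""
    msg = pan.encode() + challenge + amount_cents.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Genuine card: holds the secret key and answers the reader's challenge."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key

    def respond(self, challenge: bytes, amount_cents: int):
        # returns (pan, cryptogram, milliseconds the reader waited for this answer)
        return self.pan, cryptogram(self._key, self.pan, challenge, amount_cents), CARD_PROCESSING_MS


class RelayProxy:
    """Attacker: a fake card at the real reader wired to a fake reader near the
    victim's card. It forwards bytes both ways and never learns the key."""

    def __init__(self, victim: Card, link_delay_ms: float):
        self.victim = victim
        self.link_delay_ms = link_delay_ms

    def respond(self, challenge: bytes, amount_cents: int):
        pan, mac, card_ms = self.victim.respond(challenge, amount_cents)
        # the challenge goes out and the answer comes back over the attacker's link
        return pan, mac, card_ms + 2 * self.link_delay_ms


class AmountChangingRelay(RelayProxy):
    """Relay that tries to have the victim authorise $1 while the reader charges more."""

    def respond(self, challenge: bytes, amount_cents: int):
        return super().respond(challenge, 100)


class Reader:
    """Terminal: issues a fresh challenge, verifies the cryptogram and, if a bound is
    configured, refuses answers that took longer than a nearby genuine card could."""

    def __init__(self, issuer_keys: dict, max_rtt_ms: Optional[float] = None):
        self.issuer_keys = issuer_keys
        self.max_rtt_ms = max_rtt_ms

    def transact(self, presented, amount_cents: int) -> str:
        challenge = os.urandom(8)
        pan, mac, rtt_ms = presented.respond(challenge, amount_cents)
        key = self.issuer_keys.get(pan)
        if key is None:
            return "declined: unknown card"
        if not hmac.compare_digest(mac, cryptogram(key, pan, challenge, amount_cents)):
            return "declined: bad cryptogram"
        if self.max_rtt_ms is not None and rtt_ms > self.max_rtt_ms:
            return "declined: response too slow (possible relay)"
        return "approved"


def demo() -> dict:
    key = os.urandom(16)                      # constructed per-card secret
    card = Card("4111111111111111", key)      # constructed test card number
    keys = {card.pan: key}
    plain = Reader(keys)                      # checks the cryptogram only
    bounded = Reader(keys, max_rtt_ms=5.0)    # also enforces a round-trip bound
    relay = RelayProxy(card, link_delay_ms=30.0)
    tamper = AmountChangingRelay(card, link_delay_ms=30.0)
    return {
        "genuine, no bound": plain.transact(card, 9900),
        "relay, no bound": plain.transact(relay, 9900),
        "relay changing amount": plain.transact(tamper, 9900),
        "genuine, bounded": bounded.transact(card, 9900),
        "relay, bounded": bounded.transact(relay, 9900),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

Run it and the "relay, no bound" case is approved even though the attacker holds no key, which is Alcorn's point; the amount-changing relay fails the cryptogram check, which is all the encryption buys; and only the reader with a round-trip bound declines the faithful relay. A real bound would be set from the radio round trip at the card's nominal range rather than the constructed 5 ms used here.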

Alcorn said that blocking wallets available on the market weren't perfect. "They try to be Faraday cages and they're not," he said, although he admitted that they did inhibit the RFID, making it more difficult for criminals as they would have to spend more money on expensive equipment to get access to the card.

"I'd consider buying one based upon their cost and availability," he said.

Of course, if the card was stolen, the attack would not be necessary at all, as the person who had stolen it would not have to provide a PIN or signature to make payments. Bayer-Rosmarin believed people would cancel their cards in such an event, and that the low transaction value would provide little incentive for thieves.

Intelligent Business Research Services analyst James Turner said that current cards use two factors, something you have and either something you know (a PIN) or something you are (your handwritten signature). With a contactless smart card, it's brought back to one factor authentication — something you have.

"This is a classic example where the organisation has done the maths and considers that the risk is worth lowering security. The dilemma is obvious, the easier you make a transaction for a consumer, the easier it is for the transaction process to be abused. Even disregarding rogue readers or dodgy merchants, there will also be excellent social engineering opportunities for the criminally inclined," Turner said.

Topics: Banking, E-Commerce, Hardware, Security

Suzanne Tindal

About Suzanne Tindal

Suzanne Tindal cut her teeth at ZDNet.com.au as the site's telecommunications reporter, a role that saw her break some of the biggest stories associated with the National Broadband Network process. She then turned her attention to all matters in government and corporate ICT circles. Now she's taking on the whole gamut as news editor for the site.

Talkback

12 comments
  • And the fine print reads ...

    "the bank covered its customers against attacks which breached their defences", however "counterfeit fraud virtually impossible" ... put the two together and we have "the bank covered its customers against attacks, virtually impossible". Read the fine print, would not want to be the first person to push for a refund and provide proof of "virtually impossible" fraud.
    anonymous
  • Encryption

    I'm happy to stick my card into a reader, even if that OK's the payment. Everything is fine about the card, it's just the antenna which sucks. They can put timing constraints in (and most likely have) which would defeat any relay attacks; the cost of performing one would far outweigh the value of the transaction...
    anonymous
  • they "can" do a lot of things

    It's not about what the criminals "can" do. It's about how much time and effort is involved in doing it and whether or not the return is worth that. I put an alarm system in my house - not because it will stop a burglar, but because it makes my house that little bit less attractive than the one next door without an alarm.

    Having said that, I am not sure why you wouldn't just go with a chip reader like the current EFTPOS machines but would guess it's more to do with political rather than technical reasons (e.g. someone trying to muscle in on EFTPOS territory).
    anonymous
  • Contactless vs Chip Reader

    Having used both, the time saved on the Contactless card is not worth the reduction in perceived security to me as an individual. Despite the fact that I know the technology is secure, the preference for me will be Chip Reader.

    I'm all for introduction of another layer of security on the contactless payment systems.....fingerprint readers anyone? Although I guess if you introduce this you don't really have a "contactless" payment system.

    Hey, at least then the wife can't use the card....and that's got to be good.
    anonymous
  • Say that again....

    "...the card didn't have transmitting or receiving ability. It only became active when it was in range of a Visa contactless payment terminal..."

    Umm, something has to transmit and receive for this system to work.
    anonymous
  • Say that again ...

    The card has no power supply of its own, it uses transmitted power from the terminal (like a fluorescent tube will glow from power picked up from overhead power lines). This is what limits the range mentioned in the article.

    But yes, this power can be sourced up from the cloned device just as easily. Even the close range pickup is possible - just sit next to someone with card/clone in pockets. The clone acts as a relay - just like putting another piece of string between the old two cans.

    The delay with a relay is not sufficient to be detected, the device is not changing the signal, just transmitting your cards signature through a second fake card - it would look to you as if the guy sitting next to you is using his own card.
    anonymous
  • But prefer to do it anonymously

    The criminals would prefer this method as it will be anonymous - different to fronting up to a counter to buy something with a fake card, which has cameras as a record of the transactions, plus the risk of being challenged on the spot.
    How will they identify the person committing the fraud, even if they have a date/time/camera? The speed of these types of transactions generally means high throughput; you could have 20+ people through in the minutes (given that the transaction date/time is even close to that of the camera).
    anonymous
  • 3DES is encryption, not authentication

    It could be 100DES but that's only encryption, what about authentication?

    Once authenticated, encryption just stops eavesdroppers, i.e. no-one can snoop on your card but strip off only less-than-$100-so-doesn't-matter
    anonymous
  • Multiple credit cards in wallet?

    Has anyone seen information on how an individual card is selected? Clearly the range is sufficient to read through a wallet. I keep both a personal and corporate card in my wallet - it would cause me a real mess to have the wrong card charged.
    anonymous
  • Contactless transaction

    Interesting article & comments. I am aware that the Australian Bankers Association, representing the licensed banks in Australia, have recently lobbied the government to relax their responsibility for fraudulent use of bank issued cards. Funny timing. PS: $100 x 1000 transactions via relay attacks is a nice little earner.
    anonymous
  • Liberty rights and security

    No reader can trace the card if holder has it in a shield or even easier press a switch on the card to activate the antenna which increase the price of the card of 10 cts much less than a shield, just a thought...
    anonymous
  • Prelude to the Mark

    This is just another step toward implanting everyone with a microchip. I can see the sales pitch now... Passports have RFID, Cash is RFID, Work Passes are RFID. So why not combine them all into a single chip, and embed it under your skin where you can't lose it.

    The interesting thing is that something like this was predicted in the book of Revelation 1900 years ago. Known as the mark of the beast (i.e. 666), no-one will be able to buy or sell without it. When cash disappears completely, you won't be able to buy or sell without a chip, just as the Bible predicted.
    anonymous