Researchers use shopping cart to put mobile, NFC payment theft on wheels

Using a shopping cart turned into an antenna, security researchers captured sensitive data from contactless payment cards, and concluded the wireless theft gear could easily be concealed in a backpack.

In a recently published paper called Eavesdropping near-field contactless payments: a quantitative analysis, the researchers assessed eavesdropping attacks on contactless payment transaction for ease and success rates.

They specifically made their easily concealable antenna using low-cost electronics.

The researchers explained,

A near-field communication inductive loop antenna was used to emulate an ISO 14443 transmission.

For eavesdropping, an identical inductive loop antenna as well as a shopping trolley modified to act like an antenna were used.

Despite widespread adoption in Europe and the UK, the researchers found that contactless payments are more vulnerable then previously believed.

Hacking into NFC payment transmission and covertly skimming, relaying or eavesdropping on the transmission of sensitive customer information isn't new; researchers began to make these three types of vulnerabilities public around 2008.

Yet making it easy and reliable was not a known quantity until now - four security researchers from the University of Surrey have examined success rates, distance and more, using cheap store-bought electronics.

If an attacker used their gear to go "shopping" for credit card data, it would be as easy as the thief standing in line with a shopping cart while the victim paid for their purchases, none the wiser.

Their paper explains,

What is missing, although, is practical results showing how reliably eavesdropping can be carried out, quantifying how much of a transmitted sequence can be recovered at the eavesdropping end at various distances.

Measurements (...) relied on often expensive or bulky equipment that cannot be easily replicated in a portable system. In our paper, we determined how reliably information from an ISO 14443 Type A device could be recovered by an eavesdropper, in a way that could be used to obtain sensitive information from the victim using a covert antenna and low-cost electronics.

Emphasis was on frame error rate (FER) as in order to recover meaningful information that could lead to compromising a victim's financial security or privacy, data need to be recovered in the form and structure that was originally transmitted.

They found that their rig produced "consistently good results" and "performed well across most distances."

In conclusion they wrote:

Depending on the H-field strength, eavesdropping distance can be within the 20–90 cm range in a shielded environment. Such an environment is not unrealistic as similar conditions could be found in an underground station.

All of our work has been carried out using inexpensive and off-the-shelf electronics along with a DAQ card.

This card costs £1500, but in a system designed to be deployed, it can be replaced with a considerably less expensive FPGA-based system or a laptop-based DAQ.

An attacker could assemble our receiver at low cost and easily conceal it in a backpack.

In addition to this, by making use of Gaussian filtering and variance computation in software an attacker can achieve frame synchronisation in a robust way. We have shown that a good pair of fixed parameters works consistently regardless of the eavesdropping distance or the H-field strength and only depends on the characteristics of the eavesdropping antenna.

The researchers next plan to extend their experiment to smartphones using NFC (Near Field Communications technology).

As more and more companies compete for customer dollars in the mobile wallet space, encouraging "frictionless payments" over the holidays, shoppers should be aware of the risks that come with using contactless payments or an Android phone's Near Field Communications (NFC) for purchases.

Google Wallet, MasterCard PayPass and Visa Wave are three widely known NFC payment services.

To use them, smartphone users only need to sign up, enable NFC communications on their phones, and go shopping.

Americans to NFC payments: We're not that into you

Google Wallet, initially focused on contactless payments and available on most Android phones via NFC (and with an app on iPhones), has been one of Google's least successful services.

In May this year, the chief of Google Wallet resigned, a move that was widely considered "another sign of continuing troubles in convincing U.S. smartphone users to adopt mobile wallets using NFC technology."

Contactless payments aren't yet as popular in the US as they are in Europe and the UK, but Visa states that adoption is growing so quickly that it has reached "a watershed moment." 

Anne Van Schrader, Head of Contactless and Mobile NFC at Visa Europe, said:

By the end of 2013, Europeans will be making over 52 million contactless transactions every month.

Still, Americans seem suspicious of contactless payments and transactions over NFC. Last December, analysts observed its glacial adoption in the US and announced that it would be a decade until mobile payments are in widespread use.

Computerworld reported,

NFC will take a minimum of three more years to grab hold as a technology that enables so-called mobile wallets as a replacement for credit cards and cash in the U.S., according to a consensus of five analysts.

And by "grab hold," these analysts mean being used by only 10% of mobile phone users to make digital purchases.

Despite the slow adoption, it's highly likely that contactless payments and transactions over NFC will slowly seep into use - between Google and Visa, it's only a matter of winning hearts and minds.

The contactless payment thieves, however, will most certainly be early adopters.