Researchers at the UK’s University of Sussex have discovered how to hack into contactless payment cards, which use near field communication (NFC). The process, known as skimming, was carried out with off-the-shelf equipment bought from a hardware store.
They published their findings in a technical paper which is a bit complex, but boiling it down, they built a near-field inductive loop antenna for transmission. They also used the same antenna and a modified shopping trolley for receiving information.
Apparently it could work up to a distance of 100cm. The financial services industry says contactless payments cannot be eavesdropped beyond 5cm.
The image gives you an idea of how rudimentary the equipment was, and clearly a hacker is not going to wheel one of these into a store and park it up next to a payment point. However, that’s not the point: the researchers wanted to assess the security of near-field communications.
NFC is going to become commonplace – despite the risks
Unsurprisingly, the financial services industry bristled at the findings and the researchers’ conclusions that near-field communications had serious implications for consumers. But the industry’s reaction is hardly surprising. Many players have invested heavily.
Visa, Mastercard and Google have already developed platforms for contactless payments, banks are heavily promoting them and mobile manufacturers are equipping handsets with NFC technology. In short, contactless transactions ranging from access control to ticketing and financial payments are becoming increasingly popular in Europe, Asia and the United States.
Apparently a spokesman for the UK Card Association said the data obtained would only consist of the card number and expiry date. The PIN number and card security code cannot be harvested.
NFC flaws already exposed
That may be the case, but the industry has also been adamant that eavesdropping over this range wasn’t previously possible. There is also the threat of relay attacks, which essentially activate someone’s card from a distance and then transmit the card information to a legitimate reader to complete a transaction.
NFC payments have been dogged by errors. Shoppers at Marks and Spencer had money removed from their accounts without their permission. The cards were only supposed to work when at a short distance from the reader, but a couple of customers said payments were taken when their cards were in their purses and not close to the reader.
Barclays VISA contactless payment cards were also exposed to risk when it was discovered that data from the cards could be stolen by special readers in mobile phones.
Growing need for identity theft protection
Despite the teething errors, NFC communications are clearly here to stay. The benefits for business are just too great to ignore: lower costs, faster processing and reduced staff headcounts, to name but a few. As a result, NFC is going to become increasingly pervasive and we’ll find ourselves using the technology by default.
However, as the University of Sussex researchers have shown, NFC is not as secure as sometimes claimed. If anything, this emphasises the need for good identity theft protection, so we have the peace of mind that should our details be stolen, we know about it and can take appropriate action.