Shmoocon hackers showed over the weekend that the conveniences of moving toward a more digital world bring new vulnerabilities waiting to be exploited along with them.
On Saturday, Kristin Paget, chief hacker for Recursion Ventures, a consulting and development company, showed in a live demonstration that the security features of contactless payment cards can be defeated relatively cheaply and easily.
Over the past few years, companies have been adding a feature to payment cards that allows purchasers to “wave” the card over an RFID reader instead of swiping it through a machine. High-profile busts of credit card fraud rings and increased awareness of ATM skimmers may lead people to feel that contactless features are safer, but that is a false sense of security, Paget says. “The industry would like you to believe that these cards are secure, but contactless transactions actually have less security,” she said.
The new “pay pass” feature available on credit cards makes it that much easier for even a novice hacker to capture a person’s credit card information without the cardholder ever taking the card out.
In a live demonstration, Paget used an RFID reader purchased from eBay and a magstripe reader/writer to successfully perform several transactions on a card volunteered by a Shmoocon attendee. She was able to complete five separate transactions, without ever seeing his card, before his bank caught on and contacted him by phone.
“She never had any control of it. She never saw my card. She never had any details on it, but just from being near the reader it was done, and that’s a problem,” the volunteer, Jeffrey Ferland, said. “You want convenience, but you don’t want to get bumped on the subway and your card’s gone.” Ferland, a security consultant, said it shows the need for more security when it comes to making contactless payments.
For one, there is no uniform symbol for contactless cards or contactless payments, so many people don’t realize they have contactless cards and aren’t protecting them, even as banks roll them out by the millions. Additionally, the contactless feature can’t be turned off, and there are no adequate RFID shields that will defend against unwanted contact, Paget said.
“It’s the payment infrastructure in this country that causes the vulnerability,” Paget says.