Smartphone payment systems like Google Wallet give Android users the futuristic ability to use their phones to make payments with their credit cards. Researcher Eddie Lee has taken that trick a step further: Using an Android phone to make payments from a credit card that belongs to an unwitting stranger.
In a talk at the Defcon hacker conference in Las Vegas Friday, Lee demonstrated an Android software tool called NFCProxy that’s capable of both reading and “replaying” data from contactless credit cards–any of the common payment cards with embedded RFID chips that allow payments at retail outlets’ wireless point-of-sale devices like these.
After using a Nexus S phone to read his own contactless Visa card onstage at Defcon, he then used his tool to relay the data a moment later to a point-of-sale device, where it was accepted as a payment. “I’ve just skimmed, abused and spent someone’s credit card within a couple minutes. It’s really simple,” he told the crowd.
Eddie Lee's Android phone, displaying data it has wirelessly read from his credit card. I've blocked the credit card number on the phone's screen in orange. The symbol of nested arcs on the card shows that it is one of the 100 million RFID-enabled cards in circulation.
Researchers have long warned that the 100 million contactless credit cards currently in circulation, branded with names like PayPass, Zip, payWave, and ExpressPay by Visa, MasterCard, Discover and American Express, are susceptible to a stealthy attack: A fraudster could brush by a target and stealthily pickpocket his or her card’s data with an RFID reader without ever touching him or her, through the victim’s clothes and wallet.
But using that victim’s data hasn’t been quite so simple. The data wirelessly sent from contactless credit cards doesn’t include the user’s name, PIN or the three-digit CVV. Some researchers have demonstrated ways of abusing the cards nonetheless: Hacker Kristin Paget showed onstage at the Shmoocon conference in January that she could use a magnetizing device to write the stolen data to a new card and make a payment to herself using a Square attachment on a phone.
Lee demonstrating a card reader lighting up to show that it's accepted the payment data he read from a credit card with his phone.
Lee’s attack is far easier still: NFCProxy, whose code he published online, allows anyone to both read and use a victim’s data with a cheap and inconspicuous phone, spending the stolen money at retail stores that would have little way of knowing that the phone isn’t simply running Google Wallet or a similar service. “The form factor makes a big difference. The phone is a very innocuous device,” he says. “This isn’t a new attack. It’s just making it really easy to use and abuse.”
NFCProxy requires that a user root his or her Android phone and install a very specific version of the Cyanogen modified operating system from earlier this year, one from a brief period when one of Cyanogen’s open source developers added the ability to emulate a credit card reader. (The feature was likely deleted later because it conflicted with the functionality of Google Wallet.) Lee also acknowledges that reading the credit cards with a phone often takes multiple tries, though an attacker wearing headphones could listen for the telltale beep that signals a card has been successfully read.
Lee designed his tool to be able to send credit card data across networks to other phones, so that the skimming and spending of a user’s account can be performed in different locations. And NFCProxy can also act as a more general tool for analysis of so-called “near-field communications,” potentially allowing users to analyze and find vulnerabilities in other wireless technology like corporate ID badges and mass transit passes.
Lee says he isn’t trying to enable credit card theft or other crime. Instead, he’s trying to make credit card holders aware of the danger of contactless cards, and to drive home the point that researchers have argued for years, that the payment card industry needs to shore up the security of contactless payment systems or ditch them in favor of old-fashioned magstripe cards. “If credit card companies see how easy this is to use, maybe it will incentivize them to finally fix my credit card,” he says.
I reached out to the Smart Card Alliance, the industry group responsible for the contactless card standard, but didn’t immediately receive a response.
When I spoke with the group’s executive director Randy Vanderhoof in January, he defended the cards’ safety, pointing to a security feature that generates a unique code that changes with every transaction. If a single code is used multiple times or multiple codes are used in the wrong order, all transactions on a card can be blocked. “The truth is that consumers should be embracing this technology because it’s making them safer,” said Vanderhoof. “Efforts to try to discredit the use of chip technology in cards is only making the users of the existing technology more vulnerable.”
But it’s worth noting that security feature is far from foolproof. It merely requires the user of NFCProxy to make a payment using a card’s stolen data a single time, and to do it before it’s used by the card’s legitimate owner.
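The issuer-side check Vanderhoof describes, and the one-time window noted above, can be modeled in a few lines. This is an added example, not code from NFCProxy or from any card network: the HMAC-derived code, the `Issuer` class, the status strings and the demo key are all assumptions made for illustration, and real cards compute their dynamic values differently.

```python
import hashlib
import hmac

def dynamic_code(card_key: bytes, counter: int) -> str:
    """Stand-in for the card's per-transaction code (assumed HMAC-based)."""
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

class Issuer:
    """Hypothetical issuer: tracks the highest counter seen for one card."""
    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.last_counter = 0
        self.blocked = False

    def authorize(self, counter: int, code: str) -> str:
        if self.blocked:
            return "DECLINED_BLOCKED"
        if not hmac.compare_digest(dynamic_code(self.card_key, counter), code):
            return "DECLINED_BAD_CODE"
        if counter <= self.last_counter:
            # A reused code or an out-of-order code: block the whole card.
            self.blocked = True
            return "DECLINED_REPLAY_CARD_BLOCKED"
        self.last_counter = counter  # forward gaps are tolerated (assumption)
        return "APPROVED"

def run(skimmed_first: bool) -> list:
    """Constructed timeline: the owner taps, a third party reads code #3."""
    key = b"constructed-demo-key"
    issuer = Issuer(key)
    log = [issuer.authorize(n, dynamic_code(key, n)) for n in (1, 2)]
    skimmed = (3, dynamic_code(key, 3))  # read without the owner's knowledge
    if skimmed_first:
        log.append(issuer.authorize(*skimmed))  # unseen counter: accepted once
        log.append(issuer.authorize(*skimmed))  # same code again: card blocked
        log.append(issuer.authorize(4, dynamic_code(key, 4)))  # owner declined
    else:
        log.append(issuer.authorize(4, dynamic_code(key, 4)))  # owner taps first
        log.append(issuer.authorize(*skimmed))  # stale counter: card blocked
        log.append(issuer.authorize(5, dynamic_code(key, 5)))  # owner declined
    return log

if __name__ == "__main__":
    print(run(skimmed_first=True))
    print(run(skimmed_first=False))
```

In both timelines the first signal the issuer gets is a counter that is not greater than the last one it approved, which is the event worth alerting on rather than only declining.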
Vanderhoof also pointed to the fact that there have been no known cases of criminal exploitation of the cards since they launched in 2006. “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction,” he told me. “The reason we think that’s the case is that it’s very difficult to monetize this as a criminal.”
With tools like NFCProxy making contactless card fraud more practical all the time, that difficulty is starting to seem like less of a safeguard.