NFC card skimming and stripping

NFC card skimming and stripping

It was a dark and sultry night when Rob went to the disco. Pulsating music, hot dancing partner, a bit of “bump-and-grind” stripping, and a very, very late trip home. All well and good until a few weeks later when he will get his bank statement—there are three mysterious 19.99 Euro deductions from his account from that night. Strange, as he had paid for all of his drinks with cash. Something quite unusual must have happened.

Carded on the dance floor

This nightmare scenario centers around Rob’s wallet—and the payment card in it. His bank card came all ready for contactless payments. Payment couldn’t be easier: just bring the card within a centimeter or so of the reader. No need to enter that pesky PIN. With these payments limited to 20 Euros what could possibly go wrong? In this Rob dance club scenario, something goes wrong. The question is whether this is purely imaginary, or it could happen to you in the disco, metro, or in about any crowded area.

Fast introduction to NFC

NFC card skimming and stripping - in-post

Stepping back, NFC stands for Near Field Communication. It’s a system of exchanging little bits of information between devices with a 13.56 MHz frequency current. When a device can send or receive information from, for example, the Google Pay system or the NFC card reader at the checkout counter, it’s an active device. If it’s like your NFC-enabled bank card and just broadcasts limited information about your account, it’s a passive device.

The three major ingredients to this Rob crime scenario do exist: NFC cards, cheap NFC readers, and increasing NFC transmission distances.

  1. NFC-enabled card—Rob’s bank card was set up for contactless payments—and yours probably is, as well. These types of cards are getting more common. According to the Deutsche Bundesbank, the majority of payment cards from international providers have a contactless payment function and the majority of new girocards should have this function by the end of 2019.
  2. NFC reader: A reader is much smaller than the average cash register. The latest models are about the size of a smartphone. In fact, with a few tweaks and some additional software, your phone might work as a NFC card reader.
  3. Transmission distances. Officially, the NFC Forum says the two devices need to be four centimeters or closer to exchange information. Researchers have claimed they can extend this communication range to 80 cm. That is well within tangoing distance.

Stripping is not just for dancers

The security world is full of threats that just don’t quite turn into reality. At first glance, NFC fraud is one of them. The internet is full of articles that describe it as the next big fraud vector. With this wave of criminality not arriving, The Register described reading the NFC card info as “easy and pointless.”

But then, strange things are happening. According to Financial Fraud Action UK, both fraud and spending with contactless cards increased in 2016. Almost £7 million was taken in 2016—up from £2.8 million the previous year—spending rose to £25.2 billion from £7.75 billion. A quick glance at the UK data shows that the fraud ratio is virtually unchanged—but that there is some improper activity going on.

Last dance starting in a moment

There seems to be two main reasons why this contactless account crime wave has not yet materialized:

  1. Limited merchant options – A fraudster would have to create a business entity to transform his illicit NFC card data into money from the bank. That would be a substantial risk.
  2. Not much of a money grab. With contactless payments capped at between 20 and 30 Euros, there is just not much to be gained from each individual transaction given the risk.

But don’t relax yet

If either condition changes, a wave could start. Hackers could learn how to collect NFC payments from the bank as easily as they once got payments for premium text messages. Or, bankers might decide that a 20-Euro limit is way too restrictive and raise the limit to 150 Euros. When either of these changes happen, consider buying a RFID blocker or RFID blocking card holder case.

This post is also available in: GermanFrenchItalian

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.