
Contactless card account protection...
« on: 05 September, 2019, 05:37:07 pm »
Are the RFID/NFC Card Protectors that you put 'next to' any contactless cards to supposedly jam any scanning any use?  Anyone have them?  I see they can be bought for ~£3+
Cycle and recycle.   SS Wilson

Kim

  • Timelord
Re: Contactless card account protection...
« Reply #1 on: 05 September, 2019, 05:45:49 pm »
Hadn't seen those.  (Rather than the foil-lined wallets to shield your card.)  Looks awfully like a compatible RFID card with some arbitrary data on it, the idea being to cause a collision when they're read at the same time, the way two legitimate contactless cards would.  The specification requires that the reader must not proceed with the transaction when there's a card collision, in order to prevent "oh no, it debited the wrong card" complaints.

Since the theoretical card-skimming thief has control of their reader, I wouldn't rely on it implementing the specification properly.

quixoticgeek

  • Mostly Harmless
Re: Contactless card account protection...
« Reply #2 on: 05 September, 2019, 05:55:00 pm »

I have a pair of them which I have either side of a card in my wallet cos the OV Chipkaart readers got confused by it.

They seem to work well. I have one on each side of the card. Not cheap considering they are basically just a metalised piece of plastic...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

hellymedic

  • Just do it!
Re: Contactless card account protection...
« Reply #3 on: 05 September, 2019, 07:07:46 pm »
Would the RFID label from some costly supermarket item do the same job free of charge?

Kim

  • Timelord
Re: Contactless card account protection...
« Reply #4 on: 05 September, 2019, 07:19:04 pm »
Quote
Would the RFID label from some costly supermarket item do the same job free of charge?

I doubt it, but a second contactless payment card should.

I think you're better off with the foil wallet approach (ie. actually preventing your card from being read, rather than hoping to confuse the reader into ignoring it).  Or just not bothering.  Depends how much time you spend in random strangers' armpits on the tube or similar, where people could reasonably get a reader up close and personal with your card undetected...

Re: Contactless card account protection...
« Reply #5 on: 05 September, 2019, 07:47:45 pm »
From one on amazon...

Quote
HOW DOES IT WORK? - The Attenuo card contains an antenna and chip. When radio waves from an incoming scan pass through your wallet, the Attenuo card draws power from the waves and creates a jamming signal.
Cycle and recycle.   SS Wilson

ian

Re: Contactless card account protection...
« Reply #6 on: 05 September, 2019, 07:48:36 pm »
I couldn't find any evidence that significant amounts of contactless fraud arise from the card being casually scanned (contactless is a bit of a misnomer, they require close contact with the reader usually). If you're that close, you may as well nick the card, at which point it becomes a lot more useful, there's a lot more to be made from cloning it and/or bunging some online purchases on it.

quixoticgeek

  • Mostly Harmless
Re: Contactless card account protection...
« Reply #7 on: 05 September, 2019, 08:17:24 pm »
Quote
Would the RFID label from some costly supermarket item do the same job free of charge?

Quote
I doubt it, but a second contactless payment card should.

I think you're better off with the foil wallet approach (ie. actually preventing your card from being read, rather than hoping to confuse the reader into ignoring it).  Or just not bothering.  Depends how much time you spend in random strangers' armpits on the tube or similar, where people could reasonably get a reader up close and personal with your card undetected...

Depends what you're trying to achieve. I had issues that one card, and my OV chipkaart in the same wallet would confuse the scanner for the metro. So the solution was to get the RFID shield thingies. I put 1 on each side. I believe the ones I have aren't active, but basically create a Faraday cage effect round the protected card.

The reader was already confused. I needed it to only see one card.

Tho I agree that contactless card fraud/cloning is rare. The bigger issues are things like confusing scanners, and the possibility to track a specific wallet (tho I think this is also rare as fsck too...)

One of the things that annoys me about tfl now supporting every contactless out there is that no longer can you just wave a wallet at the scanner, but must then find the right card, and scan it. This causes a lot of faffing at the barriers. It's nearly as bad as muggles with no fscking clue who get to the barrier, then rummage around in their bag for their ov chipkaart rather than having it ready. That said the ergonomics of the OV chipkaart barriers at Dutch stations is awful. If they were installed in London, you'd have a full on revolt.

But I digress...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Re: Contactless card account protection...
« Reply #8 on: 05 September, 2019, 08:19:59 pm »
https://www.independent.co.uk/money/spend-save/contactless-card-fraud-increase-money-security-bank-account-a8722361.html

As for the security from having your cards scanned by someone in a busy train/tube or bus (where you can press up against people with little suspicion):-

https://www.equifax.co.uk/resources/identity_protection/how-to-avoid-contactless-card-fraud.html

Quote
A 2015 test by the consumer group Which? found that it was possible to steal details from contactless cards using an easy-to-buy card reader and free software. They were able to extract a card number and expiry date from 10 different contactless cards, but not the name or CVV code on the back. Typically, this would not be enough information to make a purchase online, but Which? were able to purchase goods from certain online retailers using the limited card information and a fake name and address.
"Yes please" said Squirrel "biscuits are our favourite things."

Re: Contactless card account protection...
« Reply #9 on: 05 September, 2019, 08:27:11 pm »
Quote
That said the ergonomics of the OV chipkaart barriers at Dutch stations is awful. If they were installed in London, you'd have a full on revolt.

The chip reading barriers at London stations (rail/tube and on the bus) are great (they've been around for many years and there's been no revolt). I read somewhere that they design/aim for sub 100msec from reading the card to knowing whether to trigger the barrier to open or not.

Given what is involved in that[1] and the size of the network involved, that's pretty bloody amazing.

1. Matching it up with the entry scan somewhere else in the network (which could have been several hours ago and possibly more than 60 miles away), checking balances or authorisations (travelcards, etc).
"Yes please" said Squirrel "biscuits are our favourite things."

Re: Contactless card account protection...
« Reply #10 on: 05 September, 2019, 08:38:30 pm »
Quote
1. Matching it up with the entry scan somewhere else in the network (which could have been several hours ago and possibly more than 60 miles away), checking balances or authorisations (travelcards, etc).

None of this happens. Oyster is evaluated entirely on the balance and journey history stored on the card, and bank cards are done just by noting the serial number and matching up all the records later. Everything is logged and reconciled by the backend and serious anomalies get the card blacklisted. The blacklist is sent to every ticket gate, so no online lookup is needed.

(there's surely a bit more to it than this, but that's the basic model)
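
The offline model described in the reply above, as an added sketch that is not part of the original post and not any transit operator's code: a gate decides from a deny list it already holds and logs the tap, and a backend pairs the taps into journeys later and updates the list. The class names, the token format, the "declined charge" anomaly and the two sample cards are constructed assumptions.

```python
"""Offline fare-gate decision with deferred reconciliation (illustrative).

All names, the token format and the anomaly rule are assumptions made for
this sketch; they are not details of any real transit system.
"""
from dataclasses import dataclass, field
import hashlib


def card_token(card_id: str) -> str:
    """Gates and backend handle a one-way token, not the raw card number."""
    return hashlib.sha256(card_id.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Tap:
    token: str
    station: str
    minute: int   # minutes since the start of the service day
    kind: str     # "entry" or "exit"


@dataclass
class Gate:
    station: str
    deny_list: frozenset = frozenset()          # snapshot pushed by the backend
    log: list = field(default_factory=list)     # uploaded later in bulk

    def tap(self, card_id: str, minute: int, kind: str) -> bool:
        """Decide from local state only; no network round trip at the gate."""
        token = card_token(card_id)
        if token in self.deny_list:
            return False
        self.log.append(Tap(token, self.station, minute, kind))
        return True


@dataclass
class Backend:
    deny_list: set = field(default_factory=set)

    def reconcile(self, taps, charge):
        """Pair taps into journeys after the fact and settle each one.

        `charge(token, origin, destination)` stands in for settlement and
        returns False when declined; None marks a missing journey end. A
        declined charge is the only anomaly modelled, and it denies the token.
        """
        journeys, open_entry = [], {}
        for t in sorted(taps, key=lambda t: t.minute):
            if t.kind == "entry":
                if t.token in open_entry:        # earlier entry never closed
                    journeys.append((t.token, open_entry[t.token].station, None))
                open_entry[t.token] = t
            else:
                start = open_entry.pop(t.token, None)
                origin = start.station if start else None
                journeys.append((t.token, origin, t.station))
        journeys += [(tok, e.station, None) for tok, e in open_entry.items()]
        for token, origin, destination in journeys:
            if not charge(token, origin, destination):
                self.deny_list.add(token)
        return journeys

    def publish(self, gates):
        """Send the same immutable snapshot to every gate."""
        snapshot = frozenset(self.deny_list)
        for gate in gates:
            gate.deny_list = snapshot


def demo():
    """Two constructed cards over two days; the second card's charge fails."""
    good, bad = "CONSTRUCTED-CARD-1", "CONSTRUCTED-CARD-2"
    gate_a, gate_b, backend = Gate("A"), Gate("B"), Backend()
    day1 = [gate_a.tap(good, 480, "entry"), gate_a.tap(bad, 485, "entry"),
            gate_b.tap(good, 510, "exit"), gate_b.tap(bad, 520, "exit")]
    journeys = backend.reconcile(
        gate_a.log + gate_b.log,
        charge=lambda token, origin, dest: token != card_token(bad))
    backend.publish([gate_a, gate_b])
    day2 = {"good": gate_a.tap(good, 481, "entry"),
            "bad": gate_a.tap(bad, 486, "entry")}
    return {"day1": day1, "journeys": journeys, "day2": day2}


if __name__ == "__main__":
    print(demo())
```

In this sketch the failing card is still admitted on day one, because the gate has nothing to check it against until the backend has reconciled and republished the list.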

TheLurker

  • Goes well with magnolia.
Re: Contactless card account protection...
« Reply #11 on: 05 September, 2019, 08:39:00 pm »
Quote from: Kim
I think you're better off with the foil wallet approach ...

This pisses me off so much I can't find the words to express just how pissed off I am. We have a perfectly serviceable way of making payments with bank* cards that doesn't require people to go and buy _extra_ fucking crap to stop NFC cards being jemmied open by crims just because a bearded hipster wanker high on some organic herbal thought it would be all "wooo" and "Harry Potter" to make payments with a "magic wand".  If I ever meet him (and I bet it was a bloke) he is a _dead_ man.

*Travel cards are a different kettle of shit.
The most beautiful journeys are made under our own power - Friends of the Bicycle

quixoticgeek

  • Mostly Harmless
Re: Contactless card account protection...
« Reply #12 on: 05 September, 2019, 08:45:31 pm »
Quote
That said the ergonomics of the OV chipkaart barriers at Dutch stations is awful. If they were installed in London, you'd have a full on revolt.

Quote
The chip reading barriers at London stations (rail/tube and on the bus) are great (they've been around for many years and there's been no revolt). I read somewhere that they design/aim for sub 100msec from reading the card to knowing whether to trigger the barrier to open or not.

Amazingly, the barriers slowed down recently. They used to be driven by the network wide compressed air system, but as that was being phased out they had to be migrated. This results in the barriers being ever so slightly slower to open/close. The London barriers are possibly the best design I've used. The Paris barriers literally tried to kill me (they closed on my 30kg backpack, which crushed my chest so I couldn't breathe, it took 5 people to get me out!). They also have the policy that all closed barriers must have staff supervising them (which would prevent something like what happened in Paris as staff would be on hand to open them). The Dutch barriers feel like they've been designed from first principles, rather than based on best practices from other countries/installations. The number of tourists and even locals that I have to help out at stations is just crazy.
Quote

Given what is involved in that[1] and the size of the network involved, that's pretty bloody amazing.

1. Matching it up with the entry scan somewhere else in the network (which could have been several hours ago and possibly more than 60 miles away), checking balances or authorisations (travelcards, etc).

100km, is 0.0003 light seconds. Give or take. Tho it's not actually going from a barrier 100km away to the one next to you. When you check in, it tells the central system that it's checked in. When you check out it tells the central system that it's trying to check out. Keep that DC close enough to reduce RTT. A 100ms budget for such a transaction is actually pretty good. To me the bit I find most impressive is the system wide data integrity and the SLO. This is a system operating at 5 9s plus, and it copes with server failures and all sorts. It's impressive.

Wish the Amsterdam metro had sub 100ms response time...

Wish people would have their card ready before they get to the barrier too...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Kim

  • Timelord
Re: Contactless card account protection...
« Reply #13 on: 05 September, 2019, 08:52:56 pm »
Quote from: Kim
I think you're better off with the foil wallet approach ...

This pisses me off so much I can't find the words to express just how pissed off I am. We have a perfectly serviceable way of making payments with bank* cards that doesn't require people to go and buy _extra_ fucking crap to stop NFC cards being jemmied open by crims just because a bearded hipster wanker high on some organic herbal thought it would be all "wooo" and "Harry Potter" to make payments with a "magic wand".  If I ever meet him (and I bet it was a bloke) he is a _dead_ man.

The bearded hipster wanker[1] accidentally made small payments a massive pile less faff (and more secure against petty fraud) for people with hand disabilities and visual impairments.  Like other inadvertently assistive mainstream technologies, bring it on, I say.

If you really don't want contactless, just ask your bank to give you a card without it?


[1] Suspect it was actually a joint effort by a Big Data overlord and a wunch of liability-dodging bankers.

quixoticgeek

  • Mostly Harmless
Re: Contactless card account protection...
« Reply #14 on: 05 September, 2019, 09:01:54 pm »
This pisses me off so much I can't find the words to express just how pissed off I am. We have a perfectly serviceable way of making payments with bank* cards that doesn't require people to go and buy _extra_ fucking crap to stop NFC cards being jemmied open by crims just because a bearded hipster wanker high on some organic herbal thought it would be all "wooo" and "Harry Potter" to make payments with a "magic wand".  If I ever meet him (and I bet it was a bloke) he is a _dead_ man.

*Travel cards are a different kettle of shit.

There are a lot of people in tech who don't spend enough time asking "Should we do this?" rather than "can we do this?"

The move to contactless for small payments is driven by a necessity to speed up transactions. If you can take payment from 35 seconds per customer (Put card in, wiggle it, make contact, type in pin, wait for validation, take it out, put it away, etc...) to 5 seconds per customer, it doesn't sound like much. But over 120 customers, that's an hour saved, or rather, you can process x more transactions per hour. Which means you can have less people on the checkouts as the throughput of each checkout goes up. etc...

In Amsterdam contactless, and maestro payments are almost ubiquitous. In fact as ACME will discover next week when they are in .nl, unless you have a Maestro (or v-pay) card, your card doesn't work in about 95% of Dutch shops/bars/restaurants. Increasingly shops are also going totally card only, effectively making themselves Locals Only™. GVB, the transport company for Amsterdam went card only a couple of summers back, you could only pay on buses and trams using Maestro and vpay. At which point the Dutch got a quick lesson in how no one other than the Dutch actually uses fucking maestro so stop assuming the whole fucking world has it*, within 2 weeks they had to change this so that you could use visa and mastercard, and the associated debit cards.

I can understand why they do this, maestro, at 500 transactions per month, costs about €0.02 per transaction, whereas mastercard at the same level is about €0.20 + 3.4%. Not much if you're buying a €200 phone, but if you're buying a €1 mars bar, that makes a difference. I just wish the Dutch would realise the rest of the world don't issue maestro cards, (in fact they have actively phased it out in most countries), and just cos a maestro card works when you're on holiday, doesn't mean the reverse is true...

But I digress.

One of the "security" measures that contactless has is that every x transactions you have to authenticate with pin. Which is fine, where the terminal has a pin pad. Contactless is now installed on everything from vending machines, to toilets. In fact on one motorway service station I was at recently contactless (DUTCH ONLY!!) cards were the only accepted way to pay the 50c to spend a penny (gotta love inflation). Only I'd done 4 contactless transactions, going to the loo was my 5th. Bank said "oi, you gotta enter a pin". Only there was no pin pad to enter it on. The bank of course not able to work this one out. I was *NOT* impressed...

The bigger issue of a move to a cashless society, is that a cashless society is effectively a surveillance society...  The same as a Smart City is a surveillance city...

Just because we can, doesn't mean we should...

J

*I may be really pissed off at how bad the Dutch are at assuming that the world is entirely like them at times...
--
Beer, bikes, and backpacking
http://b.42q.eu/

TheLurker

  • Goes well with magnolia.
Re: Contactless card account protection...
« Reply #15 on: 05 September, 2019, 09:07:56 pm »
Quote from: Kim
... accidentally made small payments a massive pile less faff... with hand disabilities and visual impairments.  Like other inadvertently assistive mainstream technologies, bring it on, I say.

Fair point and if they'd set out with that aim in mind I'd feel a bloody sight more charitable about it, but I doubt that idea ever crossed whatever they were using for minds.

Quote from: Kim
Suspect it was actually a joint effort by a Big Data overlord and a wunch of liability-dodging bankers.
Yes. This.

Quote from: Kim
If you really don't want contactless, just ask your bank to give you a card without it?
Did that a couple of years ago when they first tried to foist one on me.


Quote from: quixoticgeek
The bigger issue of a move to a cashless society, is that a cashless society is effectively a surveillance society..
Yeah. 
The most beautiful journeys are made under our own power - Friends of the Bicycle

Kim

  • Timelord
Re: Contactless card account protection...
« Reply #16 on: 05 September, 2019, 09:09:39 pm »
The bigger issue of a move to a cashless society, is that a cashless society is effectively a surveillance society...  The same as a Smart City is a surveillance city...

Just because we can, doesn't mean we should...

The main issue with a cashless society beyond that is that they can deny you access to your money remotely:  The Prophet Atwood covered this one back in the 80s.

But I think the surveillance ship sailed some time ago.  It seems largely academic that you can be tracked by your mars-bar-level transactions when you're walking around with an active tracking device in your pocket anyway. 

TheLurker

  • Goes well with magnolia.
Re: Contactless card account protection...
« Reply #17 on: 05 September, 2019, 09:14:49 pm »
Quote from: Kim
...walking around with an active tracking device in your pocket anyway. 
Not all of us.

Quote from: Kim
The main issue with a cashless society beyond that is that they can deny you access to your money remotely.
Funny how few people have twigged that isn't it?  That and smart meters - load balancing won't just be for industry.

Anyone else been watching what's happening in China, the "social points" thing?  Very troubling.   
The most beautiful journeys are made under our own power - Friends of the Bicycle

Kim

  • Timelord
Re: Contactless card account protection...
« Reply #18 on: 05 September, 2019, 09:16:43 pm »
Quote from: Kim
...walking around with an active tracking device in your pocket anyway. 
Not all of us.

It's okay:  Your family, friends and acquaintances will track you for them.

TheLurker

  • Goes well with magnolia.
Re: Contactless card account protection...
« Reply #19 on: 05 September, 2019, 09:27:20 pm »
Quote from: Kim
...walking around with an active tracking device in your pocket anyway. 
Not all of us.

It's okay:  Your family, friends and acquaintances will track you for them.
Lessee now...
Acquaintances.   Hmm the nearest to those would be colleagues at work and if I'm with them then using a portable telephone as a tracker would be massive overkill.  I don't attend work socials either.

Friends.  Ermmm.  Nooo don't think I have any of those.  If I'm out and about it's almost always entirely on my own.  You don't look surprised by that. Why? :)

Family.   See them once or twice a year, usually at home so a portable telephone would again be a waste of electrons and they're so ancient they still think telegrams are a thing and wouldn't know a portable 'phone from a hole in the ground.  MrsLurker's portable telephone is usually left at home and switched off into the bargain.
The most beautiful journeys are made under our own power - Friends of the Bicycle

ian

Re: Contactless card account protection...
« Reply #20 on: 05 September, 2019, 09:50:02 pm »
https://www.independent.co.uk/money/spend-save/contactless-card-fraud-increase-money-security-bank-account-a8722361.html

As for the security from having your cards scanned by someone in a busy train/tube or bus (where you can press up against people with little suspicion):-

https://www.equifax.co.uk/resources/identity_protection/how-to-avoid-contactless-card-fraud.html

Quote
A 2015 test by the consumer group Which? found that it was possible to steal details from contactless cards using an easy-to-buy card reader and free software. They were able to extract a card number and expiry date from 10 different contactless cards, but not the name or CVV code on the back. Typically, this would not be enough information to make a purchase online, but Which? were able to purchase goods from certain online retailers using the limited card information and a fake name and address.

I wasn't questioning that it was possible, just that it happens in the wild and with a level of regularity that makes it worth worrying about. Most of the reported fraud seems to be from physical card theft (which is cheaper and easier).

I confess to being a contact hipster bastard because I'm lazy and it's convenient as it saves faffing for a wallet or phone, especially in crowded places or on transport or I'm balancing a Brompton (for added hipster points). That said, I do care about the fact that you can be remotely excluded from access to your money, so I think cash should always be part of the mix. I griped a while back about TfL arbitrarily cancelling (with no notice) my contactless card on their network because they claimed I'd failed a revenue check. All I knew about this was my card (well, watch) failing when I tried to swipe in. That was that. Took several days to reactivate*. Fortunately, I have several cards, but had I been dependent on the single card, I would have been locked out of the entire travel network (OK, you can still buy an Oyster card, but for how long will that be an option?)

*I still don't think they fixed the problem, though call centre fatigue set in, as the gates still often insist 'use the same card' – which was the reason I failed the revenue check even though, as now, I am using the same card and device. Persistence is successful.

quixoticgeek

  • Mostly Harmless
Re: Contactless card account protection...
« Reply #21 on: 05 September, 2019, 09:53:26 pm »
The main issue with a cashless society beyond that is that they can deny you access to your money remotely:  The Prophet Atwood covered this one back in the 80s.

But I think the surveillance ship sailed some time ago.  It seems largely academic that you can be tracked by your mars-bar-level transactions when you're walking around with an active tracking device in your pocket anyway.

I can turn my phone off when I want to go off the Radar.

But these days, the act of doing that is almost as incriminating as having the phone with you at the crime scene...

The tracking of devices can be used for non sinister purposes. TFL used the MAC address of the wifi in your phone to track what routes people took underground between various stations. This allows them to grasp a much better idea of what route people were taking between stations where there are multiple options of changes. I'd put that into the "good use of data" category. But the downside is there was no easy way to opt in. It was kinda opt in by default. During the trial I did make a point of airplane moding my phone every time I went on the tube, just in case. My understanding is that what was once a trial, is now standard deployment on the underground :(

Lessee now...
Acquaintances.   Hmm the nearest to those would be colleagues at work and if I'm with them then using a portable telephone as a tracker would be massive overkill.  I don't attend work socials either.

Cool, let's look at proxy data sources instead then. We can tell you're at home based on the way your network usage changes on the DSL... or by looking at the increased power usage...

Many cars have a built in sim card and 4g networking that leaks info...

We can look at your transactions on your payment cards...

Do you have a Garmin or wahoo like device that has blue tooth? Maybe we can detect that going by.

What about your car number plate?

Quote
Friends.  Ermmm.  Nooo don't think I have any of those.  If I'm out and about it's almost always entirely on my own.  You don't look surprised by that. Why? :)

Not at all surprised. I spend 90% of my time on my own. This surprises muggles. But I long ago resigned myself that if I am to do the things I want to do (mostly big rides, or geeky stuff), I either do them on my own, or not at all. No point waiting to find someone else crazy enough.

When I lived in the UK, I worked from home (ran my own business), the only times I ventured out were to the library and the supermarket. Once the self check out was rolled out in both the library and the supermarket, I'd go days without talking to anyone, I would talk to myself or sing along to stuff just to remind me that I can speak...

Quote

Family.   See them once or twice a year, usually at home so a portable telephone would again be a waste of electrons and they're so ancient they still think telegrams are a thing and wouldn't know a portable 'phone from a hole in the ground.  MrsLurker's portable telephone is usually left at home and switched off into the bargain.

How novel, that's on average 20 times a year more than I see mine. Tho this is apparently not abnormal for QUILTBAG types, after all, who wants to talk to the lesbian in the family?

But we digress. No one's alone with the internet... or something...

and you're still leaking info, even if you don't realise it...

Which reminds me, I went to a MeetUp event of Girl Geeks in Amsterdam. We were doing icebreaker get to know you type stuff. I turn to one girl. "So you're a Ruby programmer" turned to the next one "You're from Utrecht and like creative writing" to the next "you're also from Utrecht and like knitting". Everyone just stared at me. "That's creepy". "No, that's the Meetup app leaking information and you lot not setting your privacy properly. Oh, and I can tell that 4 of you are Bi or lesbian too, this thing is better than gaydar!"

All of this from information the meetup app leaks...

anyway, digression etc...

Sorry.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Mrs Pingu

  • Who ate all the pies? Me
Re: Contactless card account protection...
« Reply #22 on: 05 September, 2019, 09:57:40 pm »
Maestro in NL - yes, I noticed the same in Belgium last month. What a pain in the arse it was having to keep going and getting cash out.
Do not clench. It only makes it worse.

TheLurker

  • Goes well with magnolia.
Re: Contactless card account protection...
« Reply #23 on: 06 September, 2019, 06:22:00 am »
Quote from: quixoticgeek
Cool, let's look at proxy data sources instead then.

>We can tell you're at home based on the way your network usage changes on the DSL
Again with the overkill.  Are the lights on?  I'm at home.

> ... or by looking at the increased power usage...
"Smart" meter refusenik.

> Many cars have a built in sim card and 4g networking that leaks info...
Nope.

>We can look at your transactions on your payment cards...
Once or twice a week I withdraw cash from a hole in the wall.  I rarely pay for anything by card.

> Do you have a Garmin or wahoo like device that has blue tooth?
Nope.  Paper maps don't need batteries or software "updates" and you really only need to buy a new map of any area about once every 10 years to keep up to date enough with the frenzied (ha ha ha) road building programme. 

> What about your car number plate?
Almost all of my trips are on back roads without ANPR.  Use the motorway a few times a year.  The back roads thing isn't to avoid ANPR, I just find it much more pleasant to potter along knowing that I'm not going to get caught up in 5 miles of stationary traffic. Besides which the scenery on the back roads is usually much nicer.  Of course with the EU mandated trackers that are to be fitted to all new cars ANPR goes the way of the Dodo sooner rather than later and it won't matter where you are.

> and you're still leaking info...
Oh I'm perfectly aware of that. Simply withdrawing cash pinpoints me, but it is only a pinpoint and as I tend to use the same small set of cash machines close to home all it says is "Lurk's at home".  Which is one of two default states, the other being "at work", for most people most of the time and you don't need an Electronic Panopticon to work that out.

Just because the mesh on the net gets finer each year doesn't mean I have to roll over and let the world and his brother have unrestricted access to my life. 
The most beautiful journeys are made under our own power - Friends of the Bicycle

hellymedic

  • Just do it!
Re: Contactless card account protection...
« Reply #24 on: 06 September, 2019, 10:33:34 am »
I am too Luddite to have activated contactless on my cards.

I REALLY don't want my bank or credit cards out or accessible in a crowd at all.

I would not mind a 'sacrificial' type payment card (which I do not currently hold) for up to £100-200, whose loss I could manage, or an Oyster, but I want control of the Big Stuff without the hassle of having to replace lost/hacked/dropped/stolen cards.