The form of card data theft known as cyber-pickpocketing is back in the news after a demonstration last weekend at ShmooCon, a hacker conference held in Washington D.C. Forbes.com has a piece describing the demonstration – contactless card skimming, counterfeit magstripe creation, and a fraudulent purchase – along with some comments from the industry. Kristin Paget of Recursion Ventures, the speaker running the demo, was sure to reimburse the volunteer whose card was skimmed and counterfeited.
The scheme, Paget points out, doesn’t involve any hidden bug in the system, but rather the more fundamental problem that any commercially-available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. “Whatever encryption or other security there might be, it doesn’t matter,” she says. “The reader just spits out the number as if I’m the point-of-sales terminal, which is totally stupid. This is an embarrassingly simple hack, but it works.”
This is the latest in a number of instances in which contactless cards have come under scrutiny for wireless skimming vulnerabilities. Randy Vanderhoof of the Smart Card Alliance is also quoted in the piece and the Forbes writer does communicate the pertinent facts reinforcing the viability of contactless card technology:
…Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction. The reason we think that’s the case is that it’s very difficult to monetize this as a criminal,” says Vanderhoof. “The premise that this is a new threat is absolutely false and isn’t supported by [Paget’s] demonstration.”
In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code, or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.
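The one-time CVV rule the Forbes writer describes (each code valid once, codes must arrive in order, card disabled on a violation) as it might look on the issuer side, as an added example that is not part of the original article or of Paget's demonstration; the HMAC-based code derivation, the counter window, and the card key are constructed assumptions, not any card network's real specification.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer-side model, not any card network's real scheme: the card holds a
# secret key and a transaction counter that increments on every tap, and each tap
# derives a 3-digit one-time code from (key, counter). The terminal forwards the
# counter and code; the issuer recomputes the code and enforces strict ordering.

def derive_dcvv(key: bytes, counter: int) -> str:
    """One-time CVV for a given counter value (HMAC-SHA256 truncated to 3 digits)."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

@dataclass
class IssuerCardState:
    key: bytes
    last_counter: int = -1   # highest counter seen in an approved transaction
    window: int = 5          # how far ahead to accept (taps lost to declines/noise)
    blocked: bool = False

    def authorize(self, counter: int, code: str) -> str:
        if self.blocked:
            return "DECLINED_BLOCKED"
        if counter <= self.last_counter:
            # Replayed or out-of-order code: the "disable the card" rule from the text.
            self.blocked = True
            return "DECLINED_BLOCKED"
        if counter > self.last_counter + self.window:
            return "DECLINED_OUT_OF_WINDOW"
        if not hmac.compare_digest(derive_dcvv(self.key, counter), code):
            return "DECLINED_BAD_CODE"
        self.last_counter = counter
        return "APPROVED"

def scenario(victim_first: bool) -> list:
    """Replay the article's race: a skimmer captured the card's 7th tap, and the
    cardholder's next genuine tap is the 8th. Returns the decision for each attempt."""
    key = b"constructed-demo-card-key"          # constructed, not a real key
    issuer = IssuerCardState(key, last_counter=6)
    skimmed = (7, derive_dcvv(key, 7))
    genuine = (8, derive_dcvv(key, 8))
    attempts = [genuine, skimmed] if victim_first else [skimmed, genuine, skimmed]
    return [issuer.authorize(c, code) for c, code in attempts]

if __name__ == "__main__":
    print("cardholder taps first:", scenario(True))    # thief's code is now stale
    print("thief pays first:    ", scenario(False))    # one fraud, then block on reuse
```

The two scenarios match the article's claims: a skimmed code buys at most one transaction, and a genuine tap in between leaves the thief holding a code the issuer treats as out of order.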