I love it how you don't fast-forward the video at all on the read/write (collective 3 mins).
Zer0ne A cut version of this video is available at th-cam.com/video/VlAwxUs1ZFo/w-d-xo.html The full length version was just meant to show how long things actually take (and, thus, that you can't simply use this attack while passing by someone).
+Michael Roland - can the attack be used against a mailed new card (where time sensitivity is less)?? Not sure if any banks allow first transactions to be contactless - I know some send the PIN down to the card on the first one so it would have to be inserted (which should then prevent the pre-play because its counters would be off)...but many banks have chosen Signature instead of PIN, so maybe they don't care if the first transactions are contactless....very interesting, hopefully consumers don't end up paying for any fraud transactions (banks may try to push back if the card is not reported lost - as 'officially' there is no counterfeit fraud on EMV).
+crowdquest I would hope that the first transaction would need to be made through the contact interface. At least that's the case here in Austria for Maestro cards. I'm not sure if that's a requirement by the schemes though.
How was this done? I'm trying to closely analyze it but I'm a bit confused.
Hi, do you sell this app? I'm interested in buying them. Tks
Nice work. That's the first time I see an actual exploit of a credit card NFC.
(Rather than "check this, I can read a card's number with a phone, you're not safe")
You can find further details on the implementation in the paper. I added a link to the paper and presentation in the video description above.
I have an nfc capable implant. Is this method a viable way to copy my card data onto my implant?
No it's not. This is an attack scenario (one that is, hopefully, considered and prevented by most card issuers by now, though I did not check) and trying this out for anything other than research purposes may lead you into serious trouble.
what is the difference between this and NFCproxy, besides the copying? they both take advantage of NFC phone and a RFID enabled card right?
The "copying" is exactly the important point. With NFCProxy, you can relay communication between a genuine payment terminal and a genuine card over a long distance. However, both (the terminal and the card) must be available simultaneously which makes it rather difficult to perform an attack as the attacker needs access to the card right in the moment a payment transaction is performed. With the pre-play attack, an attacker can scan a card *at any time* (note the limitations described in the paper) and *later* pay using the card clone created from that data.
Oh but can't I just save a credit card in nfcproxy? It shows an option but frankly haven't tried it yet
pablo gutierrez You can record and replay the communication between the card and the terminal in NFCProxy, but EMV transactions employ protections against such simple replay where the responses sent by the card are simply reused at a later time.
***** Where can I buy this app?
You cannot pull or copy anything from a chip on a card
Well, as you can read in the paper & watch in the video this is not (or at most partially) true.
ROFL you're funny mate, go do some research LOLOLOLOL
A guy at my work got caught using this and now we can't keep our phones in our pocket because of this.... Sorry Gus you are wrong IT IS 100% POSSIBLE
Are you guys serious? This has nothing to do with the smart chip... he's using the RFID chip inside the card (payWave).
Samo762 This attack is using the "smart chip". In current credit cards (that have an NFC interface), both the contact interface and the contactless (NFC) interface share the SAME chip. There is no separate "RFID chip" inside the card.
Where to get the application for Android? Or might you provide or sell it?
There is an implementation with limited functionality available at github.com/MatusKysel/EMVemulator
Where can I buy this app?
Nice app. How can I get this app?
I would also like to know what software
Anyone know what gear & software he's using here?
wow...I imagine this will also easily work with things like Apple and Android Pay (extraction of pre-play card data from legitimate card in transit/wallet etc, then replay of active card using an NFC phone). Thanks for sharing...people should keep an eye on their cards, and FIs should keep an eye on first contactless transactions of newly activated cards. I imagine this would stop working once the real card went online again (the fake clone would be using an out of sequence counter - and should therefore be declined???)
Apple Pay uses a different scheme where this exact attack vector does not exist (at least I'm not aware of any similar form of attack). Android Pay uses the affected scheme. However, they now use a form of tokenization which should(?) prevent mass pre-generation of authorization codes (though I have not tested this).
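To make concrete what "protections against simple replay" (the NFCProxy reply above) and "out of sequence counter ... should therefore be declined" mean, here is an added, constructed example of the verifying side, not code from the video, the paper or the EMVemulator project. It models an issuer host checking two things an EMV-style transaction cryptogram is bound to: the terminal's unpredictable number (UN) and the card's application transaction counter (ATC); HMAC-SHA256 stands in for the card's real MAC, and the key, amounts and counters are made-up test values.

```python
import hmac
import hashlib

# Constructed per-card key. In a real card this secret never leaves the chip.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def card_cryptogram(key: bytes, amount: int, un: int, atc: int) -> bytes:
    """Stand-in for the cryptogram a card returns for one transaction.
    Real cards use a 3DES/AES-based MAC; HMAC-SHA256 is used here only to
    show that the value is bound to amount, terminal UN and card ATC."""
    msg = amount.to_bytes(6, "big") + un.to_bytes(4, "big") + atc.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class IssuerHost:
    """Simplified, constructed authorization logic for one card."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0  # highest ATC seen so far for this card

    def authorize(self, amount: int, terminal_un: int, atc: int, cryptogram: bytes) -> str:
        # 1. The cryptogram must match the UN this terminal actually chose,
        #    so a response recorded at another terminal does not verify.
        expected = card_cryptogram(self.key, amount, terminal_un, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram mismatch"
        # 2. The ATC must strictly increase; an old or reused value means
        #    the response was seen before (replay) or is out of sequence.
        if atc <= self.last_atc:
            return "DECLINE: ATC not increasing"
        self.last_atc = atc
        return "APPROVE"


def replay_scenario() -> list:
    """Genuine payment, then the recorded response replayed twice."""
    host = IssuerHost(CARD_KEY)
    amount, un, atc = 1250, 0xA1B2C3D4, 17
    recorded = card_cryptogram(CARD_KEY, amount, un, atc)  # what a relay would capture
    return [
        host.authorize(amount, un, atc, recorded),          # genuine: APPROVE
        host.authorize(amount, 0x0BADF00D, atc, recorded),  # new terminal, new UN
        host.authorize(amount, un, atc, recorded),          # same UN, stale ATC
    ]


if __name__ == "__main__":
    for result in replay_scenario():
        print(result)
```

These two checks are exactly what a recorded NFCProxy response trips over, which is why the thread points to the paper for how the pre-play variant differs.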
I downloaded the application on my Android device. Once opened it said reader mode enabled. I attempted to read the data off a standard debit card with both chip and magnetic strip, however nothing was read. Do only contactless cards work? I am from the UK and used a Barclays debit. Please do help out bro :) Cheers Michael
Only RFID-enabled cards with an EMV chip.
ohFUTURED What app did you use?
Amit Singh What do you do after it says "Done". There are no buttons or anything.
Fantastic video.
Nice video.
The fuck, you just can't put your phone to a magnetic strip to extract its data. This is so wrong on so many levels.
I'm not quite sure what you mean. This attack uses the NFC interface of the credit card chip. There is no magnetic stripe involved in this attack.