Figure 1 -
http://www.rfcafe.com/references/electrical/ew-radar-handbook/images/imgx1B.gif |
Paypass (MasterCard)/payWave(Visa) technology is
storming the banking industry. All Polish banks want to jump on to the
bandwagon to bring their customers the newest debit/credit cards with RFID
tags. RFID (Radio Frequency Identification) is a technology that originates
from the military use during the II World War. Tags were used in airplanes for
radar identification – the so called IFF (identification friend or foe). As the
radar beam would hit an Allie plan the RFID tag would reflect a modified signal
back to the station and on the radar screen a green dot (for friendly aircraft)
would appear.
Nowadays RFID is used just about everywhere, also in banking cards. But
just how safe is this technology? Simply have a look at a video from
MythBusters where they tried to test it out.
As you can see something is going on. This technology is extremely
vulnerable as tags transmit unencrypted information to the receiver that
anybody (even using a smartphone with NFC) can read simply just standing next
to you. The scary thing is just how easy it is and everybody with newly issued
cards (about last 2 years) can be “robbed”. Just have a look how it’s done…
Figure 2 -
http://corporatesnobs.com/blog/wp-content/ uploads/2013/10/sleeves-rfid.png |
How to protect yourself from theft? Well it’s quite easy;
simply protect your card in an aluminum case which doesn’t allow radio waves to
pass though. An alternative might be a specialized RFID protection certified
wallet – which might look like an ordinary wallet but has aluminum casing
inside the leather.
How do you protect your bank cards? Were you aware of
the risk?
My husband is somehow paranoid about this. These special wallets seem to be the best birthday present I can give him, so thanks for giving me the idea :)
ReplyDeleteI would be highly concerned if I was a suited-up gentleman in mid-40, hence, it would be easy to assume I'm rich. Fortunately, my looks ressemble of poor 16-year old still craving for some bucks from my parents, so I hope no-one will try this method on me. Well, I don't just "hope", I'm sure of it.
It's another reason to keep in mind that private space in public places is something very important. Maybe raising the awareness of this problem will lead to less people standing few centimetres from me in the bus, while the whole vehicle is empty. Just keep your bag close and stay away from strangers and you should be OK.
I wouldn't sign off the comfort of using PayPass card just to prevent me from this risk, to be honest.
We can hear a lof about this kind of theft. Member of my family was robbed that way. Information recieved from her paypass card was transfered to someone in Thailand!
ReplyDeleteIt was a shock, when the bank called and asked "Are you in Thailand right now?". Of course she wasn't. Dealing with bank security also wasn't realy easy. At first they didn't want to believe it's a theft and they weren't eager to return money. I know it's a difficult situation, even if everything turned out all right.
I never had anything like aluminium wallet, but I discover my own way of protection. Simply, place 2 cards with chips in the same case and all info readers are going crazy. They receiving information from two cards, so they can't read it properly. I hope it works :)
A.Rymuza:
ReplyDeletePlacing 2 cards next to each other will only work at the metro or tram/bus city card checking machines as they are very primitive and the cheapest versions. If you have a smartphone with NFC (Near Frequency Communication)functionality and you download an appropriate app that reads card data you will see that it does not matter if you place 2 or 3 cards it will read all of them at the same time and display information... so brace yourself ;)
Przemyslaw Galus:
ReplyDeleteThanks for the info. It's true that usually it happens to me in metro station. Now I will be more careful :)
According to what you said the best way is to refuse the offer of new paypass card. I'm not sure how it works but as first, is it possible to perform international transfer of money using contactless payment? I know that in most of banks each payment over 50 zloty is additionally secured by pin code, in such unusual payments it should be also doubly protected.
ReplyDeleteGood solution is to use similar technology which involves smartphones. Whole procedure looks same, only card is replaced by phone. After transaction we can simply turn off the NFC module which makes our sensitive data inaccessible. However, that technology is being supported by only a few banks in Poland
yoshi:
ReplyDeleteIts not really an international transfer of money, they simply put near your pocket a scanner (just like one in the supermarket) which reads your card information - the transaction on the bank side looks like you simply bought something in Germany using PayPass. The 50PLN limit is not really a problem as they will make 5 or 10 transactions within couple of seconds, only way to protect yourself is to limit amount of daily PayPass transactions or keep your card in a faraday's cage.
That's the point, I wonder if transaction that even pretends to be like regular payment in supermarket in different country isn't secured. It's associated with currency exchange during transaction.
ReplyDeleteNot sure but I think that multiple transactions in short time are blocked by default
Few months ago for one of my assignments I had to write a short report on contactless payments in Poland. Most of sources I found also identified the vulnerability of the technology but at the same time pointed out that many banks had improvidently implemented it. I agree that such cards are prone to thief. On the other hand, card operators designed several way to reduce harsh consequences. For instance, in a card there are counters that could block transactions that would exceed a specific limit. The limit could specify the maximum value of a single transaction, daily budget, number of contactless operations that can be performed without pin authorisation and other combinations. Moreover, MasterCard (I’m not sure what about Visa) allows to personalise these limits for every single card so, in theory, each client should be able to modify the limits or even turn off that functionality. The problem is that most banks didn't enable such options for their clients and set limits to their maximum possible values. Moreover, many banks stopped offering cards without contactless feature and now on the internet you can find a lot of instructions how to remove RFID tags. I realise that it has been changing and due to many complaints in some banks you can now disable contactless feature. However, it doesn't change the fact that the technology itself is not secure. I must admit that I use PayPass very often, but I am aware of the risk and use aluminium case to protect my card and set rational limits on it.
ReplyDeleteI don't use paypass at all. I think it is too dangerous. I am not convinced that paying should be that easy.
ReplyDeleteFirlsty, you can lose it extremely easly, secondly it can be stolen from you. In both situations person who has your card can spend your money absolutely as he pleassed because he doesn't need password.
I even try not to use the "normal"credit card" if I really don't have to. Of course there are some situations in which card is necessary and very convinient but I don't recommend using it every day...
So I was aware of the danger but it is always good to talk about this stuff.
I'm always doing a payment by cash. I use an electronic card only to ATM withdrawals. I think paypass and nfc technology are still not safe enough..
ReplyDeleteI had no idea such danger existed!
ReplyDeleteI actually got such a wallet as a Christmas gift last year! Total coincidence. I guess that Santa Clause didn’t know the present would be so useful. I liked it because it was nice, but now I know it has other advantages.
A. Rymuza: amazing story. It’s comforting that the bank asked “are you in Thailand right now?”, which means that they track transactions, and are able to spot deviations from the norm.
So we – clients – have some security.
Of course I'm aware of the risk and that is why I'm trying to protect myself mostly by limiting the number of PayPass transactions per day. I also try to scan the news the biggest banks post on their webpages about another new version of some security feature. And then I ask myself: Does it really work? For a while maybe, but there will always be one guy who will manage to crack it. The awerness of this risk is somehow upsetting - I'm not sure if there's ever enough protection that makes us truly free of frauds. But it may be the price we pay for comfort of contactless paying.
ReplyDeleteLet's not forget about the ways to recover your lost money. If your paypass card is scanned without your knowledge, a bank can easily trace back the stealing terminal and get your money back. It's really not that dangerous, especially with given limits to paypass transactions.
ReplyDeleteCredit card payments has only one issue it takes too long. Thanks God we have PayPal. This is very simple, flexible and fast. It's a new technology (in Poland since 2005) and we known that there are sometimes problems with security. All transactions and places associated with money is not safe. In the past, people were afraid to bank accounts, then transfers and payment and now it's time for paypal.
ReplyDeleteI'm a programmer and I love new technologies so hard keeping my fingers crossed for the further development of this evolutionary technology.
Nothing is perfect. If you want to keep your cash under your pillow, then you just found solution to the issue. I believe that everything can be hacked if you know the right technology and you know the spots in the system. If you know any safe way of payment method please enlighten me. In my opinion there is no perfect system to do so. And when bugs like this comes out, it is up from producent to try to patch the issue as soon as possible and hope that this will last a bit longer before again someone will get a way to crack it or skip on security.
ReplyDeleteIn my opinion paypass is one step backward in safety.
ReplyDeletePaypass do not authorize person which is using card.
There is a lot of videos in YT showing how to steal money from the this technology. Despite the fact that we gain a little bit of time it is at the expense of safety guarantees for me is not worth it. Amuse me people who fall into paranoia and wrap your cards in aluminum foil. Effective, but how strange it when you checkout in MCD and you pull out the aluminum foil :D
This technology requires a little improvement. For example, by adding a button that closes the circuit and to activate a system only if we allow it. Simple? and provides temporary authorizations.
Human laziness leads to the fact that this technology is accepted by the world .. so sad
In my opinion paypass is one step backward in safety.
ReplyDeletePaypass do not authorize person which is using card.
There is a lot of videos in YT showing how to steal money from the this technology. Despite the fact that we gain a little bit of time it is at the expense of safety guarantees for me is not worth it. Amuse me people who fall into paranoia and wrap your cards in aluminum foil. Effective, but how strange it when you checkout in MCD and you pull out the aluminum foil :D
This technology requires a little improvement. For example, by adding a button that closes the circuit and to activate a system only if we allow it. Simple? and provides temporary authorizations.
Human laziness leads to the fact that this technology is accepted by the world .. so sad
In my opinion paypass is one step backward in safety.
ReplyDeletePaypass do not authorize person which is using card.
There is a lot of videos in YT showing how to steal money from the this technology. Despite the fact that we gain a little bit of time it is at the expense of safety guarantees for me is not worth it. Amuse me people who fall into paranoia and wrap your cards in aluminum foil. Effective, but how strange it when you checkout in MCD and you pull out the aluminum foil :D
This technology requires a little improvement. For example, by adding a button that closes the circuit and to activate a system only if we allow it. Simple? and provides temporary authorizations.
Human laziness leads to the fact that this technology is accepted by the world .. so sad
This comment has been removed by the author.
ReplyDeleteAnd only for that simple fact, that my bank didn't give me a card with paypass, I'm glad I'm in Inteligo.
ReplyDeleteFrom the beggining I thought "that might be problematic". And not only in lack of security (although Martyna opened my eyes about banks policies).
But security actually is not the biggest problem. It's the money. You loose track of how much do you spend them. Some of us "counts" them in head, and so we know approximately how much do we have left in a bank, but my mother always forgets. She was using paypass for one month, than suddenly stopped. She even tried to exchange the card for one without this technology, but, no can do.
It's just silly. Every corporation will always find easier way for us to spend our money... Sometimes I really hate capitalism.....
I have a card with PayPass. I got it a few years ago when it was something new on the market. Back then, I knew it might be a bit risky to use it but I didn't know that I can be robbed so easily! I think that someone should make an information campaign about it, because everyday banks encourage a lot of people to change normal credit card to PayPass and usually without telling them honestly about the risk involved. For me, PayPass has both advantages and disadvantages. The main benefit is a fast way of paying. And you can pay even small amount. In my opinion the biggest disadvantage is that it doesn't charge my account right away, so I can make a big debit without even knowing about it. Unfortunately it has happened to me already. Right now, my PayPass card is broken and after this article I'm not sure if I want to have a new one.
ReplyDeleteI really like using paypass and other new method of paying, it's faster, you mussn't remember of taking money from atm or from home. For me they could do something they planned - i mean made special chip under skin. U will never have problem to lose it, it can have your all data, u can code everything on it. Technology comming really fast this days. If someone wanna do robbery, they will do it, there always some more inteligent people who will made a method to robber something from you.
ReplyDeleteI'm not really that concerned about it. Paypass limits are like.. 50zlotys? I've never been "robbed" that way and I feel like the risk isn't really big for me, as even if it does somehow happen, it's only 50 zlotys and probably possible to get them refunded.
ReplyDeleteDamn it.... I was happy too soon. Just received new card, with bloody paypass on it.... The world hates me....
ReplyDelete