The potential vulnerabilities of RFID devices have been described and researched for a while now. Using NFC (Near Field Communication) technology is one method of accessing RFID-stored data. With the renewed popularity of NFC tech, this type of vulnerability deserves enhanced vigilance.
EMV cards have just passed their adoption deadline in the U.S. and, although they come with many cyber-security benefits, they also have inherent vulnerabilities associated with chip data storage. This especially concerns contactless payment cards, which do not require insertion into a terminal in order to perform operations. Using RFID technology for the embedded microchip that stores all the customer information and transfers it to a reader via a radio frequency antenna, this type of EMV card is currently gaining traction and popularity, and at the same time becoming a target for hackers. Malicious attacks can retrieve card data and decipher encryption keys. Further manipulation of data segments produces an outcome similar to card cloning.
Examples of contactless cards cyber-attacks
SC Magazine featured an article on how a member of their staff had money stolen from her bank account via her EMV card, after a stranger “bumped” into her “a bit too long”, aiming to get within the required proximity of the targeted RFID device. The attack described goes beyond simple theft of card details and therefore involved a certain degree of sophistication. Facilitated by the contactless nature of the card, and opening the possibility of continued exploitation after the fact, it raises questions about payment security when such EMV cards are involved.
Another account of the hacking of RFID payment cards dates from late 2014 and involves a high-risk Android app. The target was a MIFARE-based smartcard. Running the app on an NFC device enabled the attacker to read a card as well as manipulate its data (in the case described, the card limit was modified to allow the attacker to extract a larger amount of money). It was, however, an older MIFARE card version, documented as seriously vulnerable in the early 2000s.
Nevertheless, the concept of the attack might theoretically be replicated with enhanced tools and different card types. In addition, it only takes about 10 seconds for the data exchange to be completed and for the attacker to alter the original card. Cheaper cards tend to be more likely to come with embedded vulnerabilities, so this kind of exploit is not to be neglected.
Demo exploits of RFID vulnerabilities
EMV cards already have a history, in Europe and globally. The U.S. has only just officially adopted this type of chip-enabled card, but the rest of the world has been gradually shifting from magnetic stripe cards to EMV cards for some time. Concerns regarding the security of contactless cards have been voiced in the past, and some of them were tested by researchers.
1. In 2013, researchers from the University of Surrey warned about fraudulent attacks that might target and successfully hack contactless payment cards. Although banks denied the risk of mistaken payments, one UK bank advised customers to remove the card from their wallet while executing banking operations, which was interpreted as an admission of possible errors.
The researchers’ demonstration was conducted with relatively cheap equipment and was based on the idea that technological eavesdropping is possible with EMV contactless cards. The equipment amplified the NFC signal and extended the range at which interaction with the EMV chip is possible (1 to 3 meters, depending on the environment). The target was the sensitive information stored on the card, so it was mostly about proving the possibility of an after-the-fact exploit.
2. Another demonstration belongs to Kristin Paget. Forbes published an article describing how the demo proved that RFID-enabled credit cards could be “pickpocketed” through clothes and wallets. The article mentions the contactless card's supplementary security feature that might just block the fraudulent operation, if the timing is right. The card offers a one-time CVV code with every scan, and repeated use of a code blocks the card. The attacker can use the CVV code once, and if the victim also employs the replicated code before the malicious transaction is completed, the card is disabled.
Paget used a credit-card reader purchased on eBay and essentially read the card data and the one-time CVV number; the card data was not directly manipulated as in the SC Magazine example, so the card limit was not affected.
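The one-time code mechanism described above, modeled as an added example that is not from the article or from Paget's demo: a per-tap code derived from a card key and a tap counter, with an issuer-side rule (assumed here, not taken from the EMV specification) that accepts each counter value once and blocks the card when a code is replayed or arrives after a newer one was already spent. The key, the derivation and the scenario helper are all constructed for illustration.

```python
import hmac
import hashlib

# Constructed demo key for illustration; a real issuer derives per-card keys inside an HSM.
DEMO_CARD_KEY = b"constructed-demo-card-key"


def dynamic_cvv(card_key: bytes, counter: int) -> str:
    # Simplified stand-in for the card's per-tap code derivation (an assumption, not EMV's
    # exact scheme): an HMAC over the tap counter, reduced to three digits.
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class Card:
    """Every scan, legitimate or by a skimmer, advances the counter and yields a fresh code."""

    def __init__(self, card_key: bytes):
        self.card_key, self.counter = card_key, 0

    def tap(self) -> tuple:
        self.counter += 1
        return self.counter, dynamic_cvv(self.card_key, self.counter)


class Issuer:
    """Issuer-side rule: counters must strictly increase; a repeated or stale code blocks the card."""

    def __init__(self, card_key: bytes):
        self.card_key, self.last_counter, self.blocked = card_key, 0, False

    def authorize(self, counter: int, cvv: str) -> str:
        if self.blocked:
            return "DECLINED: card blocked"
        if not hmac.compare_digest(cvv, dynamic_cvv(self.card_key, counter)):
            return "DECLINED: bad CVV"
        if counter <= self.last_counter:
            # The replay signal the article describes: the same one-time code seen again,
            # or an older code arriving after a newer one was already spent.
            self.blocked = True
            return "DECLINED: replay detected, card blocked"
        self.last_counter = counter
        return "APPROVED"


def skim_scenario(order: list) -> list:
    """One skim, then taps in the given order ('attacker' replays the skimmed code, 'victim' taps afresh)."""
    card, issuer = Card(DEMO_CARD_KEY), Issuer(DEMO_CARD_KEY)
    skimmed = card.tap()  # the "bump": a reader harvests one counter/code pair
    return [issuer.authorize(*(skimmed if who == "attacker" else card.tap())) for who in order]
```

Running `skim_scenario(["victim", "attacker"])` shows the timing race from the article: the victim's genuine tap advances the counter, so the skimmed code is rejected and the card is blocked.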
It may be useful to remember at this point that contactless cards were used in the U.S. before the 1 October EMV deadline, but in the form of transit cards. The amounts of money associated with such cards and their withdrawal limits made transit cards less attractive to hackers, but this is changing now that contactless EMV cards are linked to regular bank accounts. Such cards may become more attractive targets, which, combined with the possibility of increasing the card limit, increases the risks.
3. The Prezi demonstration that we quoted before deployed an attack on a MIFARE Classic/DESFire RFID card (the most used RFID card type globally) and managed to read/write and also gain access to the card by using a smartphone, the Banking Card reader NFC (EMV) app for Android and a touchatag NFC reader with the NFC millionaire application, from a distance of 4 cm. As a serious risk, the exploit found that “CVC/CVV code is not possible to read from the cards, but this may not be a problem because many online portals still do not require CVC/CVV code”.
Proposed solutions for contactless cards
RFID shields that protect contactless credit cards when the owner is not using them for transactions are recommended. Secure protective sleeves block RFID signals from being read or manipulated; they can be purchased online or in stores, or even come integrated into regular-looking wallets.
Other, more sophisticated solutions are for the moment only theoretical or at most in the prototype phase.
The Avoine RFID section provides interesting links on both security vulnerabilities and possible solutions. For example, a secure transaction verification scheme was one of the proposed solutions, but such a procedure would defeat the simplicity of contactless payment.
Dynamic tokens, biometric RFID authentication, and private and secure public-key distance bounding are other precautionary measures ventured in 2015.