Naked Security

NFC card skimming – is it really a thing? [VIDEO]

We opened a can of worms when we wrote about NFC card skimming last week - so here's a live discussion of the controversy we stirred up...

Last week we published an article entitled “Does your credit card need a tinfoil hat to keep it safe on the train?”
Sophos expert Matt Boddy set out to answer some modern-day concerns we hear surprisingly frequently: if you’ve got a contactless payment card or passport, could you get digitally pickpocketed, and, if so, can you prevent it happening?
Well, now!
Lots of readers messaged us to say they really enjoyed Matt’s entertaining and practical style (and thanks for your kind words, everyone), but we also managed to stir up a whole load of controversy that we didn’t expect.
So we took to Facebook Live to work through all the talking points we’ve been confronted with since last week…


10 Comments

With regards to “fraud” there seems to be a major aspect which is missed in this video. And that is the ability to “clone” an NFC card. For example, the fact that a credit card just has the long number and expiry is irrelevant to the CVV validation when it comes to the NFC terminal processing (accepting) that card. IF you can clone a card to present the exact same information to the terminal, then the terminal will accept that cloned card as “valid” and perform whatever transaction it was supposed to do with the original. That aspect is the true validation of exposure on NFC cards. If you can “read” but not “reproduce”, then there is no exposure. (E.g. the terminal may also be looking at other aspects of the card, such as the serial number (all serials must start with abc123…) and not just the data payload; then cloning becomes harder, as you need to create physical NFC cards with specific ranges of serial numbers (which credit card companies can do, but hard for the “average” hacker).)

You can’t clone an NFC card such as the Mifare Ultralight you see in the video. It’s not like a magstripe where you can read all the data off one card (less the CVV code) and write it back to another. The chip isn’t just a passive data store that is world-readable. It’s a tiny computer with its own CPU and a restricted I/O system to the outside world that means you only get the view of its internal state that the CPU is willing to provide.

THANK YOU. Working in the finance industry, I get a little tired of the scaremongering around NFC cards (especially when accompanied by a lax attitude to mag stripe security). Some people just can’t be convinced that these new payment technologies were built from the ground up with security as a priority.
Just one NFC security feature that doesn’t get mentioned often is the transaction counter that forms part of the cryptogram created between the card and the payment terminal – so even if it were possible to create a perfect replica of the internal state of a card (spoiler: it isn’t, because the card’s private key is unreadable) the transaction counters would get out of sync and shut the card down anyway.
But the intrepid reporter walking around with an NFC reader and showing people their PANs to scare them makes for good TV, while someone from EMV saying ‘these new cards are secure’ doesn’t, so the FUD persists.

To amplify this comment a bit, if I may…
It’s worth remembering that there are, very loosely speaking, two main sorts of secure crypto storage (wireless or wired, doesn’t matter) – one sort that just stores data, and one that essentially stores “computational ability”. An example of a query you might do against the former is: “open the file with the crypto key in it and let me read the raw key out”. But in the case of the latter, it might be: “here is some data – encrypt it with the key that was generated inside the device and let me read the scrambled data out”.
Mifares and similar devices have a bit of both – data that can be cloned, and data that is unique to the card – data that affects its external behaviour – but can’t be copied. OK, never say never – especially if you are a crook with an electron microscope – but, at least by design, trying to dig the secret internal data out of a secure device like a Mifare is supposed to destroy it.
That’s why it is possible to claim to have “unclonable” devices – there’s a Catch 22, because the only way to make a perfect copy is to trash the device first, thus giving you an imperfect copy instead.
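To make two ideas in this thread concrete (the “data versus computational ability” distinction in the comment above, and the transaction counter mentioned two comments up), here is an added toy model in Python. It is not code from Sophos, Naked Security or any card vendor: the HMAC-SHA256 cryptogram, the 16-bit counter, and the PAN, expiry and key values are all constructed stand-ins for a real card’s algorithms and data. The card exposes its public data to any reader, but the key never leaves the object; a reader that only skims data cannot produce a cryptogram the issuer accepts, and even a hypothetical bit-exact copy of the card’s internal state falls out of step with the counter the issuer tracks.

```python
"""Toy model: reading an NFC payment card is not the same as cloning it.

Constructed example. A card exposes public data (PAN, expiry) but keeps a
secret key inside, answers each transaction with a cryptogram over an
application transaction counter (ATC), and the issuer checks both the
cryptogram and the counter. HMAC-SHA256 stands in for the card's real MAC.
"""
import copy
import hashlib
import hmac

# Constructed values: a fake PAN/expiry and a fixed key so runs are repeatable.
DEMO_PAN = "4000 1234 5678 9010"
DEMO_EXPIRY = "12/29"
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac_over(key: bytes, atc: int, challenge: bytes) -> bytes:
    """Cryptogram = truncated HMAC over (counter || terminal challenge)."""
    msg = atc.to_bytes(2, "big") + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Holds readable data plus computational ability; the key never leaves."""

    def __init__(self, pan: str, expiry: str, key: bytes) -> None:
        self.pan = pan
        self.expiry = expiry
        self._key = key      # internal state the card CPU never exports
        self.atc = 0         # application transaction counter

    def read_public(self) -> dict:
        """What a reader held near the card can learn: data, but no key."""
        return {"pan": self.pan, "expiry": self.expiry}

    def generate_cryptogram(self, challenge: bytes) -> tuple[int, bytes]:
        """Bump the ATC and MAC it together with the terminal's challenge."""
        self.atc += 1
        return self.atc, mac_over(self._key, self.atc, challenge)


class Issuer:
    """Knows the card's key and the highest ATC seen so far."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.last_atc = 0

    def authorise(self, atc: int, challenge: bytes, cryptogram: bytes) -> str:
        expected = mac_over(self._key, atc, challenge)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        if atc <= self.last_atc:
            return "declined: transaction counter out of sync"
        self.last_atc = atc
        return "approved"


def terminal_transaction(card: Card, issuer: Issuer, challenge: bytes) -> str:
    """One contactless tap: terminal challenges card, issuer decides."""
    atc, cryptogram = card.generate_cryptogram(challenge)
    return issuer.authorise(atc, challenge, cryptogram)


def skimmed_data_attempt(card: Card, issuer: Issuer) -> str:
    """A reader sees only the public data and has to guess the key, so the
    cryptogram its copy produces does not verify at the issuer."""
    public = card.read_public()
    guessed_key = hashlib.sha256(public["pan"].encode()).digest()[:16]  # wrong
    data_only_copy = Card(public["pan"], public["expiry"], guessed_key)
    return terminal_transaction(data_only_copy, issuer, b"challenge-A")


def perfect_replica_attempt(card: Card, issuer: Issuer) -> list[str]:
    """Even a hypothetical exact copy of the internal state desynchronises:
    once the copy transacts, the original's counter is stale and is declined."""
    replica = copy.deepcopy(card)
    results = [terminal_transaction(replica, issuer, b"challenge-B")]
    results.append(terminal_transaction(card, issuer, b"challenge-C"))
    return results


if __name__ == "__main__":
    card, issuer = Card(DEMO_PAN, DEMO_EXPIRY, DEMO_KEY), Issuer(DEMO_KEY)
    print("genuine tap:", terminal_transaction(card, issuer, b"challenge-0"))
    print("data-only copy:", skimmed_data_attempt(card, issuer))
    print("exact replica then original:", perfect_replica_attempt(card, issuer))
```

In the model the issuer merely declines the stale counter; a real issuer may also block the card, which is the “shut the card down” behaviour described above. The point the code makes is that the PAN and expiry a skimmer can read contribute nothing to the cryptogram, so reading is not reproducing.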

I’m not too concerned as I just keep 2 contactless cards together in the same pocket. Something called “card clash” by Transport for London suggests 2 cards will interfere with each other if both are being scanned at the same time when they’re in close proximity.

Well, if you watch the video, we address this very point – in fact, we actually try reading two cards next to each other on camera.
They don’t always interfere – TfL is right to warn you that it might happen (which would prevent your Oyster card from working), but it is not a reliable precaution to prevent either card being read. Sometimes it reads neither card, sometimes it reads the one further away, sometimes it reads the closer one.

Sorry, but exposing the long credit card number and expiry date is a BIG security breach. CVV is only 3 digits. All any hacking crew needs to do is purchase 1000 (say) long numbers plus expiry dates on the dark web, then pump into their bot all 1000 numbers plus the weblinks of 1000 retailers, then assign 1000 sequentially assigned CVVs to target each retailer just once. And each card is a winner eventually. 1000 winners, 1000 frauds.
Not to mention the obvious optimizations to the attack, which can reduce the attack surface, or the benefits of scaling up.
You were way too near-field focused to see the obvious.

I don’t think we said that exposing long number and expiry date wasn’t a breach. In fact, I seem to recall myself saying in the video, “If you think long numbers are no big deal to expose, why don’t you put yours in your email signature?” (That was satire. Please don’t try it – your financial institution will not be impressed!)
Nevertheless, evidence of systematic NFC skimming is rare. So, although we want to give the impression that it genuinely “is a thing”, we don’t want people to infer that it is a major type of cybercrime.
I think the video does reach a reasonable and balanced assessment overall… that’s my self-assessment.

BTW, instead of buying anything, you can simply make your own super slim portable faraday cage…
Take some aluminium tin-foil you typically use at home, fold it and wrap it around n cards stacked together, bind it with some simple scotch paper, leaving only one short side open to slide the cards in and out… and voilà!
Works perfectly well, tested through and through with different phones’ readers.
Haven’t thought of testing it against a more powerful reader, e.g. for doors or a merchant’s one, but that can totally be done, and although I’m no expert, I’m pretty much sure it’ll do.

Foil worked for us, but at the price of a cup of coffee (that you’d pay for contactlessly anyway) we figured a sleeve not bodged together out of foil would [a] be less likely to scratch our cards and [b] be less likely to tear or split during use.
If you can keep the foil close enough, our tests say that just having a sheet of foil next to one side of your card is enough.
