
Contactless payment data picked up at a distance

Posted: Wed Oct 30, 2013 9:58 pm
Author: Anthea
BBC News

Data transmitted during contactless payments can be picked up from almost half a metre, researchers have warned.


Inconspicuous equipment including a shopping trolley, a backpack and a small antenna was used to intercept synthesised payments card data.

The information was detected at more than four times the distance it should have been, according to researchers.

The UK Cards Association said that fraudsters would not be able to harvest enough details to be dangerous.

During a wave-and-go transaction, customers tap or hold a card near a reader to pay for purchases of up to £20, without entering a PIN code.

Reliably eavesdrop

A key security feature of contactless cards is that they should not transmit payment information further than 10cm from a reader.

Thomas P Diakos, a researcher at the University of Surrey, built equipment that could reliably eavesdrop on synthesised payment data from a distance of 45cm.

"The results we found have an impact on how much we can rely on physical proximity as a security feature", said lead academic supervisor Dr Johann Briffa. "The intended short range of the channel is no defence against a determined eavesdropper."

At that distance, fraudsters could harvest information without arousing suspicion, the researchers said.

The team published details of their research in a paper in the Institution of Engineering and Technology's Journal of Engineering website on Tuesday.

Hide banking details

Mr Diakos used a pocket-sized cylindrical antenna, equipment in a backpack, and a shopping trolley to pick up data that had been fabricated to behave exactly like payments card information.

The test equipment was "compact and relatively inexpensive", Mr Briffa told the BBC.

"The test demonstrated that payments data can be received," he said. "What can be done with it is another question."

The research team has started to look at how wave-and-go card security mechanisms can be cracked and payment information revealed, he added.

Contactless card systems use different security features to hide banking details, including encryption, and authentication mechanisms to check whether details should be transmitted.

Full Article:

http://www.bbc.co.uk/news/technology-24743920