Contactless bank cards are very convenient: I put the card to the terminal, and after a couple of seconds the phone rang in my pocket - the purchase was paid. But this convenience has a downside: attackers can steal money from the holders of such “plastic”. Let's talk about ways to hack bank cards using NFC technology.
Technologically, NFC payments are a continuation of the EMV standard, so all the attacks that took place “in the wild” were already known to researchers. When I got into the topic of contactless payments, I still managed to find some new interesting cases, but such attacks still focus on backward compatibility and other shortcomings of the main EMV mechanisms - authorization, authentication, verification.
After running tests with dozens of cards, I was amazed at the scale of the problems in the banks. Since the early 2000s, they have not gone away, and with the advent of contactless payments, such problems simply became more. One of the characteristics of contactless card scams is that they are difficult to confirm because there is no need for an attacker to gain physical access to your cards. Therefore, banks often protest such customer complaints.
All Parts:
hellofhackers.com
hellofhackers.com
hellofhackers.com
hellofhackers.com
Technologically, NFC payments are a continuation of the EMV standard, so all the attacks that took place “in the wild” were already known to researchers. When I got into the topic of contactless payments, I still managed to find some new interesting cases, but such attacks still focus on backward compatibility and other shortcomings of the main EMV mechanisms - authorization, authentication, verification.
After running tests with dozens of cards, I was amazed at the scale of the problems in the banks. Since the early 2000s, they have not gone away, and with the advent of contactless payments, such problems simply became more. One of the characteristics of contactless card scams is that they are difficult to confirm because there is no need for an attacker to gain physical access to your cards. Therefore, banks often protest such customer complaints.
LEGACY
CLONING CARDS AND TRANSACTIONS
PAYER VERIFICATION BYPASS
Substitution between the terminal and the acquiring bank
Change between phone and terminal
Signature change
Change to a mobile wallet, or NoCVM
PSD2 AND CARD FRAUD IN EUROPE
CONCLUSION
For three years of close work with card transactions, I learned a lot. The risk-based approach in the payments industry forces banks and other market players to support legacy forms of payments simply “because it is necessary”. That is why in recent years I have been able to make an exciting journey into the wilds of card fraud, find dozens of vulnerabilities in various banks and payment systems, learn how to understand ISO-8583, emulate examples of transactional fraud and master other interesting and unusual attack methods.All Parts:
Attacking contactless cards [Part 1]
You probably have several cards of international payment systems in your wallet, such as Visa or MasterCard. Have you ever wondered what algorithms are used in these cards? How secure are payments? We pay with cards every day, but we know very little about them for certain. Even more myths...
hellofhackers.com
Attacking contactless cards [Part 2]
How hackers steal money from bank cards Hidden content THE MOST COMMON TYPES OF FRAUD Let's start with attacks that payment systems and banks have to deal with on a regular basis. Payments without 3-D Secure Hidden content What is 3-D Secure Hidden content Attack of the clones Hidden content...
hellofhackers.com
Attacking contactless cards [Part 3]
How chip card attacks work Almost all modern bank cards are equipped with a chip, which stores the information necessary for payments. In today's article, I will talk about the methods of fraud with such cards, as well as the methods used by banks to counter carders. CHIPOVOE LEGACY Hidden...
hellofhackers.com
Attacking contactless cards [Part 4]
Contactless bank cards are very convenient: I put the card to the terminal, and after a couple of seconds the phone rang in my pocket - the purchase was paid. But this convenience has a downside: attackers can steal money from the holders of such “plastic”. Let's talk about ways to hack bank...
hellofhackers.com