If anyone still doubted that the trick had worked, Paget accidentally flashed the volunteer's credit card number on a screen in front of an audience of hundreds of hackers and security researchers. "You were planning on cancelling that card, weren't you?" she added somewhat sheepishly.

Contactless cards are far more common than they might seem: according to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. According to a show of hands among Shmoocon's audience, dozens of the several hundred conference attendees in the room had contactless cards, and about a quarter of those weren't aware of it until Paget asked them to pull out their cards and check for contactless symbols. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay.

Paget, a well-known security researcher for the consultancy Recursion Ventures who was known as Christopher Paget until a gender change last May, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. The scheme, Paget points out, doesn't involve any hidden bug in the system, but rather the more fundamental problem that any commercially-available RFID reader can read the data from a contactless card as easily as a store's point-of-sale device does. "Whatever encryption or other security there might be, it doesn't matter," she says. "The reader just spits out the number as if I'm the point-of-sales terminal, which is totally stupid. This is an embarrassingly simple hack, but it works."

The attack Paget demonstrated is far from new. The security industry has known since 2006 that contactless credit cards can be read wirelessly without the owner's knowledge. But in current versions of the cards, the user's name, PIN and the three-digit CVV on the back of the card aren't included in the wirelessly-read information, which the industry has argued means the attack isn't practical.

In one practical version of the scam, Paget says, a fraudster could simply bump up against his victim with that reader in a coat pocket and invisibly scan the RFID signal through material like a leather wallet or cloth pants. In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card's information. (That's the striped panel pictured above.)

Shopify just released its new card reader, which makes it easy for merchants to complete credit or debit card sales on the go. The reader accepts chip dips or swipes and works with Visa, Mastercard, American Express and Discover. It connects wirelessly to Android and Apple phones via Bluetooth and at full charge can carry out 400 chip dips and 700 swipe transactions.

Shopify's reader is an alternative to the popular version sold by Square, which just introduced a prepaid debit card that lets users tap into their Square Cash balance while shopping at brick-and-mortar stores. PayPal and Intuit also have mobile card readers, while Amazon's short-lived version is no more. Shopify unveiled its new reader in April and began taking select pre-orders last month. Today, the reader is available to all Shopify merchants. To use Shopify's card reader, you'll need at least an iPhone 5 or iPad Gen 3 running iOS 9 or higher, or an Android device running version 4.4 or later. It's only available in the US and is being offered to new Shopify point-of-sale merchants for free. Everyone else can snag one for $29.