Bump into someone and lose up to £30 from your contactless card

Anyone who has travelled on public transport in crowded cities like London will be only too aware of how you can end up pushed up tight against complete strangers in conditions which we would probably feel uncomfortable subjecting animals to.

But, if it gets us to work on time, we somehow seem prepared to put up with the risk of having people with only the vaguest notion of bodily hygiene thrust inside our personal space as we trundle between tube stations.

But what if that person who just lurched into you, as the train began to move again, took those few seconds of close contact to steal money from your bank account?

That appears to be what happened recently to Roi Perez, one of the team who works at SC Magazine.

In his report, Perez explains how he became the victim of contactless card theft - where a thief took the opportunity of being in close contact to his RFID-chipped payment card to surreptitiously deduct the sum of £20.

Fortunately, Perez was suspicious that something strange had occurred - and after calling his bank was able to get the twenty quid reimbursed.


Contactless payments are becoming more commonplace, requiring just a wave of a card to make a modest payment and none of the hassle of entering a PIN code.

It never feels as secure to me as a payment made alongside a PIN code, but that presumably is why the banking industry has put a tight limit on the maximum that can be purchased through this means.

I imagine the banks feel that they have weighed up what they believe to be the risks, and that they have limited their exposure to an acceptable level by stopping anything other than small amounts from being paid in such transactions.

(In the UK, the limit per transaction for contactless cards was raised to £30 last month. Your mileage may vary depending on where you are in the world.)

Furthermore, the contactless payment process is not supposed to transmit payment information more than about 10cm from a reader - although some researchers have claimed to intercept payment data from further distances.

But if you're in the middle of the hustle and bustle of a big city, crammed on public transport, there clearly are opportunities for criminals to try to take a payment from you without your knowledge, just as if you were buying a quick coffee in a cafe.

Is this something you are concerned about? Have you shielded your RFID contactless card with some tin foil layers to block out unauthorised transactions, or asked your bank to provide you with a card *without* the ability for contactless payments?

Leave a comment below with your thoughts.



23 Responses

  1. Alan Henness

    October 21, 2015 at 4:14 pm #

    I did ask The UK Cards Association about this a year ago, but I can't say I was completely convinced by the reply I got (it took quite a few emails back and forth to get even this answer):

    "The card and the reader are essentially access points into the payment network. The card in the hands of a banks customer is a token that says I am a member of this particular scheme (Visa / MasterCard) and if you, the merchant, are also a member of this scheme and accept these cards we can undertake a transaction. The process at the point of sale is such that the POS device checks the validity of the token (using the EMV protocol which is designed to validate that the card is genuine) and the two swap cryptographic data that binds the exchange to a single transaction. For the exchange to work and for monies to be passed from the cardholders account to the merchant both parties must be connected to the scheme.

    If a bad actor were to attempt to use a bogus reader to carry out transactions they would have to try and monetise the attack by setting up a merchant account through which the bogus transactions could be settled before any money could be paid. The risk of detection is extremely high and any transactions reported as bogus would be charged back to the account.

    This is a very simplistic view of the exchange and there are several other layers of security that ensure that the card issuer can validate the cryptographic exchange, to monitor for unusual activity and to ensure that there are funds to cover the transaction before money is paid."

    I'm also not convinced aluminium foil would be sufficient (although it is likely to cut down the effective range quite a bit). There are many RFID shield wallets available for sale, but I'm not convinced about their shielding efficacy. Do you know if anyone has done any decent tests on them?

    • Tony in reply to Alan Henness.

      October 30, 2015 at 11:31 pm #

      Bang a sharp instrument through the chip. You can't use it contactless, but neither can anyone else.
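The UK Cards Association reply quoted above says that card and terminal "swap cryptographic data that binds the exchange to a single transaction" and that any fraud has to be settled through a traceable merchant account. As an added illustration (not code from this page, from any bank, or the real EMV cryptogram algorithm), the simplified model below shows how such binding works: the card MACs the amount, a terminal-supplied unpredictable number and its own transaction counter with a key shared only with the issuer, and the issuer rejects replays and altered amounts while recording which merchant every approved payment settles to. The names `Card`, `Issuer`, `Terminal` and the token and key values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added illustration, not the real EMV cryptogram algorithm: a card holds a key
# shared only with its issuer and an application transaction counter (ATC).
# The terminal supplies a fresh unpredictable number (UN) and the amount; the
# card MACs them together with the ATC. The issuer recomputes the MAC and
# insists the ATC moves forward, so a captured cryptogram cannot be replayed
# and cannot be re-used for a different amount or terminal challenge.


def _fields(pan_token: str, amount_pence: int, un: bytes, atc: int) -> bytes:
    # Canonical byte string covered by the MAC; every field is length-framed
    # so that no two different inputs can produce the same message.
    parts = [pan_token.encode(), str(amount_pence).encode(), un, str(atc).encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class Card:
    def __init__(self, pan_token: str, key: bytes):
        self.pan_token = pan_token  # identifies the card to the issuer
        self.key = key              # secret never sent over the contactless link
        self.atc = 0                # application transaction counter

    def cryptogram(self, amount_pence: int, un: bytes) -> dict:
        self.atc += 1
        mac = hmac.new(self.key, _fields(self.pan_token, amount_pence, un, self.atc),
                       hashlib.sha256).digest()
        return {"pan_token": self.pan_token, "amount": amount_pence,
                "un": un, "atc": self.atc, "mac": mac}


class Issuer:
    def __init__(self):
        self.keys = {}       # pan_token -> card key
        self.last_atc = {}   # pan_token -> highest ATC accepted so far
        self.settled = []    # (pan_token, amount, merchant_id): the trace-back record

    def enrol(self, card: Card) -> None:
        self.keys[card.pan_token] = card.key
        self.last_atc[card.pan_token] = 0

    def authorise(self, tx: dict, merchant_id: str) -> tuple:
        key = self.keys.get(tx["pan_token"])
        if key is None:
            return False, "unknown card"
        expected = hmac.new(key, _fields(tx["pan_token"], tx["amount"], tx["un"], tx["atc"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tx["mac"]):
            return False, "cryptogram does not match amount/challenge/counter"
        if tx["atc"] <= self.last_atc[tx["pan_token"]]:
            return False, "counter not advanced: replayed cryptogram"
        self.last_atc[tx["pan_token"]] = tx["atc"]
        self.settled.append((tx["pan_token"], tx["amount"], merchant_id))
        return True, "approved"


class Terminal:
    def __init__(self, merchant_id: str, issuer: Issuer):
        self.merchant_id = merchant_id  # every settlement is tied to this account
        self.issuer = issuer

    def take_payment(self, card: Card, amount_pence: int) -> tuple:
        un = secrets.token_bytes(4)     # fresh challenge per transaction
        return self.issuer.authorise(card.cryptogram(amount_pence, un), self.merchant_id)


def run_demo() -> dict:
    # Constructed sample data: one card, one issuer, one merchant terminal.
    issuer = Issuer()
    card = Card("token-0001", b"constructed-card-key-do-not-reuse")
    issuer.enrol(card)
    terminal = Terminal("merchant-42", issuer)

    results = {"coffee": terminal.take_payment(card, 250)}

    # Capture one genuine cryptogram, then present it a second time and with
    # a changed amount: the issuer refuses both.
    un = secrets.token_bytes(4)
    tx = card.cryptogram(2000, un)
    results["genuine"] = issuer.authorise(tx, "merchant-42")
    results["replayed"] = issuer.authorise(tx, "merchant-42")
    results["tampered_amount"] = issuer.authorise(dict(tx, amount=3000), "merchant-42")

    results["settled"] = list(issuer.settled)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The settlement list is the part the quoted reply leans on: whatever the reader, every approved amount lands against a named merchant account, which is why charge-backs and investigation are possible. The MAC and counter checks are what stop a captured exchange being reused; they do nothing against a live relay of a genuine card, which is the separate problem discussed further down the thread.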

  2. Geoff

    October 21, 2015 at 4:19 pm #

    If your bank say they can't supply a contactless card then there is always the "Cut";
    http://www.g8dhe.net/images/cut_card_1.jpg
    http://www.g8dhe.net/images/cut_card_2.jpg

  3. Joep

    October 21, 2015 at 4:32 pm #

    I'm a master's student in cyber-security and quite risk-aware of (contactless) payment schemes. Though, I am a huge advocate of this technique. Often the critics of this method argue with comments like: "it's insecure because you don't need to enter a PIN". In my opinion contactless payment schemes are more secure because you don't need to enter a PIN. Each time I need to enter my PIN I risk being the victim of shoulder surfing. As stated in your article as well, the relatively small losses due to theft are covered by the bank, which is assuring enough for me. Though, I'm very happy with my shielded wallet :-). A different payment method comes with different vulnerabilities; shielding my wallet seems more convenient than secretly entering my PIN at a busy store counter.

  4. Peter Auber

    October 21, 2015 at 6:02 pm #

    I shield my contactless cards with foil-lined paper wallets. Plus I got a TfL inspector to check he couldn't read my Oyster card through one. And I also bought a lined wallet for my Passport. I drew a line at foil-wrapping the dog after he'd been chipped, however.

  5. Niels

    October 21, 2015 at 6:40 pm #

    Here in The Netherlands almost all banks issue contactless debit cards. However, you can disable this online if you want.

    My card is protected by a Secrid cardprotector wallet but even if someone managed to copy my card, my bank (ING) will cover the cost in full. There is no own risk. Max. is 25 euro. If you exceed that limit, a PIN code is required.

  6. Anne

    October 22, 2015 at 12:58 am #

    Banks refuse to supply non-contactless cards now. And they don't give you any control either. As a minimum it should be possible to set a limit on both the maximum size of a contactless transaction and the maximum number of transactions in a day.

    Retailers aren't any better. I put my card into a Waitrose chip and pin machine but it took a contactless payment – that amounts to taking a payment without customer consent, since by putting the card INTO the machine I was expressing quite clearly that I wanted to make a secure transaction.

    • Tim in reply to Anne.

      October 22, 2015 at 12:27 pm #

      Not all banks. I sent a letter to my bank stating that if they refuse to supply a 'non contactless' card I will move my account to another bank; a courier delivered a 'non contactless' card two days later.

      Probably depends on your balance.

    • Elaine in reply to Anne.

      October 22, 2015 at 2:24 pm #

      I bank with Halifax, my husband with Santander. We both recently received new debit cards with the Contactless technology on them. We both rang our banks to say we didn't want it. We both then received new debit cards without Contactless. I really don't like this option being given without the customer's prior consent.

  7. Stuart McHattie

    October 22, 2015 at 8:04 am #

    Frankly, someone can only take a contactless payment from you by first registering themselves as a merchant with a card handling authority. Then all transactions they make are traceable back to them. So why shield your card? If some money gets taken from it fraudulently, that registered merchant is going to jail, do not pass go, do not collect £20!

    • Joep in reply to Stuart McHattie.

      October 22, 2015 at 11:36 am #

      The main reason to shield your card is to be protected against relay attacks, where attackers set up a communication channel between your card and a payment terminal. This way payments in a store elsewhere can be made with your card still in your pocket. Simple proofs of concept have been built which only use two NFC-enabled smartphones. One attacker keeps his scanner device near your wallet, while his companion replays the information from your card to the payment terminal.

      • Joep in reply to Joep.

        October 22, 2015 at 11:45 am #

        By the way, the only way to mitigate this threat is by means of timing constraints on the communication channel. If a card takes too long to respond, cancel the transaction. The problem here is that relay attacks are known that actually respond quicker than some cheaper NFC chips implemented in bank cards. This becomes a cat and mouse game between attackers and banks. I'm fairly convinced that you can't overcome the need to shield your card if you want to be risk free from relay attacks.
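The timing constraint Joep describes, and its weakness, can be seen in a small simulation. The code below is an added illustration, not code from this page or from any bank or terminal vendor: a terminal times one challenge/response over the contactless link and cancels the transaction when the reply exceeds a limit calibrated from genuine cards. All latencies (`SimCard`, `Relay`, the microsecond values) are constructed constants, not measurements of real hardware. It goes one step beyond the comment by also showing a per-card limit, which catches the case a fleet-wide limit misses.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration of a round-trip-time check on the contactless link.
# A fleet-wide limit must admit the slowest genuine chip the scheme issues,
# and that slack is exactly what a low-latency relay can hide inside.


@dataclass(frozen=True)
class SimCard:
    name: str
    response_us: int  # time the chip itself needs to answer one challenge


@dataclass(frozen=True)
class Relay:
    name: str
    added_us: int     # latency the forwarding path adds to the round trip


def round_trip_us(card: SimCard, relay: Optional[Relay] = None) -> int:
    # Simulated round trip as the terminal would measure it.
    return card.response_us + (relay.added_us if relay else 0)


def fleet_threshold(genuine_cards, margin_us: int) -> int:
    # One limit for every card the scheme issues.
    return max(c.response_us for c in genuine_cards) + margin_us


def per_card_threshold(card: SimCard, margin_us: int) -> int:
    # Tighter limit when the issuer knows how fast this particular card is.
    return card.response_us + margin_us


def terminal_check(rtt_us: int, threshold_us: int) -> bool:
    # True: proceed. False: cancel the transaction as a suspected relay.
    return rtt_us <= threshold_us


def run_scenarios() -> dict:
    # Constructed values in microseconds; none are real chip or relay timings.
    fast = SimCard("fast chip", 300)
    cheap = SimCard("cheap chip", 1200)
    margin = 200
    fleet = fleet_threshold([fast, cheap], margin)        # 1400 us
    phones = Relay("two smartphones", 5000)               # slow forwarding path
    quick = Relay("low-latency relay", 400)               # adds less than the slack

    return {
        "fleet_threshold_us": fleet,
        "fast_direct": terminal_check(round_trip_us(fast), fleet),
        "cheap_direct": terminal_check(round_trip_us(cheap), fleet),
        "fast_via_phones": terminal_check(round_trip_us(fast, phones), fleet),
        "cheap_via_quick": terminal_check(round_trip_us(cheap, quick), fleet),
        # The cat-and-mouse case from the comment: a fast card behind a quick
        # relay still lands under the fleet-wide limit set for slow cards.
        "fast_via_quick_fleet": terminal_check(round_trip_us(fast, quick), fleet),
        # A per-card limit closes that gap for this card.
        "fast_via_quick_per_card": terminal_check(
            round_trip_us(fast, quick), per_card_threshold(fast, margin)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The per-card limit only helps if the issuer records each card's genuine response time and the terminal can query it, which is an assumption of this example and not something the comment claims any bank does; it also does nothing for a relay that adds less than the measurement noise, which is the residual risk the comment is pointing at.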

  8. Simon

    October 22, 2015 at 10:57 am #

    I can see a new invention coming down the pike: lead wallets.

  9. Kevin

    October 22, 2015 at 1:32 pm #

    4 points:
    1) the NFC tags can be read up to 214 feet away, with specialist equipment.
    2) setting up a merchant account adds a level of trace-back security, but the whole approach has not yet stopped ordinary credit card theft. Worse, it tends just to dump liability onto legitimate merchants.
    3) relay attacks are entirely possible using just 2 NFC-enabled android phones. (My accomplice walks alongside you as I pay for goods, your card pays… :)
    4) aluminium foil, or copper foil, same size as the card works very well.
    5) you would have to open the wallet to separate the card and the foil, or take the card out, for it to work.
    This should protect you from all the possible attacks; your card cannot exchange any data.

  10. Jane

    October 22, 2015 at 2:00 pm #

    As a rule of thumb the easier it is for the customer, the easier it is for hackers to access your account.

  11. Terry D

    October 22, 2015 at 2:10 pm #

    In my opinion this is a pointless gimmick that puts people's account details needlessly at risk. I argued the point with my bank to no avail, their best argument in favour was that it would save me the time needed to input a PIN number. If I get that bad at managing my time that 4 seconds will make a difference to my life I'll give up! Still not trusting this technology, I went on eBay & purchased a good quality, aluminium business card wallet. I keep my card in this at all times now & at least FEEL more secure.

  12. john

    October 22, 2015 at 2:26 pm #

    My bank recently sent me a contactless card in replacement for an expired normal one, so I took it in and asked for a normal one, which they sent me without any argument, sending a link to this article to those who said it couldn't happen. Also much appreciation for the email "heads up" you send out regarding Adobe etc.

  13. john

    October 22, 2015 at 2:40 pm #

    A firm who produces business cards (they advertise on television) give away a neat little steel card holder with your purchase. Not sure what shielding properties it would have, but it's a sturdy job and would probably work in that way. I use mine for mechanical protection of electronic-type cards; they tend to stop working if bent in your pocket, I've found.

  14. Andrew Doukanaris

    October 22, 2015 at 4:23 pm #

    As the former head of acceptance (including contactless) at Visa Europe I know of no cases where this has happened. All this foil protection is a little Dr Who like. Stuart McHattie is right. So what if the alleged victim had their cash stolen? No chance of getting any money back from the bank – so cards are much safer. It's clear most people are living in the 1930s still. Next someone is going to tell me the BBC TV licence van is outside and they know I haven't paid my fee – circa 1978 ads on TV!

  15. John

    October 23, 2015 at 9:16 am #

    On the bright side of things:

    I know of one sector with close physical contact that will keep accepting your cash money, and will even reject your NFC card altogether: prostitutes. I would pity those that would find their NFC cards emptied after some "close contact" (or whatever you might call it), thereby getting screwed in the process twice :o)

    • Graham Cluley in reply to John.

      October 23, 2015 at 9:20 am #

      Bump n' grind?

      So, basically we're all agreeing that to keep it safe we should wrap it up in tin foil? Could be uncomfortable.

  16. Chris Meggs

    October 23, 2015 at 1:51 pm #

    This position will last while the card, the bank account number and the transfer technology remain in the same physical space. Divide and conquer.

  17. George Pace

    October 23, 2015 at 2:42 pm #

    Hype and scaremongering. Relays??? for £30? Wrapping in tin-foil? isn't it the point that you don't have to take it out of your wallet? As for the initial story about having £20 taken… so the thief has gone to the trouble of setting up a merchant account with an acquirer, going through the AML and KYC process as well as the security checks and has a POS terminal, ok it may be mPOS, but really… and there's also the fact that the Issuer is liable for NFC transactions not the cardholder.
