Have you seen people with a piece of foil sticking out of their wallet? Not yet? Very soon you will see them in every city in the country. Who are these people? Ordinary citizens who are worried about their finances. The reason for their concern is contactless payment card technology: PayWave and PayPass.
Contactless bank cards are the same familiar pieces of plastic we already know, with one difference: they carry an antenna for transmitting information over the air. The most common types are Visa PayWave and MasterCard PayPass. These cards can be recognized by the wave-shaped symbol in the corner and the name of the contactless technology next to the payment system's logo. To pay for a purchase, you simply hold such a card up to a payment terminal equipped with a radio receiver. That is all: the payment is made. No passwords and no signatures. Speed goes up, queues get shorter.
But, as with everything beautiful, contactless payments have their controversial points. Seeing how cards of this type work, a question arises: if the seller can obtain from the card the data needed to carry out a transaction, what prevents an attacker from scanning the card and withdrawing money from it? Is it safe to carry a contactless bank card in your pocket or not?
A bit of history
The issue of bank card security first arose in the early 1970s, when banks faced an acute shortage of staff. Operators could not keep up with the mountain of paperwork that accompanied loan applications and their approval.
This situation prompted banks to organize customer self-service using ATMs. To win users' trust in the new equipment, engineers needed to propose a way for customers to identify themselves easily, quickly and securely. That is how cards with a magnetic stripe appeared.
However, cards with a magnetic medium had, and still have, a serious problem called skimming. Using a skimmer, a special reader disguised as a regular ATM component, attackers can make a copy of the card's magnetic stripe and then transfer the captured information onto a blank card.
In response, smart cards appeared in the 1980s. In appearance they are very similar to their predecessors. Alongside the magnetic stripe, which is used where smart card readers are not available, a microprocessor chip is built into the plastic body of such a card, in effect a full-fledged computer. In the context of banking applications it is often called an EMV chip.
EMV is a standard created jointly by Europay, MasterCard and Visa to increase the security of bank payments. Shortly after its creation, Europay and MasterCard merged into one company, but the name of the standard was not changed.
So how does this raise the security level?
First, the difficulty of counterfeiting. Two minutes of searching the Internet and you will be offered the most detailed instructions for cloning cards with a magnetic stripe, as well as several dozen options for acquiring the equipment needed for it. Counterfeiting a chip card is currently considered impossible.
The second security factor is the use of dynamic data. For each bank transaction, the EMV chip generates an individual confirmation code, valid only for that transaction. As a result, intercepting the data transmitted during a payment becomes pointless: a captured code cannot be reused for another payment.
Third, cardholder verification. When paying with a magnetic stripe card, you confirm the payment with a signature, which in most cases nobody compares with the original. As for checking the name of the card's owner against the holder's identity document, that hardly ever happens. With a chip card, each payment is confirmed by entering a PIN code.
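The following is an added example, not code from the original article, that illustrates the "dynamic data" point above. It is a deliberately simplified model of a per-transaction cryptogram, not the EMV specification: the chip holds a key shared with the issuer and a transaction counter, and each request is authenticated with an HMAC over the amount, the counter and a nonce chosen by the terminal (EMV itself uses session keys and 3DES/AES MACs over a longer record). The key, nonces and amounts are constructed values. The demo shows why a captured cryptogram is useless: replaying it at another terminal, replaying it at the same terminal, or altering the amount in transit are all rejected.

```python
import hashlib
import hmac
import struct

# Simplified model, not the EMV specification: a per-card key shared with the
# issuer, an Application Transaction Counter (ATC) the chip increments, and a
# terminal nonce. The cryptogram is HMAC(key, amount || ATC || nonce).


class Chip:
    """Card side: holds the per-card key and the transaction counter."""

    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self.atc = 0

    def generate_cryptogram(self, amount_minor: int, terminal_nonce: bytes) -> dict:
        # The counter moves forward on every request, so no two records repeat.
        self.atc += 1
        record = struct.pack(">QI", amount_minor, self.atc) + terminal_nonce
        mac = hmac.new(self._key, record, hashlib.sha256).digest()[:8]
        return {"amount": amount_minor, "atc": self.atc, "nonce": terminal_nonce, "mac": mac}


class Issuer:
    """Bank side: knows the same per-card key and the last ATC it accepted."""

    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self.last_atc = 0

    def verify(self, request: dict, terminal_nonce: bytes) -> bool:
        # The terminal reports the nonce it challenged the card with; it must match.
        if request["nonce"] != terminal_nonce:
            return False
        # A counter at or below the last accepted value is a replay (or a rollback).
        if request["atc"] <= self.last_atc:
            return False
        record = struct.pack(">QI", request["amount"], request["atc"]) + request["nonce"]
        expected = hmac.new(self._key, record, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, request["mac"]):
            return False  # amount, counter or nonce was altered in transit
        self.last_atc = request["atc"]
        return True


def demo() -> dict:
    """Run one genuine payment, then the attacks the dynamic code defeats."""
    card_key = bytes(range(16))           # constructed key shared by chip and issuer
    chip, issuer = Chip(card_key), Issuer(card_key)

    nonce_1 = b"\x11\x22\x33\x44"         # constructed terminal challenge
    genuine = chip.generate_cryptogram(1500, nonce_1)   # 15.00 in minor units
    accepted = issuer.verify(genuine, nonce_1)

    # An eavesdropper replays the captured cryptogram at another terminal.
    nonce_2 = b"\x55\x66\x77\x88"
    replay_other_terminal = issuer.verify(genuine, nonce_2)
    # Or replays it with the original nonce: the counter gives it away.
    replay_same_nonce = issuer.verify(genuine, nonce_1)

    # A fresh cryptogram with the amount changed on the wire fails the MAC.
    fresh = chip.generate_cryptogram(2000, nonce_2)
    tampered = dict(fresh, amount=200000)
    amount_changed = issuer.verify(tampered, nonce_2)

    return {
        "genuine_accepted": accepted,
        "replay_other_terminal": replay_other_terminal,
        "replay_same_nonce": replay_same_nonce,
        "amount_changed": amount_changed,
    }


if __name__ == "__main__":
    print(demo())
```

The two pieces that make the code "dynamic" are the counter and the terminal nonce: the counter stops a replay of an old record even at the same terminal, and the nonce stops a record generated for one terminal from being presented at another. Compare this with a magnetic stripe, where the same static bytes are read on every swipe.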
Although the EMV chip has become a serious alternative to the magnetic stripe, it nevertheless has several disadvantages. The most important is the need to remain compatible with the enormous magnetic stripe infrastructure. To solve this problem, banks issue hybrid cards that support both payment options. But when such a combined card is serviced via its magnetic stripe, the security question arises again: the threat of skimming returns.
It is worth noting that copying data from a chip is still possible. From smart cards issued before 2008 (MasterCard) and before 2009 (Visa), one can read information sufficient to manufacture a corresponding magnetic stripe, namely: the card number, expiration date, service code and bank information. For cards issued after these dates, this problem no longer exists.
Whether a fraudster can actually use such a copy is another question. Like cards, terminals come in various types. If a cheat with a "clone" goes to a terminal equipped only with a magnetic stripe reader, there will be no problem using it. A hybrid terminal, however, recognizes from the code read off the card that the card must carry a chip in addition to the magnetic stripe. In that case, the transaction will not be carried out.
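The following is an added example, not code from the original article, showing the hybrid-terminal check described above from the terminal's side. The fields the article lists (card number, expiration date, service code) live in the track 2 record of the magnetic stripe, laid out per ISO 7813 as `;PAN=YYMMSSS<discretionary>?`, and the first digit of the three-digit service code states whether the card should also have a chip (2 or 6 mean "use the integrated circuit where feasible"). The card numbers and track strings below are constructed test data, not real cards; the reference date is fixed so the expiry check is reproducible.

```python
from dataclasses import dataclass
from datetime import date

# Track 2 layout per ISO 7813: ;PAN=YYMMSSSdiscretionary?
# Service code first digit 2 or 6 means the card carries a chip; 1 or 5 means
# a stripe-only card. A hybrid terminal uses this to refuse a swipe that
# should have been a chip transaction.

CHIP_PRESENT_FIRST_DIGITS = {"2", "6"}
REFERENCE_DATE = date(2014, 1, 1)  # fixed "today" so the example is reproducible


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Validate the card number's Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a track 2 string into its fields, rejecting malformed input."""
    if not (raw.startswith(";") and raw.endswith("?")):
        raise ValueError("track 2 sentinels missing")
    pan, sep, rest = raw[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("PAN field malformed")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry or service code malformed")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


def chip_expected(service_code: str) -> bool:
    """True when the service code says the card should also have a chip."""
    return service_code[0] in CHIP_PRESENT_FIRST_DIGITS


def magstripe_decision(raw_track2: str, terminal: str, today: date = REFERENCE_DATE) -> str:
    """Decide whether a swipe may proceed; terminal is 'magstripe_only' or 'hybrid'."""
    t = parse_track2(raw_track2)
    if not luhn_ok(t.pan):
        return "decline: PAN check digit"
    year, month = 2000 + int(t.expiry_yymm[:2]), int(t.expiry_yymm[2:])
    if not 1 <= month <= 12 or (year, month) < (today.year, today.month):
        return "decline: expired"
    # The check that defeats a stripe copied from a chip card: the hybrid
    # terminal sees that a chip should be present and refuses the swipe.
    if terminal == "hybrid" and chip_expected(t.service_code):
        return "decline: chip expected"
    return "accept"


if __name__ == "__main__":
    # Constructed track data, not real cards.
    copied_from_chip_card = ";4000000000000002=1612201123456789?"
    stripe_only_card = ";5200000000000007=1711101000000000?"
    for raw in (copied_from_chip_card, stripe_only_card):
        for term in ("magstripe_only", "hybrid"):
            print(term, parse_track2(raw).service_code, magstripe_decision(raw, term))
```

Run as-is, the first card (service code 201) is accepted by a magstripe-only terminal and declined by a hybrid one, which is exactly the difference the paragraph describes; the second card (service code 101) is accepted by both because nothing on its stripe promises a chip.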
The second serious problem of the EMV chip is the low speed of the contact interface. The time needed to access the chip, authorize and perform the required procedures is much longer than a transaction on a magnetic stripe card. For systems where queues form, this fact can be far more critical than the risk of fraud.
All this made it necessary to create payment technologies that would combine the best aspects of both magnetic and chip cards while having a minimum of drawbacks. Contactless NFC bank cards are claimed to play this role.
About contactless technology
NFC technology serves as the physical basis of the contactless bank payment mechanism. NFC (Near Field Communication) is a short-range, high-frequency wireless communication technology that allows data exchange between devices located about 10 centimeters apart. In effect, it is a simple extension of the contactless RFID card standard (ISO 14443), combining the interface of a smart card and a reader in a single device. In banking applications, NFC makes it possible to replace the outdated but familiar magnetic stripe with a more modern solution, and not only in bank cards: payment can also be made with other payment tools, whether a mobile phone or an RFID sticker attached to any convenient item.
In contactless cards, the information needed to conduct transactions is stored on the card's chip. There are two types of such cards.
The first type has only a contactless interface, added to a magnetic stripe card. This kind is intended mainly for the United States. In effect, the contactless module is static and duplicates the information stored on the magnetic stripe.
The second type is more secure than the first. Such a card has two interfaces to the chip: a contact one (a soldered element resembling a SIM card) and a contactless one (an RFID tag). Cards of this type conform to the EMV standard. They not only retained the advantages of their chip-card brethren, but also became more convenient:
- A contactless card always stays with its owner. There is no need to hand it to the seller to swipe through a reader or to insert it into the terminal. A particularly welcome change is the end of the practice where, when paying for lunch, you have to accept that the waiter takes your card and walks away to pay for your order, serve other customers, drink tea, and so on.
- With contactless cards, to increase the speed of service, payments up to a limit are allowed without additional authentication. For Russia this amount is 1,000 rubles, for Ukraine 200 hryvnia, and for Thailand, for example, 700 Thai baht. This does not mean that you cannot pay contactlessly for purchases costing more than this amount; it just means that in that case you will have to go through the authentication procedure.
Payments of small amounts without authorization became possible because the international payment systems set a course toward increasing payment speed. Visa, for instance, set the maximum permitted transaction time at 30 seconds. With the same aim, Visa launched the Visa Easy Payment Service program, under which points of sale should not require customer identification for purchases under 1,000 rubles.
The new payment technology becomes indispensable at points where queues form and speed is critical, for example in transport. The seconds saved by using contactless cards significantly reduce queues and customer waiting times.
But what about security?
PayPass and PayWave cards use an RFID chip operating at 13.56 MHz. It is this chip that exchanges data between the card and the terminal. However, an attacker can easily intercept this information with an alternative RFID scanner.
Manufacturers of contactless cards cite the fact that the range of RFID tags is 3-5 cm. But this argument is very debatable, because long-range readers with a range of more than 30 cm already exist. Although they require fairly large antennas, this does not detract from the fact that they exist.
Thus, with an RFID scanner, one can form a transaction request and carry out an attack on the card. Of course, this data is not enough to create a clone, but a number of phishing attacks can be quite successful.
Meanwhile, both legislators and payment systems side with the holder of the funds in this matter. Payments of up to 1,000 rubles disputed by the cardholder are refunded without additional investigation and as quickly as possible. This is largely due to the interest in developing micropayments and in constantly increasing money turnover. This is clearly indicated by one of the most debated laws adopted, Law No. 161 "On the national payment system". If previously, in cases of bank card fraud, the owner of the compromised card had to prove his innocence, which in Russian courts most often ended badly, then from January 1, 2014 the situation changes dramatically. Under Article 9 of that law, the bank is obliged to refund the client the amount of a transaction made without his consent upon receiving notification of the unauthorized transfer of funds, and only after that to begin investigating the incident. Modern fraud monitoring systems, however, will not allow bank customers to abuse the right to challenge transactions constantly: those wishing to cash in on false claims can be quickly identified.
So, is it worth using contactless bank cards or not? Most likely, yes. It is not only convenient, it is almost safe. But if doubts about your card transmitting data over a radio channel still remain, shielding the card with a foil envelope will resolve the issue. And we will meet more and more people with a corner of foil sticking out of their wallet.