adnews

The Security of NFC Cards Again Debated

  • In early April, at the 2012 Hackito Ergo Sum conference, Renaud Lifchitz, an engineer at BT and a member of ARCSI (Association des Réservistes du Chiffre et de la Sécurité de l’Information), demonstrated the vulnerability of contactless cards and showed that their data can be retrieved without particularly sophisticated equipment: a simple NFC USB key was used for the demonstration.
  • With this key and a specially crafted application, the researcher managed to retrieve the cardholder’s last and first names, the card’s PAN, its expiration date, all magnetic-stripe data and the twenty most recent recorded transactions (including country, currency, amount and date). Because a copy of the magnetic stripe is stored in the chip, the card could be cloned without using a compromised reader.
  • The researcher blames the absence of user authentication and of data encryption; he explains that a distance of three centimetres is required for optimal data retrieval. However, with additional equipment (a dedicated amplifier and a 50 cm antenna) this distance could reach 1.50 metres, and even more with a radio receiver fitted with a standard telescopic antenna (full card numbers and expiration date).
  • Public bodies have been notified (the French Ministry of Finance, the Ministry of the Interior and the CNIL). The CNIL explains that it is now conducting its own investigations and can already confirm the absence of encryption, the possible compromise of transaction data and the possible impact on cardholders’ personal information. It also explains that the 3 to 5 centimetre distance is only “theoretical” and may vary depending on the equipment used.
Source: PC INpact
  • The 20-euro limit (and the maximum of four successive transactions before PIN entry) does not apply if a copy of the magnetic-stripe data has allowed the card to be duplicated. It should be remembered that the French Law on information technology and civil liberties requires dedicated measures to secure personal data, and that PCI-DSS requires encryption of all payment data transmissions. For security reasons, Cartes Bancaires recommends that portable Faraday cages be distributed (a measure also recommended by Renaud Lifchitz). In addition, some banks may consider implementing cryptographic keys that invalidate use of the magnetic stripe if it is stolen.
  • Renaud Lifchitz also explains that the measures implemented on the Navigo pass make it safer; however, it is “only” a transportation ticket.
  • The CNIL, for its part, points out that it is entitled to check banking institutions’ compliance and, should they fail to comply, can issue a formal notice or request that processing be suspended. According to the commission, simple measures may suffice to remedy the situation: PIN code entry, and the possibility for the cardholder to deactivate the contactless feature.
  • These disclosures, made public in France, also recall the issues raised in March in the UK, where the contactless model continues to grow; by comparison, its adoption in France remains limited (see the March 2012 Insight).