German security researcher Thomas Skora has developed an app that can read the details off a contactless credit / bank card using an NFC-enabled (near field communications) handset. The app, which appeared briefly in Google Play before Google removed it, can read the card number, issue date, expiry date, and bank code from contactless cards.
Skora was only able to test his app using German PayPass Mastercards, but it is also believed to work on Germany’s popular GeldKarte. However, the technology behind the different cards is very similar, and if he managed it with one bank’s card then it is probably possible with them all! Once news broke about the app, Google quickly removed it from the Play store. Thomas Skora’s reaction was one of annoyance: “Grrr… Google just removed my app from their play store!” he wrote on Twitter.
As a security researcher, Skora’ job is to test and probe the weaknesses in mobile and Internet technology. The fact that he could write such an app using no special equipment other than an NFC-enabled phone shows the vulnerabilities in using contactless payments. The app was only intended to demonstrate the fragility of the system. The original app description included the following caveat (translated from German):
This app is only for technical demonstration to show that data can be read by NFC from a debit or credit card. Do not use this app to read cards without the consent of the owner!
For the security minded among you, the good news is that the source code for the app is available here: https://github.com/thomasskora/android-nfc-paycardreader
According to an FAQ on the Smart Card Alliance web site: Contactless payment devices are designed to be read when in close proximity to a capable payment terminal device… In the event that a motivated individual did read the information from a contactless payment device, the security features designed into the device, the payment terminal and the payment system would mitigate against the information being used for fraudulent transactions. In reality, the industry has only seen this attack carried out in demonstrations, not used to conduct actual fraud.
But somehow that doesn’t comfort me. Do you have a contactless card? Do you trust it? Leave a comment below.
Like this post? Share it!
He’s an idiot. Fine if he wants to create it for himself, but to put it on the play store,then be pissed that they remove it wow. Customers the statement in the app description will definitely stop people from illegal using it. What an idiot.
I want to be able to put it on my phone to test my CC, and if it can be read, then contact the CC company to fix their security problem.
I’ve already had my card compromised once, and in all likelihood due to the contactless payment system chip … if there is a way to prove it can be done, then the only thing ‘illegal’ would be for the CC company to continue to use an insure system.
I agree with you.
I do not trust my smartphone for such things at this point in time, nor do I trust the companies behind the software, thus I won’t be using it any time soon for such things as a payment system.
I have been cutting the chip out for years, glad to see my paranoia is still justified :)
There is an app that checks if your card can be read using the same method (the cc number is not fully displayed): https://play.google.com/store/apps/details?id=com.samj.CardTest
My phone used to make a little noise every time I sat it on top of my wallet.
I turned off NFC as soon as I realised what the sound indicated.
I’m not suggesting I was in any danger of fraud, but it’s enough to cause some discomfort