German security researcher Thomas Skora has developed an app that can read the details off a contactless credit or bank card using an NFC-enabled (near field communication) handset. The app, which appeared briefly in Google Play before Google removed it, can read the card number, issue date, expiry date, and bank code from contactless cards.
Skora was only able to test his app with German PayPass Mastercards, but it is also believed to work on Germany’s popular GeldKarte. The technology behind the different cards is very similar, so if it works with one bank’s card it is probably possible with them all! Once news broke about the app, Google quickly removed it from the Play store. Thomas Skora’s reaction was one of annoyance: “Grrr… Google just removed my app from their play store!” he wrote on Twitter.
As a security researcher, Skora’s job is to test and probe the weaknesses in mobile and Internet technology. The fact that he could write such an app using no special equipment other than an NFC-enabled phone shows the weaknesses of contactless payments. The app was only intended to demonstrate the fragility of the system. The original app description included the following caveat (translated from German):
This app is only for technical demonstration to show that data can be read by NFC from a debit or credit card. Do not use this app to read cards without the consent of the owner!
For the security-minded among you, the good news is that the source code for the app is available here: https://github.com/thomasskora/android-nfc-paycardreader
According to an FAQ on the Smart Card Alliance web site: Contactless payment devices are designed to be read when in close proximity to a capable payment terminal device… In the event that a motivated individual did read the information from a contactless payment device, the security features designed into the device, the payment terminal and the payment system would mitigate against the information being used for fraudulent transactions. In reality, the industry has only seen this attack carried out in demonstrations, not used to conduct actual fraud.
But somehow that doesn’t comfort me. Do you have a contactless card? Do you trust it? Leave a comment below.