The security community has been demonstrating successful cloning of contactless transactions since at least 2012. Full cloning of cards is not possible, and current cloning methods succeed only by copying an out-of-date implementation of the contactless standard.
By Niel van der Walt
There are two standards that contactless cards generally support: a legacy magnetic stripe compatible mode and an EMV compliant mode. The magnetic stripe compatibility allows contactless cards to be used in the place of old swipe-to-pay technology. While such backwards compatibility makes upgrading to contactless technology easier, it means that the security flaws inherent in the old technology are still present in contactless cards.
The EMV compliant implementations use secure cryptography and transaction checks that make even the most advanced cloning techniques obsolete. Contactless cards also support the new EMV compliant standards, so the entire card cannot be cloned; only the legacy implementation part of the card can be cloned.
How is cloning of transactions done?
A criminal needs to get a contactless reader within close proximity to the card he intends to copy. While reading of contactless data should be possible up to 10 cm, in practice this distance needs to be less than 5 cm to be reliable. The reason for the range limitation is that the contactless card receives its power directly from the reader, and sufficient power transfer is only possible at short range.
The contactless card reader presents the victim’s card with a payment request that mimics that of a payment terminal. Payment processors such as MasterCard and VISA each have their own security implementations. Because the standards differ between these payment processors, the cloning process is unique to the type of card.
The criminal’s contactless reader will query the victim’s card many times, using a new random number for the transaction each time. The card’s response is recorded each time and stored in a table for later use in cloning transactions. The attack ends when the criminal has gathered all of the responses to the possible random numbers. It can take between 10 seconds and 10 minutes to complete this process since between 100 and 10000 random numbers need to be tried.
The criminal will then transfer the data to a programmable contactless card or to a cellphone with contactless capabilities. The criminal will then buy goods worth just below the limit that contactless payments allow, which is about R200.00 in South Africa, and present the programmed card or cellphone for payment. The payment terminal generates a unique random number that it sends to the card to attempt to verify that the payment method is not a clone. Because the clone contains all the valid responses to all the possible random numbers, it looks up the correct response and sends it to the terminal. The payment proceeds using the card details that were copied from the victim and the payment usually succeeds.
Depending on the implementation, the victim’s card may only use a static CVV to authenticate a contactless payment. This means that copying one transaction gives enough information to clone the legacy transaction implementation of a VISA card. The criminal will bring a contactless reader close to the victim’s card and issue a standard processing request to it. The victim’s card will respond with the card details and the CVV number. The criminal will then write this data to a programmable contactless card or to his cellphone with contactless capabilities. Presenting the cloned details for a transaction will most likely be successful. The same payment limit exists as for the MasterCard implementation.
What can be done to prevent my card transactions from being cloned?
At present customers need to insist that banks provide them with safe contactless cards that conform to up-to-date international security standards. Secure contactless card implementations do exist, but many banks are currently not making use of these methods. While the legacy modes are sometimes required for successful transactions, there exist secure implementations of these modes that are not easily cloneable.
Furthermore, payment processors can update their systems to detect cloned cards and block them. Any cloning method will cause a detectable change in the payment details due to the sequential nature of payments. A break in the sequence is an indication that card cloning may have occurred.
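The sequence check described above, sketched as an added example (not code from the article or from any payment processor). It assumes every authorization reaching the issuer carries a per-card transaction counter (EMV's Application Transaction Counter plays this role) and that a small gap is tolerated; the class name, threshold and sample records are constructed for illustration.

```python
from collections import defaultdict

MAX_GAP = 5  # assumed tolerance for attempts that never reach the issuer


class SequenceMonitor:
    """Tracks the per-card transaction counter as seen by the issuer."""

    def __init__(self, max_gap=MAX_GAP):
        self.max_gap = max_gap
        self.highest = {}             # card -> highest counter seen so far
        self.seen = defaultdict(set)  # card -> counters already presented

    def check(self, card, counter):
        """Return a verdict for one authorization: ok, gap, stale or replay."""
        if counter in self.seen[card]:
            return "replay"           # same counter presented twice
        self.seen[card].add(counter)
        high = self.highest.get(card)
        if high is None:
            self.highest[card] = counter  # first sighting sets the baseline
            return "ok"
        if counter < high:
            return "stale"            # older than a value already processed
        self.highest[card] = counter
        if counter - high > self.max_gap:
            return "gap"              # many counter values never arrived
        return "ok"


def review(events, max_gap=MAX_GAP):
    """Run (card, counter) events in arrival order and label each one."""
    monitor = SequenceMonitor(max_gap)
    return [(card, ctr, monitor.check(card, ctr)) for card, ctr in events]


# Constructed sample authorizations, in arrival order.
SAMPLE = [
    ("card-A", 41), ("card-A", 42),
    ("card-A", 163),  # genuine card, after ~120 counter values went missing
    ("card-A", 97),   # value from inside the missing range arrives late
    ("card-A", 97),   # and is presented a second time
    ("card-B", 7), ("card-B", 8),
]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

A "gap" on its own can be benign, but a "gap" followed by "stale" or "replay" values from inside the missing range is the break in sequence the paragraph refers to.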
Until improvements to the way contactless cards implement transactions are made and payment terminals are programmed to detect and reject cloned cards, contactless technology will remain at risk.
Is contactless technology safe?
Contactless card crime is currently on the increase, but thus far the statistics show that it is of much less concern than other payment methods. Having said that, contactless fraud may increase significantly as criminals gain access to hardware and software that allow them to steal contactless information.
It is the responsibility of the banks and payment processors to make sure they stay one step ahead of criminals by updating their contactless cards to use secure transaction standards.
The response of MasterCard to the issue is that their standards already contain sophisticated countermeasures to cloning attacks.
The failure at this point is not that the contactless standards are insecure, but rather that outdated standards are used. Implementing the available countermeasures to card cloning and other attacks would improve contactless card technology to a very high level of security.
- Niel van der Walt at MWR Infosecurity