How money can be stolen from contactless RFID and NFC cards

Recently, a fundamentally improved method of stealing money has been discovered: one that targets cards equipped with PayWave and PayPass technologies. Criminals intercept the signals from such bank cards “out of the air” using hand-made readers.

Plastic cards with contactless RFID chips can be used just by holding them up to a PoS bank terminal. The card is neither “swiped” through the terminal nor inserted into it.

There are now methods of withdrawing money from credit cards using the latest smartphone models, which are equipped with NFC, a variant of RFID technology. To withdraw funds from the card, hackers just need to know the full card number and the month and year of its expiry date.

Cards of the international MasterCard system are equipped with PayPass chips, and cards of the Visa payment system are equipped with chips called PayWave. Both companies allow their contactless technologies to be used on magnetic stripe cards as well as on newer cards with a square chip.

The advantage of the MasterCard PayPass and Visa PayWave systems is that they simplify and speed up payments in stores. When paying small amounts with a card that has an RFID chip, there is no need to sign the receipt or enter your PIN into the PoS terminal.

The fraudulent schemes rely on intercepting NFC signals with illegal reader devices. These RFID interceptors are highly advanced analogues of conventional contactless PoS terminals, with extended functionality for capturing and processing electromagnetic waves. Such a device is usually equipped with an antenna, a special controller, connectors for extracting information from the reader, and pirated computer software.

To read the payment data, the fraudster only needs to bring the reader within approximately ten centimeters of the victim’s card.

This means that in the subway or on ground transport at rush hour it can be done very easily and without being noticed. The stolen information is then passed on to other participants, whom the person who captured it often does not even know. They make cloned duplicates of the bank cards, which are used for cashing out illicit money.

The cost of an illegal RFID reader for attacking PayWave and PayPass cards is about one hundred dollars, and home-grown tinkerers (“kulibins”) can build them from components that can be ordered on eBay or AliExpress.

The simplest and most effective way to protect a card from a contactless reader is to buy a special RFID purse that shields the cards from being read. When the swindlers’ device attempts to read the data, it will not be able to copy the information.

It is also advisable to set up alerts that report changes to the account balance by SMS or push notification. Alternatively, you can reduce the amount that can be spent by card without entering a PIN.

