New credit cards pose security problem

Anyone can buy an RFID credit card reader online, where second-hand units sometimes go for under $10, and start scanning cards in public, without cardholders knowing.

Hacker shows CBC how to crack 'contactless' MasterCard

All new MasterCards in Canada, as well as Visa cards from two of the big banks, supply cardholder info over radio waves. ((Canadian Press))

Most newly issued credit cards pose major fraud and privacy concerns because of how they're designed to be scanned through the air, some cyber-security experts warn.

"Contactless" MasterCards and Visa cards have been available in Canada for several years, but they've only recently reached the bulk of consumers as the country's biggest banks adopt them.

The credit cards have an embedded computer chip called a radio frequency identification, or RFID, tag. When waved near a payment terminal in a store, the chip supplies the card's number and expiry date through radio waves, avoiding the need to swipe or insert the card or have a cashier handle it.

And that's the first problem, U.S. cyber-security expert Pablos Holman says.

Anyone can buy an RFID credit card reader online, where second-hand units sometimes sell for under $10, and start scanning cards in public — without cardholders knowing.

"It's not encrypted, which is not what we were expecting," said Holman, who has gone on U.S. TV newscasts to demonstrate the security gap. "It's really easy to read. … Now you can get a generic RFID reader and use open-source programs available on the web and read cards."

RFID credit cards surfaced in Canada in 2006, when MasterCard started aggressively pushing its PayPass cards. Today, about 90 per cent of MasterCards in the country are RFID-enabled and the company aims for 100 per cent by the end of the year, said Scott Lapstra, vice-president of market development for MasterCard Canada.

Visa has been slower to market such "proximity cards" under its own brand, payWave.

Royal Bank decided only this year to make all its Visas payWave-enabled and all newly issued TD Visa cards have the feature. But most Visa cards in Canada, including those from CIBC and Scotiabank, don't have RFID.

Both credit-card companies limit contactless purchases to $50 each and have pushed to have reader terminals installed mainly in high-volume, low-price businesses like big-chain coffee shops, fast-food outlets, gas stations and grocery stores.  

The benefit for customers, the card companies say, is faster, more convenient shopping and less fumbling for cash. Merchants, on the other hand, can cut down on lineups and boost their average sale value.

"A person who uses PayPass spends about 25 per cent more on their card on a monthly basis," MasterCard's Lapstra said. "We launched this product to … have our cards be used more."

Fraud risk

Lapstra and other financial executives insist the system is safe.

The PayPass website vaunts the card's "secure encryption technology" and says the card "never leaves your hand to make a payment," making it difficult for someone to copy it clandestinely. Visa's site boasts it's "one of the most secure payment solutions available today," while TD Canada Trust promises "payment details are securely transmitted."

"It's encrypted information that is specific to that one transaction. It is not your card number, it is not your PIN and it certainly is not going out into the open," said Anne Koski, head of payment innovations at Royal Bank's cards division. "It's encrypted information."

Information stolen from an early-generation RFID credit card can be encoded onto a traditional magnetic-stripe card and used to make counterfeit purchases, a security expert says.

Not so, says 3ric Johanson, an IT security expert from Seattle who gave CBC News an in-person demonstration of how to hack a MasterCard from President's Choice Financial. (Johanson had his first name legally changed from Eric.)

Using his laptop, a PayPass reader and some software, Johanson, sitting in the lobby of a downtown Toronto hotel, extracted a credit card's number and expiry date, using his own reader at close range. Earlier in his trip, he had pulled off a similar feat in front of a stunned audience at a security conference, using a random audience member's RFID credit card.

"When you go to read a card, you just take a reader and say, 'Give me your card number,' and it will do that," Johanson said.

"It's still very much transmitted over the air by the RFID interface. There's no message for the card to authenticate the reader it's about to talk to — it will talk to anyone."

Shirley Matthews, head of chip platforms at Visa Canada, acknowledged that payWave credit cards do not disguise the card number and expiry date when they send that data over the air to a card reader.

"We don't typically encrypt that," Matthews said.

The MasterCards in Johanson's demonstrations were of a later model and didn't cough up their cardholders' names. But most first-generation RFID credit cards, like the ones that Holman demonstrated on TV, will do so, and many are still in circulation, raising serious privacy concerns — in addition to fraud risks.

Credit-card company and bank executives played down these concerns, saying the cards can only be scanned from close range, even requiring physical contact with a reader sometimes.

"Typically, my experience has been you actually have to touch the card to the reader," Koski said.

Lapstra added: "The cards are actually powered from the reader and they have to be within four centimetres of that reader."

But that only means you need to boost the power of the reader to scan the cards from a greater distance, according to the security experts who spoke to CBC News.

Johanson said it's possible to use an RFID "gate antenna" — two electronic readers spanning a doorway, similar to the anti-theft gates in retail stores — to scan the credit cards of people passing through. 

With enough high-powered gates installed at key doorways in a city or across the country, someone could collect comprehensive information on people's movements, buying habits and social patterns.

"These days you can buy a $500 antenna to mount in doorways that can read every card that goes through it," Johanson said.

Several hacks possible

The newest generation of RFID credit cards transmit an encrypted, one-time security code alongside the card number and expiry date to authenticate each transaction, as Koski alluded to.

But Johanson said it's possible to circumvent that system by deploying what's called a replay attack: A fraudster scans the RFID card dozens of times in a public place in a matter of seconds, without the cardholder knowing, and captures the security codes that the card transmits. A cloned card is then programmed to "replay" those codes at a store's payment terminal.

The credit-card company would only catch on to the fraud when the real cardholder tried to make a subsequent payWave or PayPass purchase with a security code that had already been used by the scammer.

Several other kinds of information hacks are possible, Johanson said:

  • With a first-generation RFID credit card, a fraudster can secretly scan the card's number (including a security code called CVV1) and expiry date, then program a traditional magnetic-stripe Visa or MasterCard with that information. Even without the cardholder's name, the fraudulent, cloned card could be used in many retail locations.
  • Someone could scan RFID credit cards in the mail while they're being sent to cardholders. Issuing banks have typically disregarded privacy and security concerns and refused to use magnetically shielded envelopes for mailing payWave- and PayPass-enabled cards. The advantage of this hack is that a scammer would get the person's mailing address as well, a crucial piece of info for most online purchases.
  • A company could use the workplace's card-access doorways to scan employees' credit cards and compile information on their finances and lifestyle. For example, any credit card number beginning with "5192" is a U.S.-dollar MasterCard from Bank of Montreal — and an employee who started coming to work with one in his pocket one day, then went on a three-week "sick leave" the next, might raise a red flag.

Visa, MasterCard and their issuing banks stress that credit-card security is a multi-layered apparatus, relying on much more than just the integrity of card information. One factor is the effort required to pull off a swindle.

"Particularly when it comes to contactless, these are small-ticket transactions," Koski said. "I mean, what are you gonna do, take $50 worth of free coffee?"

"Where we see fraud in the credit-card industry in general is areas where it's a stolen card and highly fence-able goods, so electronics and things they can turn into cash," Lapstra added.

"PayPass is focused on lower-dollar value, high throughput: fast foods and coffees and those kinds of things. … We are not aware of or have any evidence that PayPass cards are able to be compromised."

Johanson said it's only a matter of time, though, before sophisticated criminals who have proven adept at wide-scale debit-card fraud turn their attention to RFID credit cards.

"As with most things, what's probably going to happen is they're going to wait for a high degree of market adoption before it gets interesting to attackers."

RFID cards

MasterCard: Aims to have all cards in Canada enabled with its PayPass contactless system by end of year. Major issuers include Bank of Montreal, National Bank, Capital One, President's Choice Financial, Canadian Tire Financial, Citigroup.

Visa: Has 31 million cardholders in Canada but would only disclose that "several million" of those contain its payWave RFID technology. Major issuers are Royal Bank and TD. Notable non-players are CIBC and Scotiabank.

He pointed to the example of the chip and PIN system, which Visa, MasterCard and their competitors began implementing in the early 2000s. Each credit card has a microchip in it, which works with a corresponding personal identification number, or PIN, entered by the cardholder to authenticate each purchase.

As chip-and-PIN cards become the norm, researchers at Cambridge University in Britain reported in a paper last month that the system is "broken." In a demonstration on BBC News, computer scientists fooled journalists' credit cards into making purchases without the valid PIN.

Such frauds are a bane to consumers, the researchers say, because to the banks it appears as though the correct PIN was used and it wasn't theft. Several British cardholders reporting counterfeit transactions on their accounts have had their claims rejected by their bank and been stuck with the bill.

Security expert Holman said the credit-card companies had a tremendous opportunity with the rollout of RFID, chips and PINs — the sector's biggest overhaul since "magstripe" cards were implemented in the early '80s — to implement a robust, safe payment system.

"What people don't understand is the credit-card industry isn't trying to make cards secure," Holman said. "They just have a risk-management problem where they try to control the amount of fraud on their system."

Click on the tabs to read about the different ways a scammer could get RFID credit-card info, and how they could exploit the data: