Contactless cards can be hacked with off-the shelf technology

30 October 2013
By Tereza Pultarova
Mobile version
Share |
ul hacking attack on a contactless transaction

All that you need to perform a successful hacking attack on a contactless transaction [Credit: University of Surrey]

Hackers can intercept data transmitted between contactless cards and payment terminals using easily available and portable electronic devices, a study of Surrey University researchers has found.

Focusing on the currently prevailing Near Field Communication (NFC) standards, used in most modern payment cards, the researchers have found that especially in crowded supermarkets, contactless data transmission is vulnerable to be intercepted by determined individuals. All that is required is a simple antenna, an off-the-shelf receiver and a laptop equipped with a digital acquisition card.

“In this study, we have proved what researchers have been talking about for some time – that contactless design in itself is by no means a security feature,” said Johann Briffa, the lead researcher of a study published in the latest issue of the Institution of Engineering and Technology’s Journal of Engineering.

“Despite the fact that the NFC standard officially requires about five centimetres, we have managed to receive the same information as the terminal at the distance of 50 to 60 centimetres.”

Although the reliability of the interception decreases with the distance, in the 50 - 60cm range, almost 100 per cent of the eavesdropping attempts performed by the researchers were successful. Even more disconcerting, however, is the fact that the equipment the team used was far from advanced.

“We haven’t used anything that is extremely sophisticated or extremely expensive,” said Briffa. “For example the receiver that we have basically fits into a rather small box.”

The receiver, comfortably hidden in a backpack, could be connected to a simple loop of wire, a small metallic cylinder or even to a cage of a shopping trolley that functions as an antenna intercepting the data without raising any suspicion.

It has been the first time such simple equipment has been used in a study focusing on vulnerabilities of NFC and the team hopes the results will stir the debate about the vulnerability of the popular standard and encourage application designers to delve into the security aspects of the technology.

“With banks routinely issuing contactless payment cards to customers, there is a need to raise awareness of the potential security threats,” said Eleanor Gendle, IET Managing Editor at The Journal of Engineering. “It will be interesting to see further research in this area and ascertain the implications for users of contactless technology with regards to theft, fraud and liability.”

Currently, some 23 million contactless cards are in use in the UK alone. The NFC standard is also frequently used by smartphones for short range radio communication.

As this method of stealing private data attacks in the moment when the device needs to be in use, there is little an individual user can do to protect himself.

“When the card is not at use, for example if it’s an NFC enabled mobile phone, one thing that can be done is to switch the NFC off until it’s actually needed,” Briffa said. “In the case of cards, there exist wallets that act as faraday cages and shield the device against the transmission, however, none of these would help in our setting,” he concluded.


Watch our video interview with Johann Briffa here: 

Latest Issue

E&T cover image 1607

"As the dust settles after the referendum result, we consider what happens next. We also look forward to an international summer of sport."

E&T jobs

  • Control System Engineer

    United Utilities
    • Lancaster, Lancashire
    • Up to £33415 + Comprehensive Benefits

    Provide ICA maintenance and engineering support to the Water & Wastewater Production

    • Recruiter: United Utilities

    Apply for this job

  • Signal Processing Engineer

    B&W Group
    • Steyning, West Sussex
    • Competitive Salary

    We are looking for a Signal Processing Engineer to support the R&D process on active loudspeaker products.

    • Recruiter: B&W Group

    Apply for this job

  • Principal Mechanical & Electrical Engineer

    De Montfort University
    • Leicestershire
    • Grade G: £36,672 - £46,414 per annum

    Join the Projects Team to develop and manage medium to large projects on the university estate.

    • Recruiter: De Montfort University

    Apply for this job

  • Advanced Commissioning Engineer

    National Grid
    • Nottinghamshire, Nottingham, England
    • £46000 - £57000 per year

    National Grid is at the heart of energy in the UK. The electricity we provide gets the nation to work, powers schools and lights everyone's way home. Our energy network connects the nation, so it's essential that it's continually evolving, advancing and i

    • Recruiter: National Grid

    Apply for this job

  • Electrical Design Engineer

    Oxford Instruments
    • Yatton, Bristol
    • Competitive salary plus excellent benefits

    We are looking for an electrical designer to join our engineering design team.

    • Recruiter: Oxford Instruments

    Apply for this job

  • Skilled Electrical Fitter

    • Bolton
    • Competitive Salary & Benefits

    What?s the opportunity?   The Electrical Fitter will carry out manufacturing and test tasks within the electrical department in accordance with product certification procedures, defined workmanship  ...

    • Recruiter: MBDA

    Apply for this job

  • Electrical Manufacturing Technician

    • Stevenage
    • Competitive Salary & Benefits

    What?s the opportunity?   As a qualified craftsman with experience in electrical manufacturing, the Manufacturing Technician will report to a Team Leader, receiving day to day ...

    • Recruiter: MBDA

    Apply for this job

  • Consultant Engineer (Electrical Power)

    BAE Systems
    • Cumbria, Barrow-In-Furness, England
    • Negotiable

    Consultant Engineer (Electrical Power) Would you like to play a key role in providing technical direction to the design of power systems on the Successor class submarines, which will replace the current Trident-equipped Vanguard class, currently in servic

    • Recruiter: BAE Systems

    Apply for this job

  • Supply Restoration Team Manager (HV/SAP)

    • Oxford, Oxfordshire
    • Salary: £37,588 to £49,645 + Car (SSE8) Depending on skills and experience

    SSE is looking to recruit a Supply Restoration Team Manager to join our existing team in Oxford.

    • Recruiter: SSE

    Apply for this job

  • Electrical Technical Lead - Global Operations, Engineering & Laboratory

    Pfizer Ltd
    • Kent

    An exciting opportunity has arisen to join a dynamic team of professional engineers, supporting the development of novel drugs.

    • Recruiter: Pfizer Ltd

    Apply for this job

More jobs ▶


Choose the way you would like to access the latest news and developments in your field.

Subscribe to E&T