Contactless cards can be hacked with off-the shelf technology

30 October 2013
By Tereza Pultarova
Mobile version
Share |
ul hacking attack on a contactless transaction

All that you need to perform a successful hacking attack on a contactless transaction [Credit: University of Surrey]

Hackers can intercept data transmitted between contactless cards and payment terminals using easily available and portable electronic devices, a study of Surrey University researchers has found.

Focusing on the currently prevailing Near Field Communication (NFC) standards, used in most modern payment cards, the researchers have found that especially in crowded supermarkets, contactless data transmission is vulnerable to be intercepted by determined individuals. All that is required is a simple antenna, an off-the-shelf receiver and a laptop equipped with a digital acquisition card.

“In this study, we have proved what researchers have been talking about for some time – that contactless design in itself is by no means a security feature,” said Johann Briffa, the lead researcher of a study published in the latest issue of the Institution of Engineering and Technology’s Journal of Engineering.

“Despite the fact that the NFC standard officially requires about five centimetres, we have managed to receive the same information as the terminal at the distance of 50 to 60 centimetres.”

Although the reliability of the interception decreases with the distance, in the 50 - 60cm range, almost 100 per cent of the eavesdropping attempts performed by the researchers were successful. Even more disconcerting, however, is the fact that the equipment the team used was far from advanced.

“We haven’t used anything that is extremely sophisticated or extremely expensive,” said Briffa. “For example the receiver that we have basically fits into a rather small box.”

The receiver, comfortably hidden in a backpack, could be connected to a simple loop of wire, a small metallic cylinder or even to a cage of a shopping trolley that functions as an antenna intercepting the data without raising any suspicion.

It has been the first time such simple equipment has been used in a study focusing on vulnerabilities of NFC and the team hopes the results will stir the debate about the vulnerability of the popular standard and encourage application designers to delve into the security aspects of the technology.

“With banks routinely issuing contactless payment cards to customers, there is a need to raise awareness of the potential security threats,” said Eleanor Gendle, IET Managing Editor at The Journal of Engineering. “It will be interesting to see further research in this area and ascertain the implications for users of contactless technology with regards to theft, fraud and liability.”

Currently, some 23 million contactless cards are in use in the UK alone. The NFC standard is also frequently used by smartphones for short range radio communication.

As this method of stealing private data attacks in the moment when the device needs to be in use, there is little an individual user can do to protect himself.

“When the card is not at use, for example if it’s an NFC enabled mobile phone, one thing that can be done is to switch the NFC off until it’s actually needed,” Briffa said. “In the case of cards, there exist wallets that act as faraday cages and shield the device against the transmission, however, none of these would help in our setting,” he concluded.

 

Watch our video interview with Johann Briffa here: 

Latest Issue

E&T cover image 1606

"Where would Frankenstein and his creative mind fit into today's workplace? Should we fear technological developments or embrace them?"

E&T jobs

  • Maritime Engineering Opportunities

    Defence Equipment & Support (DE&S)
    • Bristol
    • £30,424 - £35,285

    You will be working alongside a team of people who are immensely proud of what they do in providing the best possible service to our Armed Forces

    • Recruiter: Defence Equipment & Support (DE&S)

    Apply for this job

  • Engineering Manager

    BAE Systems
    • Hampshire, England, Portsmouth
    • Competitive package

    Would you like to play a vital role in managing and implementing the correct governance in order to enable BAE Systems to provide assurance and integrity of supply chain data? We currently have a vacancy for an Engineering Manager - Product Integrity

    • Recruiter: BAE Systems

    Apply for this job

  • Consultant Engineer - Test

    BAE Systems
    • Farnborough, Hampshire, England
    • Negotiable

    Consultant Engineer - Test Would you like to be a lead within an exciting team working on one of the UK's largest defence projects? We currently have a vacancy for a Consultant Engineer - Test at our site in Ash Vale. As a Consultant Engineer - Test, you

    • Recruiter: BAE Systems

    Apply for this job

  • Structural Designer

    BAE Systems
    • England, Barrow-In-Furness, Cumbria
    • Negotiable

    Structural Designer BAE Systems is looking to recruit multiple Structural Designers to join our Maritime Submarines unit to be based in our site in Barrow-in-Furness, as the Trident Replacement Programme progresses towards the start of the build stage in

    • Recruiter: BAE Systems

    Apply for this job

  • Mechanical Design Engineer

    BAE Systems
    • England, Hampshire, Portsmouth
    • Negotiable

    Mechanical Design Engineer Would you like to work in an interesting and challenging role with the chance to gain exposure to a number of maritime projects? We currently have a vacancy for a Mechanical Design Engineer at our site in Portsmouth. As a Design

    • Recruiter: BAE Systems

    Apply for this job

  • Operations Manager

    BAE Systems
    • England, Barrow-In-Furness, Cumbria
    • Negotiable

    Operations Manager We currently have an opportunity for an Operations Manager to join our Maritime - Submarines business area at our Barrow-In-Furness site. As the Operations Manager you will work within a Construction or Manufacturing Facility and be res

    • Recruiter: BAE Systems

    Apply for this job

  • Principal Chemist

    BAE Systems
    • Barrow-In-Furness, Cumbria, England
    • Negotiable

    Principal Chemist Would you like to play a key role in the safety and assurance of submarines for the Royal Navy? We currently have a vacancy for a Principal Chemist at our site in Barrow-in-Furness. As a Principal Chemist, you will be carrying out a rang

    • Recruiter: BAE Systems

    Apply for this job

  • Software Engineer

    BAE Systems
    • England, Hampshire, Portsmouth
    • Competitive package

    As a Software Engineer, you will be investigating how technology and data can be used to optimise the services we provide to our clients, including the Royal Navy, and will include unique pieces of equipment at the forefront of innovation.

    • Recruiter: BAE Systems

    Apply for this job

  • Principal Control Systems Engineer

    BAE Systems
    • England, Cumbria, Barrow-In-Furness
    • Competitive package

    As a Principal Engineer you will be responsible for the design and integration of control systems at a safety integrity level (SIL) 3. This will include requirements management, system design, and integration into the wider platform.

    • Recruiter: BAE Systems

    Apply for this job

  • Ship Refit Operations Manager

    BAE Systems
    • Jubail, Saudi Arabia
    • Negotiable

    Ship Refit Operations Manager Would you like to work with some of the largest defence projects in the world, with the chance to deploy on a contract basis to Jubail, Saudi Arabia with increased allowances? An exciting opportunity has arisen to join BAE Sy

    • Recruiter: BAE Systems

    Apply for this job

More jobs ▶

Subscribe

Choose the way you would like to access the latest news and developments in your field.

Subscribe to E&T