December 27th, 2015
RFID Protective cards – understand the difference before you buy.
Over the past few months it has come to our attention that consumers are judging the effectiveness of the RFID protective cards they are purchasing against retail point of sale terminals.
Based on this method of testing, these RFID protective cards give the appearance of being very effective at blocking a transaction from being processed and have received a number of very positive reviews.
The truth is that if you place two PayPass cards together and present them to a retail (tap & go) terminal, the transaction will NOT go through. This is so the consumer can decide which card they wish to present to the terminal. Don’t be fooled though: any standard reader (like the one in the image to the right) that can be purchased online will not give you this option and will take the information off the first card that responds to its requests. These readers have anti-collision software, so no matter how many cards are being interrogated, the reader will always get at least one.
The criminals who perpetrate this electronic pickpocket crime would rarely use a retail-style (tap & go) terminal to skim; they are more likely to use a standard off-the-shelf reader and ‘amp up’ the antenna and signal strength.
The way in which some of these cards are marketed, and the terms used to boost the hype, imply that the cards are loaded with top-secret and patented technology; some even drop names such as “NASA” to increase their worth.
The truth is actually quite different. Often a standard programmable RFID card worth about $0.75 is programmed with essentially garbage in an attempt to confuse the terminal which is trying to interrogate it. This has been shown to be inconsistent in its protective ability and thus cannot reliably support the claims that are being made.
As there is no regulatory body governing the standards of products in this field, it has been left open for anybody to jump on board and try to make a quick dollar. The few companies that have invested significantly in research and development to effectively protect the consumer have been left trying to defend and differentiate their products from those who have clearly blurred the lines and cannot support or prove the claims that are being made. The sooner this industry can be regulated the better.
Where does this leave you? The best advice is to research the product you are considering purchasing.
If it claims to jam, does it have FCC approval?
If it claims to have patented technology, is there a reference to a patent? (Don’t be fooled by a ™ next to a word; that does not constitute a patent but merely a logo or term being trademarked.)
If it claims to be active, does it have a battery?
As a consumer you must do your research and due diligence until there is a regulatory body that can help govern the claims being made. Protecting your identity from theft is a serious business, and you should only look for companies and products that are serious about protecting your data, not those who just want to jump on the bandwagon for a quick dollar.
The decision is ultimately yours as to how much protecting your personal data is worth to you.
Beware, Be Aware and Stay Vigilant.
May 12th, 2015
iTwire asks Armourcard about electronic pickpockets and wireless skimming and what you need to know
In a recent video interview and story, Alex Zaharov-Reutt from iTwire and our CEO Tyler Harris candidly discuss the vulnerabilities around this RFID technology roll-out and how best to protect yourself, to help consumers understand a little more about them.
In the interview, Harris talks about the history of RFID from its origins as a ‘SpyTool’ in the Cold War to the current day and the future applications that will be coming to a wallet near you soon.
If you know nothing about this technology this interview is a great place to start understanding what you can do to protect yourself.
Thanks, Alex from iTwire, for taking the time with Tyler and supporting our Australian invention. We really appreciate both your and iTwire’s support.
Cloning credit cards today – 9 October 2014, it’s not hard to do, as expert shows.
The new age of credit card skimming and cloning credit cards is on show today at the Breakpoint security conference in Melbourne.
Peter Fillmore, an Australian money hacker & security boffin, will demonstrate how he probed the protocols behind Visa and Mastercard payment cards and proved the viability of an attack by successfully using cloned versions of his credit cards to shop at supermarket chain Woolworths, and buy beer at a Sydney pub.
He will show today, via a modded Nexus 4 phone, how it steals data from PayWave and PayPass cards that could be introduced into cloned cards.
While the phone tactic is an inconspicuous attack, Fillmore told Vulture South that enterprising criminal gangs could make a killing by using his tactics with more powerful custom equipment to scam commuters on their way to work.
“The phone needs to be really close to someone’s wallet to work so it’s more of a proof-of-concept. [However], the attack I would be worried about is a criminal gang with a [reader] in a briefcase who captures a whole lot of cards on a tram and uploads them to a central server,” Fillmore said.
“Someone located far away could then wait until their phone pings with the stolen information and start using the cards,” he added.
“This is better than a relay attack because you can store the transactions and you don’t have a timeframe,” he said.
There’s another advantage for the potential criminal, as when the trick fails, it appears to the retailers and banks to be a mundane error, rather than a fraud attempt, which could trigger a well-resourced bank and police investigation.
Large retailers are first choice targets for attack (rather than small new businesses) as they were likely, as in the case of Woolworths, to operate legacy point-of-sale payment equipment and therefore be more open to fraudulent moves.
The Nexus 4 (as Fillmore discovered) served as an efficient and discreet hardware fuzzer for contactless cards. The popular CyanogenMod gave access to an otherwise inaccessible application programming interface called ‘Host Card Emulation’ that he said is a “great platform” for cloning cards.
Fillmore plans to write an exploit app for a popular but as yet unnamed card reader that would be delivered through the phone.
His attack worked in part by exploiting payment terminals’ legacy support for magnetic stripe cards. The EMV (the gold chip on credit cards) protocol meant cards told terminals whether they supported EMV, which then allowed an attacker to push payment processing back to mag stripes.
It captured details, including an application transaction counter, which was incremented each time a transaction was made. Attackers needed to conduct the fraud before the next transaction was made or an error would occur.
The attacks weren’t due to particular problems with a given bank, although the Australia and New Zealand Banking Group (unlike the National Australia Bank) was found not to have implemented a randomisation number which, while affording additional security, did not prevent the attack.
Fillmore said new startups may be harder targets as they may use new technology that could be, like one tested at a NAB ATM, capable of determining if a contactless credit card was ‘lying’ about not supporting EMV.
Blocking the attack would require the very slow process of dropping legacy support for non-EMV transactions, a feat that could be done faster in Australia than the US.
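As an added illustration (not code from the original article or from Fillmore’s research), the two issuer-side signals described above, a stale application transaction counter and a card ‘lying’ about not supporting EMV, can be sketched as an authorisation check. The field names, entry-mode labels, card tokens and the `max_missing` threshold are assumptions made for this example.

```python
"""Issuer-side checks for pre-played contactless transactions (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CardState:
    emv_capable: bool   # what the issuer personalised onto the card
    last_atc: int       # highest application transaction counter accepted


@dataclass
class AuthRequest:
    card_id: str        # constructed token, never a real card number
    atc: int            # counter value carried in the transaction
    entry_mode: str     # assumed labels: "contactless_emv" / "contactless_magstripe"


def evaluate(cards: Dict[str, CardState], req: AuthRequest,
             max_missing: int = 1) -> Tuple[str, List[str]]:
    """Return (action, reasons); action is approve, review or decline."""
    card = cards.get(req.card_id)
    if card is None:
        return "decline", ["unknown_card"]

    reasons: List[str] = []
    action = "approve"

    # Downgrade signal: the issuer knows the card has a chip, yet the
    # transaction arrived in legacy mag-stripe mode.
    if req.entry_mode == "contactless_magstripe" and card.emv_capable:
        reasons.append("magstripe_mode_on_emv_card")
        action = "review"

    # A captured transaction is only usable until the genuine card is used
    # again; after that its counter is no longer fresh.
    if req.atc <= card.last_atc:
        reasons.append("atc_not_fresh")
        return "decline", reasons

    # Counters the issuer never saw mean something interrogated the card
    # without sending an authorisation (could also be failed taps: review).
    missing = req.atc - card.last_atc - 1
    if missing > max_missing:
        reasons.append(f"atc_gap:{missing}")
        action = "review"

    card.last_atc = req.atc
    return action, reasons


def run_sample() -> List[Tuple[str, List[str]]]:
    """Constructed sequence: genuine tap, genuine tap after two unseen
    interrogations, a stored transaction replayed late, an unknown card."""
    cards = {"card-A": CardState(emv_capable=True, last_atc=41)}
    sample = [
        AuthRequest("card-A", 42, "contactless_emv"),
        AuthRequest("card-A", 45, "contactless_emv"),
        AuthRequest("card-A", 43, "contactless_magstripe"),
        AuthRequest("card-B", 7, "contactless_emv"),
    ]
    return [evaluate(cards, r) for r in sample]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

The counter gap is only a review signal here because failed or abandoned taps also consume counter values on a genuine card.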
“I believe that EMV interfaces in general (both RFID and physical) is an area ripe for implementation bugs and errors,” Fillmore said. “It’s just the lack of available/affordable test equipment which has prevented researchers from exploiting this area.”
He said the attack may work similar to Cupertino’s Apple Pay platform which supported non-EMV transactions.
Fillmore’s work built on the shoulders of Michael Roland and Josef Langer from NFC Research Lab detailed in the paper
August 28th, 2014
Mythbusters Banned from airing RFID story
The hit Discovery Channel show Mythbusters recently wanted to air an episode about how trackable and hackable RFID chips were. It’s still not clear why they were not allowed to proceed with airing the show, but as Adam Savage, the co-host of the hit show, alludes to in this interview, some very powerful people / companies made sure that it would never air.
Everyone would’ve learned more about the technology that’s invisibly invading our lives and the vulnerabilities surrounding this global uptake and usage of these technologies on us by the big end of town.
Talk about shutting down and closing ranks…… it seems the card issuing companies and RFID manufacturers really don’t want us (we the people) to know how vulnerable this technology is and how easy it is to hack / skim.
Thanks, Mythbusters, for trying to expose this vulnerable technology. Although your piece did not go live on the Mythbusters show, the surrounding hype about the show being pulled shows just how vulnerable we are to skimming.
The only way to protect your personal data is with the latest technology found in an ARMOURCARD. The first Active RFID & NFC protective device.
By Tyler Harris
July 3rd, 2014
‘TAP & GO’ Broke – A Current Affair Report just needs a follow-up story highlighting the wireless skimming vulnerabilities surrounding these cards.
The renowned Australian news & current affairs program ‘A Current Affair’ has aired a report on some of the risks surrounding ‘Tap & Go’ credit cards & the technology that makes them work.
We applaud Tracy and the ACA team for helping educate the public on the vulnerabilities surrounding these RFID enabled cards.
However, we believe that they may have missed a bigger opportunity to further explain that a criminal does not even have to physically steal your credit card to use the ‘tap & go’ facility, as these cards can easily be wirelessly skimmed by anyone with an NFC-enabled phone, or by someone who buys an RFID reader off eBay, searches online for how to skim credit cards with it and downloads the free software to do it.
We have followed up with the ACA team this morning in the hope that we can help with a follow-up story on the wireless skimming that can happen easily with these RFID enabled cards.
We are open to being interviewed; please get in touch via our Contact Us page.
Don’t become a victim of this crime, buy Armourcard now and get protected today.
June 11th, 2014
How NOT to get skimmed in your next taxi ride!
Taxi rides and being skimmed seem to go hand in hand lately, with a huge amount of major media coverage; we have covered this crime in a past taxi skimming article.
- Photo of Cabbie’s Accreditation – A great idea is to take a photo with your phone camera of the driver’s accreditation card; it should be visible on the front dash. This has the added benefit of subtly letting the cabby know that you are aware skimming goes on. If the cabby complains then alarm bells should start to sound; you have every right to take down this licence detail.
- Sound Message – I also like to do a quick sound memo of the time, where I collected the cab from and where I’m heading, with the taxi’s number.
- Keep card in sight – Always keep your card in plain sight; never let the cabbie take your card out of your sight. Ask the cabbie to process the payment in front of you in the centre console area.
- Also be wary of ‘Tap & Go’ payments – A lot of people say to just use the ‘tap & go’ payment facility to pay. This also has its perils, as by the very nature of this contactless technology your cards can be skimmed wirelessly if they are in the vicinity of a reader (any reader or NFC-enabled phone). How easy would it be to have a second reader sitting in the centre console that also picks up all your cards’ data wirelessly? The best way to protect yourself from this wireless skimming is an Armourcard. When you do use the ‘wave & go’ terminal, ensure you take it to the back seat with you.
- Watch out for mobile phones – Now, with NFC (near field communication) enabled smartphones and a quick search in the app stores, ANYONE can download FREE credit card skimming apps. If you have a tap & go enabled credit card like MasterCard PayPass*, Visa payWave* or Amex ExpressPay*, these cards transmit your data over open airwaves, so look out to see that the cabbie isn’t putting his smartphone near your credit / debit cards, as that could mean he is skimming the data off them into the phone’s skimming app.
Now we must say not all cab drivers are sly and the majority are most probably fine; however, if you arm yourself with even a few of these tips the next time you jump into a cab, you can better protect your credit card data from being skimmed.
If you are wanting to find out about the best way to protect your ‘Tap & Go’ credit cards & ePassports from being skimmed look at Armourcard.
*Please note: Visa payWave, Mastercard PayPass & American Express ExpressPay are all registered trademarks of the aforementioned relevant card issuing companies. These companies do not sponsor or officially endorse this website; Armourcard is independent & just helps to protect these cards from being skimmed.
May 19th, 2014
When does a simple pleasure like a hug turn into a world of identity theft pain?
Why not put an Armourcard in your wallet so hugging can still be a warm, fuzzy & safe thing to do. Don’t let the criminals deny us this simple pleasure as well.
December 26th, 2013
How to “TARGET” 40 million credit and debit cards with a Target Breach
The large retail chain Target (USA) announced last week that about 40 million credit and debit cards may have been affected in a Target data breach from Nov. 27 to Dec. 15. Stolen information related to Target store cards and major credit cards, The Associated Press reported.
This breach was for in-store purchases, not online, according to Target.
This leads me to the reason for this post today.
Now you may or may not have been affected by this breach, but you should be aware of what is about to happen to US credit cards & debit cards over the next 2 years.
The US plans to have all credit cards issued with the chip by 2015, many if not all as we have here in Australia will be RFID enabled.
With the global roll-out of RFID (radio frequency identification) technologies used in the ‘Tap&Go’ credit cards or ePassports, the chance of your personal data getting skimmed will be even greater.
The frightening thing is you will not be aware of it, as no contact is needed to skim you, nor will it be a breach of millions of credit cards; it will be yours and you will not find out until it’s too late.
As mentioned in the video, even with this known widespread breach the hassle at the very least to you as a cardholder is very real, and it could take some time to try and rectify the issues it has created for you.
I thought ‘chip’ or EMV cards are safer?
The financial institutions & card issuing companies tell us they are more secure than the mag stripe, which in many ways they may be; however, they have replaced one vulnerable technology with another. (Yes, a mag stripe card can be copied, but the criminal has to actually have the card in their possession to clone it, even if just for the few seconds it takes to swipe the mag stripe. With the new RFID-enabled cards the criminal can electronically skim your card data without you ever knowing it.)
This opens up an entirely new security issue, as RFID enabled cards, just by the nature of the technology, are always open to transmitting your personal data over open airwaves & that means anyone, & I mean anyone, can skim it. In fact many smartphones now come with NFC (near field communication) technology enabled, which means they can in effect be used to skim your cards easily; just do a search in the Google Play store for credit card skimming apps and there are FREE ones to download.
Although NFC means you have to be ‘nearer’ the mark (the person you’re skimming), that usually is not an issue. Think of being in a shopping mall on an escalator in close proximity to others: bang, a perfect way to use your NFC phone to skim the person’s wallet in their back pocket. Pretty scary when you think of how many smartphones are out there & how now not even hardened ID thieves but opportunistic persons could skim your data that easily.
Now back to RFID technology (which allows you to skim from a greater distance). You can buy an RFID reader off, say, eBay or Amazon for under $100; then it’s pretty easy to find a way to dial up the power on the reader and antenna strength (just Google search how to do it), and now you can skim people from further away. If they are using ‘passive’ protection, let’s say an RFID wallet or credit cards wrapped in sleeves, these can often still be penetrated by these high-powered readers (at best they may limit the distance at which you get skimmed, but you still could be skimmed).
The best defence is active defence.
1. Don’t just believe it will never happen to you
2. Don’t just blindly believe the institutions who issue these cards have your best security interests at heart.
3. The time has come for you to be responsible for protecting your personal data. Clearly, these breaches and the new wave of electronic skimming show you that your personal data needs to be protected by you first. Gone are the days of working to have your data public when needed (PR); now you have to work to keep your personal data private.
It starts with ARMOURCARD the #1 Active RFID & NFC Protective device.
September 14th, 2013
Test your credit cards with FREE skimming APP.
Following up on a recent blog post about FREE smartphone skimming apps that can read your credit cards, we have found an app that will show you how vulnerable you are now.
If you own a smartphone that has NFC on it, you can download this app & turn your phone into a skimmer to see if your credit cards can be skimmed.
If you have an ARMOURCARD in your wallet you are safe. Perhaps it’s time to test it out yourself on your own credit cards, then come back and buy an ARMOURCARD to get protected.
July 3rd, 2013
APPetite for destruction, Apps that can Skim your credit card data
Not long ago I wrote a blog post on the new wave of NFC enabled smartphones that can use free apps to skim credit cards, and the potential threat that anyone with an NFC enabled phone can potentially skim your credit cards. So protecting your credit cards from electronic pickpockets in this new age of NFC enabled phones just got a little bit more necessary.
Now you have to think about every APP you download.
Every APP could hold a Trojan program inside that runs in the background and basically searches via your NFC enabled smartphone for credit card details.
These are the credit cards that use the RFID chip, like Visa payWave, MasterCard PayPass or American Express’s ExpressPay.
So next time you drop your phone inside your handbag or by your wallet, watch out: it may be your skimmer’s best friend.
Your phone with the rogue App installed will locate the RFID enabled cards, interrogate them for their data and secretly email those credit card numbers to a criminal 3rd party without you ever knowing it.
Pretty scary stuff isn’t it.
Well, the only way to protect yourself truly is to put an ARMOURCARD inside your wallet alongside all your RFID enabled credit / debit cards.
ARMOURCARD’s patented ACTIVE RFID & NFC protection actually jams all RFID & NFC signals running on the most common frequency for contactless devices, 13.56 MHz.
So even if you have a rogue APP there is NO chance it could get your credit card data, ARMOURCARD would instantly power up when the APP would try and communicate with the cards and jam the signals.
Isn’t it time you started to protect your own identity and data!
Walt, one of our US competitors, is again on the PR trail, showing just how easy it is these days with trojan APPs.
We think Walt does a great job getting the message out there, so thanks, Walt.
We just don’t believe that passive RFID blocking wallets or shielding sleeves (like what Walt stocks) are the best way for protecting your data.
In fact there are many reports by the industry’s top hacking security experts* stating that these passive blocking wallets and sleeves at the very BEST may limit the distance to which a reader can read your cards, but mostly, if a reader is dialled up in power and antenna strength, these passive RFID blocking wallets and sleeves WILL BE penetrated.
The choice is yours; it’s your personal data. We chose active protection, and that is why we developed ARMOURCARD.
*Source: Passive shields or metallic wallets only reduce the signal strength; this will not block a high-powered RFID reader. Credit Card Fraud: The Contactless Generation | Kristin Paget | Chief Hacker, Recursion Ventures.