Using contactless payment, in the Netherlands, it is possible to pay up to 25 euro with your ATM card. But is it possible to pay with someone else’s ATM card? Yes you can, when you are willing to steel from others.
I want to invert the question, can I protect others from steeling my hard earned money. Yes you can as well. Let me first explain how the scheme works.
All new cards are based on the EMV (Europay, MasterCard en Visa) chip. This is the case for the contact chip and the wireless chip. When the card is wireless the following logo can be found:
The attack is based on a relay attack. When a person wants to pay, the wireless terminal will look for the response of a wireless EMV chip. The protocol is open source and everyone can look what is being communicated. In the case of an attacker, he will hold his phone to the wireless terminal and this phone will react as if it is an EMV card. In the background it will communicate over the internet to the phone of the accomplice. This phone is placed in the neighborhood of a ATM card under attack and will start a dialog with the ATM card. The dialog consists of the original requests received by the attacker from the wireless terminal. The internet is just a way to relay all the requests from the wireless terminal and the responses from the EMV chip. The wireless terminal will think it is talking to the original ATM card of the victim. There is no way for it to know the requests and responses are relayed to a different location.
Do you want to prevent that this happens to yourselves, here is how. Take a thin metal plate and place it besides your ATM card in your wallet. Now it is impossible (or at lease much harder) for an attacker to read the NFC which is embedded in the bank card. You can also buy a wallet which shields a couple of cards like the Secrid wallet. I did have a look at that, but I am quite fond of my current wallet and I wanted to upgrade it.
The guys from AESC have sent me a stack of cards for protection. I have a couple left and the first two persons who leave a reaction on this page will get one shield on their doorstep. You need to include your email address and I will be able to contact you (don’t worry, visitors of the site will not be able to see your email address). Unfortunately I did not enable comment on this article (till now) but that is fixed now.