Unfortunately the article stops short of actually stating how this would be useful as you couldn't really do this in real time on an unsuspecting card holder (Hey, can I casually hold my phone over your credit card while my buddy over there buys a TV?). My best guess is that you physically control a compromised card and use the reader-emulator setup to drain the card as quickly as possible. Think of a scenario where you are holding the card at your secret hideout and then send out a team of goons, each with an emulator, to buy gift cards using the stolen card a la NFC. This just feels like a much more complicated version of card cloning.
I'm not thinking of the card as the weak point, more the reader.
A rogue employee putting a false reader that relays to the real reader.
Back when I worked in retail we had an issue in our local area where a group impersonated our support department and came on site to install altered versions of our readers.
I'd imagine things like the readers in our public transport ticketing machines are a pretty easy target too to hide a nearby relay.
In Australia our NFC limits are pretty high at ~$100, readers are nearly everywhere and the readers are sometimes display-less plastic discs.
Even the local animal shelter has a tap to make a donation thing now.
That's a great question, so I tried it. It's pretty uncommon to be issued an NFC card from a bank in the US, so I stuffed my wallet with a Metro card and a couple of Hilton hotel keys. I used NFC Tools on my Pixel 2 and tried to read the wallet. The cards do scan, but you never know which one you will get. I put my wallet in my pocket and tried to read it - there is absolutely no way someone is going to read my wallet in my pocket without me noticing (using a standard reader). I needed direct contact and had to move the phone around to get a read. If the wallet were inside a purse or bag, forget about it.
Keep your Metro card or an NFC hotel key on the outside of your payment cards and chances of getting scanned reduce quite sharply (based on my small non-scientific experiment).
Relying on non-tuned antennas for your test is a mistake. Check out the war driving peeps who connect to WiFi networks from miles away. Your phone's antenna is intentionally not tuned well to avoid picking up random devices that it's not near.
When I was working on an RFID board, we intentionally tuned it for such poor distance that the FCC was willing to not call it an intentional transmitter, but instead one half of an air core transformer. That's pretty standard for the product space.
How useful is the info gathered from an attack like this? Does it depend on the specific method (e.g., contactless card versus something like Google Pay) how compromising the information is? I was under the impression that by having virtual cards and the service itself to contact, Google Pay had something of a buffer from attacks like this.
The privacy angle is only part of it - the other part is someone else spending my money, and they can do that just as easily with something like Google Pay.
I've carried a Datasafe wallet made by Kena Kai for ten years or so. It includes a metallic mesh next to the leather that is durable enough that the wallet is still in good shape. I have no idea how well the protection truly works (it's marketed as complying with "FIPS-201 guidelines," which might not mean a lot) but it's been an excellent wallet in its own right.
There don't seem to be nearly as many of these for sale now as there were ten years ago, which is interesting.
Many cards are programmed to stop working if their antenna is disconnected/broken. Not sure why, but I assume it's an anti-reverse-engineering thing. Or perhaps the antenna has another use like a power supply smoothing inductor.
Secrid wallets prevent this attack, and are quite popular here in the Netherlands (where almost all bank cards are NFC enabled). Funnily enough, they are more popular for their form factor than for the NFC shielding that was their core feature.
There are many door access control systems vulnerable to this same kind of attack. I'm currently working on open source red team tools for exploiting this.
The best way to protect yourself from these types of attacks is to have a Faraday-shielded wallet.
Fellow red teamer here. I've got a proxmark3 and a keysy! :D Unfortunately I don't get to use them much, but they never fail to impress whenever I give a demo.
Because they can stop the scanners from picking them up. Some of these people buy a long range scanner made for drive up gates because you can glean the info from a block away.
You mean by default? Because here, by default, if the purchase is <= 20 no PIN is required, but this is something my bank at least allows you to remove so you get asked for the PIN always.
In the UK yeah, and I think the limit is going up. If someone uses your card fraudulently the banks have to pay you back the money, and they (the banks) can get in trouble for kicking up a fuss.
There's a sweet spot between making it easy for the customer to pay (and thereby increasing the volume of sales and therefore card charges) vs. anti-fraud measures. It's the old adage of security vs. usability.