Skip to content

NFC Point Of Sale Readers

Featured Replies

Is it possible for a person who has access to one of the above devices to deduct money from people's accounts merely by typing in a given amount, and walking in close proximity to someone's wallet or purse on a train or other busy environment?

I've just received a post on fb (yeah, I know!) which claims to show a member of the public on a bus or train with one of the above devices in his possession. I don't know enough about this process,

So, is it possible, and is it something to be aware of?

I believe I've seen the same post that you have and it did make me wonder;

I came to the conclusion that yes, it is possible.

When you walk into a shop and pay with NFC enabled card there's no other interaction other than you walking in, taking goods, them entering an amount (NFC so usually no receipt) you presenting card and off you go.

I'd consider also turning off Android NFC apps too. (If you have an iPhone, leave them on, you deserve all you get) << ;) :p

I saw the same post on Facebook and LinkedIn. As a little trial I tried my phone on my wallet and it did pick up something. But it turns out I have three cards in my wallet with nfc. 2 are payment cards the other isn't. The phone seemed to get confused by the 3 together and wouldn't read any one correctly until I separated the cards.

Not sure how sensitive and similar the POS machines are compared to my phone though.

Sent from my D5803 using Tapatalk

I've seen nothing in the security press about it so I take this as a bit of hype.

 

Suspect it is possibly but a bit like Chip and Pin fraud it's technically possible but quite difficult and the rewards are limited with NFC right now because of the transaction limit.

 

Much more profitable ways to con you than NFC.

I saw this post:  http://metro.co.uk/2016/02/17/use-a-contactless-bank-card-watch-out-for-thieves-bumping-against-you-on-trains-5700472/

 

However as pointed out it isn't a UK train, however PayPal and the like will allow you to buy a card reader, which I assume support Contactless Payments.  If the transaction is sub £30 then in theory it should work.

 

You can pick up NFC 'protected' wallets, or a sleeve to drop your credit card into.  My experience of the card readers is that card needs to be very close (rubbed on the screen), so if someone was rubbing a card reader up and down my body looking for my cards/wallet I might notice.  Suspect most ladies with hand bags would be more likely to have their bags stolen then their cards read using this technique.

I've read about demos from Defcon etc where they have been able to read NFC cards from a distance using specilised antennas.

 

You might see gangs investing in developing tech like that if the transaction limit gets upped but for now the  cost / benefit doesn't work out for them.

 

Still much more profitable to put a knife to your neck and tell you to empty your account from the ATM, or to put a skimmer and a camera on a card reader / ATM.

I saw this post:  http://metro.co.uk/2016/02/17/use-a-contactless-bank-card-watch-out-for-thieves-bumping-against-you-on-trains-5700472/

 

However as pointed out it isn't a UK train, however PayPal and the like will allow you to buy a card reader, which I assume support Contactless Payments.  If the transaction is sub £30 then in theory it should work.

 

 

Getting hold of the physical device would be easy enough, but you also need to be registered with a payment processing firm to be able to actually charge anyone's card and this is where it gets tricky.

To sign up for a merchant account you need to go through a validation process to prove who you are.

http://www.sagepay.co.uk/file/637/download-document/ms_guide_july2012_web_0.pdf?token=lKIdh11qg86N7L5ip7TYwkY1A_ZJEWyTEo1v-0MIGbg

If you then started "stealing" money from people like this the transactions would be traced straight back to you.

If you then started "stealing" money from people like this the transactions would be traced straight back to you.

 

 

That was my thought too, although I didn't say it previously as I wasn't sure.  Plus if there were sufficient charge backs made to a single vendor then I am sure the payment provider would soon have a look to see what was going on.

Many smartphones can read NFC and with the right App you can copy an oyster card then replay it.

Same goes for NFC door entry fobs and one would assume also credit cards or passports.

 

Of course as pointed out, if you've got lots of NFC cards in close proximity, then things will probably get confused.

Edited by cheezemonkhai

Surely if said device was purchased in another country say Russia and the payment details sent through a proxy so the NFC device thought it was in Russia then they could steal your money.

More social media scaremongering.

It's BS.

I was always told 'keep it under your hat' which is why I've always kept my cards under my hat.

Finally, I've a reason to buy a tin foil hat.

Still available here if anyone's interested; Don't PM me for prices/ group buys etc

I was always told 'keep it under your hat' which is why I've always kept my cards under my hat.

Finally, I've a reason to buy a tin foil hat.

Still available here if anyone's interested; Don't PM me for prices/ group buys etc

That's where you supposed to keep marmalade sandwiches.

Sent from my D5803 using Tapatalk

That's where you supposed to keep marmalade sandwiches.

Sent from my D5803 using Tapatalk

images_zpsabw2yjt5.jpg

There were a few reports in the papers about peoples cards being picked up by the NFC till machine while the customer in front was trying to pay; so it can happen. As for the phone nfc reader getting confused, the people doing this wouldnt be bothered, they would be harvesting thousands a day, then selling them on to the gangs that sorted out the numbers with their own software packages, then THEY would sell them on to the people who would use the numbers to empty your bank account.

 

Much in the same way they used to sit in a van over the motorway and harvest mobile phone data back in the days of analogue phones.

The range of a retail & mobile phone NFC reader is 2" (apple pay I believe is 1" maximum range), so the person behind won't get their card read. It's daily mail-esque scaremongering.

Even proof of concept long range grabbing by experts/white hats hasn't achieved much further than 8-12" from a card, but the antenna needed would be obvious to anyone. The most likely method is a modified mobile in a crowd 2-4" from your pocket (ie crowded tube, lift etc)

It is true swiping a wallet on a reader that the wrong card can be selected as has been proven extensively with oyster and credit cards being debited as you can also use them on the tube/bus readers.

An NFC reader will latch onto the first card/chip it can successfully read, so it's always recommended to remove the card and place only that one within range of a reader.

Whilst NFC cards suffer from this method of attack, both Apple & Google payment services employ encryption and GPS terminal verification so grabbing their data is useless.

Based on the amount of trouble I have getting the reader on the till to pick up my card at the local coop, anything more than a few inches seems ridiculous.

Sent from my D5803 using Tapatalk

The range of a retail & mobile phone NFC reader is 2" (apple pay I believe is 1" maximum range), so the person behind won't get their card read. It's daily mail-esque scaremongering.

Even proof of concept long range grabbing by experts/white hats hasn't achieved much further than 8-12" from a card, but the antenna needed would be obvious to anyone. The most likely method is a modified mobile in a crowd 2-4" from your pocket (ie crowded tube, lift etc)

It is true swiping a wallet on a reader that the wrong card can be selected as has been proven extensively with oyster and credit cards being debited as you can also use them on the tube/bus readers.

An NFC reader will latch onto the first card/chip it can successfully read, so it's always recommended to remove the card and place only that one within range of a reader.

Whilst NFC cards suffer from this method of attack, both Apple & Google payment services employ encryption and GPS terminal verification so grabbing their data is useless.

 

The Range of the NFC readers is not maximum its has been de-tuned and calibrated to be this distance from the Card. The antenna inside is capable of reading further with

adjustment. I don't want to say to much to help the crims but there is probably an adjustable pot inside. I have had some success at work adjusting Time and motion RFID tag readers to work through a glass door so the door doesn't need opening to clock in. that's Perhaps 1ft / 12" Same principle. So don't just tell everyone not to worry because you read a blog that said its not possible. I would always err on the side of caution.

Like all tech, It is possible but rare.

 

I have an NFC phone and Read / Write tags that with an app i can read / write these tags to activate apps & setting on the phone as i scan it past the tag, at present it is just a gimmick & not something i use day to day.

 

The contactless cards can be read by some apps, but the better contactless cards just read rubbish on the phone, so must have an encryption key built in to identify it. ( i did try it  with my own cards ).

 

Does anyone remember the story that hit the press in the early days of contactless about the M&S card readers picking up payment from other contactless card close by while the person was paying by Chip & Pin ? Of course M&S denied this, but the story could be true as it was very early days for this tech.

More social media scaremongering.

It's BS.

Which bit.

There are many factors and some cards are less secure than others (eg oyster vs bank etc).

You are spot on about the range and the best way being a phone on a crowded tube/gig etc.

I can't imagine it's done very much, because nicking £30 at a time isn't the best way to make money, but it is technically possible (at least currently)

Edited by cheezemonkhai

The Range of the NFC readers is not maximum its has been de-tuned and calibrated to be this distance from the Card. The antenna inside is capable of reading further with

adjustment. I don't want to say to much to help the crims but there is probably an adjustable pot inside. I have had some success at work adjusting Time and motion RFID tag readers to work through a glass door so the door doesn't need opening to clock in. that's Perhaps 1ft / 12" Same principle. So don't just tell everyone not to worry because you read a blog that said its not possible. I would always err on the side of caution.

The nfc readers in phones and payment modules aren't as powerful as ones used on access control systems.

Depending on the system, those can read chips at the ranges you mentioned.

One site I go to with work staff can walk up to the entrance and the doors open, visitors or contractors are issued with cards which must physically be within 1" of the wall reader to work and open doors up.

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.