Content |
Main article: Contactless NFC payments
2019: The new method of theft of money from Visa proximity cards is detected
Experts in cyber security from Positive Technologies company told in July, 2019 about vulnerability which operation allows malefactors to bypass restriction for write-off of the large amounts with a contactless method from cards of Visa.
Usually proximity cards do not allow to carry out payment of a large sum without PIN code. For example, users in Great Britain need to enter the PIN code upon purchase from £30 (about 2300 rubles). If criminals steal the card and will try to carry out several transactions for large sums, then the bank will block the card.
According to experts from Positive Technologies, there are two methods to bypass this restriction. In the first case they used the device for interception and replacement of messages in a communication channel between the card and the reader device. With its help on the card the false signal about write-off of the amount less than £30, and was sent to the terminal — the message about the verification which is carried out in a different way. This vulnerability mentions only the Visa cards as in other payment systems big transactions are confirmed only by the PIN code.
In the second option researchers used two mobile phones. One phone collected the so-called cryptogram of payment guaranteeing authenticity of future transactions from the card. The second — accepted the cryptogram and imitated the card.
The Visa company is not going to take measures for suppression of these types of fraud. According to the company, for fraud implementation malefactors need to have the card, and it seldom happens. However researchers do not agree that the card needs to be stolen. As showed results of an experiment, it is enough to malefactor to approach for a while it is close to the card of the victim and to consider payment.
2017: The Central Bank told about contactless thefts from payment cards
Experts of FinCERT (FINTSERT) of the Central Bank told in September, 2017 about data of cards which interest malefactors at contactless thefts. It on Thursday, September 28, Rambler News Service with reference to materials of FINTSERT reports.
There are no confirmed data on successful creation in Russia of duplicates of payment cards yet, note in the center. Data on type of the used payment application, card expiration date, a name of the card holder, PAN (Primary Account Number, the main card number), the history of transactions, the number of the remained attempts of input of the PIN code become the purposes of thefts.
Besides, perhaps separate plunder of Track 2 of a magnetic band of the payment card.
Remain the most popular methods of thefts a skimming at which information on the bank card sneaks using the special device, a kind of a skimming — a shimming and Black Box (cracking and installation in ATMs of the malicious software).
2015: The protected modules SE and HCE
Safety of such transactions is performed by means of the protected module (SE) – the chip, steady against cracking, which provides the protected storage, commission of payment transactions and storage of confidential data. Such chip saves information, manages protection and provides the screen (Firewall) between the NFC applications and other modules[1].
When using the Host Card Emulation (HCE) technology allowing to emulate the bank card on phone or the tablet, the protected module is virtual and is in a cloud.
HCE has an open architecture that allows to emulate not only bank cards, but also cards of programs of loyalty, transport cards, the admission, etc. The technology allows to accelerate considerably process of implementation of payment NFC services as need for coordination and approval of actions of mobile phone manufacturers disappears, besides, many compatibility issues are solved.
SE and HCE technologies considerably differ, at the same time everyone has both advantages, and shortcomings. HCE allows not only to make payments on physical POS terminals as SE, but also to perform Internet transactions on the websites and in applications, however it is more vulnerable to the malware and is critical to existence of Internet connection.
Thus, the protected module can be built in the following elements:
- the SD card is the memory card which can be inserted into some phones as addition to already available SE/NFC functions;
- the external device – in this case the sticker or the device connected to phone gives the chance to use SE/NFC;
- the built-in device – the module SE/NFC is built already in some phones;
- SIM is adding of the NFC function in the identification module of the subscriber;
- a cloud – program approach which unties the protected element from the device.
2012: The NFC technology is a new era of security risks
On June 28, 2012 the Symantec corporation announced a new type of potential threats. Emergence of new NFC technology which provides wireless data exchange put to the beginning to emergence of new mobile applications on its base which can be potentially dangerous. The Android application.Ecardgrabber is capable to consider number of the plastic card, term of its action and also the bank account number of the user.
The German security researcher released the Android application capable to read out data of a limited number of proximity plastic cards on the radio interface on Play Google service. Proximity plastic cards are usually used for transactions for the amounts less than 10 euros without input of a PIN code – just it is necessary to bring the card to a point on the terminal of sales.
The Android application registrated by Symantec company under the name of Android.Ecardgrabber makes attempt of data reading using the protocol of communication of NFC (engl. Near Field Communication, the standard of short distance communication) — the technology implemented on the newest models of smartphones. The application was placed on Play Google service on June 13, 2012. Before removal from 100 to 500 users managed to download it.
You watch also Payment systems and services
- Apple Pay
- Samsung Pay
- Alipay
- WeChat Pay
- Garmin Pay
- PayPal and PayPal Russia
- Android Pay + Google Wallet = Google Pay
- Huawei Pay
- VK Pay
- SWIFT
- Visa International
- MasterCard
- UnionPay
- JCB Payment system
- Corda R3 Payment system on a blockchain
- NATIONAL PAYMENT CARD SYSTEM WORLD
- Service for transfer of financial messages (SPFS)
- Pro100 (payment system)
- Rapida
- ChronoPay
- Zolotaya Korona
- The leader - a money transfer system of NPO
- Yandex.Money
- Webmoney
- RBK Money
- Purse of MTS Money
- Multicard
- Multiservice Payment System (MPS)
- Comepay Payment system
- Contact (payment system)
- Pay.Travel
- Blizko payment system
- Universal Electronic Card (UEC)
- Services of mobile payments
- Contactless NFC payments
- Payment terminals (system of instant payments)
- Electronic payment systems in Azerbaijan
- Electronic payment systems in Kazakhstan
- Electronic payment systems in Russia
- Electronic payment systems in Ukraine
- Card payment systems
- Money transfers (market of Russia)
- Money transfers (world market)