In the absence of an “official” download link for these so far (although I’m sure they’ll be up on the Shmoocon page soon enough), my slides from Shmoocon this year. Seems it got a little press coverage and a whole bunch of attention on Twitter, so I figured I should get these out ASAP.
Hopefully video will be up soon but if anyone has questions about the talk in the meantime please ping me (ideally on twitter) and I’ll update the FAQ as and when I can.
What hardware / software were you using?
I used a Vivopay 4500 contactless card reader, an MSE-750 magstripe reader/writer, a Square dongle for my cellphone (on Android, not iPhone), and some code I wrote based on 3ricj‘s PwnPass code (no longer publicly available, afaik).
How did you get magstripe data from a contactless read?
The contactless reader spits out magstripe-formatted data as its intended mode of operation. I get valid Track1 / Track2 info (lacking only the name, which is usually “Valued Cardmember” or some such), which I just copy and paste to T1 / T2 on the MSR. There’s really not much to it – and yes, I’m processing credit card transactions without knowing the cardholder’s name.
Can you use the resultant card data online?
I get a valid cardnumber and expiry date (both usually the same as printed on the face of the card) and a single-use CVV value. If you can find somewhere online that’ll let you process a transaction with nothing but a card number and expiry date then yes you could, but otherwise you’re restricted to writing a magstripe and using that.
This is old news – XYZ did this years ago
I’m certainly not the first person to demo RFID vulnerabilities in payment cards. I haven’t heard of a full end-to-end demo before (RFID -> magstripe -> Square -> Profit!) but that doesn’t mean it’s not been done; I won’t be the last either as long as the industry keeps denying the problems. Now that it’s been irrefutably proven live on-stage that contactless fraud is possible I’m hoping that some of these issues can be addressed; if not don’t expect me to be the last person to talk about it either.
So what’s the deal with the CVV?
Credit cards have 3 CVV codes, one printed on the back of the card, a second encoded onto the magstripe, and a third from the RFID which changes with each read. Square (as well as some other combinations of PoS terminal + backend processor) is unable to tell the difference between an RFID transaction and a magstripe transaction, so as long as the CVV is valid (i.e. it’s being played back in-sequence with no repeats) the transaction goes through.