Saturday, 18 December 2010

PayPass hacked?

Wireless Pickpocketing demonstrated on the street using PayPass technology:

After watching the video or reading the transcript you may have a few questions:
  • Is this really a compromise?
  • Is PayPass hacked?
  • What about my liability?
  • Why all the fuss?

There are several views to take on the information in the story. The banks have responded and their take is that PayPass technology is secure.

That all depends on your definition of secure.

Let's get things straight: this video shows that without your knowledge, participation or assistance your card details can be retrieved, and in some cases your name as well. Unlike handing your card to a shop-employee, where you're aware of the potential for compromise, you can be walking down the street and have your card read.

The banks almost universally point out that this does not compromise the verification code physically printed on your card and they go on to say that you cannot make a transaction without such a verification code. Of course, that's how it's intended to be, but the reality is that there are thousands of merchants who can and do transact without a verification code, so the banks are telling a half-truth at best.

So, to answer the first point, yes, this is really a compromise.

On to the second point, does this mean that PayPass is hacked?

Well, yes and no. The methodology used does not appear to actually create a PayPass-level transaction; there is no information about this in the story.

However, there is no information the other way either.

The reader shown in the video appears to be a standard PayPass reader connected to a computer. Once you can monitor the link that has been created between the card and the reader, the next level of compromise is orders of magnitude simpler.

There are countless hacks in the wild today that rely on the ability to see the information as it flows. This video doesn't show a transaction being processed, but that doesn't mean that it cannot happen, or that it hasn't happened already.

The thing to take away from this is that the probability of a full-blown untraceable compromise has just shot up and the likelihood of it happening is much higher.

What about your liability?

If you printed a t-shirt with your credit-card details on it, your bank is unlikely to protect you against any unauthorised transactions since you didn't protect your card details. This video shows the same level of exposure, only this is invisible.

Some commentators attempting to detract from this story are saying that the only type of transactions that can be made by this level of exposure are the same as can be achieved by reading the magnetic strip on your card, and that may well be true - depending on what information is available from the chip on the card.

These same commentators miss the salient point, that your card can be read without you ever knowing - well, until the information is used that is.

Why all the fuss?

If the bank maintains that PayPass cannot be compromised - which is what they're saying today - then by definition, any transactions have to be made by you. If PayPass is hacked and fraudulent transactions are made by someone else, the bank can decline to protect you on the grounds that in their opinion the system is secure, and thus you made the transaction.

A system such as PayPass relies on all elements being secure. If one part of the chain breaks, the whole thing falls apart.

This video shows that the ends are fraying.

What can you do?

Fundamentally, this system is broken. No amount of sugar-coating can make it otherwise. Talk to your bank and make them aware of your concerns. Be aware that many bank employees are completely unaware of any issues with this technology and that many happy PayPass users exist today. Unfortunately, the same could be said for smokers 40 years ago.

Thursday, 14 October 2010

PayPass - what's the problem?

The system is encrypted, the bank says it cannot be hacked and my funds are protected against unauthorised use if I abide by their terms and conditions.

So what's the big deal, why not chill out and deal with it - or even change banking institution?

First of all, this idea is broken. It's broken on more levels than I can count. I've only been highlighting some of the issues.

Here are some scenarios to consider:

Scenario 1:
What if someone hits me over the back of the head to get my card because it's as good as cash? Does the bank protect against that?

Suggestions have been made that thieves aren't interested in $100. My experience of theft - as in being a victim of theft - tells me that any amount of free cash is desirable.

Scenario 2:
What if someone manages to make a clone of my card? The bank can claim that any purchase made with that cloned card is in fact my card, and thus I'm liable for a purchase made on that cloned card - I have no recourse because according to the bank, I made the purchase with my card. Since I still have my card, I cannot claim it was stolen.

The bank claims that cloning isn't possible, but I've been in the IT industry too long to rely on such an assumption. There is a good financial incentive to clone a card. Since this system uses RFID, a wireless technology, people can access my card just by being in range with a strong enough antenna.

This means that my card can be cloned without my knowledge or participation.

Scenario 3:
If this technology takes off, then the number of transactions on a credit card statement will increase significantly. Typically this means that fewer people are likely to sit down and check every single transaction on their statement, making it easier for fraudulent transactions to slip through.

Scenario 4:
To deal with the increased volume of transactions, the bank could create "smarter" software to detect fraudulent transactions.

This means that you might have other side effect issues like getting on a plane in the morning and trying to pay for a taxi at your destination in a different country.

The bank might decide that you have never been to Nepal and that this transaction is fraudulent. With real-time banking making inroads, this makes it likely that the transaction will be caught in real-time, making it impossible for you to pay for your completely valid taxi-ride from the airport to base-camp.

PayPass - not so new kid on the block

It seems that the Commonwealth Bank has been playing with PayPass since 2006. I don't recall ever seeing any information about it, and only in the last couple of months have I seen TV advertising and seen readers sprouting like mushrooms in my neighbourhood.

There are others who have been raising concerns since 2009. Note that the statement on that page about Mythbusters has been retracted by Adam Savage.

There is also a ZDNet Patch Monday podcast (from 4'56" until 14'33") that discusses PayPass and PayWave (the Visa version of the Mastercard PayPass). They state $35 as the limit, which appears to be incorrect; I've been told $100. The podcast discusses some of my concerns - those to do with authentication and hack-ability. It also raises concerns about customer risk assessment, legal issues related to Card (Not) Present transactions, etc.

The podcast also goes on to discuss issues related to checking your statement, which contactless payments will make harder, since you're unlikely to get a receipt and the number of transactions per statement will increase markedly, making it even harder to spot an unsolicited transaction.

Wednesday, 13 October 2010

VM Workstation

Having now used my virtual workstation for many months, I can provide a meaningful update about the whole thing.

For those who want some background I wrote about what I'd like to achieve a while back. I ended up running VMware Fusion on a 17" MacBook Pro.

First of all, it works. I use my main virtual workstation all day every day. Deployment was as simple as creating a disk image of my ThinkPad, putting it on my MacBook drive and pointing VMware at it.

My only beef is three persistent bugs with VMware Fusion:
  1. Sometimes the keyboard doesn't work when I resume my workstation image. A keypress results in a beep. The only work-around is to go from full-screen to single window with Command-Option-Return and then maximizing the window to full-screen again. This is a PITA since my Gnome Toolbars then "helpfully" move around and don't get put back where they were.
  2. When I wake the workstation, sometimes for no particular reason the network is off and I need to re-enable it.
  3. I've stopped sleeping my MacBook with VMware running because there is a nasty bug that somehow causes VMware to freeze which results in data-loss - very unhappy. So now I quit Fusion, and then sleep my MacBook. Not ideal.
Things that work.
  1. I have the ability now to snapshot my workstation, or development server, or client image, or whatever and do an upgrade or driver install and then roll it back with no pain.
  2. I am running this with 3 external monitors and it just works. I'm using the DVI port and 2 x USB-DVI adapters with 3 x 1080p screens (Toshiba PA3768) - which also rotate - niiice.
  3. I'm using Afloat to keep a VM window floating above my "normal" desktop, so I can use Ubuntu as my workstation full-screen while still keeping an eye on another VM.
  4. My backups are using Time Machine on a sparse bundle drive, which VMware doesn't notice. So all my VM images are stored on this drive and Time Machine just backs up the sparse-bundle file.
  5. I pulled out all the apps from OS X and created an OS X guest machine where I can run iTunes etc. Sound is still buggy on this guest, but I'm working on that.
All in all, this has proven to be a little nerve-racking in the early days, especially with the data-loss issue, but my productivity has increased no end and I can say that this is a vast improvement on running my workstation on bare-metal for many many reasons.

Now if I had a few more hours in the day I could get back to doing more productive stuff for the Ubuntu Server Team.

Tuesday, 28 September 2010

CBA PayPass - the second response

Dear Mr Benschop,

I have again referred this matter to our Credit Card Product Team, the response is as follows:

Thank you for outlining your further concerns about the security of contactless payments, such as MasterCard PayPass. PayPass is a feature enjoyed by the majority of our customers due to the payment flexibility and convenience it provides. PayPass has been designed to be as secure as other payment methods, such as magnetic stripe transactions. You will continue to be protected from liability on unauthorised transactions as long as you continue to adhere to the Conditions of Use.

We do not recommend any attempt at manipulation of your card plastic.


Commonwealth Bank
Customer Experience Consultant

Rapid Resolution Team

CBA Group Customer Relations
Group Sales & Service Support Team
Level 19, 150 George Street
Parramatta NSW 2150
P: 1800 805 605
F: 1800 028 542

Monday, 9 August 2010

CBA PayPass - my email to the bank

Dear {redacted},


In response to your email, you are correct that I am not happy with the response provided as it did not in any way address any of the concerns I raised on the phone with you and your colleague.

I'll state again, this time in writing, what the concerns are.

I am concerned about PayPass from a personal safety perspective. I'm concerned that you as a bank have created a personal security issue for me that I cannot remove or reduce. You did this without my permission and you provide no way for me as a consumer to opt-out, decrease my exposure or remove any such concerns.

You have advised me that PayPass allows for individual transactions of up to $100 per transaction. In addition you advised me, there is no limit on the number of transactions allowed. This means that in effect I am carrying in my wallet the total credit limit of my card in cash. This means that anyone observing that I have a PayPass card has the ability to gain access to those funds without my authorisation or participation.

The unlimited access to funds that the PayPass system represents provides ample incentive for the criminal element to become interested.

My concern is not the funds which you keep telling me are protected; my concern is my personal safety if force was used to obtain my card without my permission. If I need to spell it out, a thief could sit in a coffee shop and observe that I have a PayPass card. They can follow me out the door and take my wallet from me and have unlimited access to my funds. Common sense continues to prevent me from carrying large amounts of cash and I'm not prepared to start now.

In addition, the access need not even be forceful or physical as outlined above. Since PayPass uses RFID technology, access could be achieved using wireless access and a few dollars of equipment. 30 minutes on the Internet gave me several research papers and suggestions on how this might be achieved and examples were available showing access to such cards. I have found several scenarios which allow unfettered access to my card. With no limits on the card, there is ample incentive to develop solutions to circumvent any security measures. Just because Mastercard says that it cannot be hacked, doesn't make it so.

I've been in the IT industry for too long to believe that security through obscurity is sufficient and I expect better from my bank.

In addition to the above, I also asked you what the impact would be of disabling the RFID chip in my card, by inserting my card into a microwave or power drill.

I look forward to your response.

Kind regards,
Onno Benschop

Friday, 6 August 2010

CBA PayPass - the response

Dear Mr Benschop

Thank you for your call, which to this office 30 July 2010. In regards to the issues you have raised regarding the PayPass function on your credit card, I have requested review from the product area and they have provided a response as follows:

PayPass functionality is included with all CBA issued MasterCard credit and debit cards, and cannot be turned off. However if a customer would not like to use the technology, they can continue to sign/enter a PIN through the terminal, and can simply avoid tapping against PayPass readers.

PayPass is an extremely secure payment method, and is not more vulnerable to fraud than any other form of payment (such as signing for transactions).

Mr Benschop, I understand that you have already been provided with this response and that you will not be happy with this decision.

If you wish to discuss this matter further please contact me


Commonwealth Bank
Customer Experience Consultant

Rapid Resolution Team

CBA Group Customer Relations
Group Sales & Service Support Team
Level 19, 150 George Street
Parramatta NSW 2150
P: 1800 805 605
F: 1800 028 542

Friday, 30 July 2010

CBA PayPass

Today I found out that the Commonwealth Bank has a new "feature" called PayPass or Tap 'n Go. I'd recently seen it advertised on TV and wondered what the implementation was like.

The idea behind this technology is that you can make a transaction without needing to sign or enter your PIN when making a purchase. You just wave your card in front of a reader and the transaction is complete. There is no physical contact between your card and the reader - in fact you don't even need to take your card out of your wallet.

I learnt the following:
  1. The transaction limit is $100 per transaction.
  2. There is no limit to the number of transactions.
  3. You cannot set a limit.
  4. You cannot opt-out.
I contacted the bank customer service team via phone to confirm what I learnt. Initially there was some discussion about the $100 limit, but this was finally confirmed.

I asked the bank why I was unable to limit my exposure to this "feature" since I was concerned about my personal security as well as issues relating to RFID. The bank's response was: "You don't need to take your card with you, you can just leave it at home."

I asked to escalate the call and ended up speaking with a team leader in the Rapid Resolution Team who after some discussion began to understand my concerns and they created a case for me.

I've been promised a response in writing.