Saturday, 18 December 2010

PayPass hacked?

Wireless Pickpocketing demonstrated on the street using PayPass technology:

After watching the video or reading the transcript you may have a few questions:
  • Is this really a compromise?
  • Is PayPass hacked?
  • What about my liability?
  • Why all the fuss?

There are several views to take on the information in the story. The banks have responded and their take is that PayPass technology is secure.

That all depends on your definition of secure.

Lets get things straight, this video shows that without your knowledge, participation or assistance your card details can be retrieved. In some cases your name as well. Unlike handing your card to a shop-employee, where you're aware of the potential for compromise, you can be walking down the street and have your card read.

The banks almost universally point out that this does not compromise the verification code physically printed on your card and they go on to say that you cannot make a transaction without such a verification code. Of course, that's how it's intended to be, but the reality is that there are thousands of merchants who can and do transact without a verification code, so the banks are telling a half-truth at best.

So, to answer the first point, yes, this is really a compromise.

On to the second point, does this mean that PayPass is hacked?

Well, yes and no. The methodology used does not appear to actually create a PayPass level transaction, there is no information about this in the story.

However, there is no information the other way either.

The reader shown in the video appears to be a standard PayPass reader connected to a computer. Once you can monitor the link that has been created between the card and the reader, the next level of compromise is orders of magnitude simpler.

There are countless hacks in the wild today that rely on the ability to see the information as it flows. This video doesn't show a transaction being processed, but that doesn't mean that it cannot happen, or that it hasn't happened already.

The thing to take away from this is that the probability of a full-blown untraceable compromise has just shot up and the likelihood of it happening is much higher.

What about your liability?

If you printed a t-shirt with your credit-card details on it, your bank is unlikely to protect you against any unauthorised transactions since you didn't protect your card details. This video shows the same level of exposure, only this is invisible.

Some commentators attempting to detract from this story are saying that the only type of transactions that can be made by this level of exposure are the same as can be achieved by reading the magnetic strip on your card, and that may well be true - depending on what information is available from the chip on the card.

These same commentators miss the salient point, that your card can be read without you ever knowing - well, until the information is used that is.

Why all the fuss?

If the bank maintains that PayPass cannot be compromised - which is what they're saying today, then by definition, any transactions have to be made by you. If PayPass is hacked and fraudulent transactions are made by someone else, the bank can decline to protect you on the grounds that in their opinion the system is secure, and thus you made the transaction.

A system such as PayPass relies on all elements being secure. If one part of the chain breaks, the whole thing falls apart.

This video shows that the ends are fraying.

What can you do?

Fundamentally, this system is broken. No amount of sugar-coating can make it otherwise. Talk to your bank and make them aware of your concerns. Be aware that many bank employees are completely unaware of any issues with this technology and that many happy PayPass users exist today. Unfortunately, the same could be said for smokers 40 years ago.

1 comment:

Anonymous said...

Its disappointing that the banks are foisting payWave on us.

On the upside, its a matter of time before Today Tonight does a scary story on the issue. Then the banks will be falling over each other to provide 'non-payWave' option.