Almost as bad as ZWE: http://thefinanser.co.uk/fsclub/2013/07/zimbabwes-currency-crisis-and-the-100-trillion-dollar-note.html
From the actual paper:
In our experiments, EMV cards have been found to approve
contactless transactions up to €999,999.99 without requesting
the PIN […] In testing we have also obtained transaction approvals in US Dollars
for $999,999.99 (currency code 0840)
So euros and dollars at least. I have to admit that it’s pure speculation on my part regarding Bahraini dinars.
awesome work! thanks for getting to the bottom of that.
bonus points for the link to the actual paper which was a very interesting read.
Okay, so it is possible to perform a contactless transaction of up to €999,999.99 or $999,999.99 USD without requesting a PIN.
It’s interesting from a theoretical standpoint, but practically, under what circumstances would it be possible to do so? ATMs sure aren’t contactless (right?), and wouldn’t there be some sort of restriction in the licensing for POS machines to prevent such transactions? (They are still licensed under fairly stringent and often stifling conditions, aren’t they?)
My point was that AFAIK it’s not been screwed up here, where transactions in foreign currency are an everyday part of life. Someone screwed up bad because it’s been done elsewhere, without this problem.
Also: if this is an implementation fault then there’s no way a person could be held liable for the loss since it was in no way their fault.
Before the era of Chip’n’Pin, you could just stick the card in the microwave for a few seconds until the contactless chip got fried with a satisfying “pop”.
Back then the cards were magstripe only, no contactless, no chips to fry. I however have a suspicion that the magnetic material in the magstripe could be thermally damaged.
To start with, my apologies for my reply being so unnecessarily aggressive. I’d had a hell of a couple of nights and had my reply-gun firmly set to grump. Sorry about that.
Keeping more than one card together doesn’t offer any protection at all
it just triggers a failsafe recently added to the legitimate machines.
Well I’ll be damned. To be honest, that wasn’t actually what I was relying on for security (for that, I have nothing heh) - I’m part of the “look at your balance online/on your phone all the time” generation, so I’d know pretty fast if someone had tapped my card (though I’ve noticed it takes a lot longer for a Paywaved transaction to show up on my online transaction lists than an old fashioned swipe+pin or chip+pin purchase). I’m surprised that it would be feasible for a card reader to trigger more than one card at a time and tell them apart, that’s pretty neat.
no worries… I’ve been there myself! thanks for explaining, believe it or not that actually meant a lot as I’ve also had a pretty rough week. the little things, eh?
they do sell wallets and wallet inserts that shield the chip from being read unless it is removed. a metal sheath around the cards. while it is theoretically possible to make a reader that can read from much farther range or read cards that have been shielded, it would require much more sophisticated hardware that a hacker would be unlikely to be carrying around with them.
the worst part about these over the air touchless hacks is exactly that, the person stealing from you never has to interact with you, just sit or stand within 4ft for less than a minute.