RFID smart card: Be careful with your card security

With the spread of smart devices and NFC, payment with RFID cards has become more and more popular. Today's contactless cards (including but not limited to social security cards, meal cards, transportation cards, access cards, etc.) all use RFID technology. At the same time, RFID smart cards are getting more and more attention from attackers.

The hacking of the Beijing subway ticket card and the transit card hacking incident that occurred in Chile not long ago are typical examples: the thief changed the balance of the card simply by holding an NFC phone close to the transit card.

An app that specializes in RFID smart cards

This is an Android app named PuntoBIP!, which can be used to hack the NFC electronic payment system TarjetaBIP!. The cost of committing the crime is very low, and people can download the app from major forums and blogs. Trend Micro has published an article explaining how the Android app is used to hack RFID payment cards, which specifically discusses the risks of RFID payments.

In the case of the transit card in Chile, even an offender with no technical knowledge only needs to install the app on an NFC-enabled Android phone, put the transit card close to the phone screen and press “Cargar10k” to immediately recharge the card with 10,000 Chilean pesos (about $17). Although that is not much money, it adds up to a large gain in the long run.

This Android app has four main features:

1, número BIP: used to obtain the card number

2, saldo BIP: get the balance available in the card

3, Data carga: recharge available balance

4, número BIP: change the card number

The last function is particularly dangerous. The consequences of a card number being changed are very serious. If this technique is maliciously exploited, it will cause great social harm and economic loss.

Principle analysis

By analyzing the source code of the Android program, we found that the attacker writes data prepared in advance into the card and can then adjust the balance of the card at will. The app can read and write data on the RFID card without being stopped by the authentication mechanism because the smart card is based on an older version of MIFARE that has multiple security vulnerabilities. These vulnerabilities allow hackers to clone and rewrite the content of a MIFARE Classic card using common devices such as Proxmark3.

Hackers can easily crack the card's authentication key using common tools. With the authentication key and NFC support on the local device, the attacker can easily rewrite the card, and cloning a new card is just as easy.
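Because the attack rewrites data on the card itself, an operator can catch it by comparing what the card reports with what the back office recorded. The following is an added example, not part of the original article or of Trend Micro's analysis; the event layout, the station names, the 120-second threshold and all sample values are constructed assumptions.

```python
# Added example: back-office reconciliation for a stored-value transit card.
# The event layout, field order and MIN_TRAVEL_SECONDS are assumptions.
MIN_TRAVEL_SECONDS = 120  # assumed shortest trip between two stations

# Constructed sample events: (time_s, card_no, station, kind, amount, balance_on_card)
EVENTS = [
    (0,    "1001", "A", "topup", 5000, 5000),
    (600,  "1001", "A", "fare",   700, 4300),
    (4000, "1001", "B", "fare",   700, 13600),  # +10000 with no recorded top-up
    (5000, "2002", "C", "topup", 3000, 3000),
    (5060, "2002", "D", "fare",   700, 2300),   # second station 60 s later
    (6000, "9999", "A", "fare",   700, 9300),   # number never issued
]
ISSUED = {"1001", "2002"}  # constructed list of issued card numbers


def reconcile(events, issued):
    """Return (time, card, reason) alerts; the ledger, not the card, is trusted."""
    ledger, last_seen, alerts = {}, {}, []
    for t, card, station, kind, amount, on_card in sorted(events):
        if card not in issued:
            alerts.append((t, card, "unknown card number"))
            continue
        # One card number at two stations faster than a trip allows points to
        # a cloned card or a rewritten card number.
        prev = last_seen.get(card)
        if prev and prev[1] != station and t - prev[0] < MIN_TRAVEL_SECONDS:
            alerts.append((t, card, "same card at two stations"))
        last_seen[card] = (t, station)
        # Only top-ups and fares seen by the back office move the ledger.
        expected = ledger.get(card, 0) + (amount if kind == "topup" else -amount)
        if on_card != expected:
            alerts.append((t, card, f"balance off by {on_card - expected:+d}"))
        ledger[card] = expected
    return alerts


if __name__ == "__main__":
    for alert in reconcile(EVENTS, ISSUED):
        print(alert)
```

Since the ledger stays authoritative after a mismatch, a tampered card keeps raising the same alert on every later use until it is blocked or replaced.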

To facilitate security research, the malware download source found through a search engine is provided here. However, according to a foreign security researcher, the updated version differs from the original program. Readers who want to download it for research should be cautious.

Social security card, payment card and meal card are at risk

Not only is the MIFARE Classic card affected; the MIFARE DESFire and MIFARE Ultralight (described above) cards are affected as well.

Trend Micro said there are at least three cards currently affected: social security cards (with associated banking services), payment cards and dining cards. The social security card (with associated banking services) and the payment card are MIFARE DESFire cards, which are vulnerable to side-channel attacks; the dining card is a MIFARE Classic card, and the attacker can modify the amount stored on it.

If an attacker monitors the information leaked by the cryptosystems in these cards, the keys can be recovered within seven hours. If the keys are not random, these cards can be modified and cloned just like MIFARE Classic cards. To make matters worse, even credit cards can be manipulated by Android apps running on NFC-equipped mobile devices.

Why is it so dangerous? Besides the outdated technology used in these cards, another reason is the effort to save on card manufacturing costs: as the saying goes, cheap goods are rarely good goods.

Expert advice

Pay attention to your card balance, set a charge reminder, and check whether the RFID card you are using is one of those described in this article.

