Contactless cards again! [OT in uk.d-i-y]

On 20/05/2013 17:44, John Rumm wrote: ...

My bank wrote to me to ask if I wanted them and also offered me a sticker to put on my mobile phone that would work as a contactless card. I said no to both and my personal cards from that bank are not contactless, although my business cards from the same bank are.

Colin Bignell

Nightjar

No, not really. It's not a massive issue for Oyster as the best you could do would be to clone a card and use it that day - it would get picked up overnight in the consolidation runs (if not before, they have some rather clever pattern detection software). They have other checks in place that make it tricky.

Mifare Classic cards are compromised now. It's not trivial. They do however carry various sectors that can be used and if what you put in there is encrypted then it's not a lot of use without the key to the encryption.

Got a modern smartphone with NFC built in? You can read a Mifare card. Plenty of tools around to crack it. eBay will supply all the tools and blank cards. It's pretty simple.

As pointed out, Mifare is a brand though - they have many other cards that are not (yet) compromised. Mifare DESFire is common (although IIRC, the original version of those has been broken).

Darren

D.M.Chapman

Aluminium wallets are supposed to do the trick.

[link]

F Murtz

I've not tried this, but:

[link]

The loop antenna goes around the edge, so any cut sufficiently deep into the three edges furthest from the chip should do it. However that's not mechanically stable (i.e. is liable to turn into a larger tear).

X-rays:

[link]

Based on the sample I have here, I think the top two cards may be from TCT (look at the tiny print on the top right of the back of your card) - I think that's Thames Card Technology (who provide the cards to the bank, but aren't themselves the manufacturer). What's curious about these is the lack of visible antenna on the X-ray. However it may be a polymer antenna not metal.

Assuming the polymer antenna is in the same place as the copper on other cards, drilling about 5mm in from the long edge of the card should do the trick.

Theo

Theo Markettos

Something I read earlier today suggested keeping two (or more) cards close together as they interfere and cancel out any accidental transaction. This certainly works for my security passes - the correct card has to be removed from the stack in the card holder to work. An M&S PoS terminal was tested by I can't remember whom and found to have a maximum NFC range of 5cm.

Nick

I wouldn't rely on that. I regularly travel in London with both my Oyster card and my work ID card. Both are Mifare Classics - if I have them both in my wallet about 75% of the time the Oyster readers get it right, 25% of the time I get an error. Removing my ID card cures it. Likewise the other way around - work security readers barf around 25% of the time if my Oyster card is in my wallet.

So while it does appear to confuse it sometimes, it's far from a reliable method! (Might be different for non-Mifare Classic cards, but I'd not rely on it.)

Darren

D.M.Chapman

If you want to use the contactless facility every now and then, store it in your wallet with an Oyster card on top. The Mifare system cannot differentiate between two co-located cards.

Otherwise just disable it by cutting a part or all the way through with a Stanley knife as shown here on my Barclaycard:

[link]

This has no effect on the chip and pin function or the mag stripe swipe.

Bob Minchin

Neither the physical layer nor the discovery protocol depends on the encryption.

David Woolley

That's handled by the discovery protocol, which should try to establish the serial number of the card and address further requests to other cards. In theory it is supposed to be able to detect multiple numbers and abort the transaction, but it sounds like it might not be as good as it might be.

I believe the discovery protocol applies to all the ISO standard cards, on that frequency, not just NXP's Mifare ones.

David Woolley
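The discovery step described in the post above, as an added sketch that is not from the thread: a simplified Python model of ISO/IEC 14443-3 Type A bit-wise anticollision, in which the reader sees a collision at the first bit where the answering cards' serial numbers differ, splits on that bit, and refuses to proceed if more than one card is found. The UIDs are constructed, the function names are hypothetical, and framing details (cascade levels, checksum byte, bit ordering on the air) are left out.

```python
UID_BITS = 32  # single-size (4-byte) UID; larger UIDs use extra cascade levels


def to_bits(uid_hex):
    """Constructed sample UIDs are written as hex; the model works on bit strings."""
    return format(int(uid_hex, 16), "0{}b".format(UID_BITS))


def field_response(uids, prefix):
    """Superimpose the answers of every card whose UID starts with `prefix`.

    Returns (agreed_bits, collision) or None if no card answers. With Manchester
    coding the reader can tell at which bit position two cards disagreed.
    """
    answering = [u for u in uids if u.startswith(prefix)]
    if not answering:
        return None
    agreed = ""
    for pos in range(len(prefix), UID_BITS):
        seen = {u[pos] for u in answering}
        if len(seen) > 1:          # one card sent 0, another sent 1
            return agreed, True
        agreed += seen.pop()
    return agreed, False


def enumerate_cards(uids):
    """Walk the collision tree until every distinct UID in the field is known."""
    found, pending = [], [""]
    while pending:
        prefix = pending.pop()
        response = field_response(uids, prefix)
        if response is None:
            continue
        agreed, collision = response
        known = prefix + agreed
        if collision:              # retry once with each value of the disputed bit
            pending += [known + "0", known + "1"]
        else:
            found.append(known)
    return sorted(found)


def reader_decision(uids):
    """Policy assumed here: a payment-style reader proceeds only with exactly one card."""
    cards = enumerate_cards(uids)
    if len(cards) == 1:
        return "proceed"
    return "abort: no card" if not cards else "abort: {} cards in field".format(len(cards))
```

The model assumes every card in the field is powered and answers cleanly; in a real wallet, coupling between stacked antennas can stop one or both cards from answering at all, which the model does not capture.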

That guy Dom on Fake Britain discussed this recently, and showed that there are numerous cases where the bank says that 'you must have given your PIN to somebody else', even though the card stayed with the account holder, and was not used. The Bank is now prosecutor, judge and jury.

Davey

is such a tosser, I wouldn't believe a word he says

After chip-n-pin was introduced, the banks started 'deciding' that if a correct PIN had been entered, the customer was liable by default.

The 2009 legislation was brought in partly to reverse that situation.

Andy Burns

Doesn't stop them still trying it on.

There are even cases where they argue for months that you are liable because "the correct PIN was entered on a C&P transaction" until you reach the end of the complaints procedure to find that they admit that it was a mag stripe transaction all along (and therefore open the standard cloned card fraud).

tim

tim......

Section 62. Unless the cardholder can be shown to have acted fraudulently, their liability is strictly limited to £50 for over-the-counter transactions where either the card has been stolen or the cardholder was negligent, and zero for any other wrongful use and all distance transactions (with a few, fairly limited, exceptions) even if the cardholder was negligent.

Mark

Mark Goodge

And they will, for sure.

Davey

They've moved the wires for the aerial away from the edge as far as I can tell. Whether this is to help stop them getting broken through flexing or whether it's to make it harder to disable them, I'm not sure.

But recent experiments have found that the aerial now passes close to the right hand end of the signature strip rather than the left hand edge.

[link]

Tim.

Tim Woodall

Ah that reminds me, I had about half a dozen Barclays debit cards (from when they were apparently unable to issue me a working combination of card and PIN) ... did I keep them? ... Probably ... but *where* did I keep them? ...

Andy Burns
