SoylentNews is people

posted by chromas on Wednesday April 11 2018, @03:01PM
from the a-bluetooth-dong'l-do-ya dept.

Fuze card is wide open to data theft over Bluetooth. A fix is on the way.

The makers of the programmable Fuze smart card say it's powerful enough to be your wallet in one card yet secure enough to be used the same way as traditional payment cards—including trusting it to restaurant servers when paying the bill. But it turns out that convenience comes with a major catch. A flaw makes it possible for anyone with even brief physical control of the card to surreptitiously siphon all data stored on the device.

Fuze representatives said they're aware of the vulnerability and plan to fix it in an update scheduled for April 19. They also thanked the two researchers who, independent of one another, discovered the vulnerability and privately reported it. So far, however, Fuze officials have yet to fully inform users of the extent of the risk so they can prevent private data stored on the cards from being stolen or tampered with until the critical flaw is repaired.

Mike Ryan, one of the two researchers, said he created attack code that impersonated the Android app that uses a Bluetooth connection to load credit card data onto the smart cards. While the official Fuze app takes care to prevent pairing with cards that have already been set up with another device, Ryan's rogue app had no such restrictions. As a result, it allowed him to take complete control of a card, including reading, changing, or adding payment card numbers, expiration dates, and card-verification values.

https://arstechnica.com/?p=1290811

-- submitted from IRC


  • (Score: 2) by rigrig on Wednesday April 11 2018, @04:07PM (10 children)

    by rigrig (5129) Subscriber Badge <soylentnews@tubul.net> on Wednesday April 11 2018, @04:07PM (#665408) Homepage

    Actually, I'm quite happy with tap and pay, but that's because someone at the bank properly thought about the risk-convenience balance:
    * It only works for amounts up to € 25
    * It only works for a cumulative total up to € 50
    After that it requires you to enter your PIN.
    I'm willing to risk € 50 for the convenience. (and arguably it also prevents people from snooping my PIN)

    It's just too bad there are a lot of idiots that try to come up with the most convenient way to part people and their money without bothering to really consider what possibly could go wrong.

    --
    No one remembers the singer.
  • (Score: 2) by DannyB on Wednesday April 11 2018, @04:12PM (5 children)

    by DannyB (5839) Subscriber Badge on Wednesday April 11 2018, @04:12PM (#665411) Journal

    Why should you have to risk € 50 for the bank's insecure technology?

    If the bank experiences a physical robbery, and cash is taken from their vault or teller's drawer, do you share in that loss?

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 1, Informative) by Anonymous Coward on Wednesday April 11 2018, @07:03PM (4 children)

      by Anonymous Coward on Wednesday April 11 2018, @07:03PM (#665480)

      > Why should you have to risk € 50 for the bank's insecure technology?

      You (as the holder of a credit card) don't. The entire risk of tap transactions, like essentially all credit card transactions, is assumed by the merchant.

      If the charge is not authorized by the cardholder then the cardholder is not responsible for it. If it happens to you, you call up the issuer and they reverse the payment. The merchant is then out the money and typically some product as well.

      Generally speaking, it is the merchant that sets limits on what they will accept for a tap transaction -- balancing the rather low risk of fraud against the convenience to customers.

      • (Score: 2) by FatPhil on Wednesday April 11 2018, @09:15PM (3 children)

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday April 11 2018, @09:15PM (#665553) Homepage
        > The entire risk of tap transactions, like essentially all credit card transactions, is assumed by the merchant.

        But they aren't credit card transactions, so rules that apply to credit card transactions need not apply to tap transactions. The only tap users I've known have, without exception, been performing debit transactions. It's not a big sample, as most people I know are smart, and have requested cards without the ability to be remotely read.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 2) by TheRaven on Thursday April 12 2018, @06:32AM (2 children)

          by TheRaven (270) on Thursday April 12 2018, @06:32AM (#665776) Journal
          The GP mentioned limits in Euros, so it's a fair bet that he's not in the EU, so two things:
          • In the EU, credit and debit card transactions are protected in exactly the same way, so there is no difference in liability.
          • This varies a bit within countries, but in ones where credit cards are more common than debit cards (most places that aren't France), contactless payments are usually made from credit cards.

          > It's not a big sample, as most people I know are smart, and have requested cards without the ability to be remotely read.

          That's not smart, that's paranoid. I have a card that supports contactless payments and as a result I now carry less cash than I used to because it's more convenient for small payments (e.g. drinks in a pub). The risk from having my wallet stolen is lower. If there are any fraudulent transactions then they are the bank's liability and they are required by law to reverse them (which, because it's a credit card, they can do before the money has even left my account).

          --
          sudo mod me up
          • (Score: 2) by FatPhil on Thursday April 12 2018, @08:15AM

            by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday April 12 2018, @08:15AM (#665797) Homepage
            > That's not smart, that's paranoid.

            Could be, several of them work for security related companies. Some have worked on hacks for such cards.

            > I have a card that supports contactless payments and as a result I now carry less cash

            What's cash? I remember that from way back last decade. Contactless is not an evolution of cash, it's an evolution of the current card payment mechanism.

            > than I used to because it's more convenient for small payments (e.g. drinks in a pub).

            That's not "small". "Small" is the extra 20c because your lunch voucher only goes to 9.50, and the lunch you want is 9.70. That's what cards have been used for for a decade in the countries where I've lived. And where people have happily tapped in their PIN, because the level of inconvenience is so low it's preferable over cash, which was the comparison you were making above.

            Oh, was it 7 drinks you bought, or 8? Are you going to question the 8th one on your statement? Well, if you had 8, then you probably had the 9th too, right?

            With more convenience comes less control. Sure, a swipe is more convenient, but someone needs to write an app for my phone that plays a "kerching" sound when I wave it near people's back pockets or handbags, to start sowing seeds. What's the MITM protection on tap-to-pay? The only security, as far as I can see, is that the bad guys have to choose their mark to see who's already tapping. But that's not "security", as they always have to choose their mark.
            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 1, Informative) by Anonymous Coward on Thursday April 12 2018, @01:24PM

            by Anonymous Coward on Thursday April 12 2018, @01:24PM (#665898)

            > In the EU, credit and debit card transactions are protected in exactly the same way, so there is no difference in liability.

            The results are probably the same in the end but there is one significant difference. If fraud occurs on your credit card you still have all your money. If fraud occurs on a debit card then your account is usually out the money until the issue is resolved.

            But debit card fraud is like one of the least scary things that can happen to your bank account. Cheque fraud is so much easier and basically the only information anyone needs to empty a bank account are the numbers printed on the bottom of your cheques. But fraud appears to be rare enough that nobody bothers to worry about it, and the banking system still seems to mostly work out OK.

  • (Score: 1, Funny) by Anonymous Coward on Wednesday April 11 2018, @04:26PM (2 children)

    by Anonymous Coward on Wednesday April 11 2018, @04:26PM (#665418)

    > Actually, I'm quite happy with tap and pay

    Isn't that what escorts are calling it these days?

    • (Score: 4, Informative) by bob_super on Wednesday April 11 2018, @04:47PM

      by bob_super (1357) on Wednesday April 11 2018, @04:47PM (#665431)

      Only after a few meetings. Initially it's pay then tap.

    • (Score: 2) by EETech1 on Friday April 13 2018, @06:23AM

      by EETech1 (957) on Friday April 13 2018, @06:23AM (#666343)

      They are always pay then tap.

  • (Score: 3, Interesting) by Appalbarry on Wednesday April 11 2018, @05:43PM

    by Appalbarry (66) on Wednesday April 11 2018, @05:43PM (#665442) Journal

    I forgot to add, and where the terms, conditions, and limits can be changed or removed with no warning.