
posted by chromas on Wednesday April 11 2018, @03:01PM
from the a-bluetooth-dong'l-do-ya dept.

Fuze card is wide open to data theft over Bluetooth. A fix is on the way.

The makers of the programmable Fuze smart card say it's powerful enough to be your wallet in one card yet secure enough to be used the same way as traditional payment cards—including trusting it to restaurant servers when paying the bill. But it turns out that convenience comes with a major catch. A flaw makes it possible for anyone with even brief physical control of the card to surreptitiously siphon all data stored on the device.

Fuze representatives said they're aware of the vulnerability and plan to fix it in an update scheduled for April 19. They also thanked the two researchers who, independent of one another, discovered the vulnerability and privately reported it. So far, however, Fuze officials have yet to fully inform users of the extent of the risk so they can prevent private data stored on the cards from being stolen or tampered with until the critical flaw is repaired.

Mike Ryan, one of the two researchers, said he created attack code that impersonated the Android app that uses a Bluetooth connection to load credit card data onto the smart cards. While the official Fuze app takes care to prevent pairing with cards that have already been set up with another device, Ryan's rogue app had no such restrictions. As a result, it allowed him to take complete control of a card, including reading, changing, or adding payment card numbers, expiration dates, and card-verification values.

https://arstechnica.com/?p=1290811

-- submitted from IRC


  • (Score: 2) by DeathMonkey on Wednesday April 11 2018, @05:49PM (3 children)

    by DeathMonkey (1380) on Wednesday April 11 2018, @05:49PM (#665444) Journal

    ...anyone with even brief physical control of the card [can intercept] all data stored on the device.

    Can't they do the same with a normal card too, though?

  • (Score: 2) by FatPhil on Wednesday April 11 2018, @09:08PM (1 child)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday April 11 2018, @09:08PM (#665549) Homepage
    With a normal magstripe card, yes, but not a chip'n'pin one. However, reading the ICE9 report on the hack, all this card seems to mimic is magstripe cards anyway, as the way you add those cards to the programmable one is by "swiping" them.

    I've been chip-only for well over a decade. Magstripe is a joke, security-wise. This whole card seems to be solving a problem that shouldn't even exist any more.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 3, Interesting) by MichaelDavidCrawford on Wednesday April 11 2018, @10:41PM

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Wednesday April 11 2018, @10:41PM (#665597) Homepage Journal

      Americans started getting chipped cards after the Target POS terminal breach.

      If I swipe a non-chipped card it gets approved in just a few seconds.

      If I insert a chipped card, I have some time to sing:

      Row row row your boat

              Do Not Remove Card

      Gently down the stream

              Do Not Remove Card

      Merrily merrily merrily merrily

              Approved

      Life is but a dream

            Remove card

      --
      Yes I Have No Bananas. [gofundme.com]
  • (Score: 3, Interesting) by TheRaven on Thursday April 12 2018, @06:26AM

    by TheRaven (270) on Thursday April 12 2018, @06:26AM (#665773) Journal

    With the kind of card that's been common in France for over 30 years, in Europe for about 15, and is starting to be common in the USA, no. The chip acts as a hardware security module that will cryptographically sign transactions. Modulo bugs in the implementations, if you compromise the card (and PIN) you can make it sign arbitrary bits of data for you, but for those to be useful they need to include a random per-transaction number generated by the payment processor, so offline attacks are difficult (though they were made easier by the fact that some implementations thought that a simple incrementing counter was a good way of implementing what the spec described as an 'unpredictable number').

    One of the oddest things I find when going to the USA is that it's common in restaurants for waiters to take your card away from you. That's been against merchant bank T&Cs for about 20 years in the UK and any company that is caught doing it will have their ability to accept credit cards revoked. If you want to take card payments in a restaurant, you either get people to stand up and go to the till, or you bring a handheld terminal to their table. With chip-and-pin that's pretty much essential anyway, because you can't do anything useful with the card other than put it in the terminal that the cardholder enters the pin into. If someone takes the card out of my sight, I have no idea what attacks they are performing on it.

    --
    sudo mod me up
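The signed-transaction flow TheRaven describes, as an added toy model that is not EMV and not code from any card vendor: a keyed MAC stands in for the chip's cryptogram, the terminal supplies the 'unpredictable number' (UN), and the issuer recomputes the MAC. All names (CARD_KEY, card_cryptogram, the constructed terminal logs) are assumptions for the example. It also shows a processor-side check that flags a terminal whose UNs are really a counter, the weak implementation the comment mentions.

```python
import hashlib
import hmac
import secrets

# Toy model of an EMV-style authorisation (added example, not EMV itself):
# the chip MACs the transaction data plus the terminal's 'unpredictable
# number' (UN); the issuer recomputes and compares. CARD_KEY is a
# constructed placeholder standing in for the per-card secret.
CARD_KEY = b"constructed-demo-card-key-not-real"


def card_cryptogram(key: bytes, amount_cents: int, merchant: str, un: bytes) -> bytes:
    """What the chip signs: amount || merchant || UN, keyed with the card secret."""
    msg = amount_cents.to_bytes(4, "big") + merchant.encode() + un
    return hmac.new(key, msg, hashlib.sha256).digest()


def issuer_accepts(key: bytes, amount_cents: int, merchant: str,
                   un: bytes, cryptogram: bytes) -> bool:
    """Issuer side: recompute the cryptogram and compare in constant time."""
    expected = card_cryptogram(key, amount_cents, merchant, un)
    return hmac.compare_digest(expected, cryptogram)


def replay_rejected_with_random_un() -> bool:
    """A cryptogram seen for one transaction does not verify for the next one
    when the terminal draws a fresh random UN each time."""
    un_1 = secrets.token_bytes(4)
    captured = card_cryptogram(CARD_KEY, 4200, "cafe", un_1)
    un_2 = secrets.token_bytes(4)
    while un_2 == un_1:          # rule out the 2^-32 collision for the demo
        un_2 = secrets.token_bytes(4)
    return not issuer_accepts(CARD_KEY, 4200, "cafe", un_2, captured)


def un_sequence_looks_like_counter(uns: list) -> bool:
    """Processor-side sanity check over a terminal's logged UNs: a value that
    advances by one constant step is a counter, not an unpredictable number."""
    if len(uns) < 3:
        return False
    vals = [int.from_bytes(u, "big") for u in uns]
    steps = {b - a for a, b in zip(vals, vals[1:])}
    return len(steps) == 1 and steps.pop() != 0


# Constructed terminal logs: one counter-based, one genuinely random.
COUNTER_LOG = [n.to_bytes(4, "big") for n in range(1001, 1009)]
RANDOM_LOG = [bytes.fromhex(h) for h in ("9f3a11c2", "04e7b8d1", "c2100aa5", "7b5e9930")]
```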