
posted by chromas on Wednesday April 11 2018, @03:01PM
from the a-bluetooth-dong'l-do-ya dept.

Fuze card is wide open to data theft over Bluetooth. A fix is on the way.

The makers of the programmable Fuze smart card say it's powerful enough to be your wallet in one card yet secure enough to be used the same way as traditional payment cards—including trusting it to restaurant servers when paying the bill. But it turns out that convenience comes with a major catch. A flaw makes it possible for anyone with even brief physical control of the card to surreptitiously siphon all data stored on the device.

Fuze representatives said they're aware of the vulnerability and plan to fix it in an update scheduled for April 19. They also thanked the two researchers who, independent of one another, discovered the vulnerability and privately reported it. So far, however, Fuze officials have yet to fully inform users of the extent of the risk so they can prevent private data stored on the cards from being stolen or tampered with until the critical flaw is repaired.

Mike Ryan, one of the two researchers, said he created attack code that impersonated the Android app that uses a Bluetooth connection to load credit card data onto the smart cards. While the official Fuze app takes care to prevent pairing with cards that have already been set up with another device, Ryan's rogue app had no such restrictions. As a result, it allowed him to take complete control of a card, including reading, changing, or adding payment card numbers, expiration dates, and card-verification values.

https://arstechnica.com/?p=1290811

-- submitted from IRC


  • (Score: 2) by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday April 11 2018, @09:15PM (#665553)
    > The entire risk of tap transactions, like essentially all credit card transactions, is assumed by the merchant.

    But they aren't credit card transactions, so rules that apply to credit card transactions need not apply to tap transactions. The only tap users I've known have, without exception, been performing debit transactions. It's not a big sample, as most people I know are smart, and have requested cards without the ability to be remotely read.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by TheRaven (270) on Thursday April 12 2018, @06:32AM (#665776)
    The GP mentioned limits in Euros, so it's a fair bet that he's not in the EU, so two things:
    • In the EU, credit and debit card transactions are protected in exactly the same way, so there is no difference in liability.
    • This varies a bit within countries, but in ones where credit cards are more common than debit cards (most places that aren't France), contactless payments are usually made from credit cards.

    > It's not a big sample, as most people I know are smart, and have requested cards without the ability to be remotely read.

    That's not smart, that's paranoid. I have a card that supports contactless payments and as a result I now carry less cash than I used to because it's more convenient for small payments (e.g. drinks in a pub). The risk from having my wallet stolen is lower. If there are any fraudulent transactions then they are the bank's liability and they are required by law to reverse them (which, because it's a credit card, they can do before the money has even left my account).

    --
    sudo mod me up
    • (Score: 2) by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday April 12 2018, @08:15AM (#665797)
      > That's not smart, that's paranoid.

      Could be, several of them work for security related companies. Some have worked on hacks for such cards.

      > I have a card that supports contactless payments and as a result I now carry less cash

      What's cash? I remember that from way back last decade. Contactless is not an evolution of cash, it's an evolution of the current card payment mechanism.

      > than I used to because it's more convenient for small payments (e.g. drinks in a pub).

      That's not "small". "Small" is the extra 20c because your lunch voucher only goes to 9.50, and the lunch you want is 9.70. That's what cards have been used for for a decade in the countries where I've lived. And where people have happily tapped in their PIN, because the level of inconvenience is so low it's preferable over cash, which was the comparison you were making above.

      Oh, was it 7 drinks you bought, or 8? Are you going to question the 8th one on your statement? Well, if you had 8, then you probably had the 9th too, right?

      With more convenience comes less control. Sure, a swipe is more convenient, but someone needs to write an app for my phone that plays a "kerching" sound when I wave it near people's back pockets or handbags, to start sowing seeds. What's the MITM protection on tap-to-pay? The only security, as far as I can see, is that the bad guys have to choose their mark to see who's already tapping. But that's not "security", as they always have to choose their mark.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 1, Informative) by Anonymous Coward on Thursday April 12 2018, @01:24PM (#665898)

      > In the EU, credit and debit card transactions are protected in exactly the same way, so there is no difference in liability.

      The results are probably the same in the end but there is one significant difference. If fraud occurs on your credit card you still have all your money. If fraud occurs on a debit card then your account is usually out the money until the issue is resolved.

      But debit card fraud is like one of the least scary things that can happen to your bank account. Cheque fraud is so much easier and basically the only information anyone needs to empty a bank account are the numbers printed on the bottom of your cheques. But fraud appears to be rare enough that nobody bothers to worry about it, and the banking system still seems to mostly work out OK.