RFID Payment Ring Made from Dissolved Credit Card

RFID payment systems are one of those things that the community seems to be divided on. Some only see the technology as a potential security liability, and will go as far as to disable the RFID chip in their card so that it can’t be read by a would-be attacker. Others think the ease and convenience of paying for goods by tapping their card or smartphone on the register more than makes up for the relatively remote risk of RFID sniffers. Given the time and effort [David Sikes] put into creating this contactless payment ring, we think it’s pretty clear which camp he’s in.

Alright, so the whole ring-making part sounds easy enough, but how does one get an RFID chip that’s linked to their account? Easy. Just call the bank and ask them for one. Of course, they won’t just send you out a little RFID chip and antenna to mount in your hacked-up project. (If only things were so simple!) But they will send you a new card if you tell them your old one is getting worn out and needs a replacement. All you have to do when it gets there is liberate the electronics without damaging them.

[David] found that an hour or so in an acetone bath was enough to dissolve the plastic and expose the epoxy-encased RFID chip, assuming you scrape the outer layers of the card off first. He notes that you can speed this part of the process up considerably if you know the exact placement and size of the RFID chip; that way you can cut out just the area you’re interested in rather than having to liquefy the whole card.

Once you have your chip, you just need to mount it into a ring. [David] has designed a 3D printable frame (if you’ve got a high-resolution SLA machine, that is) which accepts the chip and a new antenna made from a coil of 38 AWG magnet wire. With the components settled into the printed frame, it’s off to a silicone mold and the liberal application of epoxy resin to encapsulate the whole thing in a durable shell.

If a ring is not personal enough for you, then the next step is getting the RFID chip implanted directly into your hand. There are even folks at hacker cons who will do that sort of thing for you, if you’re squeamish.


“Borrow” Payment Cards with NFC Proxy Hardware

Contactless payments are growing in popularity. Often the term will bring to mind the ability to pay by holding your phone over a reader, but the system can also use NFC tags embedded in credit cards, ID cards, passports, and the like. NFC is a reasonably secure method of validating payments as it employs encryption and the functional distance between client and reader is in the tens of centimeters, and often much less. [Haoqi Shan] and the Unicorn team have reduced the security of the distance component by using a hardware proxy to relay NFC interactions over longer distances.

The talk, given on Sunday at DEF CON, outlined some incredibly simple hardware: an NFC antenna connected to a PN7462AU, an NRF24L01 wireless transceiver, and some power regulation. The exploit works by using a pair of these hardware modules. A master interfaces with the NFC reader, and a slave reads the card. The scenario goes something like this: a victim NFC card is placed near the slave hardware. The master hardware is placed over a payment kiosk as if making a normal payment. As the payment kiosk reader begins the process to read an NFC card, all of the communications between it and the actual card are forwarded over the 24L01 wireless connection.

The demo video during the talk showed a fast-food purchase made on the Apple Pay network while the card was still at a table out in the dining area (resting on the slave hardware module). The card used was a QuickPass contactless payment card from China UnionPay. According to a 2016 press release from the company, over two billion of these cards had been issued at the time. With that kind of adoption rate there is a huge incentive to find and patch any vulnerabilities in the system.

The hardware components in this build aren’t really anything special. We’ve seen these Nordic wireless modules used in numerous projects over the years, and the NXP chip is just NFC built around an ARM core. The leaps that tie this together are the speed-ups to make it work. NFC has tight timing, and a delay between the master and slave would invalidate the handshake and subsequent interactions. The Unicorn team found some speedups by ensuring the chip was waking from suspend mode (150 µs) and not a deeper sleep. Furthermore, [Haoqi] mentioned they are only transmitting “I/S/R Block Data” and not the entirety of the interaction to save on time transmitting over the 24L01 wireless link. He didn’t expand on that, so if you have details about what those blocks actually consist of please let us know in the comments below.

To the card reader, the emulated payment card is valid and the payment goes through. But one caveat to the system is that [Haoqi] was unable to alter the UID of the emulator — it doesn’t spoof the UID of the payment card being exploited. Current readers don’t check the UID, and this could be one possible defense against this exploit. But to be honest, since you need close physical proximity of the master to the reader and the slave to the payment card simultaneously, we don’t see mayhem in the future. It’s more likely that we’ll see hacker cred when someone builds a long-range link that lets you leave your NFC cards at home and take one emulator with you for wireless door access or contactless payments in a single device. If you want to get working on this, check out the talk slides for program flow and some source code hints.
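As an added illustration (not code from the talk or the Unicorn team), here is the reader-side view of the two things the write-up touches on: what the I/S/R blocks are, and what a reader could check to notice an inserted radio hop. In ISO/IEC 14443-4 every frame starts with a protocol control byte (PCB): I-blocks carry the APDU data, R-blocks are receive-ready ACK/NAK frames, and S-blocks are supervisory frames for DESELECT and waiting-time extensions (WTX). The `relay_suspicion` heuristic, its thresholds, and the sample frame captures are all constructed assumptions for the example.

```python
from statistics import median

def block_type(pcb: int) -> str:
    """Classify an ISO/IEC 14443-4 frame by the top bits of its PCB."""
    top = pcb >> 6
    if top == 0b00:                          # I-block: carries APDU payload
        return "I"
    if top == 0b10 and pcb & 0x20:           # R-block: receive-ready, bit 5 = NAK
        return "R(NAK)" if pcb & 0x10 else "R(ACK)"
    if top == 0b11:                          # S-block: supervisory
        return "S(WTX)" if (pcb & 0x30) == 0x30 else "S(DESELECT)"
    raise ValueError(f"not a valid PCB: 0x{pcb:02x}")

def relay_suspicion(frames, baseline_us, slack=3.0, max_wtx=0):
    """Return the reasons a transaction looks relayed (empty list = clean).

    frames: [(pcb, card_response_delay_us), ...] as timed at the reader.
    baseline_us: typical I-block response delay of a genuine card in contact.
    A radio hop adds delay to every block, and a slow proxy has to ask for
    S(WTX) extensions to stay inside the timing budget, so both are scored.
    The slack factor and WTX limit are assumptions, not standard values.
    """
    reasons = []
    delays = [d for pcb, d in frames if block_type(pcb) == "I"]
    wtx = sum(1 for pcb, _ in frames if block_type(pcb) == "S(WTX)")
    if delays and median(delays) > slack * baseline_us:
        reasons.append(f"I-block delay {median(delays):.0f}us > {slack}x baseline")
    if wtx > max_wtx:
        reasons.append(f"{wtx} waiting-time extension(s) requested")
    return reasons

# Constructed captures: (PCB, card response delay in microseconds) per frame.
GENUINE = [(0x02, 310), (0x03, 295), (0x02, 330), (0xA2, 90), (0x03, 305)]
RELAYED = [(0x02, 1450), (0xF2, 700), (0x03, 1620), (0x02, 1510), (0xF2, 680)]

if __name__ == "__main__":
    for name, frames in (("genuine", GENUINE), ("relayed", RELAYED)):
        print(name, [block_type(p) for p, _ in frames], relay_suspicion(frames, 300))
```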