Are wireless card skimmers just fearmongering?

Question

I'm not sure about other countries but Australian Banks have been releasing cards with RFID Chips in them (for what reason is beyond me since around the same time there's been payway apps which swap the bank card for a phone). Also about the same time I have been seeing ads for Scan Blocker. The page explains how it works.

1. Scan Blocker's antenna detects a nearby sniffer
2. Scan Blocker draws energy from the sniffer to power up
3. Scan Blocker instantly creates an E-Field, a surround electronic field making all cards invisible to the sniffer
4. Scan Blocker repels and scrambles the sniffers' signals
5. Once a sniffer is out of range Scan Blocker de-powers

Before these chips were put in to my understanding someone needed the bank card itself to skim it and steal information from it a person would either need to steal the card itself or hook up a card skimmer to an ATM or Eftpos Machine. The ads for Scan Blocker and the like imply now someone can just walk past you with this "sniffer" to get all your card details.

But I find it hard to believe that multiple banks would force¹ a technology that would require third-party devices to make them secure. So I am wondering if there is any truth to what these Scan Blockers say? Have banks cards just been made more vulnerable thanks to these RFID chips?

---

^{1: I say forced because when I went to change banks once I asked for a card without a chip but I was told it wasn't an option}

Answer 1

ScanBlocker seems like overkill, and depending on how the transmitter works it may even be illegal in some places. RF blocking wallets are much cheaper, much smaller, and have fewer parts to go wrong. My paper passport has an RF blocking cover; it needs to be opened a bit in order to be read. My plastic passport card came in an RF-blocking Tyvek sleeve. I've tested both and they have proven highly effective at preventing NFC reads.

The ads are correct in that NFC skimmers do exist. Whether or not the card data that is visible to a skimmer is useful depends on the thief and the card. The cards transmit the account number in the clear, but a successful authentication also needs another value, called the CVV, CVV2, CVC, or others. If the card issuing bank used Static Data Authentication (SDA) to generate the CVV, the thief has everything he needs to create a working clone (most banks are smarter than that, however.) If the card uses Dynamic Data Authentication (DDA), the thief will get a cryptographically generated one-time-use CVV number, and even that won't work after your card generates another number. (The CVV2 is the short code printed on the face or back of the card, and the thief cannot read that electronically.)

Note that he still has the account number, but without a valid CVV it will severely limit the transactions where he can use the stolen number to primarily offline situations.

The larger question is if any of these measures are necessary. Yes, there are NFC skimming thieves on the planet, but not as many as a scary advertisement would have you believe. So the answer is "it depends." Do you live in a populous area? Do you frequently take mass transit, or sit in crowded public spaces? Do you spend a lot of time in shopping malls, or busy airports? The more people you expose yourself to, the higher the chances are that you could get skimmed. If you believe you are at risk, use an RF blocking wallet.

Answer 2

I wouldn't be too worried.

First off, to pull money from a card you'll need a terminal with your own merchant account to actually receive the money. It's not that easy to open such an account anonymously and the funds often take a few days to clear which means the banks would notice something naughty is going on and reverse the transactions before you can actually get the money.

There is another possible attack that would relay the signal between your card and a legitimate terminal over the internet. It would require crooks to hold one terminal at your card and the other one at some merchant's place at the exact same time the transaction is taking place, so that the crook would essentially be paying with your card, relayed over the network. Quite tricky to pull off and the gains are minimal as you can only pull a certain amount of money via contactless (30£ here in the UK).

Finally banks can and do reverse fraudulent transactions unless a PIN was entered, which isn't the case for contactless.

Answer 3

Well, https://www.youtube.com/watch?v=elBWoMXt3WY - early contactless implementations simply broadcasted the PAN in the NFC radius. A super-bad idea, with EMV, PIN etc things have improved.

CVV is a 3 number code, not really a security measure as such that a patient attacker will not break eventually, PAN is kept as sensitive data in the PCI DSS standard for a reason.

I don't want to give anybody any ideas, so just take me on my word when I tell you there is plenty of attack vectors available to a determined and patient attacker contrary to what some answers might lead you to believe.