Money hacker Peter Fillmore has created an Android app that can clone some of Australia's most popular contactless credit cards.

In attacks that slipped beneath banks' and credit card providers' radars, the Aussie boffin probed the protocols behind Visa and Mastercard payment cards and proved the viability of an attack by successfully using cloned versions of his credit cards to shop at supermarket chain Woolworths, and buy beer at a Sydney pub.

Fillmore (@typhoonfilsy) will today show at the Breakpoint security conference in Melbourne his modded Nexus 4 and how it steals data from Paywave and Paypass cards that could be introduced into cloned cards.

While the phone tactic is an inconspicuous attack, Fillmore told Vulture South that enterprising criminal gangs could make a killing by using his tactics with more powerful custom equipment to scam commuters on their way to work.

Peter Fillmore.

"The phone needs to be really close to someone's wallet to work so it's more of a proof-of-concept. [However], the attack I would be worried about is a criminal gang with a [reader] in a briefcase who captures a whole lot of cards on a tram and uploads them to a central server," Fillmore said.

"Someone located far away could then wait until their phone pings with the stolen information and start using the cards," he added.

"This is better than a relay attack because you can store the transactions and you don't have a timeframe," he said.

There's another advantage for the potential criminal, as when the trick fails, it appears to the retailers and banks to be a mundane error, rather than a fraud attempt, which could trigger a well-resourced bank and police investigation.

Fillmore's proof of concept

Large retailers are first choice targets for attack (rather than small new businesses) as they were likely, as in the case of Woolworths, to operate legacy point-of-sale payment equipment and therefore be more open to fraudulent moves.

The Nexus 4 (as Fillmore discovered) served as an efficient and discrete hardware fuzzer for contactless cards. The popular Cyanogen mod gave access to an otherwise inaccessible application programming interface called 'Host Card Emulation' that he said is a "great platform" for cloning cards.

Fillmore plans to write an exploit app for a popular but as yet unnamed card reader that would be delivered through the phone.

His attack worked in part by exploiting payment terminal's legacy support for magnetic stripe cards. The EMV (the gold chip on credit cards) protocol meant cards told terminals if it supported EMV, which then allowed an attacker to pushed payment processing back to mag stripes.

It captured details, including an application transaction counter, which was incremented each time a transaction was made. Attackers needed to conduct the fraud before the next transaction was made or an error would occur.

The attacks weren't due to particular problems with a given bank, although the Australia and New Zealand Banking Group (unlike the National Australia Bank) was found to have not implemented a randomisation number which while affording additional security, did not prevent the attack.

Fillmore said new startups may be harder targets as they may use new technology that could be, like one tested at a NAB ATM, capable of determining if a contactless credit card was 'lying' about not supporting EMV.

Blocking the attack would require the very slow process of dropping legacy support for non-EMV transactions, a feat that could be done faster in Australia than the US.

"I believe that EMV interfaces in general (both RFID and physical) is an area ripe for implementation bugs and errors," Fillmore said. "Its just the lack of available/affordable test equipment which has prevented researchers from exploiting this area."

He said the attack may work similar to Cupertino's Apple Pay platform which supported non-EMV transactions.

Fillmore's work built on the shoulders of Michael Roland and Josef Langer from NFC Research Lab detailed in the paper Cloning Credit Cards: A combined pre-play and downgrade attack on EMV Contactless.

Last year he reduced the Breakpoint crowd to tears of laughter by demonstrating how computer-generated music enjoyable 'only on class A drugs' could top music charts through custom scripts running on Amazon.®