Cash is dead, and tap-to-pay cards can finally save us the trouble of swiping a credit card and keep the wheels of capitalism rolling. But a researcher at the Black Hat conference said these cards are not as safe as they seem and, surprisingly, Apple Pay is excellent.

Peter Fillmore broke down exactly how credit cards perform wireless transactions. To the person using the card, it seems fairly straightforward: tap the card against the terminal and the payment is complete. Of course, we don't just use cards for that anymore. Apple Pay, Android Pay, Google Wallet, and others run on Near Field Communications or NFC. This technology requires that the device have special radios and be equipped to use them, which is why it's found only on some mobile devices.

Tap, Tap, Clone

Fillmore said that initially, he didn't think his exploit would work. He knew that the EMV chips embedded in credit cards that make these tap payments work were well-tested and provided a very small attack surface. "You've also got crypto keys embedded in these cards," Fillmore told Black Hat attendees. "Even if you broke open the card to get the key, you only get the key for that card not others."

But it turned out that he didn't need to worry about EMV chips at all because credit cards still have magnetic strips for swiping, and credit card readers still have the hardware and software to read those strips. "You need all these legacy systems in place to ensure we can use our cards wherever without much hassle," said Fillmore. These legacy systems, he discovered, were far less secure than the tap-to-pay systems.

For example, most credit cards include an Unpredictable Number that's designed to prevent card cloning. Ideally, this should be a random number, but Fillmore found that the limitations of magnetic stripe cards meant that in some cases, only random numbers between 0 and 99 were being used. That's not very random.

In his presentation, Fillmore showed how he tapped a Via and MasterCard credit card against his Android phone. Fillmore had written special software that, taking what he'd learned, could grab the information from a tap card, generate the necessary credentials, and be used at a payment terminal.

"You can't clone [these] cards economically, but you can clone transactions," Fillmore concluded.

Apple Pay

"I want to kick at Apple Pay but I can't," Fillmore joked. "It's one of the best methods for these transactions," and is generally "more secure than your cards."

Fillmore said that Apple Pay has a lot going for it since it has a separate secure element chip and performs the transactions on that secure chip. But Fillmore reasoned that Apple Pay is susceptible to the attacks he demonstrated because the cards themselves are insecure. It would depend on the cards loaded into Apple Pay and if an attacker found a way to force someone to make a particular transaction in order to snag the data.

Fillmore advised Apple users to not jailbreak their phones. He did not mention Google Wallet or the forthcoming Android Pay, nor did he comment on the security of Android phones as payment platforms. He did, however, say that the tools offered by Android were excellent for this kind of research.

Fix It!

To actually fix these problems, Fillmore said we have to change how credit cards work. "Legacy modes need to be removed from the system," he said. "Legacy support reduces security." Removing support for the legacy magnetic stripe would allow for other fixes, like including more complex random numbers into transactions to prevent card cloning.

Related How to Spot and Avoid Credit Card Skimmers

He also voiced concern about payment terminals. These are the machines where you tap, swipe, or dip your cards to pay for things. Fillmore said he found a shocking lack of physical security in these devices, creating opportunities for hackers, thieves, and disreputable business owners to rip you off.

What surprised Fillmore most was that he was able to clone his own credit card, which was issued in Australia. "This is shocking considering how long we've had EMV workflows," he said. "I have a gut feeling that it's a lot more of an issue in the U.S. because of existing technology and a love of magstripes."

The U.S. has resisted EMV cards for years, but that will be changing. New rules going into effect in October are expected to spur widespread adoption of chip cards in this country. Hopefully, this will help Americans break up with the magnetic strip card and embrace the security of better payments.

Further Reading

Security Reviews