Cybercrooks have developed an Android app that makes it possible to hack RFID payment cards, researchers discovered after a Chilean transport system was defrauded.
The app at the centre of the scam hacked into the user's radio frequency ID (RFID) bus transit card in order to recharge credits. The fraud-enabling Android tool, found distributed through forums and blogs and circulating in Chile, was detected by Trend Micro and identified as STIP-A.
After a slow start, paying via RFID cards is gradually becoming more popular as more mobile devices add Near Field Communication (NFC) support. Banks, merchants or public services issue RFID cards to their customers with prepaid credits.
RFID cards have therefore become an interesting target for cybercriminals. The Tarjeta Bip card hacking incident in Chile involved a malicious app that writes predefined data onto the card, raising the user’s balance to 10,000 Chilean pesos (approximately $16, £10).
The Android app used to facilitate the scam runs on a device equipped with NFC that is capable of reading and writing to these cards. "This particular trick will only work with this particular fare card, since it relies on the format of the card in question," according to an analysis of the malware by Veo Zhang, a mobile threat analyst at Trend Micro. "Using widely available tools, the attacker cracked the card’s authentication key. With the cracked key and the native NFC support in Android and the device, cloning a card and adding credits can be easily implemented in a mobile app."
Hackers were able to rewrite the card’s information despite not having the correct authentication keys because the Chilean cards are based on an older version of the MIFARE series of cards (MIFARE Classic), which is known to have multiple security problems. "An attacker is able to clone or modify a MIFARE Classic card in under 10 seconds, and the equipment (such as the Proxmark3), together with any needed support, is sold online," Trend Micro concludes.
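Because the balance stored on a MIFARE Classic card can be rewritten by anyone holding the cracked key, the operator's reliable control is a central ledger that the card cannot alter. The following added example (not code from the article, Trend Micro or MWR) shows that back-office check: it assumes every legitimate top-up and fare is logged centrally by card UID and that validators upload the balance they read from the card, and it flags cards whose on-card balance exceeds what the ledger allows, such as the 10,000 peso value written by the app.

```python
"""
Added example: back-office reconciliation for a stored-value transit card whose
on-card balance cannot be trusted (MIFARE Classic, as with the Bip card above).

Assumption: the operator keeps a central ledger of legitimate top-ups and fare
deductions keyed by card UID, and each reader uploads the balance it read from
the card. A card reporting more value than the ledger allows was written
outside the official channel and should be blocked.
"""

# Constructed sample ledger: (card_uid, event, amount in Chilean pesos)
SAMPLE_LEDGER = [
    ("04A1B2C3", "topup", 5000),
    ("04A1B2C3", "fare", 640),
    ("04A1B2C3", "fare", 640),
    ("0BDEAD01", "topup", 2000),
    ("0BDEAD01", "fare", 640),
]

# Constructed sample of balances read from cards at validators
SAMPLE_READS = {
    "04A1B2C3": 3720,   # consistent with the ledger: 5000 - 2 * 640
    "0BDEAD01": 10000,  # the 10,000 CLP value the fraudulent app writes
}


def expected_balances(ledger):
    """Compute the balance each card should hold according to the central ledger."""
    balances = {}
    for uid, event, amount in ledger:
        sign = 1 if event == "topup" else -1
        balances[uid] = balances.get(uid, 0) + sign * amount
    return balances


def flag_tampered_cards(ledger, card_reads, tolerance=0):
    """Return {uid: (reported, expected)} for cards reporting more than the ledger allows.

    `tolerance` absorbs top-ups from offline readers not yet uploaded. Unknown
    UIDs are flagged too: a card with no top-up history cannot legitimately hold value.
    """
    expected = expected_balances(ledger)
    suspicious = {}
    for uid, reported in card_reads.items():
        allowed = expected.get(uid, 0)
        if reported > allowed + tolerance:
            suspicious[uid] = (reported, allowed)
    return suspicious


if __name__ == "__main__":
    for uid, (seen, allowed) in flag_tampered_cards(SAMPLE_LEDGER, SAMPLE_READS).items():
        print(f"card {uid}: on-card balance {seen} CLP exceeds ledger balance {allowed} CLP")
```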
Don't fret, your contactless bank card is likely NOT susceptible
Rob Miller, security consultant at MWR InfoSecurity, said techniques for hacking this type of card have been known about for at least six years.
“The Bip card is based on the MIFARE classic card," Miller explained. "This card is one of a range of RFID cards, each offering different levels of security for a relative cost.
"This particular type is one of the lowest cost cards available, but is also one of the most insecure. Methods to exploit this type of card were shown as early as 2007," he added.
Miller agreed with Trend's analysis that the fraud-enabling hack was possible because of weak crypto on an antiquated smartcard.
"Normally contactless smartcards contain sensitive information, so they protect this data using cryptographic functions that require the reader to know a key," Miller said. "The exploits found allow an attacker to recover data from the device and write new data to the device without initially knowing the key.
"In Bip's case, this exploit was built in to an Android app, which uses Android's NFC functionality to communicate with and edit the id and money values held on the owner's Bip card," he added. ®