
Card Cloned on my commute today



I have recently resorted to touch in/out with my debit card at ED Station since letting my travel card expire.


Never usually have my card out of the wallet and haven't used a cash machine for weeks but this evening found that, over the course of less than an hour, hundreds of pounds of transactions were attempted on my account.


Payments were attempted to Southern Trains, boohoo.com and billpay. I think my card details must've been captured on my commute. Either by someone taking a snap of it as I put it on the reader or perhaps by a device on the reader itself.


Wanted to warn people and wondered if anyone had a similar experience. I will be topping up and using an Oyster tomorrow and checking the readers.


Thanks to the very clever software at my bank all transactions were stopped.


Most likely your card was captured (as you think) during your swipe-in, but by a hand-held device close to, but not on, the Oyster reader itself. As more people carry cards in shielded wallets (or with an RFID interference device) it is only when they are exposed to readers for contactless payments that they are vulnerable. A busy station is a good place to capture card details like this. Oyster cards themselves cannot be used for payments other than travel, but credit and debit cards are far more vulnerable. Although such a facility (contactless credit card transactions) is a real boon to the honest person, it may be even more so to the dishonest! It is very unlikely to have been photographed - most people cover their cards naturally in the way they hold them on Oyster readers, or keep them in slim wallets, so that photographs would mainly not be of use. For other types of contactless payment photography might be more useful, as you present your card face up often to do it.


Were there to be CCTV in the station it might be possible to see someone lurking by the gates capturing details on a concealed device, but I doubt whether 'law enforcement' (and I use that phrase quite wrongly) could be bothered to look.


Unlikely to be a photograph, as a scammer would need both sides to get your security number as well. Card skimmers on Oyster machines are not uncommon, be good if you could text British Transport Police on 61016 or call on 0800 405040 to let them know - doubt they can do anything to catch the miscreants but they will go and check the card readers.

Thanks both. Whatever they're doing it's pretty clever as they were able to start transacting very quickly and for much more than the contactless limit.


I had a quick look at the touch-in scanners London-bound and they looked in order. I would love to ask to see CCTV but there's never anyone there.


The southern trains transaction indicates their proximity, too coincidental.


If there was an illicit card reader associated with the gate reader then the person stealing the card details would still have had to be quite close - these illicit readers must communicate using low range technology to a data store. So the 'perp' should be identifiable from CCTV. Once the details are stolen then they are fully available - the card transaction limits on contactless are associated with the card-reader software, not the card itself (which is why the limit can be so easily raised, as it was from £20 to £30 recently as I recall). If the RFID data is stolen, then it can be used without limit (other than any total spend limit associated with the card itself).


Luckily security algorithms seem quite good (with some card issuers) to pick up rogue usage - although the recent VISA failure allowed multiple deductions to be recorded for the same attempted transaction - i.e. when the card apparently failed and it was re-presented for payment.


TfL directed me to BTP then on to a premium rate txt number via which I have reported it. I originally posted to warn people and see if they had similar experience which might confirm my suspicion it happened on the network somewhere. Obviously I can't be 100% sure which is likely to be the response from BTP I fear.


PS. I can only get CCTV once the crime is reported so maybe I'll get to see that before they tape over or whatever they do these days


Sorry to hear you might have been the victim of electronic pickpocketing - it's certainly possible but perhaps not quite like the others have suggested here.


Contactless cards contain secret information that can't be cloned (secret keys unique to the card) that, when combined with one-time per-transaction information from the card reader, securely authenticates your card as being present. Things like your card number and expiry can be cloned via contactless, but that's not enough to make a transaction these days. The passive cloning attacks Penguin68 described are sort-of possible against contactless cards (in limited circumstances where shoddy implementations of backwards compatibility features can be used to downgrade the security to old-fashioned mag-stripe levels), but they aren't very common.


The most likely way you were virtually pickpocketed was via a relay attack. All the thief needs is a partner in crime near a shop/payment terminal and two hacked Android phones running NFC relay software. The thief stands next to you on the platform or train, close enough to read your card through your wallet or bag, and his accomplice tries to make a purchase using the other phone (think like Apple Pay) which emulates your card via NFC. The payment terminal reader has a real-time conversation with your card over the thief's makeshift phone-to-phone relay so it's able to authenticate each transaction using your real secret key as if your card was really there. The reason your bank likely caught on was because the number of transactions in quick succession ("velocity") and the impossible travel time between merchants, etc. flagged their fraud detection systems. The way this stuff works means there could be multiple accomplices attempting transactions as fast as they can whilst the window of opportunity is open (i.e. the thief is able to stay close enough to you to read your card).


Long story short, get an RFID proof wallet like the others suggested and be very wary of people who seem to want to hold their phone next to your bag/purse/wallet. If the BTP do follow up with you, if you do recall anyone following or standing closely (hard to tell on a London commute for sure), might be useful for CCTV.


Hope this explanation was interesting and maybe put your mind to rest a little about using the oyster readers - that part is pretty safe, generally speaking!


Jim
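
The two bank-side signals mentioned in the post above (transaction "velocity" and impossible travel between merchants), sketched as an added example that is not part of the original thread and not any bank's actual system. The thresholds, field names, coordinates and sample transactions are all constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

WINDOW = timedelta(minutes=60)   # assumed look-back window
MAX_ATTEMPTS = 3                 # assumed attempts allowed per window
MAX_SPEED_KMH = 150.0            # assumed ceiling on plausible travel speed

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def score(transactions):
    """Return (transaction, reasons) for every flagged attempt.
    Each transaction is a dict: ts, merchant, amount, loc ((lat, lon), or None if online)."""
    recent = deque()      # attempts still inside the sliding window
    last_present = None   # last card-present attempt, used for travel checks
    flagged = []
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        while recent and tx["ts"] - recent[0]["ts"] > WINDOW:
            recent.popleft()
        recent.append(tx)
        reasons = []
        if len(recent) > MAX_ATTEMPTS:
            reasons.append("velocity")
        if tx["loc"] and last_present:
            hours = (tx["ts"] - last_present["ts"]).total_seconds() / 3600
            dist = km_between(last_present["loc"], tx["loc"])
            if dist > 1 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                reasons.append("impossible_travel")
        if tx["loc"]:
            last_present = tx
        if reasons:
            flagged.append((tx, reasons))
    return flagged

# Constructed sample data: one genuine tap-in followed by a burst of attempts.
T0 = datetime(2024, 1, 8, 17, 30)
SAMPLE = [
    {"ts": T0, "merchant": "station gate", "amount": 2.80, "loc": (51.461, -0.080)},
    {"ts": T0 + timedelta(minutes=4), "merchant": "rail tickets", "amount": 180.0, "loc": (50.829, -0.141)},
    {"ts": T0 + timedelta(minutes=6), "merchant": "online clothing", "amount": 95.0, "loc": None},
    {"ts": T0 + timedelta(minutes=9), "merchant": "bill payment", "amount": 120.0, "loc": None},
    {"ts": T0 + timedelta(minutes=12), "merchant": "online clothing", "amount": 60.0, "loc": None},
]
```

Calling `score(SAMPLE)` flags the second attempt for impossible travel and the fourth and fifth for velocity; a real issuer would combine many more signals than these two.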


Pretty close - functionally, the maximum distance you might expect a phone-based reader to work is about 10cm at a push. Thankfully the design of NFC is such that the physics of any sort of long-range reader antenna would require it to be unconcealably large. It's pretty awkward to pull this off (although probably not much more than "traditional" pickpocketing) and is probably only really feasible at rush hour.


If you keep the bank card you use for contactless travel separate from other contactless cards, you might want to reconsider - the "card clash" problem TFL warn you about when tapping in would be pretty effective at stopping someone surreptitiously reading your card from outside your wallet.


Jim

