I have recently resorted to touching in/out with my debit card at ED Station since letting my travel card expire.


I never usually have my card out of the wallet and haven't used a cash machine for weeks, but this evening found that, over the course of less than an hour, hundreds of pounds of transactions were attempted on my account.


Payments were attempted to Southern Trains, boohoo.com and billpay. I think my card details must've been captured on my commute, either by someone taking a snap of it as I put it on the reader or perhaps by a device on the reader itself.


Wanted to warn people and wondered if anyone had a similar experience. I will be topping up and using an Oyster tomorrow and checking the readers.


Thanks to the very clever software at my bank all transactions were stopped.

Most likely your card was captured (as you think) during your swipe-in, but by a hand-held device close to, but not on, the Oyster reader itself. As more people carry cards in shielded wallets (or with an RFID interference device) it is only when they are exposed to readers for contactless payments that they are vulnerable. A busy station is a good place to capture card details like this. Oyster cards themselves cannot be used for payments other than travel, but credit and debit cards are far more vulnerable. Although such a facility (contactless credit card transactions) is a real boon to the honest person, it may be even more so to the dishonest! It is very unlikely to have been photographed - most people cover their cards naturally in the way they hold them on Oyster readers, or keep them in slim wallets, so that photographs would mainly not be of use. For other types of contactless payment photography might be more useful, as you present your card face up often to do it.


Were there to be CCTV in the station it might be possible to see someone lurking by the gates capturing details on a concealed device, but I doubt whether 'law enforcement' (and I use that phrase quite wrongly) could be bothered to look.

Unlikely to be a photograph, as a scammer would need both sides to get your security number as well. Card skimmers on Oyster machines are not uncommon, be good if you could text British Transport Police on 61016 or call on 0800 405040 to let them know - doubt they can do anything to catch the miscreants but they will go and check the card readers.

Thanks both. Whatever they're doing, it's pretty clever, as they were able to start transacting very quickly and for much more than the contactless limit.


I had a quick look at the touch-in scanners London-bound and they looked in order. I would love to ask to see CCTV but there's never anyone there.


The southern trains transaction indicates their proximity, too coincidental.

If there was an illicit card reader associated with the gate reader then the person stealing the card details would still have had to be quite close - these illicit readers must communicate using low-range technology to a data store. So the 'perp' should be identifiable from CCTV. Once the details are stolen then they are fully available - the card transaction limits on contactless are associated with the card-reader software, not the card itself (which is why the limit can be so easily raised, as it was from £20 to £30 recently as I recall). If the RFID data is stolen, then it can be used without limit (other than any total spend limit associated with the card itself).


Luckily security algorithms seem quite good (with some card issuers) to pick up rogue usage - although the recent VISA failure allowed multiple deductions to be recorded for the same attempted transaction - i.e. when the card apparently failed and it was re-presented for payment.

TfL directed me to BTP, then on to a premium-rate text number via which I have reported it. I originally posted to warn people and see if they had a similar experience which might confirm my suspicion it happened on the network somewhere. Obviously I can't be 100% sure, which is likely to be the response from BTP, I fear.


PS. I can only get CCTV once the crime is reported, so maybe I'll get to see that before they tape over or whatever they do these days.

Sorry to hear you might have been the victim of electronic pickpocketing - it's certainly possible but perhaps not quite like the others have suggested here.


Contactless cards contain secret information that can't be cloned (secret keys unique to the card) that, when combined with one-time per-transaction information from the card reader, securely authenticates your card as being present. Things like your card number and expiry can be cloned via contactless, but that's not enough to make a transaction these days. The passive cloning attacks Penguin68 described are sort-of possible against contactless cards (in limited circumstances where shoddy implementations of backwards compatibility features can be used to downgrade the security to old-fashioned mag-stripe levels), but they aren't very common.


The most likely way you were virtually pickpocketed was via a relay attack. All the thief needs is a partner in crime near a shop/payment terminal and two hacked Android phones running NFC relay software. The thief stands next to you on the platform or train, close enough to read your card through your wallet or bag, and his accomplice tries to make a purchase using the other phone (think like Apple Pay) which emulates your card via NFC. The payment terminal reader has a real-time conversation with your card over the thief's makeshift phone-to-phone relay, so it's able to authenticate each transaction using your real secret key as if your card was really there. The reason your bank likely caught on was because the number of transactions in quick succession ("velocity") and the impossible travel time between merchants, etc., flagged their fraud detection systems. The way this stuff works means there could be multiple accomplices attempting transactions as fast as they can whilst the window of opportunity is open (i.e. the thief is able to stay close enough to you to read your card).


Long story short, get an RFID-proof wallet like the others suggested and be very wary of people who seem to want to hold their phone next to your bag/purse/wallet. If the BTP do follow up with you and you do recall anyone following or standing closely (hard to tell on a London commute, for sure), it might be useful for CCTV.


Hope this explanation was interesting and maybe put your mind to rest a little about using the Oyster readers - that part is pretty safe, generally speaking!


Jim
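The two attacks Jim contrasts above, as an added simulation that is not code from the original thread: a terminal issues a fresh random challenge, the genuine card answers it with a keyed MAC over the challenge and amount (a stand-in for an EMV cryptogram; the real scheme differs in detail), and the issuer checks that MAC with its copy of the card key. A "clone" that only holds the static record readable over NFC (PAN and expiry) cannot answer, while a relay that forwards each challenge to the real card in the victim's pocket passes, and only a velocity rule at the issuer stops the run. Everything here is constructed: the PAN, the issuer's three-transactions-in-ten-minutes rule, and the class names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta


class Card:
    """Constructed model of a contactless card: the key never leaves the chip."""

    def __init__(self, pan, expiry, key):
        self.pan, self.expiry = pan, expiry
        self._key = key  # only ever used inside generate_cryptogram

    def public_record(self):
        # Static data a passive NFC reader can harvest: enough to copy, not enough to pay.
        return {"pan": self.pan, "expiry": self.expiry}

    def generate_cryptogram(self, unpredictable_number, amount_pence):
        # Keyed MAC over the terminal's fresh challenge and the amount (stand-in for an EMV ARQC).
        msg = unpredictable_number + amount_pence.to_bytes(4, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:8]


class ClonedCard:
    """Static copy of the harvested record. Without the key it can only guess the cryptogram."""

    def __init__(self, record):
        self.record = record

    def public_record(self):
        return self.record

    def generate_cryptogram(self, unpredictable_number, amount_pence):
        return os.urandom(8)  # correct with probability 2**-64


class RelayedCard:
    """Accomplice's phone at the till: forwards every terminal message to the real card."""

    def __init__(self, victim_card):
        self.victim_card = victim_card  # in reality reached over the thieves' phone-to-phone link

    def public_record(self):
        return self.victim_card.public_record()

    def generate_cryptogram(self, unpredictable_number, amount_pence):
        # The challenge is fresh, so the only way to answer is to ask the real card, live.
        return self.victim_card.generate_cryptogram(unpredictable_number, amount_pence)


class Issuer:
    """The bank: a copy of each card key plus a short per-card history for velocity checks."""

    MAX_TX_PER_WINDOW = 3  # assumed threshold for the example
    WINDOW = timedelta(minutes=10)

    def __init__(self):
        self.keys, self.history = {}, {}

    def register(self, card):
        self.keys[card.pan] = card._key

    def authorise(self, pan, unpredictable_number, amount_pence, cryptogram, merchant, when):
        key = self.keys.get(pan)
        if key is None:
            return "DECLINED_UNKNOWN_CARD"
        msg = unpredictable_number + amount_pence.to_bytes(4, "big")
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED_BAD_CRYPTOGRAM"  # what a static clone gets
        recent = [t for t, _ in self.history.get(pan, []) if when - t <= self.WINDOW]
        if len(recent) >= self.MAX_TX_PER_WINDOW:
            return "DECLINED_VELOCITY"  # what eventually stops a relay run
        self.history.setdefault(pan, []).append((when, merchant))
        return "APPROVED"


class Terminal:
    def __init__(self, issuer, merchant):
        self.issuer, self.merchant = issuer, merchant

    def pay(self, presented, amount_pence, when):
        # 'presented' is whatever sits in the NFC field: the real card, a clone or a relay.
        unpredictable_number = os.urandom(4)  # fresh each time, so old answers cannot be replayed
        record = presented.public_record()
        cryptogram = presented.generate_cryptogram(unpredictable_number, amount_pence)
        return self.issuer.authorise(record["pan"], unpredictable_number, amount_pence,
                                     cryptogram, self.merchant, when)


def run_scenario():
    issuer = Issuer()
    victim = Card("4111111111111111", "12/27", os.urandom(16))  # constructed test PAN and key
    issuer.register(victim)
    till = Terminal(issuer, "boohoo.com")
    t0 = datetime(2018, 6, 5, 18, 0)  # constructed timestamp
    results = {"genuine": till.pay(victim, 1500, t0)}
    results["clone"] = till.pay(ClonedCard(victim.public_record()), 1500, t0 + timedelta(minutes=1))
    relay = RelayedCard(victim)
    results["relay"] = [till.pay(relay, 4999, t0 + timedelta(minutes=2 + i)) for i in range(3)]
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The contactless spending limit is deliberately not modelled: as the thread notes, it is enforced by terminal software, and the relayed phone is presented as a card, so nothing in the cryptographic exchange caps the amount. Only the issuer's own history (here a simple count per window; real systems also look at merchant distance and timing) ends the run.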

Pretty close - functionally, the maximum distance you might expect a phone-based reader to work is about 10cm at a push. Thankfully the design of NFC is such that the physics of any sort of long-range reader antenna would require it to be unconcealably large. It's pretty awkward to pull this off (although probably not much more than "traditional" pickpocketing) and is probably only really feasible at rush hour.


If you keep the bank card you use for contactless travel separate from other contactless cards, you might want to reconsider - the "card clash" problem TFL warn you about when tapping in would be pretty effective at stopping someone surreptitiously reading your card from outside your wallet.


Jim
