RFID security is a joke – or how I “paid” Amazon with a wristband

bPay bands

So a few days ago I heard that Barclays Bank were giving away their new product for contactless RFID payments – the so-called bPay wristband. Knowing that NFC-enabled chips for payment or otherwise are pretty unsecured, I decided that I would like to play with the new band and I ordered one. It was pretty easy to do and you don’t even need to be a Barclays customer or to provide them with real personal information for that matter.

The main goal of these bands is to be used as a replacement for your wallet during festivals – the idea being that you pay for alcohol, but you don’t bring your wallet, which you are prone to lose after you get wasted. Sounds great in theory, I guess, but never mind that now; discussing how unsecured and ridiculous contactless chips (for payment and in general) are may be a topic for another post. Barclays have already been called out for their unsecured chips, but to be fair they didn’t quite deserve to take the bad press – every NFC-enabled card is the same.

I received my wristband in the post and for some reason I decided to act as a user first and “woke up” the band on the website – this basically ties the chip number to your account so you can top up money, I guess. I decided not to top up right now, but to dig out the chip, examine it and see what I’ve got.

bPay band chip

I wasn’t too surprised to find that the fancy bPay wristband was nothing more than a pre-paid MasterCard, save the magnetic stripe and all the extra plastic – just in a form factor that you can wear.

I was originally planning to play with the wristband by cloning it on my phone and replaying the signature on a POS terminal – testing how unsafe these are and how I could buy drinks on you after shaking your hand in Hyde Park. Maybe just for fun I was going to replay it remotely via proxy – we’ve had that technology in the public domain for some time now, but it’s cool to see it in action. However, upon noticing the MasterCard logo it struck me – this little thing must have a card number. After all, these wristbands aren’t actually a new payment product, but just a mini card with NFC.

So instead of doing the obvious contactless shenanigans I could try to buy something online with this…

The first step is to find out what the card details of this thing actually are. You can do this with your phone and an app that can read NFC. I’m not going to put any links here, but you can do a simple search and find what I’m talking about.

I already know, from reading previous research, that all “tap and go” payment chips contain pretty much everything that would be printed on your card and encoded in the magnetic stripe, with the exception of the CVV number, usually seen on the back of the card. I scan the plastic with my phone and surprise, surprise – we have a number and an expiry date. Obviously, these mass-produced cards don’t hold name, address or other personal information, which is why you have to “wake them up” online in your account.

But that shouldn’t stop us – not having CVV or any money on the card doesn’t mean that we can’t prove that it can be used online. There are some merchants that don’t check your address and don’t even require a CVV. Notable examples? Amazon.
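The merchant side of this is worth spelling out, because it is the merchant's card-on-file policy, not the chip, that decides whether a number and expiry date alone are enough. The following is an added example (not code from this post, from Barclays, or from any payment processor): it models the result flags an issuer returns for the CVV2 and address (AVS) checks during a zero-value account verification, and contrasts a weak "approved is enough" policy, which is the behaviour described above, with one that refuses to store the card unless the CVV was submitted and matched. The single-letter result codes, the `AuthResponse` shape and both sample responses are assumptions constructed for the example; map them to whatever your processor actually documents.

```python
from dataclasses import dataclass
from enum import Enum


class CvvResult(Enum):
    """Issuer's verdict on the CVV2/CVC2 the merchant submitted (assumed codes)."""
    MATCH = "M"          # code submitted and matched
    NO_MATCH = "N"       # code submitted but wrong
    NOT_PROCESSED = "P"  # merchant sent no code, or the issuer skipped the check
    UNAVAILABLE = "U"    # issuer does not support the check


class AvsResult(Enum):
    """Address Verification Service verdict on the billing address (assumed codes)."""
    FULL_MATCH = "Y"     # street and postcode both matched
    POSTCODE_ONLY = "Z"  # postcode matched, street did not
    NO_MATCH = "N"       # neither matched
    UNAVAILABLE = "U"    # issuer holds no address, e.g. an anonymous prepaid card


@dataclass(frozen=True)
class AuthResponse:
    """What a zero-value 'account verification' authorisation came back with."""
    approved: bool
    cvv: CvvResult
    avs: AvsResult


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def weak_add_card_policy(resp: AuthResponse) -> Decision:
    """Policy the post describes: any approved authorisation is enough, so a
    card number and expiry date read from a chip get stored on the account."""
    if resp.approved:
        return Decision(True, "issuer approved")
    return Decision(False, "issuer declined")


def hardened_add_card_policy(resp: AuthResponse, require_address: bool = True) -> Decision:
    """Refuse to store a card unless the CVV was submitted and matched and,
    optionally, the billing address verified. Chip-read details alone fail
    here because the contactless interface does not carry the CVV."""
    if not resp.approved:
        return Decision(False, "issuer declined")
    if resp.cvv is not CvvResult.MATCH:
        return Decision(False, f"cvv check not satisfied ({resp.cvv.name})")
    if require_address and resp.avs not in (AvsResult.FULL_MATCH, AvsResult.POSTCODE_ONLY):
        return Decision(False, f"address check not satisfied ({resp.avs.name})")
    return Decision(True, "cvv and address verified")


# Constructed sample: number and expiry only, no CVV, made-up cardholder name.
CHIP_ONLY_ATTEMPT = AuthResponse(approved=True, cvv=CvvResult.NOT_PROCESSED, avs=AvsResult.UNAVAILABLE)
# Constructed sample: genuine cardholder entering the full details from the card.
GENUINE_ATTEMPT = AuthResponse(approved=True, cvv=CvvResult.MATCH, avs=AvsResult.FULL_MATCH)

if __name__ == "__main__":
    for label, resp in (("chip-read details", CHIP_ONLY_ATTEMPT), ("full details", GENUINE_ATTEMPT)):
        print(f"{label}: weak -> {weak_add_card_policy(resp)}; hardened -> {hardened_add_card_policy(resp)}")
```

The `require_address` switch is there because a merchant that sells only digital goods may reasonably skip AVS, but there is no comparable reason to skip the CVV check for a new card-on-file: it is the one data element that is neither printed in the chip's contactless data nor recoverable from a skimmed stripe, which is exactly why the wristband's details alone should not have been enough.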

After quickly logging in to my account and heading over to the ‘Manage Payment Methods’ section, I find that Amazon is in fact pretty happy with me entering the details of my wristband as a new card and even using a complete nonsense name just to top it all off. Feeling pretty accomplished at this point, I wonder: can you actually complete a transaction using this thing? Because I’m not about to top up the minimum amount of £25 in the middle of the night just to do a silly test, I think: what requires a valid payment method, but doesn’t immediately cost any money? The answer? Audible. I had downloaded the app from an ad in Bacon Reader a few days ago as my way of saying “thank you” to the awesome developers who maintain it. Figured I was going to try the service when I got around to it… Now, the perfect time to start my trial, I click the confirmation button with bPay as my selected payment method and voilà – “Thank you for shopping at Audible”!

Amazon is happy and I have my trial – if I don’t want to continue I’ll cancel and they’ll be none the wiser. Of course I ought to change my payment method if I want to keep the service, because otherwise any request for funds will surely be denied with my modest balance of £0. Obviously if you top up your card you’ll be able to make actual purchases online. The Audible trial was simply a proof of concept using an empty account.

TL;DR: bPay bands are in fact MasterCard(s). They are unsecured. You can use them online and register for an Audible trial by reading their card details with your phone.

TransferWise – the best way of sending money abroad

Moving money around the globe? Need to transfer funds abroad to an account in a different currency? Forget banks. They will have a tough time competing with TransferWise which is the innovative solution addressing these needs.

Instead of paying your bank(s) hefty transfer fees, only to find out that they are also ripping you off with their hefty exchange rates, you should check out TransferWise. The company, co-founded by an ex-Skype employee and backed by PayPal founder Max Levchin and Richard Branson, among others, has a pretty unique value proposition.

They only charge you 0.5% for the transfer and use the central exchange rates. Combine more good news with some shameless promotion and you get your first transfer free if you sign up through my link above.

TransferWise sample saving vs banks

good, substantial curses

… and as they worked, they cursed us – not with a common cursory curse, but with long, carefully-thought-out, comprehensive curses, that embraced the whole of our career, and went away into the distant future, and included all our relations, and covered everything connected with us – good, substantial curses.

Jerome K. Jerome: Three Men in a Boat

Cloud servers are becoming the best dev learning tools of today

Warning: this post may get fairly technical and borderline cloud-evangelical, so proceed with caution.

There was an age in computer history when “servers” really only consisted of mainframes, people took turns to access them and virtually nobody owned a personal computer. It was a very different time – almost hard to imagine now, especially for younger generations.

Jump forward some 20 years – Linux is born, its success fuelling an open-source culture that is going to empower the world. Slowly, but surely the personal computer is picking up speed (no pun intended) and the internet grows bigger and bigger.

But where is the average tech enthusiast or, say, developer during these years? You know, the one who wants to learn about computers and the internet; who wants to use them to create, to make something new. Well, being self-taught or majoring in computer science, people are doing just that, learning and creating. But they are missing access to a critical element of the internet – servers. If you want to run a server and learn all about this separate universe of computing, to learn how to bring your awesome apps and services to the world, you are stuck with some pretty limiting options… You have to be able and willing to pay for a blade (your own or rented) or at the very least you have to have a second PC to repurpose and play with. The obvious choice for learning, fiddling around with servers, different operating systems and applications, etc. is to use your old computer. Sure, it’s pretty slow, but you probably aren’t going to use a GUI OS anyway, so you proceed… Now you’re getting into Linux; you’ve installed some nice things, you’ve made some cool stuff and you want to share the results with your friends or you just want to be able to access it from work. You now have to deal with networking issues like port forwarding and firewalls, and so on. You realize that if your friend is going to be testing the new service at their leisure, or if you want to do a small public beta, you have to keep the machine on 24/7. Well, that’s inconvenient – and what if the power goes out? Your home UPS can’t handle the extra load. Or what if the internet is interrupted, or if its performance suffers while you use it for other stuff? After all, the connection wasn’t all that suitable, even if you’re just pushing your weekend project through the home pipes. You deal with these problems, because there is no better way at this point.

Skip to present times – the cloud era. Virtualization is everywhere – on your PC and on the bare metal at the data center. Oracle’s VirtualBox gives you the ability to have as many virtual machines on your laptop as you wish at zero cost. Companies like Amazon, Linode and DigitalOcean are taking the cloud computing world by storm with their innovative offers, while there are many others who offer cheaper and cheaper VPS services. Today you can get a 512MB RAM, 1TB/month transfer, 20GB SSD “droplet” from DigitalOcean, which is only going to cost you $5/month. Compare that to anything else we had before. I mean, seriously, can you even pay the electricity of your old PC for that kind of money? In fact, after you’ve learned the very basics of a particular OS locally in VirtualBox, I don’t see a reason why you wouldn’t just work in the cloud. Amazon’s AWS micro instance is free for the first year and with the price of DigitalOcean there isn’t anything to think about, really. You can learn in a production environment and reimage the server as often as you want. You can make fatal mistakes and revert them in seconds. No flash drives, ISOs or CDs needed – no risk and no pain involved. You won’t be dealing with home routers or local hostnames, etc. – you can learn how to set up a server by doing it for real-real. But now, whoever has stuck reading for this long is going to say that you don’t actually need to be in the cloud to learn all these things – you can do everything locally and open your ports and show your setup to the world. Correct, but leaving aside the 24/7 availability and the independent bandwidth, let’s consider the following scenario:

I’m a Computer Science student, living on campus in my college or university and I have a module covering web development with PHP, databases and some JavaScript. In order to be able to do my exercises and assignments on my laptop, my teacher has suggested I download XAMPP and start coding. This is an excellent solution, because I don’t need anything more to complete the module and I can take my laptop anywhere and work on my stuff. Yes, but why shouldn’t I expose myself to the world of running an actual LAMP stack on, say, CentOS or Debian? I hear Ubuntu Server is pretty cool – wonder how that works… After all, if I go on to work for a company or if I create my own app or even personal website, I won’t be using XAMPP.

Fictional student

Why not get the full experience of the complete stack and feel confident that you’re ahead of the game? Then send your friends and family a link to brag about your 1337 XP.
Also, consider this – how much easier it is to just be able to reimage your server with a different distro or just do a 1-click install of LAMP, Docker or WordPress – all things that DigitalOcean can do, btw. With the service you can set up local networking, backups and you can take snapshots of your system which you can restore later.
You have a perfectly-functioning setup, but are curious to see the new features in the nightly build of the software you’re using? No problem; take a snapshot, update and revert back once you’ve satisfied your curiosity. You don’t need to worry about complicated downgrade procedures, uninstalling or you name it – just travel back in time.

Another situation may be if you’re learning about networking and VPNs, for example. You’ve set up your test server at home and you forwarded the ports on your router – good job, it works! Now you go work for your client and you realise that you have to do a bunch of things in iptables to secure the service – things your home setup never prompted you to think about before. I’m sure I can go on with these examples forever, but this has already turned out to be quite long… you get the point 🙂

TL;DR: Nowadays we have cloud computing & virtualization, which makes it extremely cheap & easy to learn server, coding & development skills straight in a production environment. Using the cloud is easier than playing around at home and you learn skills that are more applicable to the workplace and the real world.