This USB firmware vulnerability allows completely undetectable malware to be installed. It can spread from PC to device and vice versa.
So a few days ago I heard that Barclays Bank were giving away their new product for contactless RFID payments – the so called bPay wristband. Knowing that NFC-enabled chips for payment or otherwise are pretty unsecured, I decided that I would like to play with the new band and I ordered one. It was pretty easy to do and you don’t even need to be a Barclays customer or to provide them with real personal information for that matter.
The main goal of these bands is to be used as a replacement for your wallet during festivals – the idea being that you pay
for alcohol, but you don’t bring your wallet, which you are prone to lose after you get wasted. Sounds great in theory, I guess, but never mind that now; discussing how unsecured and ridiculous contactless chips for payment and in general are, may be a topic for another post. Barclays have already been called out for their unsecured chips, but to be fair they didn’t quite deserve to take the bad press – every NFC-enabled card is the same.
I received my wristband in the post and for some reason I decided to act as a user first and “woke up” the band on the website – this basically ties the chip number with your account so you can top up money, I guess. I decided not to top up right now, but to dig out the chip, examine it and see what I’ve got.
I wasn’t too surprised to find that the fancy bPay wristband was nothing more than a pre-paid MasterCard, save the magnetic strip and all the extra plastic – just in a form factor that you can wear.
I was originally planning to play with the wristband by cloning it on my phone and replaying the signature on a POS terminal – testing how unsafe these are and how I could buy drinks on you after shaking your hand in Hyde Park. Maybe just for fun I was going to replay it remotely via proxy – we’ve had that technology in the public domain for some time now, but it’s cool to see it in action. However, upon noticing the MasterCard logo it struck me – this little thing must have a card number. After all, these wristbands aren’t actually a new payment product, but just a mini card with NFC.
So instead of doing the obvious contactles shenanigans I could try to buy something online with this…
First step is to find out what the card details of this thing actually are. You can do this with your phone and an app that can read NFC. I’m not going to put any links here, but you can do a simple search and find what I’m talking about.
I already know, from reading previous research, that all “tap and go” payment chips contain pretty much everything that would be printed on your card and encoded in the magnetic strip, with the exception of the CVV number, usually seen on the back of the card. I scan the plastic with my phone and surprise, surprise – we have a number and an expiry date. Obviously, these mass-produced cards don’t hold name, address or other personal information, hence why you have to “wake them up” online in your account.
But that shouldn’t stop us – not having CVV or any money on the card doesn’t mean that we can’t prove that it can be used online. There are some merchants that don’t check your address and don’t even require a CVV. Notable examples? Amazon.
After quickly logging in to my account and heading over to the ‘Manage Payment Methods’ section, I find that Amazon is in fact pretty happy with me entering the details of my wristband as a new card and even using a complete nonsense name just to top it all off. Feeling pretty accomplished at this point, I wonder: can you actually complete a transaction using this thing? Because I’m not about to top up the minimum amount of £25 in the middle of the night just to do a silly test, I think: what requires a valid payment method, but doesn’t immediately cost any money? The answer? Audible. I had downloaded the app from an ad in Bacon Reader a few days ago as my way of saying “thank you” to the awesome developers who maintain it. Figured I was going to try the service when I got around to it… Now, the perfect time to start my trial, I click the confirmation button with bPay as my selected payment method and voilà – “Thank you for shopping at Audible”!
Amazon is happy and I have my trial – if I don’t want to continue I’ll cancel and they’ll be none the wiser. Of course I ought to change my payment method if I want to keep the service, because otherwise any request for funds will surely be denied with my modest balance of £0. Obviously if you top up your card you’ll be able to make actual purchases online. The Audible trial was simply a proof of concept using an empty account.