16

Can an android app read my credit card's NFC data, store it and then send this data to a contactless pay point (PayPass)? Thus I would use my Nexus to pay for my coffee, conveniently.

If yes, is there an app for this? If not, why not?

William C
  • 1,484
  • 6
  • 21
  • 28
  • 2
    Interesting question.. :) – iOS Apr 18 '12 at 19:15
  • Never thought of that question. What happens, if say, the data that "represents" the nfc data gets duplicated, or is that tied to the device id to generate an encryption key? (Have no idea as a lot of my handsets do not have NFC built in),Nonetheless, that's a good question :) +1 from me :) – t0mm13b Jun 28 '12 at 23:51

4 Answers4

16

No, you can't. To oversimplify - wireless payments (NFC, RFID chips on cards, etc) aren't a simple 'what's your card number' transaction (because that would be insecure beyond belief), they are more of a 'here, encrypt this block of data with your secret numbers and return it' type of thing.

The block of data to be encrypted changes for each transaction, and there's (supposed to be) no way to get the device to spit out it's secret numbers.

So you can't EASILY clone your cards onto your phone (if you could, then so could anyone else who walked near you).

That's not to say it can't be done at all (if, perhaps, you found a flaw in the way the crypto works, you could perhaps deduce the secret numbers of a device), but it's not something you're going be buying an app for.

Michael Kohne
  • 1,798
  • 15
  • 24
  • 1
    Just on a side note up until 2008(ish, in the UK) transactions did used be a 'what's your card number' type and it was possible to clone chip cards. The clones only worked when the point of sale terminal didn't contact the bank to authenticate the card though. – Peanut May 04 '12 at 09:21
  • I'm not fully up to date, but the last I heard (last year sometime) there are still issues with chip-and-pin due to the specified fallback behavior of the terminals - if they can't talk to the chip, they fall back to older behaviors, which some attackers may have exploited. That's a rather nasty spec-level bug, unfortunately. – Michael Kohne May 04 '12 at 12:33
  • Yeah if the chip is damaged then the terminal will ask for a mag stripe transaction still, even in the UK where we haven't had them for years. It could be got rid of completely but the banks don't seem to mind the small levels of fraud this could cause. – Peanut May 04 '12 at 14:52
  • But What about normal RFID/NFC cards, like keys for doors? can they be copied and used from the phone? – Midhat Dec 01 '12 at 17:46
  • @Midhat - if it's intended for security, then you aren't going to be able to easily clone it (unless the vendor was a complete bunch of morons). Normally devices that are used for security are NOT just 'here's my number' kinds of things - they have some info internally, and when the reader asks, they do something and return an answer, so as to avoid just this problem. That's not to say that it's 100% foolproof, but you're not going to just sit it near your phone and clone it. – Michael Kohne Dec 01 '12 at 19:35
6

The NFC hardware in the Nexus S and the Galaxy Nexus is technically capable of emulating an NFC tag such as a contactless credit card. This is exactly how Google Wallet works. However, cloning an existing card is not possible, due to how the authentication process between card and payment terminal works (based on secret cryptographic keys). So the simplest way to accomplish what you want is to install Google Wallet on the phone (it comes pre-installed on the Nexus S 4G, there are various tutorials available on the web for plain Nexus S and Galaxy Nexus) and load up some money in a Google prepaid card and off you go to have a coffee.

NFC guy
  • 298
  • 2
  • 6
  • 1
    Any alternatives for non-US folks out there? Google Wallet is not available and Android Pay isn't working if rooted and whatnot. – kiradotee Aug 29 '16 at 11:30
4

While the other two answers are basically correct (you cannot create full clones of current contactless credit cards), there are attack scenarios that permit creating limited clones of EMV-based contactless credit cards. This paper, for instance, describes a method to clone MasterCard PayPass cards by abusing a vulnerability caused by the backwards-compatibility of PayPass cards with a (cryptographically) weak protocol and insufficient checking of transactions at the card issuer side. Similarly, this paper describes how to abuse specific weakness of payment terminals to create limited copies of EMV-based credit cards.

In combination with the new host-based card emulation (HCE) feature of Android 4.4 (or the host-based card emulation functionality of CyanogenMod 9.1 and later), you can emulate a pre-played credit card with your phone. However, you have to keep in mind that both cloning methods are attack scenarios and can lead you into serious legal issues ;-) Moreover, at least the first attack will quickly render your original credit card unusable due to draining the transaction counter.

Michael Roland
  • 348
  • 4
  • 12
-1

Yes you can, using NFC Proxy on 2 units of NFC enabled phone - one as proxy and the other as server. this application is / was mainly for security researcher to audit and test near-field applications that uses rfid, mifare, etc. as an open source project, i see some progresses made by the community and the developers do maintain the project and update the wiki to keep up with current technology or application trends. i am still currently playing around with this and use my nexus s for exploring the potential, reliability and vulnarabilities in daily applications such as hotel cards or to trigger automation.

however, if you are plan to use your debit/credit card, loyalty/membership or even ez-pass (for toll/subway/bus) cards on your nexus S, applications such as google wallet, square wallet and isis (to name a few) should suffice. ive used paypal, google wallet and square wallet for both making and receive payment. when properly configured, linked and verified these applications have the potential to substitute the content of your wallet. it is edgy, modern and powerful but with great power comes great responsibility because these fancy-schmancy stuff will create soft spot or weak chain on your security and privacy.

let me know if you too are interested in using your nexus S as a playset. it is such an interesting piece of hardware between nfc, obd and sdr there is always new thing to discover with this old device.

harayz
  • 101
  • 2
  • 2
    Could you explain more how to use this app to achieve OP's request? Providing only an app without any steps is discouraged since users may not know how to use it (and might damage their device). Also, I read that you need to use CyanogenMod for this to work. – Andrew T. Apr 13 '15 at 07:25
  • not anymore - you can now use other roms. – harayz Apr 20 '15 at 00:54