[access-uk] Re: Contactless payment cards (was Accessible bank card)

  • From: Shaun O'Connor <capricorn8159@xxxxxxxxx>
  • To: access-uk@xxxxxxxxxxxxx
  • Date: Mon, 06 Apr 2015 22:38:48 +0100

Good to know the source is available on GitHub. At least any
modification will be picked up pretty smartish. Probably a good thing
too that the code isn't encoded into the NFC module on the card, so one
has to assume an alternative verification method is in place.

Hmm, maybe I'll have a gander at the source code later. (smile)

On 06/04/2015 19:59, lsmithso@xxxxxxxxxxxxxxxx wrote:

Assuming you're referring to the Android app.

The source code is available on GitHub. However, if you're paranoid you
won't believe that the source code matches the downloaded app.

Apps can only access the Internet if they are given express permission
to do so when they are installed. If you are truly paranoid you will
probably just plain disbelieve this.

If you are really truly paranoid, then the lack of proof that it isn't
sending your card details will count as proof that it is.

I've read from independent sources that the CVV is not encoded on the
card, either on the magnetic strip, or on the chip. I'm surprised that
the card holder's name isn't available though.

Shaun O'Connor writes:
> Had a look myself. My only concern is that, without access to the source
> code of the app, there is no way of knowing if the information is being
> transmitted elsewhere. Also, even though security information (for
> example the three digit code) is not visible on your device, it doesn't
> necessarily mean the data isn't (a) being read and (b) being transmitted
> to a party other than an authorized party.
> My thinking is, and has always been, if it's too convenient you are
> sacrificing something in return and not always with your explicit consent.
> On 06/04/2015 14:47, lsmithso@xxxxxxxxxxxxxxxx wrote:
> > Hi: A while ago there was a conversation on here about the
> > accessibility and security of contactless payment cards. I received
> > mine a few weeks ago, and finally got around to testing if I could
> > read it with a smart phone.
> >
> > The answer is yes. I can read the card number, the expiry date, card
> > type, the card issuer and the number of PIN attempts left, and that
> > was that. The card holder's name and the CVV cryptogram are not
> > readable.
> >
> > The card has to be held within 1cm of the back of the phone for about
> > 0.5 seconds for it to be read. It could be reliably read when inside
> > my wallet, in my trouser pocket. Wrapping the card in a single
> > thickness of cooking foil completely prevented the card from being
> > read.
> >
> > Given that less information is exposed by NFC than is available from a
> > casual glance of the card, and that any eavesdropper would have to get
> > pretty touchy feely to be able to scan my card without my knowledge,
> > then I'm pretty relaxed about having this card in my wallet. I feel
> > no more vulnerable than if I used a non-contactless card.
> >
> > App details:
> > Banking card reader NFC (EMV)
> >
> >
> > Android Nexus 5.
> >
> --

