Hacking RFID Payment Cards Now Possible with Android App

Use of RFID-based smart cards has grown popular with the introduction of NFC in our smartphones. With Apple also embracing it, the technology is set to make a revolutionary boom. And as with every popular technology, hacks and attacks against RFID cards have now begun to surface. Researchers at TrendMicro Labs have discovered that hacking RFID-based payment cards is possible through an Android app.

Android App as the medium

Trend researchers have discovered a high-risk Android app, detected as ANDROIDOS_STIP.A, in Chile. This app is used to recharge smart cards that use RFID and is being spread via blogs, forums and other sites. Paying via RFID cards is becoming more popular as more mobile devices add NFC support. Banks, merchants and public services issue RFID cards to their customers with prepaid credits. The Apple Pay service has only added to the momentum of NFC-based payments.

How was the tool's author able to rewrite the card's information despite not having the correct authentication keys? This is because these cards are based on an older version of the MIFARE series of cards (MIFARE Classic), which is known to have multiple security problems. (MIFARE refers to a family of chips widely used in contactless smart cards and proximity cards.) An attacker is able to clone or modify a MIFARE Classic card in under 10 seconds, and the equipment (such as the Proxmark3), together with any needed support, is sold online. Trend Micro researchers cite the recent hacking of BIP as an example.

Manufacturer and memory content of a MIFARE Classic card


After inspecting the app, Trend researchers found that it could read and write to the smart cards through any phone equipped with NFC. This particular app can rewrite data on the card, for example increasing the balance left on it to 10,000 Chilean pesos (approximately 15 US dollars). This works only on these specific cards, however, because of format restrictions. Using tools available in abundance, the attacker managed to crack the authentication of the cards. Once that was done, the card was cloned and the data on it rewritten through the Android app.
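Because the balance lives on the card, a rewritten value can still be caught in the back office. The sketch below is an added example, not code from Trend Micro or the original article; it assumes validators report the balance they read from the card and that authorised top-ups are logged server-side, and all event fields and card IDs are constructed.

```python
"""Back-office check for rewritten stored-value balances (added example).

Assumptions: each validator tap reports the balance it read from the card,
and authorised top-ups are logged server-side. All data is constructed.
"""
from collections import defaultdict

# Constructed events in arrival order:
# (card_id, kind, amount_clp, balance_read_from_card_before_event)
EVENTS = [
    ("card-A", "topup", 2000, 0),
    ("card-A", "fare", 700, 2000),
    ("card-A", "fare", 700, 1300),
    ("card-B", "topup", 1000, 0),
    ("card-B", "fare", 700, 1000),
    ("card-B", "fare", 700, 10000),  # card reports more than the ledger allows
    ("card-C", "fare", 700, 10000),  # no authorised top-up on record at all
]


def reconcile(events):
    """Replay events against a server-side ledger and return tamper alerts."""
    ledger = defaultdict(int)  # card_id -> balance the back office expects
    alerts = []
    for card_id, kind, amount, card_balance in events:
        expected = ledger[card_id]
        # A card can legitimately read lower than the ledger (e.g. an offline
        # validator has not uploaded yet), but never higher.
        if card_balance > expected:
            alerts.append({
                "card": card_id,
                "expected": expected,
                "reported": card_balance,
                "excess": card_balance - expected,
            })
        # The ledger stays authoritative; the card's own value is never adopted.
        if kind == "topup":
            ledger[card_id] = expected + amount
        elif kind == "fare":
            ledger[card_id] = max(expected - amount, 0)
    return alerts


if __name__ == "__main__":
    for alert in reconcile(EVENTS):
        print(alert)
```

Cards that raise an alert can then be placed on a validator blocklist or replaced with a card type that has not been discontinued.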


Other successful attacks

Attacks on other kinds of MIFARE cards (specifically, MIFARE DESFire and MIFARE Ultralight) are known to exist. The researchers stated that there were at least three vulnerable cards: a social security card with banking service, a payment card for transportation and shopping, and a dining card. The social security card has approximately seven million users. The dining card uses MIFARE Classic, which is known to be easy to manipulate. The other two use MIFARE DESFire, which is vulnerable to side-channel attacks. The cryptosystems in these cards can leak information, leading to the full keys leaking out in around 7 hours. Once the keys have been leaked, the card can be manipulated to any extent according to the attacker's wishes.

These cards were discontinued a long time ago because of the risks mentioned. But it looks like some organizations have preferred to keep using the older cards, thus putting their customers at risk.

Source: TrendMicro Labs