Merry Christmas, I have your credit card!

Thoughts By 6 years ago

The recently released Samsung Galaxy Nexus has brought Near Field Communication (NFC) to the mainstream. Simply pass a PayWave or other touch-based credit card behind the phone with a good reader app installed and voila, you have credit card data.

We used NFC Taginfo.

Stay tuned: we are not exactly sure what all this data means yet, but it will be interesting to see if we can use my stored credit card data at a shop using the phone. Also, I have blurred out the numbers in the pics of my credit card above.

  • Fry

    Paywave/Paypass and other Chip & Pin protocols are all basically EMV compliant, which means the data on the card that is transmitted is encrypted, basically using your PIN (although it’s more complicated than that). There are some vulnerabilities in the protocol, especially if you control the merchant terminal (that they type the PIN into), but by itself the card data should not be harmful.

    • Recently most of my purchases at Coles and 7/11 allow me to pay wave without a PIN when less than $50. So does that mean if I can capture the data on the card (encrypted), store it, then I go to a touch pay terminal I can transmit the data? How would the terminal know whether I’m using a card or a phone?

  • Fry

    They have a floor limit, usually around $50, where they take the burden of the transaction without having to do full verification so as to speed up the checkout process.

    It gets worse when the line to the bank goes down and they basically just auth every single transaction up to about $200 so people don’t get stuck and complain.

    They then batch it up and do offline processing (charging it against your card) and if it turns out it was stolen, well, they or the bank can absorb the $50 no worries.

  • Great feedback, thanks!

  • Great to see that my app even has users on the other side of the world 😉

    Anyways, what you show in the picture above is not the credit card “part” of the card. The chip used for this credit card (I would guess it is a SmartMX from NXP) combines an APDU-based smartcard and a MIFARE Classic memory card. While the credit card part is within the APDU-based smartcard (possibly a JavaCard applet), the picture shows the MIFARE Classic part of the card.

    The numbers you see in the 4th row of each sector are the access conditions (the screenshot on the right side shows the human-readable translation). The first row of sector 0 contains the UID & manufacturer data (also not related to your credit card information).

    Unfortunately, I still didn’t have much time to read into EMV / PayPass / PayWave specifications but I intend to extend my app to read as much information from the credit card part as well. This might take a while though.
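
The layout described in the comment above (access conditions in the fourth row of each sector, UID and manufacturer data in the first row of sector 0) can be decoded with a short script. This is an added example, not part of the original comment or of the reader app; the function names, the 4-byte-UID assumption and all sample bytes are constructed for illustration.

```python
# Added example. All bytes below are constructed sample data, not from the post.
# Data-block access conditions (C1, C2, C3) -> (who may read, who may write).
DATA_BLOCK_RULES = {
    (0, 0, 0): ("key A or B", "key A or B"),  # transport configuration
    (0, 1, 0): ("key A or B", "never"),
    (1, 0, 0): ("key A or B", "key B"),
    (1, 1, 0): ("key A or B", "key B"),
    (0, 0, 1): ("key A or B", "never"),
    (0, 1, 1): ("key B", "key B"),
    (1, 0, 1): ("key B", "never"),
    (1, 1, 1): ("never", "never"),
}

def parse_access_bits(trailer: bytes) -> dict:
    """Return {block_index: (C1, C2, C3)} for the four blocks of one sector.

    Trailer layout: Key A (bytes 0-5), access bits (6-8), user byte (9),
    Key B (10-15). Every access bit is stored twice, once inverted.
    """
    if len(trailer) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4    # plain copies
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F  # inverted copies
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return {i: ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)}

def parse_manufacturer_block(block0: bytes) -> dict:
    """Split sector 0, block 0. Assumes a 4-byte UID followed by its XOR check byte."""
    if len(block0) != 16:
        raise ValueError("a block is exactly 16 bytes")
    uid, bcc = block0[:4], block0[4]
    return {"uid": uid.hex(), "bcc_ok": bcc == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]),
            "manufacturer_data": block0[5:].hex()}

# Constructed samples: a factory-default trailer (FF 07 80) and a made-up block 0.
SAMPLE_TRAILER = bytes.fromhex("000000000000" "ff0780" "69" "ffffffffffff")
SAMPLE_BLOCK0 = bytes.fromhex("deadbeef22" "0804006263646566676869")

if __name__ == "__main__":
    print(parse_manufacturer_block(SAMPLE_BLOCK0))
    for block, bits in parse_access_bits(SAMPLE_TRAILER).items():
        kind = "trailer" if block == 3 else "data"
        rule = DATA_BLOCK_RULES[bits] if block != 3 else "(keys/access bits)"
        print(f"block {block} ({kind}): C1C2C3={bits} {rule}")
```

Neither block touches the payment application: as the comment says, that lives in the APDU-based smartcard part of the chip, which this memory dump does not cover.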

  • Hey Michael,
    Great app, well done and good work!

    Look forward to your updates as this is a very exciting area.

    We would be keen on assisting where possible. Let me know if you would be interested and we could do some research and cut some code.

  • Tim

    Can’t wait for the potential of NFC to be unlocked in the not-too-distant future!

    Thanks Michael for the awesome app! I’ll definitely keep an eye on this post’s discussion as using NFC in my Galaxy Nexus (pictured above) was the main reason for picking it over the Samsung Galaxy S II 😛