Viral Claim That Paywave-Based Cards Are Easy to Hack: Here Is the Real Explanation From Experts
That card sleeve is so expensive. My friend sells them for just one ringgit.
Using apps, sure, there are plenty of safeguards. But if you use a card reader that targets RFID you can bypass all the security. Maybe not now, but soon, because people keep getting smarter.
No need to replicate the chip. Paying by Paywave doesn't require reading the chip. So whatever the card reader can read through Paywave, just replicate that info onto another blank card. Then make another Paywave transaction, since all the info readable via Paywave has been replicated. If a secret key or the like is needed, as long as it is transferable through Paywave, it can still be replicated, unless the card has the processing power to do authentication / deciphering. For example:
Client (card) sends info ----> server (bank) verifies info
server replies with an encrypted key ------> client receives it and deciphers it using the card's private key
client replies with the deciphered value ----------> server approves if the value is correct.
If the transaction works like this, the card must have the processing power to decipher the value. In that case the private key is not transferred over Paywave, so a thief can't steal it via Paywave. Only then is the transaction secure.
But if the transaction works like this:
Card sends some encrypted value ----> bank receives and decrypts it; only if it is correct does it approve the transaction
the thief just replicates the value the card sent and sends the same value to the bank. The bank will still approve, because there is no actual verification that the card is the correct card.
So at this point I don't think our cards have the processing power to do all of these authentication methods. Unless there is another method I haven't noticed; maybe someone can show here how the authentication method cards currently use over Paywave makes the transaction secure?
So the thief will still get the unique code through Paywave, right? They just replicate the code onto a blank card and then use it for an illegal transaction. Same thing, it can still be stolen. Unless the victim uses the card first, before the thief does, in which case the code will no longer be valid / will have expired.
Even at 4 cm, it can still be stolen. Especially effective on a train or in crowded, packed places. Easy. On top of that, all cards now have Paywave capability, so the chances of 'accidentally' getting scanned go way up.
The Paywave limit is RM250 I think; for some people RM250 is a lot. So better reduce the limit or turn off the Paywave function entirely.
Edited by Changa at 19-1-2017 01:39 PM
Secret keys don't work like that, sis; you can't simply put in any old key and then encrypt/decrypt just like that.
I suspect the secret key is stored on the bank's server, tied to our card, rather than stored in the chip itself?
Here's an FAQ so the aunties here can understand better.
http://www.cba.ca/tap-to-pay-card-security-an-faq
Should I be concerned about security of tap to pay cards?
No. Tap to pay card transactions are processed through the same secure networks used for all other Visa, MasterCard and Interac transactions. Your card never leaves your hand and each transaction has a unique, encrypted code that changes every time the card is used. There have been news reports about “electronic pick-pocketing”, where a criminal with a card reader or smartphone can read the information on these cards and commit fraud. It’s important to know that tap to pay cards are embedded with multiple layers of security to protect you, so the chances of you becoming the victim of this type of fraud are extremely unlikely. These security features include:
- Short range – Tap to pay cards can only work within short range of a retail terminal, which makes it difficult for criminals to gain access to card information from a distance. Even if they could, the stolen card data cannot be used to create a counterfeit card capable of being used for fraud.
- Encryption – Tap to pay cards do not use the same RFID technology typically used for inventory management that just transmit information, but instead use the much more secure international EMV chip standards and advanced cryptography. During a transaction, the card and the terminal communicate with each other, doing security checks and transmitting a unique encryption code, which expires after the transaction is finished. If someone was able to get close enough to steal data from your card, they would not be able to use the encryption code because it would have expired.
- Limited information – The information transmitted during a tap to pay transaction is very limited and includes things like language preference, card number and other coding. The customer’s name, bank account number and the three-digit security code on the back of the credit card are not transmitted during a transaction.
- Low transaction limits – Generally these cards have low transaction limits – typically between $50 and $100 – and any larger purchase will require you to enter your PIN. If your card is lost, this will prevent large purchases from being made.
- Zero liability – Visa, MasterCard and Interac all have zero liability policies for credit and debit card holders. In cases of fraud, you won’t be held responsible and will get your money back.
It's called a unique code for a reason, sister; where would you copy it from?
The code is generated for every transaction. For example, the security device you use to access online banking: the PIN code is generated every time we log in.
So for every transaction a different code is generated.
I agree with you. This thing really does exist, and I've been hit by it myself in Australia. So I'm not surprised. I've worn myself out explaining it in the other thread.
I've also seen the demo you're talking about in Australia.
But the problem is, when we try to share information, a lot of people in this forum think they're so clever. They probably imagine you scan the details with some cheap app on their Android/iPhone.
Share what we know; some will accept it and others won't. I suppose only when it happens to them personally will they find out how high or low the sky really is.
OK, who generates the unique code? The bank? If the bank generates it, how does the card verify the unique code? Does the card have the capability?
If the card generates it, how does it transmit the code to the bank? Via Paywave, right? So everything transmitted through Paywave can be read and copied by any card reader that has been tuned to the exact frequency.
After copying, the thief uses the code to do a transaction. From the bank's side, the code is valid because it hasn't been used yet.
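The challenge-response sketch a few posts up and the question here (how can a card-generated code travel over Paywave without a copy of it being usable later?) can be modelled with a short simulation. This is an added example, not anything from the thread or from the actual EMV specification: the shared key, the 8-byte HMAC tag standing in for the cryptogram, the terminal nonce and the card's transaction counter are all assumptions chosen to show the argument, and the "static value" design from the earlier post is simply this model with the nonce and counter removed.

```python
import hashlib
import hmac
import os

# Constructed demo key shared by card and issuer (assumption); it never goes over the air.
KEY = b"constructed-demo-key-not-real"


def _cryptogram(key: bytes, atc: int, amount: int, nonce: bytes) -> bytes:
    """8-byte tag over transaction counter, amount and the terminal's challenge."""
    msg = atc.to_bytes(2, "big") + amount.to_bytes(4, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Keeps the key inside; the transaction counter (ATC) moves on every response."""
    def __init__(self, key: bytes) -> None:
        self._key, self.atc = key, 0

    def respond(self, amount: int, terminal_nonce: bytes) -> tuple[int, bytes]:
        self.atc += 1
        return self.atc, _cryptogram(self._key, self.atc, amount, terminal_nonce)


class Issuer:
    """Recomputes the tag for the claimed (ATC, amount, nonce) and refuses reused counters."""
    def __init__(self, key: bytes) -> None:
        self._key, self.last_atc = key, 0

    def authorise(self, atc: int, amount: int, nonce: bytes, tag: bytes) -> bool:
        if atc <= self.last_atc:
            return False  # counter already consumed: a replay of an earlier response
        if not hmac.compare_digest(_cryptogram(self._key, atc, amount, nonce), tag):
            return False  # tag was made for a different challenge, amount or counter
        self.last_atc = atc
        return True


def skim_then_replay() -> tuple[bool, bool, bool]:
    """A rogue reader harvests one response, which is then presented at a real terminal."""
    card, issuer = Card(KEY), Issuer(KEY)
    atc, tag = card.respond(250, os.urandom(8))   # harvested: bound to the skimmer's nonce
    real_nonce = os.urandom(8)                    # real terminal picks its own challenge
    replayed = issuer.authorise(atc, 250, real_nonce, tag)          # False: nonce mismatch
    atc2, tag2 = card.respond(250, real_nonce)                      # genuine card, fresh counter
    genuine = issuer.authorise(atc2, 250, real_nonce, tag2)         # True
    replayed_again = issuer.authorise(atc2, 250, real_nonce, tag2)  # False: counter used
    return replayed, genuine, replayed_again
```

The harvested value is only ever valid for the challenge, amount and counter it was computed over, so a copy carried to another terminal is refused even though the eavesdropper read every byte the card sent.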
Actually, hackers have done a demo copying the info onto a blank card and making a Paywave transaction.. but it only works for one transaction, and under the card's limit, e.g. RM200..
Tune the frequency how, sister?
If you want to steal data during a transaction, that means you'd have to squeeze your device in while the user is about to scan, because it can't scan a card from a distance of a few meters or anything...
Try going to use Paywave and pretend to wave from 5 m away from the card machine; do you think it'll charge?
Worst case, you'll get whacked by the auntie at the cashier.
RFID Wallet
Searched yesterday, lots of cheap ones.
Of course the secret key (technically called a private key) for encrypting or decrypting can't just be put in any old way. If you put in just anything, you won't be able to decrypt. If it's stored at the bank and tied to the card, then when the card wants to verify, it has to pass a value to the bank for verification. So what does the card use to pass the value? Paywave, right? If it goes over Paywave, why wouldn't another card reader tuned to the frequency for reading the card be able to read that value too? Unless the signal is blocked in the first place, which is why there are wallets that block RFID frequencies.
"If someone was able to get close enough to steal data from your card, they would not be able to use the encryption code because it would have expired." The article itself indicates the encryption code can be taken, it just can't be used because it expires. But if the thief charges directly while scanning the card (an application to charge can easily be built, the technology already exists), the code won't have had time to expire.
In the end, it's still possible to steal, just not easy. It only needs a little bit more effort than usual. Ordinary thieves definitely won't manage it.
Seriously, you've never seen anyone demo using a card reader to read data from a card even while the card is inside a handbag? There are loads on YouTube. They don't need 5 meters. They put the card reader in a small bag, then tap it against another handbag or wallet. No need to take out either the card or the card reader.
Sigh... my aim here isn't to condemn Paywave or anything. It's to raise awareness of the security risk of Paywave. It's up to you whether you want to accept it or not.
It's definitely possible, and there have already been demos at security conferences. But as usual, forummers here are too lazy to search and read. They want everything spoon-fed. Even when someone has given an explanation, they still won't believe it.
This thing does exist and is possible. People have already demoed it at security conferences.
Suddenly I feel a bit smarter after reading this thread
Thank you, thank you
I almost believed this fake news, you know
I don't know what to believe either