Works for me too - Nexus 5, MasterCard PayPass. The app in its current form isn't dangerous, it takes ~2 minutes to read the card and if the screen goes off or the reader loses contact you have to start again.
I wrote essentially the same proof of concept app two years ago after seeing that report pretty much just by reading the specs. From reading the paper mentioned on GitHub, the only real difference to what I wrote is that I didn't check for the CVC3 information (which I think is generally not included, or doesn't correspond to the actual security code on the back of the card).
But in any case, just the card number and expiry number are enough — as mentioned in the Channel 4 report — to make purchases from a lot of places.
If CVC3 is anything like CVV and CVV2, it's probably intentionally different than what's on the back of the card.
Mag-stripe VISA cards have a three-digit code embedded in the stripe (this is the CVV), and a different three-digit code on the back of the card (the CVV2). Different brands of cards use the same model, but they don't always call them CVV/CVV2, and the number of digits may be different.
The numbers are different so that use of the card in a magnetic reader can be differentiated from someone typing it in.
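As an added example (not code from the app discussed in this thread, nor from the paper linked on GitHub), here is the parsing step that yields the card number and expiry from a contactless read. The card answers READ RECORD with a BER-TLV record, and tag 57 (Track 2 Equivalent Data, as defined in EMV Book 3) carries the PAN, a 'D' separator, the expiry as YYMM, a three-digit service code and issuer discretionary data, padded with 'F' to a whole byte. The record below is constructed for illustration with a Luhn-valid test PAN, not read from a real card; fetching the record over NFC (SELECT, GPO, READ RECORD) is left out. The discretionary data is returned verbatim because its layout is issuer-specific; the verification value an issuer places there is the card-present one (CVV/iCVV), which by design is not the CVV2/CVC2 printed on the card, as the comment above notes.

```python
"""Extract PAN and expiry from an EMV READ RECORD response (tag 57, Track 2 Equivalent Data).

Added example, not the app's own code. SAMPLE_RECORD_HEX is constructed for
illustration: a Luhn-valid test PAN, not a real card.
"""
from dataclasses import dataclass


@dataclass
class Track2:
    pan: str
    expiry_yymm: str      # YYMM as encoded on the track
    service_code: str
    discretionary: str    # issuer-specific; layout not interpreted here


def parse_ber_tlv(data: bytes) -> dict[int, bytes]:
    """Minimal BER-TLV walker: {tag: value} for every primitive TLV,
    descending into constructed tags (bit 6 of the first tag byte set)."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):  # padding bytes between TLVs
            i += 1
            continue
        # Tag: one byte, or multi-byte while low 5 bits are all 1 / bit 8 set.
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:
            while True:
                tag = (tag << 8) | data[i]
                i += 1
                if not data[i - 1] & 0x80:
                    break
        # Length: short form (< 0x80) or long form (0x8n followed by n bytes).
        length = data[i]
        i += 1
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        first_tag_byte = tag >> (8 * ((tag.bit_length() - 1) // 8))
        if first_tag_byte & 0x20:       # constructed (e.g. 0x70 record template)
            out.update(parse_ber_tlv(value))
        else:
            out[tag] = value
    return out


def parse_track2(value: bytes) -> Track2:
    """Split Track 2 Equivalent Data: PAN 'D' YYMM SSS discretionary [F pad]."""
    nibbles = value.hex().upper().rstrip("F")   # drop the odd-length pad nibble
    pan, sep, rest = nibbles.partition("D")
    if not sep or not pan.isdigit() or not 1 <= len(pan) <= 19:
        raise ValueError("malformed Track 2 Equivalent Data: bad PAN/separator")
    if len(rest) < 7 or not rest.isdigit():
        raise ValueError("malformed Track 2 Equivalent Data: missing expiry/service code")
    return Track2(pan=pan, expiry_yymm=rest[:4], service_code=rest[4:7], discretionary=rest[7:])


def luhn_ok(pan: str) -> bool:
    """Sanity check on the PAN before trusting a noisy NFC read."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_card(record_hex: str) -> Track2:
    """From a READ RECORD response (hex) to the fields the app displays."""
    tlvs = parse_ber_tlv(bytes.fromhex(record_hex))
    if 0x57 not in tlvs:
        raise ValueError("record carries no Track 2 Equivalent Data (tag 57)")
    card = parse_track2(tlvs[0x57])
    if not luhn_ok(card.pan):
        raise ValueError("PAN fails Luhn check; re-read the card")
    return card


# Constructed record: 70 (template) { 57 (Track 2) , 5F34 (PAN sequence number) }.
# Track 2 = 16-digit PAN, 'D', expiry 2512 (Dec 2025), service code 201,
# 9 digits of discretionary data, one 'F' pad nibble.
SAMPLE_RECORD_HEX = "70175711" "5413330089604111D2512201012345678F" "5F340101"

if __name__ == "__main__":
    c = extract_card(SAMPLE_RECORD_HEX)
    print(f"PAN {c.pan}  expiry {c.expiry_yymm[2:]}/{c.expiry_yymm[:2]}  "
          f"service {c.service_code}  discretionary {c.discretionary}")
```

The service code is worth keeping: its first digit says whether the card is chip-capable, which is part of what a terminal uses to decide whether a swipe or contactless transaction is allowed at all.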
Doesn't this make it an impractical attack in most situations? I've never thought that buying RF shielding cases is of much use for 99% of situations, and this seems to support that theory.
Or should I rush out tomorrow and get one? (Australia, so yep, all of them are paywave, whether you want them or not).
Though, as I understand from the source, this also acts as an emulator, so if you scan your phone it may replay those card details. Worth keeping in mind.
I'd love this. My bank wants me to pay $2.99 for a sticker to go on the back of my phone (to do contactless purchases) while supporting Galaxy S* phones natively...
Sounds to me like his bank is the Commonwealth Bank of Australia(1), so Google Wallet is a non-starter. Coin is interesting, but the payments landscape in .au is rapidly moving away from card swipes to Paywave/Paypass. I've seen quite a few places that offer Cash or Tap, no swipe (I presume because of the fee structure).
Commonwealth Bank charge $2.99 a year regardless of what you want to do. To use their Android app, they also bill you that to have the functionality turned on.
The annual fee is not applicable in case of the PayTag (https://www.commbank.com.au/personal/can/can-tap.html). Also, can you refer me to the doc that mentions the extra cost of using the Android app for that purpose?
I just tried this. Card: NAB Visa (payWave). Handset: Nexus 5. Merchant: 7-11.
The app read the card correctly and gave the card number and expiry. When I tried to use it in store the eftpos terminal returned roughly:
Err 226 contactless card not allowed. The terminal fell back to swipe/insert mode and the merchant told me 'contactless not allowed'. Inserted the (same) card and paid successfully.
I was disappointed because for me, being able to carry just my phone for day to day would be awesome, and NAB has no phone solution yet.
Seems to be really about misconfiguration and serving as a reminder for developers to check permissions on AWS buckets. While some data is obviously stored in public buckets for a reason, it's clear that much of the data Rapid7 was able to find in the "open" buckets was not intended to be made available to the public. It's not a security flaw with AWS but an administrative oversight, really; still, at least it's a good reminder for everyone to go check their buckets :)
Doesn't appear to be confirmed whatsoever. That rumor was based on an "anonymous" phone call. On Sunday, another report shows the complete opposite, with Belize officials denying any claims of his capture: