by swatcoder 582 days ago
> The phase where the relaying is supposed to happen (between the terminal sending its actual challenge and receiving the response) already employs a very short timeout (a millisecond or less, definitely not anywhere near a network round-trip to, well, anywhere).

Sincere question: is that enforced by some certification process?

Because for anything that isn't strictly audited, I wouldn't assume that your own wise practices are universally applied. In fact, things like timeouts in particular are often treated very informally by engineers and often face pressure from product people for more leniency to improve the happy path user experience. Until real exploits like this become widely known, people can be really quite sloppy about this stuff.

> Also, upwards of 80% of all point-of-sale transactions in some northern-European countries are NFC these days, and if any of this had truly any large-scale applicability, people would definitely have noticed...

I don't think the article is suggesting this is an epidemic that threatens NFC payments at some large scale, and it highlights the prerequisites for pulling it off. All they seem to be reporting is that it's achievable, inviting to malicious actors, and seems to be happening in the wild.

1 comments

> is that enforced by some certification process

Yes, pretty much any NFC payment solution has to be EMVCo (Eurocard/Mastercard/Visa) licensed, and relay resistance is an explicit part of that.

> seems to be happening in the wild

Nah, NFC is so ubiquitous that it would have been a lot more noisy.