Number26 NFC credit cards: an unprotected security risk?
More and more banks in Europe are upgrading their technology and issuing NFC-enabled credit cards to their customers. Among other things, this is intended to make paying at the checkout easier, which is welcome in principle. Even so, the security of the card and of the data on it must not be neglected, as the current example of the online banking company Number26 shows.
In Germany, credit cards are in principle far less widespread than in other countries, and the NFC credit card will not change that much. German customers are unfamiliar with this kind of card and do not quite trust its security, perhaps for good reason. Number26, a celebrated fintech startup based in Berlin, is currently contending with a larger security problem, and a closer look shows that the bank is by far not alone.
Sensitive data on the NFC credit card
The problem: with an NFC-enabled Android smartphone and a simple app for reading NFC tags, the data stored on the NFC credit cards of Number26, Fidor Bank AG, ING DiBa and even American Express (AmEx) can be read. For ING DiBa, Fidor Bank AG and AmEx this is limited to the card number and the expiration date of the respective NFC credit card, but the Number26 MasterCard and Maestro cards also expose the 10 most recent transactions, including the amount with its currency and the date.
The vulnerability was discovered by Christian Hawkins, who published his findings on the Number26 NFC credit cards on his blog MetaBubble.
The danger is not only that sensitive data can simply be read via NFC, but also that businesses can build a purchase history of individual customers, albeit a very small and not very informative one. Anyone who owns an NFC credit card or another NFC-enabled debit card can run the self-test with a free Android app.
App: Bank card reader NFC (EMV)
According to Hawkins, who discovered the issue, cards from Comdirect, Consorsbank and other credit institutions are not affected by it. What matters for the test is the so-called EMV chip, on which the data is stored. Its primary purpose is to ensure the authenticity of the card and to protect against counterfeit credit cards, but depending on the card issuer's settings it is also available as data storage.
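What such a self-test read-out contains can be shown with a short decoder, added here as an example and not taken from Hawkins's post, the Android app or any bank's software. It parses a card number, an expiry date and two log entries from constructed bytes and masks the card number in its report; the sample values, the function names and the assumption that all fields arrive in one flat blob are illustrative.

```python
# Standard EMV tags: 5A card number, 5F24 expiry (YYMMDD), 9F4F Log Format,
# 9A date, 9F02 amount (BCD, minor units), 5F2A ISO 4217 numeric currency.
def read_tag(buf, i):
    """Return (tag_hex, next_index); a tag is one byte or more."""
    start, i = i, i + 1
    if buf[start] & 0x1F == 0x1F:      # low five bits set: more tag bytes
        while buf[i] & 0x80:
            i += 1
        i += 1
    return buf[start:i].hex().upper(), i

def parse_tlv(buf):
    """Parse flat BER-TLV (short-form or 0x81 lengths) into {tag: value}."""
    out, i = {}, 0
    while i < len(buf):
        tag, i = read_tag(buf, i)
        length, i = buf[i], i + 1
        if length == 0x81:
            length, i = buf[i], i + 1
        if i + length > len(buf):
            raise ValueError(f"truncated value for tag {tag}")
        out[tag], i = buf[i:i + length], i + length
    return out

def decode_log(record, fmt):
    """Split one fixed-layout log record using the tag/length list in 9F4F."""
    fields, i, pos = {}, 0, 0
    while i < len(fmt):
        tag, i = read_tag(fmt, i)
        length, i = fmt[i], i + 1
        fields[tag], pos = record[pos:pos + length].hex(), pos + length
    d = fields["9A"]
    return {"date": f"20{d[:2]}-{d[2:4]}-{d[4:]}",   # century is assumed
            "amount_minor": int(fields["9F02"]),
            "currency": fields["5F2A"].lstrip("0")}

def exposure_report(card_data, log_records):
    """Summarise what the constructed card dump reveals; card number masked."""
    tlv = parse_tlv(card_data)
    pan, exp = tlv["5A"].hex().rstrip("f"), tlv["5F24"].hex()
    return {"pan_masked": "*" * (len(pan) - 4) + pan[-4:],
            "expiry": f"20{exp[:2]}-{exp[2:4]}",
            "transactions": [decode_log(r, tlv["9F4F"]) for r in log_records]}

# Constructed sample (not from a real card): test number, expiry, log format.
CARD = bytes.fromhex("5A08" "5555555555554444" "5F2403" "191231"
                     "9F4F08" "9A03" "9F0206" "5F2A02")
LOGS = [bytes.fromhex("151120" "000000001250" "0978"),   # 12.50 EUR
        bytes.fromhex("151118" "000000000499" "0978")]   # 4.99 EUR
if __name__ == "__main__": print(exposure_report(CARD, LOGS))
```

Currency 978 is the ISO 4217 numeric code for the euro, so two dated amounts are already enough to start the small purchase history the article describes.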
According to an official statement from Number26 to our colleagues at t3n, this is not the case: other NFC-enabled credit cards also store the data without the user's knowledge, although the company did not want to go into detail about the cards in question. The startup assured only that it would take a closer look at the problem together with the manufacturer of the chip card and its other partners.
The fault does not lie only with Number26
What must not be forgotten in all of this is that Number26 itself is not responsible for the data leak on the NFC credit card. The startup is, for example, still awaiting its official banking license, so Wirecard Bank acts as the issuer of the MasterCard and Maestro cards. That credit institution is therefore the likely cause of the problem, but this is not immediately apparent from the reporting.
According to the members of the Rat Pack, experts in the field of financial technology, Wirecard Bank itself need not even be the cause. Since the software on EMV chips is defined not only by the issuing financial institutions but also by the manufacturer of the respective card, the cause could lie there. Some banks even rely on the data being readable: reading the card by app, including the most recent purchases, is advertised as an extra feature of the girogo card of the Sparkasse association.
The bottom line: the data that can be read is not really dangerous, but the incident shows that an NFC credit card is anything but really secure. What is embarrassing is rather that Number26 knew nothing of the potential security breach.
In this connection, a commentary by t3n is recommended: in the end, there is a lot of fuss about a topic whose problem actually permits very few conclusions about the user.