CariDotMy

Author: CARI-MRO

Viral Claim That Paywave-Based Cards Are Easily Hacked: Here Is the Real Explanation From an Expert

Post time 18-1-2017 11:55 PM From the mobile phone
That card sleeve is so expensive. My friend sells them for just one ringgit.

Post time 19-1-2017 02:07 AM From the mobile phone
If you use apps, of course there are plenty of barriers. But with a card reader that targets RFID, you really can bypass all the security. Maybe not now but soon, because people keep getting smarter.

Post time 19-1-2017 12:44 PM
Changa replied at 18-1-2017 04:49 PM
How would you replicate the chip, sister?
Every transaction has a unique code that gets generated, that's how it works ...

There's no need to replicate the chip. Paying with Paywave doesn't require reading the chip. So whatever the card reader can read through Paywave, just replicate the info onto another blank card. Then make another Paywave transaction, because all the info readable over Paywave has been replicated. If a secret key or the like is needed, if it's transferable through Paywave, it can still be replicated. Unless the card has the processing power to do authentication / deciphering. For example:

Client (card) sends info ----> server (bank) verifies info

Server replies with encrypted key ------> client receives and deciphers using the card's private key

Client replies with the deciphered value ----------> server approves if the value is correct.

If the transaction works like this, the card needs processing power to decipher the value. In this case the private key isn't transferred over Paywave, so a thief can't steal it using Paywave. Only then is the transaction secure.

But if the transaction works like this:

Card sends an encrypted value or whatever ----> bank receives and decrypts it, and approves the transaction only if it's correct

the thief just replicates the value the card sent, then sends the same value to the bank. The bank will still approve because there's no actual verification to verify that the card is the correct card.

So here I don't think our cards have the processing power to do all these authentication methods. Unless there's another method I haven't noticed; maybe someone can show here how the authentication method that cards now use with Paywave makes the transaction secure?

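
Added example (not part of the thread or any poster's words): a simplified Python model of the two flows described in the post above, showing that a recorded static value passes verification again while a recorded answer to a one-time challenge does not. An HMAC-SHA256 shared key stands in for the post's private-key decipher step; `Card`, `Bank`, `mac`, `run_demo` and the sample key are hypothetical, and this is not the actual payWave/EMV protocol.

```python
import hashlib
import hmac
import secrets

# Constructed sample key: in this model it exists only inside the card and at the bank.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:  # hypothetical card with enough processing power to compute a MAC
    def __init__(self, key: bytes):
        self._key = key  # never transmitted

    def static_value(self) -> bytes:
        return mac(self._key, b"card-static-data")  # identical on every tap

    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, challenge)  # depends on the bank's fresh challenge


class Bank:
    def __init__(self, key: bytes):
        self._key, self._pending = key, None

    def verify_static(self, value: bytes) -> bool:
        return hmac.compare_digest(value, mac(self._key, b"card-static-data"))

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify_response(self, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # each challenge is single use
        return challenge is not None and hmac.compare_digest(response, mac(self._key, challenge))


def run_demo() -> dict:
    card, bank = Card(CARD_KEY), Bank(CARD_KEY)
    seen_static = card.static_value()                 # what any reader in range observes
    seen_response = card.respond(bank.new_challenge())
    genuine_ok = bank.verify_response(seen_response)  # the real transaction completes
    bank.new_challenge()                              # a later transaction gets a new challenge
    return {
        "static_replay_accepted": bank.verify_static(seen_static),
        "genuine_response_accepted": genuine_ok,
        "response_replay_accepted": bank.verify_response(seen_response),
    }
```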

Post time 19-1-2017 12:52 PM
WhiskeyScotch replied at 18-1-2017 05:34 PM
Sis's explanation here is correct. Every Visa Paywave card that we get has its own secret key whic ...

So the thief will still get the unique code through Paywave, right? They just replicate the code onto a blank card and then use it for an illegal transaction. It's the same, it can still be stolen. Unless the victim uses the card first before the thief does, in which case the code will no longer be valid/will have expired.

Even at 4 cm, it can still be stolen. It's especially effective on trains or in crowded places where people are packed together. Easy. On top of that, all cards now have Paywave capability, so the chances of getting an 'accidental' scan are higher.

The Paywave limit is RM250, I think; for some people RM250 is a lot. So better to lower the limit or turn off the Paywave function entirely.

Post time 19-1-2017 01:36 PM
Edited by Changa at 19-1-2017 01:39 PM
FMKiller replied at 19-1-2017 12:52 PM
So the thief will still get the unique code through Paywave, right? They just replicate the code ...

A secret key doesn't work like that, sis; you can't simply put in any key and then encrypt/decrypt just like that.
I suspect the secret key is stored on the bank's server, tied to our card, rather than stored in the chip itself?

Here is an FAQ so the musty old aunties here can understand better.

http://www.cba.ca/tap-to-pay-card-security-an-faq

Should I be concerned about security of tap to pay cards?
No. Tap to pay card transactions are processed through the same secure networks used for all other Visa, MasterCard and Interac transactions. Your card never leaves your hand and each transaction has a unique, encrypted code that changes every time the card is used.
There have been news reports about “electronic pick-pocketing”, where a criminal with a card reader or smartphone can read the information on these cards and commit fraud. It’s important to know that tap to pay cards are embedded with multiple layers of security to protect you, so the chances of you becoming the victim of this type of fraud are extremely unlikely. These security features include:
  • Short range – Tap to pay cards can only work within short range of a retail terminal, which makes it difficult for criminals to gain access to card information from a distance. Even if they could, the stolen card data cannot be used to create a counterfeit card capable of being used for fraud.
  • Encryption – Tap to pay cards do not use the same RFID technology typically used for inventory management that just transmit information, but instead use the much more secure international EMV chip standards and advanced cryptography. During a transaction, the card and the terminal communicate with each other, doing security checks and transmitting a unique encryption code, which expires after the transaction is finished. If someone was able to get close enough to steal data from your card, they would not be able to use the encryption code because it would have expired.
  • Limited information – The information transmitted during a tap to pay transaction is very limited and includes things like language preference, card number and other coding. The customer’s name, bank account number and the three-digit security code on the back of the credit card are not transmitted during a transaction.
  • Low transaction limits – Generally these cards have low transaction limits – typically between $50 and $100 – and any larger purchase will require you to enter your PIN. If your card is lost, this will prevent large purchases from being made.
  • Zero liability – Visa, MasterCard and Interac all have zero liability policies for credit and debit card holders. In cases of fraud, you won’t be held responsible and will get your money back.

Post time 19-1-2017 01:41 PM
FMKiller replied at 19-1-2017 12:52 PM
So the thief will still get the unique code through Paywave, right? They just replicate the code ...

It's called a unique code for a reason, sister; how on earth would you copy it?
The code is generated on every transaction; for example, the security device you use to access online banking: the PIN code is generated every time we log in.
So a different code is generated for every transaction.

Post time 19-1-2017 01:53 PM
FMKiller replied at 18-1-2017 03:28 PM
Overseas, lots of people have already demoed how to get the credit card details. Not using apps, ...

I agree with you. This thing really does exist and it has already happened to me in Australia, so I'm not surprised. I wore myself out explaining it in the other thread.
I've also seen the demo you're talking about, in Australia.

But the problem is, when we try to share information, many people in this forum think they're so great. They probably think the details get scanned with some cheap app on their Android/iPhone.

We share what we know; some accept it and some don't. I guess only when it happens to them personally will they find out how high the sky really is.



Post time 19-1-2017 03:04 PM
Changa replied at 19-1-2017 01:41 PM
It's called a unique code for a reason, sister; how on earth would you copy it?
The code is generated on every transactio ...

OK, who generates the unique code? Does the bank generate it? If the bank generates it, how does the card verify the unique code? Does the card have the capability?

If the card generates it, how does it transmit the code to the bank? Over Paywave, right? So everything transmitted through Paywave can be read and copied by any card reader that has been tuned to the exact frequency.

After copying, the thief uses the code to make a transaction. As far as the bank is concerned, the code is valid because it hasn't been used yet.

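
Added example (not part of the thread): a simplified Python model of the per-transaction "unique code" the posts above argue about, built as a MAC over a card-side counter that a hypothetical issuer checks for freshness. It shows a code being refused once it, or a newer one, has reached the issuer; HMAC-SHA256, `Card`, `Issuer`, `one_time_code`, `run_scenarios` and the sample key are assumptions, not the real payWave/EMV scheme.

```python
import hashlib
import hmac

CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed sample key


def one_time_code(key: bytes, counter: int, amount_cents: int) -> bytes:
    # Per-transaction code: MAC over the card's transaction counter and the amount.
    msg = counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:  # hypothetical card model
    def __init__(self, key: bytes):
        self._key, self.counter = key, 0

    def tap(self, amount_cents: int) -> tuple:
        self.counter += 1  # new counter value, hence a new code, on every tap
        return self.counter, one_time_code(self._key, self.counter, amount_cents)


class Issuer:  # hypothetical bank-side check: valid MAC and a counter newer than any seen
    def __init__(self, key: bytes):
        self._key, self.last_counter = key, 0

    def authorize(self, counter: int, amount_cents: int, code: bytes) -> str:
        if not hmac.compare_digest(code, one_time_code(self._key, counter, amount_cents)):
            return "bad_code"
        if counter <= self.last_counter:
            return "stale_counter"
        self.last_counter = counter
        return "approved"


def run_scenarios() -> dict:
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    c1, code1 = card.tap(1500)
    first = issuer.authorize(c1, 1500, code1)
    c2, code2 = card.tap(1500)   # generated, but not submitted yet
    c3, code3 = card.tap(2000)   # cardholder's next purchase reaches the issuer first
    return {
        "first_use": first,
        "same_code_again": issuer.authorize(c1, 1500, code1),
        "newer_purchase": issuer.authorize(c3, 2000, code3),
        "older_code_afterwards": issuer.authorize(c2, 1500, code2),
        "code_with_changed_amount": issuer.authorize(c3 + 1, 9900, code3),
    }
```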


Post time 19-1-2017 03:12 PM From the mobile phone
Actually, hackers have done demos showing you can copy the info onto a blank card and make a Paywave transaction.. but only a single transaction, and under the card's limit, for example RM200..

Post time 19-1-2017 03:17 PM
FMKiller replied at 19-1-2017 03:04 PM
OK, who generates the unique code? Does the bank generate it? If the bank generates it, how does the card veri ...

Tune the frequency how, sister?
If you want to steal data during a transaction, that means you'd have to squeeze your device in while the user is about to scan, because it can't scan a card from a few meters away or anything like that...

Try going to use Paywave and pretend to wave from 5 m away from the card machine; do you think it'll charge?
Chances are you'll get whacked by the cashier auntie.

Post time 19-1-2017 03:25 PM
manehnya replied at 18-1-2017 06:47 AM
It's such a hassle; keeping it under the pillow is a hassle, keeping it in the bank is a hassle too!!!

What is the name of the card sleeve that blocks wav ...

RFID Wallet

I searched yesterday; there are lots of cheap ones.

Post time 19-1-2017 03:35 PM
Changa replied at 19-1-2017 01:36 PM
A secret key doesn't work like that, sis; you can't simply put in any key and then encrypt/decrypt ...

Of course a secret key (technically called a private key) for encrypting or decrypting can't just be put in arbitrarily. If you just put in any key, of course it can't decrypt. If it's stored at the bank and tied to the card, then when the card wants to verify, it must pass a value to the bank for verification. So what does the card use to pass the value? Paywave, right? If it goes over Paywave, can you give a reason why another card reader tuned to the frequency for reading cards wouldn't be able to read the value? Unless the signal is blocked in the first place, which is why there are wallets that block RFID frequencies.

If someone was able to get close enough to steal data from your card, they would not be able to use the encryption code because it would have expired.
The article itself indicates that the encryption code can be taken, it just can't be used because it has expired. But if the thief charges directly when scanning the card (an application to charge can certainly be built, the technology already exists), the code won't even have time to expire.

In the end, it's still possible to steal, but not easy. It just needs a little bit more effort than usual. Ordinary thieves certainly won't manage it.

Post time 19-1-2017 03:42 PM
Changa replied at 19-1-2017 03:17 PM
Tune the frequency how, sister?
If you want to steal data during a transaction, that means you'd have to squeeze ...

Seriously, you've never seen people demo using a card reader to read the data in a card even while the card is inside a handbag? There are loads on YouTube. They don't need 5 meters. They put the card reader in a small bag, then tap it against another handbag or wallet. No need to take out the card or the card reader.

Sigh.... my aim here isn't to condemn Paywave or anything. It's to raise awareness of the security risk of Paywave. It's up to you all whether to accept it or not.

Post time 19-1-2017 03:44 PM
grouper replied at 19-1-2017 03:12 PM
Actually, hackers have done demos showing you can copy the info onto a blank card and make a Paywave transaction.. but only ...

It's definitely possible, and there has already been a demo at a security conference. But that's typical of forummers here: too lazy to search and read, wanting everything spoon-fed. Even when someone has given an explanation, they still refuse to believe it.

Post time 19-1-2017 03:46 PM
jojoba_beads replied at 19-1-2017 01:53 PM
I agree with you. This thing really does exist and it has already happened to me in Australia, so I'm not surprised. I wore myself out ...

This thing really does exist and is possible. Someone has already demoed it at a security conference.

Post time 19-1-2017 03:47 PM
Suddenly I feel a bit smarter from reading this thread.

Post time 19-1-2017 04:38 PM
dekmieDandy replied at 19-1-2017 03:25 PM
RFID Wallet

I searched yesterday; there are lots of cheap ones.

Thank you, thank you.

Post time 4-2-2017 01:22 AM From the mobile phone
I almost believed this fake news, you know.

Post time 4-2-2017 02:56 PM From the mobile phone
I don't even know which one to believe.