The anti🚫-derailment🚃 & thread🧵 hijacking🔫 thread🧵 ⁉

That was tongue-in-cheek. You don’t need 5 or 6 NFC cards. One is enough, and you probably already have one in your wallet - another payment card, swimming pool card or something. Just put the card you want to protect in the same slot in your wallet for zero dollars. And if you really, desperately want a dedicated NFC shield, fold some tinfoil for almost zero dollars. No need to waste money on those gizmos.

2 Likes

:sweat_smile: I should have known

2 Likes

That reminds me, I’m still surprised daily by how good my college’s security infrastructure is. Not only are they using DESFire EV2s with their own applications loaded (with encryption enabled), but the readers also properly implement anti-collision. To authenticate with the readers, I just lazily slap my wallet on top, and it can read fine despite having 4 other 13.56MHz cards layered around my student ID card.

They outsource everything to Transact Campus (used to be a part of Blackboard Inc). They use their own line of readers and kiosks, for everything from building access control, to laundry, to meal swipes. They have two applications loaded to the card, with one of them also allowing the card to make purchases from a pre-paid account (acts like a debit account at local stores).

The readers all seem to be custom, but I can’t seem to find much info on them. There’s some older models on eBay, but nothing modern. I’m curious on the backend infrastructure, the readers seem to connect via ethernet (with an RJ45 jack).

It’s a really interesting system, but annoying for someone who wants to clone a card haha.

They found a niche and did a great job with it. Honestly if I was going to pick a specialized industry to deploy this kind of solution it would be schools. Constant long tail for new cards every year and I’m sure they do a subscription model per student anyways.

2 Likes

Stumbled across this video on YouTube. It’s a little dry, but very interesting.

2 Likes

The only place I’ve seen anti-collision used was at my local library after they moved from the barcode system to a barcode/RFID. Each of the books got a little NFC sticker in the back and you could just drop an entire stack of books on the checkout counter. It would account for all of them without too much issue. Assuming your stack of books wasn’t too high of course. The barcode reader was really only used to scan your library card and any books that might not have had the new NFC stickers in them yet.

The thing with anticollision is, it works fine but, unless there’s a specific reason to use it like in the application you mention, most applications are single-use, single-card. Programmers being lazy and pressed for time, it’s easier to throw an error when more than one card is in the field rather than deal with them properly.

Crucially - and that was the original question of “shielding” NFC cards - you can bet your ass bad guys walking around with covert NFC readers most likely didn’t bother to implement it right, so you’ll be fine with another NFC card on top to confuse the reader :slight_smile:

2 Likes

I didn’t find it all that dry but then again I find this kind of stuff interesting. I’m actually surprised I haven’t run into this video before now. It’s very good and a great explanation and demonstration of evolution and mutation.

I can understand shielded wallets and the badge holder in the video I posted above. Reducing the hassle of these things is always nice, especially when you are already making things less convenient to increase security…

I used to be more paranoid about this in the past, and I no longer have any cards that worry me. But I don’t regret giving a company money for making something that I enjoyed using for several years.

But is there any actual evidence of contactless payment sniffing happening anymore?

Seems like at best a theoretical problem, not a real world attack, given the amount of time they’d need to be in read range

I think people confuse stealing access credentials
UIDs from 125, and 13.56 with being able to steal credit card info

I could be wrong, but I haven’t seen any real evidence of this… people are still getting skimmed left and right via mag stripe data, which I think they blame on RFID attacks

I’ve been skimmed multiple times

Eventually I obliterated my mag stripe on my cards,
If a business still doesn’t have an EMV chip reader, or is incapable of plugging in the data manually as a backup… I can either pay cash or go elsewhere…

It’s been several quiet years since then, with no issues

Since there are multiple EMV NFC related vulnerabilities disclosed every year, I’d bet this is used in real life attacks. And even without vulns, malicious readers can exist, the card doesn’t show it paid so you can easily trick a customer to pay 2 invoices.

2 Likes

Pretty much… And I doubt sniffing was ever a problem to begin with. There were some wireless repeater based attacks that required two people and modern chips have protections against that. But to my knowledge, those were never a thing in the wild.

Now that is a real risk and I don’t understand why are banks still allowing mag stripe. In my corner of the world, at least some banks disable mag stripe payments by default and you have to ask them to allow it if you want to use it.

Somehow, payment companies are more concerned with disallowing implants than with blocking mag stripe… :eyeroll:

1 Like

Hey @greydoc, @Backpackingvet

Any chance you have any experience with those suture alternative stickers with little zip tie mechanisms that draw a cut together?

I’ve used ones that look like little Velcro cable ties. Useful in certain situations like skin flaps or in wetter environments. Got a few at home. They are kinda big to use on an implant hole though.

1 Like

I do not good sir! I have a pack of quick clot if you want lol

Just wondering if they would be viable for a 1” flex install incision

1 Like

I mean, I’m not a real doctor like greydoc, but I don’t see why you wouldn’t be able to put this on and close one, or cut it in half personally.

Worst case, it doesn’t work. But if it lasts overnight, I think you would be good if you keep it from opening. Maybe move to a butterfly after a day or two. Idk. Just my opinion

A good quality butterfly bandage over a dry and hemostatic incision should be sufficient… maybe two. If you are concerned about the site getting wet over time then place a tegaderm or film bandage over top of the butterfly bandages to protect them. The only critical thing is that your wound not bleed because that will ruin the adhesive power of the butterfly bandages.

Even for a 1” incision? Like a flexEM

I’d say yeah… 2 to 3 butterfly should be ok if there is not tension pulling the skin open. Also a tegaderm overtop should help stabilize the whole thing too.

I am not a doctor, but I play one on the forums :slight_smile:

I guess my question is, why would you need to use bandages if you’re having your flexEM installed properly by a professional who can use sutures? :wink:

3 Likes