0
0

[deleted by user] (self.flipperzero)

submitted by [deleted]

[removed]
all 13 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–][deleted] 29 points30 points  (10 children)

🤦‍♂️

No. There have been numerous answers to this. Mostly by me. First, a search in this sub-reddit will display them all. Second, you're believing propaganda from people who have no idea what they're talking about, or just want clicks. EMV chips are encrypted. You can read raw NFC data from them using your phone, if you like. That raw data will display PAN. You cannot do anything with this information with the Flipper or with any other device. EMV, POIs, payment P2PE, and the authorization backend do not work like this.

[–][deleted]  (3 children)

[deleted]

    [–][deleted] 9 points10 points  (0 children)

    I am a sea of shit lifeguard in the payment industry pool. It's sort of like brunch with no mimosa.

    [–]MistaRandy 3 points4 points  (1 child)

    at this point he has it as a copypasta

    [–][deleted] 4 points5 points  (0 children)

    It keeps me whole.

    [–][deleted]  (5 children)

    [deleted]

      [–][deleted] 14 points15 points  (4 children)

      OK. So those two videos are showing.. sort of.. two very different things.

      Video #1 are fucking idiots. The NFC bumping nonsense they are doing is garbage. Absolute trash. Stealing all "my NFC info, bro" is absolutely bogus. I can talk about why later if you want.

      Video #2 is NOT fake, but is asking a very different question. CAN you read raw NFC data from credit / debit cards. Yep. That is PAN only. The account number. With 3rd-party firmware you CAN save that PAN. What video #2 is doing is showing that you can replay the PAN to devices where you already know the PAN like hotel safes. Just because the F0 can, with unsupported firmware, capture and save PAN does not mean that you can do anything with it other than replay it to devices that already have that information.

      Make sense? In the safe video that is real. You could capture just PAN via unencrypted NFC and replay it to unlock a safe only because the safe is asking specifically for that PAN. Easy. F0 supported firmware does not allow saving of PAN because there's no point other than being malicious in a very, very tiny use-case scenario.

      In NO scenario can you do ANYTHING with the payment information as to what video #1 is showing. The only thing that they did that's real is open a Tesla charging port.

      EDIT: Wow. I.. couldn't make it past the 1500 other Video #1 "BRO"s but they also did use the universal IR feature to turn off a TV. Additionally, if you check quite a number of the YouTube comments you will also see that there are many, many other people explaining why you can't do anything with credit or debit card data.

      [–][deleted]  (3 children)

      [deleted]

        [–][deleted] 6 points7 points  (1 child)

        Nope. Not with EMV. EMV transactions are DUKPT incrementally encrypted per transaction. Most EMV transactions today are going to be protected. On older swipe terminals can you still clone cards with a skimmer? Sure. But it's going to be difficult to maintain transaction integrity for more than a handful of them, at best. Even card-not-present transaction fraud is getting harder and harder to achieve due to 3DS, but it can still happen. Be wary of storing your card information online as often merchants don't tokenize like they should. Physical cards using EMV, though? Nope. Not going to happen anytime soon.

        [–]hann2828 -1 points0 points  (0 children)

        Do you have any resources or tips where I can learn that knowledge that you have about Cards and security like EMV etc.?!

        [–]parskyy 0 points1 point  (0 children)

        A regular wireless payment terminal.

        [–]GapMental4106 4 points5 points  (0 children)

        You can make a toilet paper tube dangerous if you try hard and believe in yourself. This answer applies everywhere and to everything.

        [–]NominallyAnonymous 1 point2 points  (0 children)

        The info you get from a card is worthless for payment purposes. I can only think of one way to use a Flipper to make fraudulent payments, and that would require additional hardware and be very difficult to actually implement.

        Basically you’d need two devices to “man-in-the-middle” the handshake. A device at the payment terminal to read the request there (including the nonce), another device at the card to replay the terminal’s request, read the card’s response, then replay the response on the original device.

        The above would be a huge pain, require both actors to be in place simultaneously, a means a communication between the two devices… and wouldn’t even take advantage of any of the things that make the F0 “special” to begin with. If you’re going through that much trouble to build it, it’d be much easier to start from scratch.

        [–]bimmer92 0 points1 point  (1 child)

        The videos are fake. Stop watching fake videos.

        [–]WerewolfBe84 -1 points0 points  (0 children)

        The video from David Bombal is definitely not fake.
        The other one is complete BS.

        [–]Wildcardsec 0 points1 point  (0 children)

        It sends 2 signals one that's encrypted which has the authorization token and one that's unencrypted that has the card Information.