Welcome back to my blog series on the offensive capabilities of the Flipper Zero! Part two of this series focuses on the NFC capabilities of the device, specifically how it may be used to copy credit card data, otherwise known as a skimming attack. One of the benefits of chip technology in modern credit cards is that, because of how the cryptography and key generation work, it’s not possible to listen to an NFC signal and then repeat it. So, you would not be able to use the Flipper Zero to pay for items by tapping it on a payment kiosk, as the Flipper does not have the capability of generating the cryptographic keys necessary to create a valid payment signature. However, the Flipper does have one capability that can still lead to credit card fraud: the information taken from a credit card can be typed in manually to complete online purchases. Luckily, this isn’t a complete disaster, as the data the Flipper can read from a card via NFC includes the card number and expiration date, but does not include the CVV security number printed on the back of cards. Additionally, simply skimming a card will not give the attacker access to your valid billing address. However, since the CVV is a short number, it can be easily stored during a skimming attack, and some payment processors do not require a valid billing address while others do not fully validate them as they should.
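Why a captured tap cannot simply be repeated, as an added example that is not from the original post: a simplified model of a chip card's dynamic cryptogram, in which the card signs a counter, the amount and a terminal-chosen nonce with a key that never leaves the chip. HMAC-SHA256, the class names and all values are assumptions chosen for illustration; real EMV cards use different MAC algorithms and key derivation.

```python
import hashlib
import hmac

# Simplified model: real EMV cards use 3DES/AES-based MACs and per-transaction
# session keys; HMAC-SHA256 stands in so the example runs with the stdlib only.
CARD_KEY = bytes(range(32))  # constructed key; on a real card it never leaves the chip

def _message(atc, amount_cents, terminal_nonce):
    return atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + terminal_nonce

class Card:
    def __init__(self, key):
        self._key = key
        self.atc = 0  # transaction counter, incremented on every tap

    def sign(self, amount_cents, terminal_nonce):
        self.atc += 1
        msg = _message(self.atc, amount_cents, terminal_nonce)
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()

class Issuer:
    def __init__(self, key):
        self._key = key
        self._last_atc = 0

    def authorize(self, atc, amount_cents, terminal_nonce, cryptogram):
        msg = _message(atc, amount_cents, terminal_nonce)
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        if atc <= self._last_atc:
            return "declined: counter already used"
        self._last_atc = atc
        return "approved"

def demo():
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    nonce_a, nonce_b = b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"  # constructed terminal nonces
    atc, cryptogram = card.sign(1250, nonce_a)
    return [
        issuer.authorize(atc, 1250, nonce_a, cryptogram),     # genuine tap
        issuer.authorize(atc, 1250, nonce_b, cryptogram),     # capture replayed at a terminal with a fresh nonce
        issuer.authorize(atc, 1250, nonce_a, cryptogram),     # exact resubmission of the capture
        issuer.authorize(atc + 1, 1250, nonce_b, bytes(32)),  # card number known, key unknown
    ]
```

Only the first authorization succeeds; the static card number and expiration date play no part in the cryptogram check, which is why they are useful only where no cryptogram is required, such as manual entry online.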

Pavel Zhovner, the founder and CEO of Flipper Devices, Inc., stated that reading credit cards “is not a real feature and implemented just for demonstration”, and eventually they removed the credit card reading functionality from the NFC section of the Flipper in update 0.81.1 of the firmware. So, if your Flipper has been updated, you will either need to re-add the functionality manually by editing the firmware and recompiling it, or simply download an older version of the firmware and load it onto your Flipper using the qFlipper update tool. For simplicity’s sake, I will just be loading the oldest firmware which still supports reading bank and credit cards for this demonstration. Older firmware can be found on the Flipper’s builds page. I downloaded the latest firmware that still had card reading functionality for demonstration purposes, 0.80.1, flipper-z-f7-update-0.80.1.tgz. If you want the ability to store the card data, as later versions supported reading but not storing bank card data, you’ll have to use version 0.68.1 or earlier, which would be flipper-z-f7-update-0.68.1.tgz. Alternatively, you can modify the more recent firmware to include a save menu, which just involves copying and pasting save functionality from another part of the NFC menu into the EMV card reading section of the firmware.

Open up qFlipper and connect your Flipper Zero via USB. From there, click on “Install from file”, and be sure to choose the firmware that you downloaded. Note that Flipper recommends plugging the device directly into your computer instead of through a USB hub, as a hub may cause the update to fail. Wait for it to finish installing, and you will have card reading functionality back on your Flipper.

Select “Install from file” in order to use a custom firmware.

From here, the process is quite simple. Go to the NFC menu, select “Read”, and place the Flipper against the card. Almost instantly, the Flipper will register the new card and you’ll be able to store it in the Flipper under whatever name you wish (if your firmware version supports saving card data). The card data can then be read from the Flipper by going to “Saved” in the NFC menu and selecting the saved data. It can also be extracted to a computer and read as a text file if desired.

While the Flipper Zero does not store CVV information, simply saving the card data as the CVV number allows you to store the CVV with the card data. Note: the CVV used for this demonstration is not the actual one for this card.

The Payment Card Industry Security Standards Council (PCI SSC) released an informational PDF explaining how to prevent skimming attacks, and this focuses on devices that are much more stealthy than the Flipper Zero. This includes examples of terminal fraud, and the best ways for retailers to look for compromised payment terminals.

Credit: PCI SSC

The best way for individuals to protect themselves from these attacks is to be aware of skimming attacks, take a look at the payment terminal before tapping a card, and store the card in a radio frequency blocking sleeve. There are situations where your card may end up out of sight when paying, such as when giving your card to the wait staff at a restaurant. Unfortunately, there’s nothing that you can do if a member of the wait staff is malicious and uses a skimmer to take your card data when they step away from the table. As a silver lining, for large transactions, payment processors usually require a valid billing address. So, if your data was skimmed in this way, it’s likely to be used for smaller transactions, although that also makes it harder to detect if you’re just paying your bill and not inspecting your statement. So, it’s best to keep tabs on your monthly bill to ensure no fraudulent transactions are on it. Minimizing your risk exposure is best, but as of right now, it’s impossible to fully eliminate it.
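On the merchant side, the gap described in this post (online purchases approved without a matching CVV or a verified billing address) can be audited from authorization logs. The following is an added example, not part of the original post; the key=value log format, field names and sample lines are constructed and do not follow any real processor's schema.

```python
# Constructed sample log; format and field names are hypothetical.
SAMPLE_LOG = """\
id=1001 channel=cnp amount=18.40 cvv=match avs=full_match decision=approved
id=1002 channel=cnp amount=9.99 cvv=not_provided avs=not_provided decision=approved
id=1003 channel=cnp amount=24.00 cvv=match avs=no_match decision=approved
id=1004 channel=cnp amount=310.00 cvv=not_provided avs=no_match decision=declined
id=1005 channel=tap amount=6.50 cvv=n/a avs=n/a decision=approved
malformed line without fields
"""

REQUIRED = {"id", "channel", "amount", "cvv", "avs", "decision"}

def parse(line):
    """Return the record as a dict, or None if any required field is missing."""
    fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
    return fields if REQUIRED <= fields.keys() else None

def audit(log_text):
    """Flag approved card-not-present (cnp) transactions that skipped a check."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["channel"] != "cnp" or rec["decision"] != "approved":
            continue  # tap transactions are covered by the chip's own cryptography
        reasons = []
        if rec["cvv"] != "match":
            reasons.append("approved without a matching CVV")
        if rec["avs"] != "full_match":
            reasons.append("approved without a verified billing address")
        if reasons:
            findings.append((rec["id"], float(rec["amount"]), reasons))
    return findings

if __name__ == "__main__":
    for txn_id, amount, reasons in audit(SAMPLE_LOG):
        print(txn_id, amount, "; ".join(reasons))
```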