Near-field communication (NFC) payments let you purchase goods contactlessly by tapping your credit card or compatible smartphone on a reader. They’re a convenient way to make payments, and are therefore fairly popular. And, for the most part, they’re pretty secure as well, as revolving encrypted authorization tokens are used. But there is still a vulnerability with a credit card’s magnetic stripe data (MSD) that opens up the possibility for replay attacks. Salvador Mendoza has come up with a tiny, inexpensive device for performing those replay attacks.
As always, we have to warn you not to perform this attack yourself, especially not against other people. It’s not only highly illegal, it’s also extremely unethical. This device should only be used for educational purposes, and to push for improved security. For that reason, Mendoza doesn’t provide any details on how the original transaction data can be intercepted and have the token remain valid, just how to build the device and a demonstration of how it works. In that demonstration, Mendoza shows that his NFCopy85 device was able to successfully replay a transaction at an NFC payment-capable vending machine.
NFCopy85 is essentially a smaller version of Mendoza’s earlier NFCopy device. That original device was built on a Raspberry Pi Zero W, but this new one uses a small and power-efficient ATtiny85 microcontroller. That’s paired with a PN532 NFC board, with a tiny 3.7V LiPo battery for power. Mendoza used Adafruit’s PN532 NFC library, but had to modify it to work with the limited resources of the ATtiny85. That was mostly a matter of removing unnecessary parts of the library. The only other components on the NFCopy85 are a boost converter for the 5V required by the PN532, and an LED for debugging. At just $10 to build, the NFCopy85 illustrates just how inexpensive it is to perform NFC replay attacks.