Serious security threat in AfterPay bracelet payment
----------------------------------------------------

Finnish version of this advisory: https://sintonen.fi/advisories/afterpay-ranneke.txt

The AfterPay bracelet payment method used at The Great Beers – Small Breweries festival can be cloned in seconds with, for example, an Android mobile phone. Afterwards the attacker is able to buy products on the victim's credit, up to 500€ worth. The victim won't know about the attack until receiving the excessive bill after the event.

The AfterPay bracelet lacks the security features of credit card (CC) contactless payment:

- the bracelet can be cloned trivially, unlike the CC
- CC contactless payment requires the user to enter the PIN code periodically
- CC contactless payment has an upper payment limit (usually 20-30€)

The bracelet includes an NXP MIFARE Classic 1k NFC sticker. When the AfterPay bracelet is taken into use, the unique identifier of the sticker is associated with the user. At payment time the amount is first entered into the payment terminal and then the identifier is read from the sticker. The identifier is used to match the payment to a specific user. A bill is sent to the user after the event. Nothing in this flow verifies that the sticker presenting the identifier is the one originally issued: the identifier alone stands for the user's credit account.

The attacker is able to clone the NFC sticker if the attacker can get into close proximity of the victim's bracelet with, for example, an Android mobile phone. The clone can be written to a fully writable Chinese NFC token (worth roughly 1€). The token can be placed under the attacker's real bracelet, enabling impersonation of the victim's bracelet. The payments will then be associated with the victim's credit account instead.

I told this to the AfterPay representative at the GBSB event on 27th July 2016. The representative told me that the problem is already known. The only concrete action taken was to threaten my removal from the GBSB event.

Security tips for AfterPay bracelet users
-----------------------------------------

1. Make sure that no one is able to access your bracelet with a mobile phone or similar device. The cloning can be done from a distance of 5-10 cm.

2. If you suspect that your bracelet has been cloned, immediately visit the AfterPay representative to get the bracelet deactivated from the system. Merely destroying the bracelet does not stop the potential abuse!

Timeline
--------

27.07.2016 initial discovery
27.07.2016 notification to vendor's representative
29.07.2016 writing the initial advisory
30.07.2016 English translation of the advisory

Harry Sintonen
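Because the payment flow described above ties each purchase to nothing but the sticker identifier, the back end is the only place where a cloned bracelet can be noticed before the bill goes out. The following is an added example (not AfterPay's code or anything from the advisory) of the kind of post-hoc check a payment operator could run over its transaction log: the same identifier registered at two different terminals within seconds is physically implausible for one bracelet, and a per-identifier total approaching the 500€ credit limit mentioned above is worth a look. The log format, terminal names, identifiers and amounts are constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Purchase:
    ts: datetime       # time the payment was registered at the terminal
    uid: str           # sticker identifier read after the amount was entered
    terminal: str      # which payment terminal registered the purchase
    amount: Decimal    # amount in euros


# Constructed sample log (hypothetical format and values, not real AfterPay data).
SAMPLE_LOG = """\
2016-07-27T18:02:11 uid=04A1B2C3 terminal=T01 amount=6.50
2016-07-27T18:02:40 uid=04A1B2C3 terminal=T07 amount=7.00
2016-07-27T18:15:03 uid=04A1B2C3 terminal=T01 amount=6.50
2016-07-27T18:16:20 uid=1F2E3D4C terminal=T03 amount=5.50
2016-07-27T18:40:55 uid=1F2E3D4C terminal=T03 amount=5.50
"""


def parse_log(text: str) -> list[Purchase]:
    """Parse 'timestamp key=value ...' lines into Purchase records."""
    purchases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        purchases.append(Purchase(
            ts=datetime.fromisoformat(ts_str),
            uid=kv["uid"],
            terminal=kv["terminal"],
            amount=Decimal(kv["amount"]),
        ))
    return purchases


def find_impossible_travel(purchases: list[Purchase],
                           min_gap: timedelta = timedelta(seconds=60)):
    """Flag consecutive purchases with the same identifier at two different
    terminals less than min_gap apart. One physical bracelet cannot be in two
    places, so such a pair points at a second token carrying the same UID.
    Returns (uid, earlier_terminal, later_terminal, gap_seconds) tuples."""
    by_uid: dict[str, list[Purchase]] = defaultdict(list)
    for p in purchases:
        by_uid[p.uid].append(p)

    alerts = []
    for uid, plist in by_uid.items():
        plist.sort(key=lambda p: p.ts)
        for earlier, later in zip(plist, plist[1:]):
            gap = later.ts - earlier.ts
            if earlier.terminal != later.terminal and gap < min_gap:
                alerts.append((uid, earlier.terminal, later.terminal,
                               int(gap.total_seconds())))
    return alerts


def spend_by_uid(purchases: list[Purchase]) -> dict[str, Decimal]:
    """Total amount charged against each identifier."""
    totals: dict[str, Decimal] = defaultdict(Decimal)
    for p in purchases:
        totals[p.uid] += p.amount
    return dict(totals)


def over_cap(purchases: list[Purchase],
             cap: Decimal = Decimal("500")) -> list[str]:
    """Identifiers whose total exceeds the credit cap (500€ per the advisory)."""
    return [uid for uid, total in spend_by_uid(purchases).items() if total > cap]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for uid, t_a, t_b, secs in find_impossible_travel(records):
        print(f"ALERT uid={uid}: seen at {t_a} and {t_b} only {secs}s apart")
    for uid, total in spend_by_uid(records).items():
        print(f"uid={uid} total={total}€")
    print("over cap:", over_cap(records))
```

On the sample log the first identifier is flagged (T01 and T07 only 29 seconds apart) while the second is not; no total approaches the cap. A check like this only limits the damage after the fact, since the identifier itself is still the sole credential, and it is blind to a clone used at the same terminal at a leisurely pace. It also yields an operational answer to tip 2 above: a flagged identifier can be deactivated at the back end rather than waiting for the victim to dispute the bill.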