
NFC Geldkarte – broken by design?

The association of Germany's Sparkassen (Deutscher Sparkassen- und Giroverband; DSGV) is currently in the middle of a huge NFC project. The plan is to start rolling out 45 million NFC-enabled bank cards to customers in mid-2012.

The card will feature two different means of payment. One is a prepaid purse, which has to be topped up at a cash dispenser/ATM. The purse can be used to pay for goods up to 20 EUR. For amounts above 20 EUR, a PIN is required. In this case a direct debit transaction is performed and the money is debited directly from the customer's account.

Now a corresponding Android app, "S-kontaktlos", has been released (developed by DSV Group). Using this app, the amount of money stored in the purse on the card can be read without (!) a PIN. Additionally, the most recent top-up and payment transactions are displayed. From a security point of view, this is a nightmare: with an ISO 14443 compliant reader, someone can read this information from the card without the user noticing. As the BSI (Germany's Ministry for Information Security) has shown in a study, it is possible to read such a transponder from a distance of up to 1.5 meters. Therefore this feature is questionable from a privacy point of view.

Additionally, the prepaid card is awkward for the user as well. The current (contact-based) Geldkarte is hardly used in Germany, as prepaid usage is not very popular. The question is: why should this change with a contactless card? Hopefully, if the feature is integrated into the UICC of a mobile phone, OTA top-up will be available to the user.

B S Cardservice: s-Kontaktlos App

Sparkassen start to introduce NFC
