Many of the coffee shops I go to in New York City no longer have magnetic swipe card readers, in favor of more secure near-field communication (NFC) readers — the method of wireless data transfer that’s used for services like Apple Pay. But as payment systems evolve, so do cybersecurity researchers who learn of new ways to reveal the flaws in current technologies. One such researcher, Salvador Mendoza, is exposing vulnerabilities with payment systems using his device NFC Copy Cat.
NFC Copy Cat, manufactured by Electronic Cats, is a small device that combines two powerful cybersecurity tools, NFCopy and MagSpoof. NFCopy works by copying a Visa NFC transaction to replay it later. Similarly, MagSpoof can wirelessly emulate/spoof any magnetic stripe card. So by using NFC Copy Cat, you can store magnetic stripe or NFC payment data to be replayed later — known in the cybersecurity world as a replay attack.
NFC Copy Cat comes with a simple user interface and can be programmed using the Arduino IDE. It has a micro USB connector, 3.7V LiPo battery leads, antenna leads, two programmable buttons, and a reset button.
"The NFCat PCB has 3 buttons: one for reset, and the other two are programmable. In the default example, one button is used to activate MagSpoof and the second to emulate an NFC transaction while they are pressed. But, the users will have the flexibility to interact with both technologies in the way they want."
Devices like NFC Copy Cat are essential for research and to prompt further development of publically released technology. And even though NFC Copy Cat is currently only utilized for training sessions there are plenty of things you can do right now to secure your payment information. Keep yourself safe by checking for malicious card skimmers, utilizing RFID-blocking wallets, and staying informed by following cybersecurity researchers like Salvador Mendoza.