…And so does your Maestro Card.
Just one week after reporting about a Man-In-The-Middle vulnerability of Number26, I was poking around a little more. Unfortunately, there are more negative findings to write about Number26. This time about their physical cards, the MasterCard and Maestro to be precise.
So what is this all about?
Every modern credit card has a little golden chip on it. This is called the EMV chip. Instead of just storing the credit card number (as the magnetic stripe does), it is a tiny computer that performs an individual signing job whenever you use the card. And just like every computer, it also has some writable permanent storage. That is no surprise, since the card lets you change the PIN.
Now, being curious about almost everything I have and do, I thought I might try to read all the stored and revealable content on that chip. I don’t quite know what I expected, but I didn’t see this one coming.
The data on the cards
Besides revealing the full card number and expiration date, which already makes me want to put my NFC cards in a tinfoil hat case, as well as information that I didn’t try to understand yet, it reveals your recent transaction history with both date and amount (including currency). You can see more details about that in the second screenshot:
NFC scan of my Number26 MasterCard
I have scanned my remaining credit cards. None of them were saving any historic transaction details. So if you are privacy-cautious or even have to hide something, maybe a recurring pharmacy expense or a gift for your wife/girlfriend/mistress, you are better off using another card.
with transaction history
- Number26 MasterCard
- Number26 Maestro
- Fidor Smart Mastercard/Maestro combination (sources: @ReneHesse, t3n)
without transaction history
- Germanwings Gold VISA
- Germanwings Gold Mastercard
- Consorsbank VISA debit
- Comdirect VISA
Try it yourself
There is a free version of the Credit Card Reader NFC (EMV) on Google Play. If your Android phone supports NFC, you can read the contents of your NFC cards with it. If you find any other cards that store the transaction history, I’d be happy to see a comment from you.
Their cards store payment amount and date of your last purchases for everyone to read via NFC.
I have posted this link on their Facebook page asking why there is nothing in the privacy statement page. It got one reply stating “Very interesting. Also works with my number26-card.”. Instead of getting a reply they deleted it.
Here is an example of how you can see that someone might have been somewhere other than where they claimed to have been. The currency clearly gives away that that person has been to the Czech Republic on the 23rd of January.
My wife and I have been to the Czech Republic. But what if she didn’t go with me and I just found out she was somewhere else than she claimed?
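How date, amount and currency end up in such a log entry, as an added example that is not part of the original post: EMV cards that keep a transaction log describe each fixed-size record with a Log Format list (tag 9F4F) of tag/length pairs. The format and record bytes below are constructed sample values, not data read from the cards above, and the helper names are hypothetical.

```python
from decimal import Decimal

# ISO 4217 numeric currency codes (subset), as stored in EMV tag 5F2A.
CURRENCIES = {"0978": "EUR", "0203": "CZK"}

# Constructed sample data: a simplified Log Format and two log records.
LOG_FORMAT = bytes.fromhex("9A03" "9F0206" "5F2A02")   # date, amount, currency
RECORDS = [
    bytes.fromhex("160123" "000000045000" "0203"),
    bytes.fromhex("160120" "000000001250" "0978"),
]

def parse_log_format(dol: bytes):
    """Split a Log Format list into (tag_hex, length) pairs."""
    fields, i = [], 0
    while i < len(dol):
        start = i
        if dol[i] & 0x1F == 0x1F:        # low five bits set: multi-byte tag
            i += 1
            while dol[i] & 0x80:         # high bit set: another tag byte follows
                i += 1
        i += 1
        fields.append((dol[start:i].hex().upper(), dol[i]))
        i += 1                           # skip the one-byte length
    return fields

def decode_record(record: bytes, fields):
    """Decode one log record into the values a card reader app displays."""
    if len(record) != sum(n for _, n in fields):
        raise ValueError("record length does not match log format")
    out, pos = {}, 0
    for tag, n in fields:
        raw = record[pos:pos + n].hex()
        pos += n
        if tag == "9A":                  # transaction date, BCD YYMMDD
            # Assumption: two-digit year belongs to the 2000s.
            out["date"] = f"20{raw[0:2]}-{raw[2:4]}-{raw[4:6]}"
        elif tag == "9F02":              # amount authorised, BCD minor units
            # Assumption: currency has two decimal places (true for EUR, CZK).
            out["amount"] = Decimal(int(raw)) / 100
        elif tag == "5F2A":              # transaction currency code
            out["currency"] = CURRENCIES.get(raw, raw)
    return out

if __name__ == "__main__":
    layout = parse_log_format(LOG_FORMAT)
    for rec in RECORDS:
        print(decode_record(rec, layout))
```

The currency code is stored per transaction, which is why a single log entry is enough to place a purchase in a particular country.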
After all the claims that this is behavior shared between all Mastercards, I went to buy some cookies and paid for them with my Germanwings Gold Mastercard that tested negative yesterday. What if I never used it? I got worried. But now I can confirm that even after using the card via the chip, no record of any transaction can be found reading it with the NFC scanner.
Number26 has released a new support center, which also covers the NFC cards extensively. Read more about it in this post.