Your Number26 Mastercard knows what you did last summer…

…And so does your Maestro Card.

Just one week after reporting on a man-in-the-middle vulnerability in Number26, I was poking around a little more. Unfortunately, there are more negative findings to write about Number26, this time about their physical cards, the MasterCard and Maestro to be precise.

So what is this all about?

Every modern credit card has a little golden chip on it, the EMV chip. Instead of just storing the card number (as the magnetic stripe does), it is a tiny computer that performs individual signing operations whenever you use the card. And just like every computer, it also has some writable permanent storage. That is no surprise, since the card allows you to change the PIN.

Now, being curious about almost everything I have and do, I thought I might try to read all the stored and revealable content on that chip. I don’t quite know what I expected, but I didn’t see this one coming.

 

The data on the cards

Besides revealing the full card number and expiration date, which already makes me want to put my NFC cards in a tinfoil hat case, as well as information that I didn’t try to understand yet, it reveals your recent transaction history with both date and amount (including currency). You can see more details about that in the second screenshot:


NFC scan of my Number26 MasterCard

I was surprised that any shop you buy at could see how much money you spent over a certain timespan. But not only stores: even your spouse or friends have access to this data in a matter of seconds with their phone. Most annoyingly, I didn’t find any information about this in Number26’s Terms and Conditions or Privacy Policy. When I asked their support what historic transaction data is stored on the card, the first answer was that the card doesn’t store any information. After showing them the facts and providing a way to read their own cards, the support was suddenly (as always) not available to comment on this issue.

I have scanned my remaining credit cards. None of them were saving any historic transaction details. So if you are privacy-conscious or even have something to hide, maybe a recurring pharmacy expense or a gift for your wife/girlfriend/mistress, you are better off using another card.

 

Scanned Cards

with transaction history

  • Number26 MasterCard
  • Number26 Maestro
  • Fidor Smart Mastercard/Maestro combination (sources: @ReneHesse, t3n)

without transaction history

  • Germanwings Gold VISA
  • Germanwings Gold Mastercard
  • Consorsbank VISA debit
  • Comdirect VISA

 

Try it yourself

There is a free version of Credit Card Reader NFC (EMV) on Google Play. If your Android phone supports NFC, you can read the contents of your NFC cards with it. If you find any other cards that store the transaction history, I’d be happy to see a comment from you.
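To make concrete what a scanner app like the one above actually decodes, here is an added Python example (not code from this post, from Number26 or from the app): the card's Log Format (EMV tag 9F4F) is a list of tag/length pairs, and each record in the transaction log is just those values concatenated, so decoding is a fixed-layout split plus BCD conversion. The Log Format and both records are constructed sample data with an assumed Mastercard-style layout; the second record is an unused all-zero slot, which the decoder reports as empty.

```python
# Added example: decode EMV transaction-log records as a reader app must. The card's
# Log Format (tag 9F4F) lists (tag, length) pairs; a record is those values concatenated.
CURRENCY = {"0978": "EUR", "0203": "CZK"}  # ISO 4217 numeric codes (subset)

# Constructed sample data with an assumed Mastercard-style layout:
# 9F27 CID, 9F02 amount, 5F2A currency, 9A date, 9F36 ATC, 9F52 ADA,
# DF3E issuer byte, 9F21 time, 9C transaction type (25 bytes per record).
LOG_FORMAT = bytes.fromhex("9F27019F02065F2A029A039F36029F5206DF3E019F21039C01")
SAMPLE_RECORDS = [
    bytes.fromhex("40" "000000001250" "0203" "160123" "0007"
                  "000000000000" "00" "143015" "00"),  # 12.50 CZK on 2016-01-23
    bytes(25),                                           # unused slot: all zeros
]

def parse_dol(dol):
    """Parse a DOL into [(tag_hex, length)]; a tag is 2 bytes when its low 5 bits are set."""
    out, i = [], 0
    while i < len(dol):
        n = 2 if dol[i] & 0x1F == 0x1F else 1
        tag, i = dol[i:i + n].hex().upper(), i + n
        out.append((tag, dol[i]))
        i += 1
    return out

def decode_record(fmt, record):
    """Cut one fixed-layout log record into {tag: raw bytes} following the Log Format."""
    fields, i = {}, 0
    for tag, length in fmt:
        fields[tag] = record[i:i + length]
        i += length
    if i != len(record):
        raise ValueError(f"record is {len(record)} bytes, Log Format expects {i}")
    return fields

def describe(fields):
    """Human-readable amount/currency/date/ATC, or None for an empty (all-zero) slot."""
    if all(b == 0 for raw in fields.values() for b in raw):
        return None
    minor = int(fields["9F02"].hex())  # BCD: 12 digits with 2 implied decimals
    d = fields["9A"].hex()             # BCD YYMMDD
    return {"amount": f"{minor // 100}.{minor % 100:02d}",
            "currency": CURRENCY.get(fields["5F2A"].hex(), fields["5F2A"].hex()),
            "date": f"20{d[:2]}-{d[2:4]}-{d[4:]}",
            "atc": int.from_bytes(fields["9F36"], "big")}

def read_log(log_format, records):
    """What a scanner app shows: one dict per used slot, None per empty slot."""
    fmt = parse_dol(log_format)
    return [describe(decode_record(fmt, r)) for r in records]
```

Running `read_log(LOG_FORMAT, SAMPLE_RECORDS)` yields the decoded CZK entry followed by `None` for the empty slot, which is why a scanner that hides empty slots shows fewer than ten entries on a lightly used card.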

 

tl;dr

Their cards store payment amount and date of your last purchases for everyone to read via NFC.

 

Update

2016-02-09 22:45

I have posted this link on their Facebook page asking why there is nothing about it in the privacy statement. It got one reply stating “Very interesting. Also works with my number26-card.” Instead of replying, they deleted it.

2016-02-10 12:55

Here is an example of how you can see that someone might have been somewhere other than where they claimed to have been. The currency clearly gives away that this person was in the Czech Republic on the 23rd of January.


My wife and I have been to the Czech Republic. But what if she didn’t go with me and I just found out she was somewhere other than where she claimed?

2016-02-10 14:16

After all the claims that this behaviour is shared by all Mastercards, I went to buy some cookies and paid for them with my Germanwings Gold Mastercard, which tested negative yesterday. What if I had never used it? I got worried. But now I can confirm that even after using the card with the chip, no record of any transaction can be found when reading it with the NFC scanner.

 

Follow-Up

Number26 has released a new support center, which also covers the NFC cards extensively. Read more about it in this post.

19 thoughts on “Your Number26 Mastercard knows what you did last summer…”

  1. NFC is a track2 data transaction. Same as a magstripe transaction.
    Instead of being surprised about the card and expiry date being present, you should understand how NFC payments work.

    1. I was surprised because at some stage I was convinced, every NFC payment is a challenge-response and not a reading-the-number operation. Thank you for clearing that up. However, do you have a source for your claim at hand? I can just find that track 2 holds these data, but not that this is being used for NFC (rather than signing with the private key).

    2. That is incorrect. EMV is supported over NFC as well as the legacy “Magstripe” fallback mode, provided both the card and the terminal support it (and almost all cards and terminals in Europe do so by now).

  2. Have you tried any other MasterCard or Maestro card by a German issuer? Based on my experiences (three cards by three different banks), they all have transaction logs enabled. Unfortunately, this seems to be the default configuration of the MasterCard EMV application.

    1. The only other German NFC activated Mastercard is my Germanwings Gold, see my update (2016-02-10 14:16) on that one.

      What’s really annoying me about this issue is that it is not mentioned in Number26’s privacy policy or terms of service.

      1. This has nothing to do with NFC. Transaction logs are a basic EMV feature, which seems to be disabled by default for Visa cards, and enabled for MasterCard/Maestro cards.

        Also, online NFC transactions aren’t recorded (as the card is removed from the field before the issuer’s authorization response arrives at the terminal), so to be sure, you would have to perform a contact transaction and check your card afterwards (via either interface).

        Did you do that for your Germanwings card?

          1. That’s interesting. Are the transaction log slots empty (usually 10 entries showing all zeroes) or entirely missing?

            The Germanwings credit cards seem to be issued by Barclays, so maybe they aren’t using the German, but the UK card defaults?

          2. I can’t tell that from the app, as it doesn’t show empty slots. (I used my card 7 times with contact, my wife many more times. I have 7 entries, she has 10). Also the log in the app only shows 7 entries that kinda look the same, so I guess empty slots are not reported. But that’s just a guess.

  3. I just checked my card and as you said, NFC payments are logged and readable.
    Then I took my French bank Visa, and it is the same, I have NFC payments from 2013 logged in it.
    So it’s not limited to MasterCard or number26.

  4. Great information and two questions. What about KalixaCard?
    Can I go to my issuing bank and tell them to deactivate this?

    Another question: would the contactless OysterCard readers in London also read all your last transactions when using NFC MasterCards?

  5. I can confirm that my Targobank (Tchibo PrivatCard), Advanzia (Gebuhrenfrei – non NFC) and Fidor (SmartCard) Mastercard all have a transaction log.

    Is the Germanwings Card Offline-Enabled? Otherwise a transaction log makes no sense.

    1. If your Advanzia is non NFC, no-one will be able to read it without immediate physical access to it. Fidor has already been covered. I used the Germanwings Gold in an airplane, I am almost certain it is capable of offline transactions.

  6. Yes, but I would not overestimate the risk of reading without immediate physical access. It’s probably not that easy for an attacker to distinguish between the several NFC payment cards, the transport pass, the office key card and the library card in my pocket. Add some metal foil or a RFID protector wallet and it’s impossible.

    On the other hand I could see a use-case for this data with the marketing department of some shops, hotels, restaurants, …

    1. I recently got an iZettle reader and held it against a friend’s pocket. He believed he had an NFC-shielding wallet (a kind of metal case) and that his multiple cards would jam the signal. I had to reimburse that transaction in cash, because it went through. Don’t underestimate it either.

      I just retested it. 5 cards with NFC, the one closest to the reader won—through the wallet and my jeans.

      1. That’s actually a feature of the NFC specifications, i.e. ISO 14443, called anticollision. In a nutshell, the terminal can “mute” all cards in the field and select them individually by ID.
