I saw this particular item appear on a promoted tweet this morning and had to check I wasn’t going mad. For just over £126, it’ll capture your tap-to-pay card information and will then clone it. The result, after just a few minutes carrying the thing on the tube, a bus or train, is a huge stack of card details that you can then use and abuse.
The description of the product is frighteningly honest …
The ChameleonMini firmware can be configured and uploaded via USB to emulate a passive NFC device (e.g. a contactless card), act as an active NFC device (e.g. an RFID reader), sniff the communication (i.e. monitor the bits on the RF interface), and log the communication (during emulation and sniffing).
So, let’s just go over that again. It can pretend to be a reader, so can grab your card details when you’re close to it. It can then emulate your card so that the device can be held next to a payment machine to pay for items. Even if that’s not possible, this machine should be able to read your card number and sort code, plus it can copy door entry cards too, potentially letting people get into your workplace.
Of course, the makers of this device, which is based on open source software, tell us that it’s purely for “practical NFC and RFID security analysis, compliance and penetration tests, and various end-user applications” but then they also say that..
The freely programmable platform can create perfect clones of various existing commercial smartcards, including cryptographic functions and the Unique Identifier (UID).
Scary times. What next? Wrap your card in foil?