why cant flipper do a credit card clone?
google wallet can save your cards. its using NFC as well to communicate with the terminal.
1 Like
That isn’t really how it works. This is what’s happening behind the scenes to the best of my understanding.
Google never copies the cryptographic keys from your actual card. You give Google your credit card information and they create a virtual card. The virtual card is a completely new card with it’s own cryptographic keys. Google emulates the virtual card then they charge your real card. Google can only do this because they operate there own payment processing.
For security reasons, your gwallet makes the NFC hardware address swap multiple times a second, it seems to be some security feature to prevent cloning etc. If you capture the stuff you’re phone spits out during a transaction you see a list of ID’s passing by, so it is not a static key.
You could potentially copy your physical CC, but not from a gwallet.
That doesn’t give the chip keys for tap to pay or the cvv required for any other type of payment. You would still need to physically access the card. At that point you can just read the data with your two eyes and the Flipper becomes irrelevant.
It’s not that simple.
Credit cards are well protected from cloning. They have encryption keys inside the chip that sign every transaction and those keys are not readable.
The google wallet does not clone a credit card. Instead, it creates a token, and replaces the microchip security features with single-use passwords that it silently receives from the bank. This require internet access and support from both payment system and your bank.
1 Like
For the flipper maybe not default , but with a PM3 it is pretty easy to copy the contactless payment option, also cloning the magstripe is not such a problem, but yes you need physical acces and know more about the card, then there are other verification 2factor options you cannot really clone, but if it is about physical card abuse, cloning one is not that hard rlly.
But the gpay function is also entirely diffrent from a physical card so you cannot clone it like a physical card.
- You can clone magstripe. This is the reason why magstripe-only cards are not produced anymore. But the magstripe on a chip-capable card has a special code indicating that, so a chip-capable terminal would not accept a magstripe of a chip-capable card, so magstripe cloning is mostly useless nowadays, unless you find a magstripe-only terminal in some backward countries such as Kenya or US. Also this requires a different equipment as Flipper cannot read or write magnetic stripes.
- You can proxy a contactless card, having a reader near a card and an emulator near a terminal with realtime two-way communication. Requires perfect timing, close proximity and could work with small amounts only, because the terminal would ask for a PIN for a bigger amount.Never heard of it in real life.
- You cannot copy a contactless or chip card. All you can do is read some information, but it would not be enough to make a transaction. Each chip has a crypto key inside it and an incrementing counter. The chip never gives away the key. But it signs with it the transaction data it receives from the terminal (such as terminal id and amount) along with the counter value. The counter values are never repeated. The card issuer verifies the signature and the value of the counter before approval.
Maybe not with a flipper , but with pm3you can definitly emulate recent CC’s , actually very easy, i never tried to clone it to a physical card, but emulating them works fine.
If you know the key, you can emulate the card. This is what the banks do for the certification purposes with the test cards. But you can’t get the key for a production card.
Have you found any cards that reveal the entire payment information including the cvv?
The CCV is not on the magstrip or rfid but it is printed on the card so while having physical access, yes i have the ccv information? so cloning it is no problem?
1 Like
I’m trying to look at it from a practical standpoint. If you have physical access a pen and paper or camera will work as well as the Flipper or PMx. There isn’t even a way to save the ccv information as note so a pen and paper might actually be more practical.
1 Like
In a lot of eastern countries these scams are pretty popular, clone magstrip, and check ccv , print them on a random self printed or prepaid CC to make it look legit and start shopping with your card. Good that insurance covers this but still a problem to look out for in shady gas stations or restaurants in places where people are not to strong on ethics 
Perhaps but they will use the cheapest practical solution. Much like how thieves prefer a rock to lock picking.
yep, usually it is just a magstrip cloner, with a camera on the keypad to steal your pin and/or CCV , but even restaurant workers, and other clerks at cheap night kiosks seem to like to have a keen interest into scamming people with their credit cards, so being aware about your cards while traveling could be a healthy paranoid state of mind , but i guess everyone in security has that problem where they see risk’s before convenience, i guess its part of the geek genes , adhd and AS problems that i am more paranoid about wireless implementations compared to the regular population. I do like to watch for the worst in situation and people, also since i met to many incompetent people in the IT work-field i was in before till the point i bricked my self. Now I am trying to keep my memory working doing it as a hobby instead of work.
1 Like
ATHF , ahhh you just hit a soft spot, i loved this adult swim cartoon for decades already since it started in the early millennium era. ATHF, Archer, Sealab, Venture brothers, 12oz mouse, xavier renage angel… this brings me back to my unhealthy years where i was dedicated to smoking herbs and other things.
1 Like
As an expert does it sound like an appropriate name?
1 Like
Yeah pretty much, everyone has a Carl in their neighborhood.
1 Like