In the NFC space, it is quite common to hear consumers asking if it is possible for them to copy their credit card or bus pass onto another NFC card. Fortunately, for security reasons, you generally cannot do this.
Most commonly available NFC tags aren’t very complicated devices. Effectively, they are small chunks of read-write memory with a radio interface tacked on. However, a we mentioned in our post on cloning hotel cards, there are also advanced cards available with the ability to perform cryptographic authentication and enciphered communication. Most large cashless payment systems make use of these advanced tags, which, when used correctly, render card cloning practically impossible. That said, there are a couple of relatively common exceptions to this:
Event cashless payment systems
There are some event-based cashless payment systems that make use of the card solely for identifying the attendee. In many of these systems, the card’s factory-encoded serial number is used to identify cards, which are then associated with their owners in the cloud. As we discussed in the hotel cards post, cards in such a system can be successfully cloned, but it requires you to acquire a special tag with a changeable serial number or tag emulating device that can have its serial number set to match one of the event’s cards.
EMV Magstripe Emulation
Modern dual-interface credit cards make use of a standard called EMV, which aims to reduce credit card fraud by making use of advanced smart card capabilities. However, there is a mode in the standard where the card provides a payment terminal with information that looks like a magnetic stripe swipe. This mode is quite important for allowing gradual upgrading of payment infrastructure, but it introduces some significant security concerns. It is possible (and a few people have done so) to copy the data provided by this operating mode and use it to clone an existing credit card. However, in parts of the world where the EMV transition has been completed, many terminals will not allow you to make payments using magstripe emulation. Additionally, a modern smartcard has sufficient computing capacity to dynamically generate this magstripe-like data. Therefore, depending on how the credit card was programmed, attempting to clone your credit card’s magstripe emulation data may result in you getting a dynamically generated dataset that is only valid for a very limited time, possibly only a single transaction. So, while you can technically create a partial clone of an EMV credit card, there are measures in place to limit the impact of this vulnerability.