Hacking My Credit Card with a Flipper Zero: Separating Fact from Fiction

Paul Hardy

My name is Paul, and I'm part of the security team here at Lendable. While my colleagues handle monitoring and policy, I'm the one focused on offensive security - deliberately trying to break into our own systems. It's how I find the vulnerabilities before anyone else does, turning "shenanigans" into valuable threat intelligence.

As someone who enjoys exploring the ins and outs of payment systems, I recently decided to experiment with a Flipper Zero - the popular hacking multi-tool - to see what data I could extract from my own credit card.

Armed with my Flipper Zero and a payment card, I set out to uncover the realities of credit card security.

What Data Can a Flipper Zero Read?

Using the Flipper Zero’s NFC capabilities, I was able to retrieve:

  • The card number (PAN)
  • The expiry date
  • EMV metadata about applications and preferences

Essentially, this is the same information that's printed on the front of your card.

What Data Remains Secure?

It's important to emphasize what I couldn’t access:

  • No CVV (the 3-digit number on the back of the card)
  • No secret cryptographic keys
  • No PIN
  • No ability to clone the card for fraudulent transactions

Despite online scaremongering, a Flipper Zero cannot be used to simply "copy and go" with someone else's credit card.

How is this secure?

To understand the security controls on a payment card, we need to step back and look at how a card transmits data at the point of payment. This is defined by EMV (Europay, Mastercard, and Visa), the global standard for chip cards that replaced the old magnetic stripe.

The EMV system is designed with multiple layers of security:

  • Each transaction generates a unique cryptographic signature, preventing replay attacks.
  • Sensitive data is stored securely within the card's tamper-resistant chip.
  • Banks employ issuer-side risk scoring to detect and flag suspicious transactions.
  • Credit card users benefit from legal protection. In the UK, Section 75 of the Consumer Credit Act holds card issuers jointly liable for purchases over £100, limiting your liability in cases of fraud.
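To make the first point concrete, here is a simplified model of a per-transaction cryptogram, added as an illustration and not taken from the original post or from the EMV specifications. Assumptions: HMAC-SHA256 stands in for the real cryptogram algorithm, and the `Card` and `Issuer` classes, the key, the card number and the terminal nonces are all constructed for the example.

```python
import hashlib
import hmac

def _mac(key, pan, amount, un, atc):
    # Simplified stand-in for the EMV application cryptogram (assumption: HMAC-SHA256).
    msg = b"|".join([pan.encode(), str(amount).encode(), un, str(atc).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, pan, expiry, key):
        self.pan, self.expiry = pan, expiry
        self._key = key   # stays inside the chip, never returned by any method
        self._atc = 0     # transaction counter, incremented on every payment

    def read_public(self):
        # All a contactless read exposes in this model: no key, no PIN, no CVV.
        return {"pan": self.pan, "expiry": self.expiry}

    def pay(self, amount, un):
        self._atc += 1
        return self._atc, _mac(self._key, self.pan, amount, un, self._atc)

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enrol(self, pan, key):
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorise(self, pan, amount, un, atc, cryptogram):
        if pan not in self._keys:
            return "unknown card"
        if atc <= self._last_atc[pan]:
            return "declined: counter already used"
        expected = _mac(self._keys[pan], pan, amount, un, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        self._last_atc[pan] = atc
        return "approved"

def demo():
    key = bytes(range(16))                          # constructed test key
    card = Card("0000000000000000", "12/99", key)   # constructed card data
    issuer = Issuer()
    issuer.enrol(card.pan, key)
    un1, un2 = b"\x01\x02\x03\x04", b"\x0a\x0b\x0c\x0d"  # constructed terminal nonces
    atc, cg = card.pay(1000, un1)
    genuine = issuer.authorise(card.pan, 1000, un1, atc, cg)
    replay = issuer.authorise(card.pan, 1000, un1, atc, cg)      # same message sent again
    reuse = issuer.authorise(card.pan, 1000, un2, atc + 1, cg)   # old cryptogram, new nonce
    guessed = _mac(bytes(16), card.read_public()["pan"], 1000, un2, atc + 1)
    return genuine, replay, reuse, issuer.authorise(card.pan, 1000, un2, atc + 1, guessed)
```

`demo()` returns one approval followed by three declines: the cryptogram is bound to the counter and the terminal's nonce, and the card number and expiry alone are not enough to compute a valid one.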

Zable Card mobile application spend controls screen

Protecting Your Card Information

Here are some practical tips to enhance your financial security:

  • Use credit cards for online purchases: Credit cards offer greater legal protection compared to debit cards.
  • Apply Spend Controls: Use a card like Zable, which allows you to disable the contactless feature and provides other controls to safeguard your finances.
  • Enable transaction alerts: Monitor your card activity and receive notifications for any unauthorized transactions.
  • Use virtual card numbers: When available, use virtual card numbers for online purchases to prevent exposing your actual card details.
  • Be cautious about where you enter your card information: Avoid entering your card details on untrustworthy websites (you know the ones!).
  • Consider an RFID-blocking wallet: While not strictly necessary, it makes you feel like a spy (which is half the point!).

Conclusion

Reading my own credit card was a fun way to demystify the EMV system - and a reminder of just how much data lives on that little chip. Yes, some of it is readable. No, that doesn’t mean your money is at risk from anyone with a Flipper in their pocket.

Security isn’t about being unbreakable. It’s about being resilient, layered, and difficult enough to crack that bad actors won’t bother. For all its quirks, EMV still does a solid job on that front.

And just because your card “talks” when tapped doesn’t mean it’s spilling secrets to anyone nearby - it only shares the necessary data, at the right time.