Security Researchers Cry Wolf On RFID Credit Cards
from the bark->-bite dept
Two security researchers allege that the contactless payment solutions credit-card companies have begun building into their cards are relatively insecure, and transmit sensitive information without any encryption. The story plays into the most common fears about RFID and other similar technologies: that they turn people into walking clouds of identity theft, where their personal information’s just waiting to be grabbed out of the ether. But the credit-card companies say the researchers’ work doesn’t point to a large-scale real-world threat, and it appears they’re mostly right. First off, the researchers admit they used a small sample — just 20 cards, and the article doesn’t disclose how many of them actually transmit the information without encryption. Also, the researchers work with RSA Labs, part of a company that sells encryption technology, something else the article glosses over. But a bigger problem is that the researchers don’t seem to have considered just how difficult it would be for criminals to collect any useful information from these cards on a scale large enough to make their efforts (and the expense of buying and building the necessary equipment) worthwhile. One of the researchers says that it would be easy to collect the data from mailboxes by walking down a street and acting as if you were dropping fliers in each one. While nobody might notice, the odds that you’d actually find one of the cards is ridiculously slim. Worries about information being stolen at the point of purchase are overblown as well, since most of the imaginable scenarios don’t make things much easier than were somebody to try to steal the card information from a swipe card. Furthermore, the researchers haven’t considered that mechanisms in the radio broadcast are just one part of the overall security system of these cards, and they enjoy the same anti-fraud protection (and lack of consumer liability for unauthorized purchases) as cards without the contactless technology. While transmitting the information unencrypted isn’t a great idea and should be changed, it seems highly unlikely that the security situation here is nearly as bad as these researchers intimate.
Comments on “Security Researchers Cry Wolf On RFID Credit Cards”
I'm with the researchers..
Its stupid to implement RFID without encryption.
Can anyone come up with an excuse why an unauthorized scanner should be able to access info just by me walking by it?
Just what is the benefit of addidng RFID if NOT for security? How is easier access that has the same controlset an enhancement?
We are just making ourselves more vulnerable by broadcasting…
Better question...
Do I really want RFID technology in my card? Not so much…
Easy fix
An X-acto knife easily cuts the RFID chip out of my credit card, and to date not a single cashier has even noticed that the card is missing it. If you’re careful, there won’t be any damage.
What I would worry about is someone hacking together a device that let him stroll through a mall during the Christmas season picking credit card info from random passers by. I don’t think it would that hard to piece a device like that togehter, if you imagine a trend towards all cards having this info available and therefore the ready availablility of low cost scanners, I imagine a person could get a pretty good collection of credit card numbers in a pretty short time, and they’d only need to use each card once or twice. Still- you’re right that there’s nothing to worry about. Consumers have the fraud protection on the individual level, and it’s not worth it to Visa to build in expensive protections unless that kind of scenario I mentioned actually happens.
Making the Point-of-purchase hole bigger
Worries about information being stolen at the point of purchase are overblown as well, since most of the imaginable scenarios don’t make things much easier than were somebody to try to steal the card information from a swipe card.
While it’s true that sales clerks can double-swipe customer cards to gather information (TIP: keep an eye on the clerk the whole time they have your card and make sure it doesn’t go under the counter), they can be caught by closed-circuit cameras and fellow employees. With RF tech, there’s no visible evidence that they’re gathering info; in fact, it could be the ‘customer’ in line behind you that’s getting your credit card data. I think I’ll stick to my swipe cards for now.
Having a credit card with RFID is the least of our worries,
WAKE UP AMERICA!! The next one is gonna be in your arm!!
Think I’m crazy?? do some research..get informed, Big Brother is knocking on your door……….
http://i63.photobucket.com/albums/h134/pestilotsi/05.jpg
Re: Re:
The sky is falling, the sky is falling!
Bus or subway?
Or that pan-handler standing by a constriction where lots of people pass by? There’s plenty of people-dense areas where lots of CCs could be harvested without anyone being the wiser (once RFID cards are standard).
If you’re introducing a new technology, why not at least think about the issues, rather than running headlong off the cliff?
And don’t think that CC fraud isn’t passed onto the companies customers…
Check it out!
http://www.freedomtofascism.com/trailer/AMERICApromoV1.mov
Overblown Propoganda
By sensitive information do they mean the credit card number? You know, the number that is printed on the front and back of most credit cards? I also see that many credit cards have a three-digit card security code plus a signature strip. Something must be done to stop this breach of security – how dare this sensitive information be visible to others 😉 Everyday, millions of people hand over their credit cards to total strangers. Some people even give their credit card information over the phone. Yet, the credit card system seems to function.
Re: Overblown Propoganda
Sure, it functions well don’t it?
How prevalent is identity theft now? Been the victim of it? Oh… not *yet* huh?
Yep – it’s secure alright!! http://www.eweek.com/article2/0,1759,1628696,00.asp
Just like DVD copy protection, aye?
Or maybe Database Security at the Vetern’s Affairs?
Only a matter of time before someone works out how
It won’t be long before someone works out how to read an RFID tag from further away using high-gain equipment and more sophisticated filtering etc…
Apparently the British and American Passports had to be redesigned to shield their own RFID chip when closed because people had already worked out how to read it from a distance. and despite this Norwegian students have managed to read them from 60 centimetres away when the passport has been only been opened by 1cm (my beaten-up passport opens this much by itself).
It would probably quite easy for someone to conceal equipment in a doorway that harvested the info from every RFID tag that passed through it.
So much for privacy.
subways or buses?
You do know that this tech only works within a few mm of the card? how would someone be able to get close enough to not only find my card but get the data off of it? Is it in my right or left pocket? front or back? is it in my backpack? You still have a better chance to be pick pocketed than have this done. We have something like this at our building to get in at night, It won’t even work threw my pants let alone from a distance.
Re: subways or buses?
That’s only because your building didn’t want to pay for better door sensors. You can buy ones that will read your card from six feet away. And much farther if you want to spend the money.
Your buildings went for the cheapest option. That does not mean it was the best or only option.
RFID does not = Secure, LOL
It’s bad enough now as it is, don’t need to be transmitting your credit card info on the airwaves.
Here ya go – even further..
Go download it 🙂
http://www.rf-dump.org/
Small Business
I don’t see small business owners buying into this technology. There are still thousands of merchants(Small Business owners) that haven’t upgraded their POS (Point of Sale) terminals to comply with the law that requires merchants to have modern terminals that only display the last four digits of the CC account number.
I also wonder what type of Adsense Ads will be on this page.
Hastle
Sure, I don’t have to directly pay for credit card fraud (although indirectly, as previously stated). However, have you ever had to go through the hastle of getting a new card, changing all of your auto-pays, sending letters stating you didn’t make charges, etc. It’s not fun. Am I really so lazy I just can’t swipe my card?
zero liability?
Umm… somebody pays for that zero liability. Like by % rate. Or annual fees… or… but believe me, the credit card isn’t covering it out of their pockets until your pocket has been picked.
RF in cards for purchases is just a plain bad idea
Yes – at the interest rates they charge – which always seem to be going up – someone’s paying for it indeed.
The credit card company’s realize a positive profit – still, they are not losing money.
Yes, the consumers will pay for it – they just pass the ‘overhead’ on. They lobbied congress for bankruptcy law changes to collect on more debt.
take a look:
http://quote.morningstar.com/Quote/Quote.aspx?ticker=MA
Don’t be fooled by the day’s trading graph at first – swtich it to one year 🙂 lol
They aren’t losing money….
This Doesn't Happen Often
Boing Boing took the opposite tack on this:
http://www.boingboing.net/2006/10/23/report_contactless_c.html
Security Researchers Cry Wolf On RFID Credit Cards
the expense of buying and building the necessary equipment. The equipment placed the middle of NY market area for one day would pay for it and then some.
A very silly thing to put on a card.
What I can envision a smart thief doing when this sort of thing becomes prevalent is simply building a device that has a fairly powerful RFID reader built into it, a wifi connector, a small computer and a big hard disk. This could then be put into a lamp post or similar powered street furniture, to leech power from this and to actively filter the sniffed RFIDs. Power is necessary for this operation to get the sniffing range on passive tags, and to power a small computer to filter the ensuing flood of info and sift out the useful stuff.
From there, all it need do is sit, pull power from mains and sniff for RFIDs. The thief hardly needs to work then; just pull up near the device every so often, connect into it and pull off the sniffed data, and if necessary amend the logging filters to sharpen up the response.
Historically, whenever the credit industry gets a new technological toy, it always starts out lax in security, then gets more secure at the publicand legal systems force it to (unwillingly) do so. RFID shouldn’t be any exception to this rule.
Even encryption won’t be a deterrent, unless it is strong. It isn’t beyond the bounds of possibility for a smart criminal to start up or buy a computer recycling company, just to get hold of a source of cheap old PCs. These could then be built into a Beowulf cluster, for use in cracking RFIDs.
The easiest response is to invest in the tinfoil wallet as soon as possible, and to avoid all RFIDs until the banking industry is once more forced to engage brain and implement some security.
Perhaps the authors of this article should have re
The paper looks fairly convincing. It raises a much needed warning that we should be cautious.
Check out http://prisms.cs.umass.edu/7Ekevinfu/papers/RFID-CC-manuscript.pdf
The researchers do disclose their limitations. They didn’t do live tests on real RFID payment systems. They clearly say they can’t comment on anti-fraud measures. They did use information obtained from one of their own cards to make a real purchase!
They found some privacy issues. Personally, I am less concerned about these than the other issues they raise.
They also were able to lift the account numbers and expiry dates from all but one card brand. The theft of information is from “skimming” and “eavesdropping”. There are still lots of places that don’t check those extra digits on the back of your card. That’s how they made their purchase. They call it “cross-contamination” (what a mouthful).
The sample is discussed including the size (20 cards), number of major card brands (3), some unspecified number of banks, and type/behaviour of the cards (4). I find criticsm that this number is too small to be specious and self serving. How many digital copies of a mass marketed product do you need to test? Maybe there are better cards out there. Maybe there aren’t. This sample indicates that there are enough with problems to catch unwanted interest.
Most of the equipment was comercially available. They applied some smarts to figure out what commands the cards and card readers responded to. Once the criminals figure out the same it will be cookie cutter and anyone will be able to do it.
Isn’t there a universal card company standard that requires card information to be encrypted when sent over wireless links? Do their left and right hands know what the other is doing?
This is from the same people that are clinging to magnetic stripe technology. What is the expected lifespan of this technology? How long will it hang on past its “best before date”? The ability to increase the “read range” during this time is what is really worrying. Other people have worked on this problem and it looks like it might be practical within about 1-2 yards at this point. The high end claims are much higher.
I did find one of the scenarios discussed for attack a bit weak. Without changing a thing I can think of lots of places that you could find more cards faster than stuffing flyers in side of the road mailboxes trying to skim cards.
I don’t think I want a card that is always ready to broadcast information to any gadget that asks if I just wallk by it.
But in perspective I’d much rather have an RFID credit card than an RFID passport.
Fraud prevention will take a beating
I can’thelp but think this is going to make fraud detection and control much harder and less successful.
Today, if there is a compromise banks and card processors cooperate to identify the common point and time frame where the cards were used. Then they can notify people that their cards may have been compromised even before fraud occurs.
With RFID this will be much harder because there may be no common point of purchase!
Even if they can deduce that many people were in the same crowd at the same time, say a baseball game, how do they find and notify them before a fraud occurs? Take out an add in the paper?
Banks could send the cards in our shielded sleeves
You can sleep easy just by buying a Secure Sleeve from Identity Stronghold. We make credit card and soon passport sleeves. They shield the card and are just like the sleeves the credit card companies used to send out to protect the mag strip only have a special layer.
Of course the credit card companies could just ship the cards with them and the cards in the mailbox would be protected as well.
see idstronghold.com
Re: Banks could send the cards in our shielded sle
And you can sleep easy too, Walt. Seeing as how you are the owner and founder of the home-based company that hawks these sleeves. To quote an earlier poster, “The Sky is Falling!”
Re: Banks could send the cards in our shielded sle
WOW Very expensive the smart card guard sleeves sold by national envelope are 6 cents each compaired to these at $3 I found.
credit card copyed
My daughtres credit card was copyed some how and being used in florida to purchess gas out at the pump. Secruity called and shut the card down we live in virginia. Hoe did they get the info to make the card i don”t know . just watch out
RFID card and passport security
RFID enabled cards and passports have been indisputably proven unsecure. Even with the most innovative encryption, data can be skimmed (read stolen) from these devices. The best way to secure data stored on a RFID enabled card or passport is to prevent unauthorized access to it in the first place. Focusing on this objective, we developed ‘Dead Bolt’ integrated contactless RFID security technology.
Our patent pending security solution is built directly into RFID enabled cards or passports at the time of manufacture. This solution integrates novel piezo driven circuitry into the card or passport, disabling the receive/transmit functions of the RFID circuit. To allow the card or passport integrated with our technology to receive and transmit, a simple and intuitive pressure is applied. This activates our circuitry which, in turn, allows the RFID circuit to function normally; however, this condition is momentary. The time in which our circuitry allows the RFID circuit to send and receive is predetermined by the issuing vendor’s requirements – the unit shown in our demonstration videos is arbitrarily set for 200 milliseconds. At the end of this predetermined “read/transmit window” our circuitry resets, again disabling the card or passport.
‘Dead Bolt’ is thinner than the embedded RFID chip itself and gives no outward appearance of its existence, allowing for practically unlimited applications. It is impossible to access data stored on RFID enabled cards and passports that integrate ‘Dead Bolt’ technology until or unless the user intentionally initiates the read process.
Additionally, by being integrated into the card or passport, ‘Dead Bolt’ eliminates the need to buy anything else to keep your information safe. Why should we be forced to buy external protection for information stored on a device that, by all rights, be secure before we receive it?
For more information and to see demonstration videos of ‘Dead Bolt’, go to http://www.spiveytechnologies.com and http://www.youtube.com/spiveytechnologies.
RFID credit cards
How would a breach of a merchant be handled even with a remote possiblity of a hacker accessing the information from the chip. Doesn’t this provide a merchant with a possible reason for a breach and that the merchant shouldn’t be held liable.