Security Researchers Cry Wolf On RFID Credit Cards

from the bark->-bite dept

Two security researchers allege that the contactless payment solutions credit-card companies have begun building into their cards are relatively insecure, and transmit sensitive information without any encryption. The story plays into the most common fears about RFID and other similar technologies: that they turn people into walking clouds of identity theft, where their personal information's just waiting to be grabbed out of the ether. But the credit-card companies say the researchers' work doesn't point to a large-scale real-world threat, and it appears they're mostly right. First off, the researchers admit they used a small sample -- just 20 cards, and the article doesn't disclose how many of them actually transmit the information without encryption. Also, the researchers work with RSA Labs, part of a company that sells encryption technology, something else the article glosses over. But a bigger problem is that the researchers don't seem to have considered just how difficult it would be for criminals to collect any useful information from these cards on a scale large enough to make their efforts (and the expense of buying and building the necessary equipment) worthwhile. One of the researchers says that it would be easy to collect the data from mailboxes by walking down a street and acting as if you were dropping fliers in each one. While nobody might notice, the odds that you'd actually find one of the cards is ridiculously slim. Worries about information being stolen at the point of purchase are overblown as well, since most of the imaginable scenarios don't make things much easier than were somebody to try to steal the card information from a swipe card. Furthermore, the researchers haven't considered that mechanisms in the radio broadcast are just one part of the overall security system of these cards, and they enjoy the same anti-fraud protection (and lack of consumer liability for unauthorized purchases) as cards without the contactless technology. While transmitting the information unencrypted isn't a great idea and should be changed, it seems highly unlikely that the security situation here is nearly as bad as these researchers intimate.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 23 Oct 2006 @ 9:33am

    I'm with the researchers..

    Its stupid to implement RFID without encryption.

    Can anyone come up with an excuse why an unauthorized scanner should be able to access info just by me walking by it?

    Just what is the benefit of addidng RFID if NOT for security? How is easier access that has the same controlset an enhancement?

    We are just making ourselves more vulnerable by broadcasting...

    link to this | view in chronology ]

  • identicon
    Aaron, 23 Oct 2006 @ 9:41am

    Better question...

    Do I really want RFID technology in my card? Not so much...

    link to this | view in chronology ]

  • identicon
    Anonymous dude, 23 Oct 2006 @ 10:05am

    Easy fix

    An X-acto knife easily cuts the RFID chip out of my credit card, and to date not a single cashier has even noticed that the card is missing it. If you're careful, there won't be any damage.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Oct 2006 @ 10:08am

    What I would worry about is someone hacking together a device that let him stroll through a mall during the Christmas season picking credit card info from random passers by. I don't think it would that hard to piece a device like that togehter, if you imagine a trend towards all cards having this info available and therefore the ready availablility of low cost scanners, I imagine a person could get a pretty good collection of credit card numbers in a pretty short time, and they'd only need to use each card once or twice. Still- you're right that there's nothing to worry about. Consumers have the fraud protection on the individual level, and it's not worth it to Visa to build in expensive protections unless that kind of scenario I mentioned actually happens.

    link to this | view in chronology ]

  • identicon
    Comboman, 23 Oct 2006 @ 10:10am

    Making the Point-of-purchase hole bigger

    Worries about information being stolen at the point of purchase are overblown as well, since most of the imaginable scenarios don't make things much easier than were somebody to try to steal the card information from a swipe card.

    While it's true that sales clerks can double-swipe customer cards to gather information (TIP: keep an eye on the clerk the whole time they have your card and make sure it doesn't go under the counter), they can be caught by closed-circuit cameras and fellow employees. With RF tech, there's no visible evidence that they're gathering info; in fact, it could be the 'customer' in line behind you that's getting your credit card data. I think I'll stick to my swipe cards for now.

    link to this | view in chronology ]

  • identicon
    Pesti, 23 Oct 2006 @ 10:12am

    Having a credit card with RFID is the least of our worries,
    WAKE UP AMERICA!! The next one is gonna be in your arm!!
    Think I'm crazy?? do some research..get informed, Big Brother is knocking on your door..........

    http://i63.photobucket.com/albums/h134/pestilotsi/05.jpg

    link to this | view in chronology ]

  • identicon
    Robert Thille, 23 Oct 2006 @ 10:19am

    Bus or subway?

    Or that pan-handler standing by a constriction where lots of people pass by? There's plenty of people-dense areas where lots of CCs could be harvested without anyone being the wiser (once RFID cards are standard).
    If you're introducing a new technology, why not at least think about the issues, rather than running headlong off the cliff?
    And don't think that CC fraud isn't passed onto the companies customers...

    link to this | view in chronology ]

  • identicon
    Mousky, 23 Oct 2006 @ 10:26am

    Overblown Propoganda

    By sensitive information do they mean the credit card number? You know, the number that is printed on the front and back of most credit cards? I also see that many credit cards have a three-digit card security code plus a signature strip. Something must be done to stop this breach of security - how dare this sensitive information be visible to others ;) Everyday, millions of people hand over their credit cards to total strangers. Some people even give their credit card information over the phone. Yet, the credit card system seems to function.

    link to this | view in chronology ]

  • identicon
    Craig Betney, 23 Oct 2006 @ 10:32am

    Only a matter of time before someone works out how

    It won't be long before someone works out how to read an RFID tag from further away using high-gain equipment and more sophisticated filtering etc...

    Apparently the British and American Passports had to be redesigned to shield their own RFID chip when closed because people had already worked out how to read it from a distance. and despite this Norwegian students have managed to read them from 60 centimetres away when the passport has been only been opened by 1cm (my beaten-up passport opens this much by itself).

    It would probably quite easy for someone to conceal equipment in a doorway that harvested the info from every RFID tag that passed through it.

    So much for privacy.

    link to this | view in chronology ]

  • identicon
    Chronno S. Trigger, 23 Oct 2006 @ 10:37am

    subways or buses?

    You do know that this tech only works within a few mm of the card? how would someone be able to get close enough to not only find my card but get the data off of it? Is it in my right or left pocket? front or back? is it in my backpack? You still have a better chance to be pick pocketed than have this done. We have something like this at our building to get in at night, It won't even work threw my pants let alone from a distance.

    link to this | view in chronology ]

    • identicon
      TriggerMan, 23 Oct 2006 @ 10:18pm

      Re: subways or buses?

      That's only because your building didn't want to pay for better door sensors. You can buy ones that will read your card from six feet away. And much farther if you want to spend the money.

      Your buildings went for the cheapest option. That does not mean it was the best or only option.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Oct 2006 @ 11:06am

    RFID does not = Secure, LOL

    It's bad enough now as it is, don't need to be transmitting your credit card info on the airwaves.

    link to this | view in chronology ]

  • identicon
    Overcast, 23 Oct 2006 @ 11:16am

    Here ya go - even further..

    Go download it :)

    http://www.rf-dump.org/

    link to this | view in chronology ]

  • identicon
    Republican Gun, 23 Oct 2006 @ 11:25am

    Small Business

    I don't see small business owners buying into this technology. There are still thousands of merchants(Small Business owners) that haven't upgraded their POS (Point of Sale) terminals to comply with the law that requires merchants to have modern terminals that only display the last four digits of the CC account number.

    I also wonder what type of Adsense Ads will be on this page.

    link to this | view in chronology ]

  • identicon
    Orny, 23 Oct 2006 @ 11:39am

    Hastle

    Sure, I don't have to directly pay for credit card fraud (although indirectly, as previously stated). However, have you ever had to go through the hastle of getting a new card, changing all of your auto-pays, sending letters stating you didn't make charges, etc. It's not fun. Am I really so lazy I just can't swipe my card?

    link to this | view in chronology ]

  • identicon
    Wayne Smith, 23 Oct 2006 @ 11:40am

    zero liability?

    Umm... somebody pays for that zero liability. Like by % rate. Or annual fees... or... but believe me, the credit card isn't covering it out of their pockets until your pocket has been picked.

    RF in cards for purchases is just a plain bad idea

    link to this | view in chronology ]

  • identicon
    Overcast, 23 Oct 2006 @ 1:08pm

    Yes - at the interest rates they charge - which always seem to be going up - someone's paying for it indeed.

    The credit card company's realize a positive profit - still, they are not losing money.

    Yes, the consumers will pay for it - they just pass the 'overhead' on. They lobbied congress for bankruptcy law changes to collect on more debt.

    take a look:

    http://quote.morningstar.com/Quote/Quote.aspx?ticker=MA

    Don't be fooled by the day's trading graph at first - swtich it to one year :) lol

    They aren't losing money....

    link to this | view in chronology ]

  • icon
    mmrtnt (profile), 23 Oct 2006 @ 2:36pm

    This Doesn't Happen Often

    Boing Boing took the opposite tack on this:

    http://www.boingboing.net/2006/10/23/report_contactless_c.html

    link to this | view in chronology ]

  • identicon
    Reginald P. Zornow, 23 Oct 2006 @ 10:30pm

    Security Researchers Cry Wolf On RFID Credit Cards

    the expense of buying and building the necessary equipment. The equipment placed the middle of NY market area for one day would pay for it and then some.

    link to this | view in chronology ]

  • identicon
    Dr Dan H., 24 Oct 2006 @ 3:04am

    A very silly thing to put on a card.

    What I can envision a smart thief doing when this sort of thing becomes prevalent is simply building a device that has a fairly powerful RFID reader built into it, a wifi connector, a small computer and a big hard disk. This could then be put into a lamp post or similar powered street furniture, to leech power from this and to actively filter the sniffed RFIDs. Power is necessary for this operation to get the sniffing range on passive tags, and to power a small computer to filter the ensuing flood of info and sift out the useful stuff.

    From there, all it need do is sit, pull power from mains and sniff for RFIDs. The thief hardly needs to work then; just pull up near the device every so often, connect into it and pull off the sniffed data, and if necessary amend the logging filters to sharpen up the response.

    Historically, whenever the credit industry gets a new technological toy, it always starts out lax in security, then gets more secure at the publicand legal systems force it to (unwillingly) do so. RFID shouldn't be any exception to this rule.

    Even encryption won't be a deterrent, unless it is strong. It isn't beyond the bounds of possibility for a smart criminal to start up or buy a computer recycling company, just to get hold of a source of cheap old PCs. These could then be built into a Beowulf cluster, for use in cracking RFIDs.

    The easiest response is to invest in the tinfoil wallet as soon as possible, and to avoid all RFIDs until the banking industry is once more forced to engage brain and implement some security.

    link to this | view in chronology ]

  • identicon
    Anonymous, 26 Oct 2006 @ 4:12am

    Perhaps the authors of this article should have re

    The paper looks fairly convincing. It raises a much needed warning that we should be cautious.

    Check out http://prisms.cs.umass.edu/7Ekevinfu/papers/RFID-CC-manuscript.pdf

    The researchers do disclose their limitations. They didn't do live tests on real RFID payment systems. They clearly say they can't comment on anti-fraud measures. They did use information obtained from one of their own cards to make a real purchase!

    They found some privacy issues. Personally, I am less concerned about these than the other issues they raise.

    They also were able to lift the account numbers and expiry dates from all but one card brand. The theft of information is from "skimming" and "eavesdropping". There are still lots of places that don't check those extra digits on the back of your card. That's how they made their purchase. They call it "cross-contamination" (what a mouthful).

    The sample is discussed including the size (20 cards), number of major card brands (3), some unspecified number of banks, and type/behaviour of the cards (4). I find criticsm that this number is too small to be specious and self serving. How many digital copies of a mass marketed product do you need to test? Maybe there are better cards out there. Maybe there aren't. This sample indicates that there are enough with problems to catch unwanted interest.

    Most of the equipment was comercially available. They applied some smarts to figure out what commands the cards and card readers responded to. Once the criminals figure out the same it will be cookie cutter and anyone will be able to do it.

    Isn't there a universal card company standard that requires card information to be encrypted when sent over wireless links? Do their left and right hands know what the other is doing?

    This is from the same people that are clinging to magnetic stripe technology. What is the expected lifespan of this technology? How long will it hang on past its "best before date"? The ability to increase the "read range" during this time is what is really worrying. Other people have worked on this problem and it looks like it might be practical within about 1-2 yards at this point. The high end claims are much higher.

    I did find one of the scenarios discussed for attack a bit weak. Without changing a thing I can think of lots of places that you could find more cards faster than stuffing flyers in side of the road mailboxes trying to skim cards.

    I don't think I want a card that is always ready to broadcast information to any gadget that asks if I just wallk by it.

    But in perspective I'd much rather have an RFID credit card than an RFID passport.

    link to this | view in chronology ]

  • identicon
    Anonymous, 26 Oct 2006 @ 5:10am

    Fraud prevention will take a beating

    I can'thelp but think this is going to make fraud detection and control much harder and less successful.

    Today, if there is a compromise banks and card processors cooperate to identify the common point and time frame where the cards were used. Then they can notify people that their cards may have been compromised even before fraud occurs.

    With RFID this will be much harder because there may be no common point of purchase!

    Even if they can deduce that many people were in the same crowd at the same time, say a baseball game, how do they find and notify them before a fraud occurs? Take out an add in the paper?

    link to this | view in chronology ]

  • identicon
    Walt Augustinowicz, 31 Oct 2006 @ 9:59am

    Banks could send the cards in our shielded sleeves

    You can sleep easy just by buying a Secure Sleeve from Identity Stronghold. We make credit card and soon passport sleeves. They shield the card and are just like the sleeves the credit card companies used to send out to protect the mag strip only have a special layer.

    Of course the credit card companies could just ship the cards with them and the cards in the mailbox would be protected as well.

    see idstronghold.com

    link to this | view in chronology ]

    • identicon
      Anonymous, 5 Jul 2007 @ 4:06pm

      Re: Banks could send the cards in our shielded sle

      And you can sleep easy too, Walt. Seeing as how you are the owner and founder of the home-based company that hawks these sleeves. To quote an earlier poster, "The Sky is Falling!"

      link to this | view in chronology ]

    • identicon
      tom james, 14 Feb 2008 @ 12:29pm

      Re: Banks could send the cards in our shielded sle

      WOW Very expensive the smart card guard sleeves sold by national envelope are 6 cents each compaired to these at $3 I found.

      link to this | view in chronology ]

  • identicon
    dallasrocs, 24 Feb 2009 @ 7:10pm

    credit card copyed

    My daughtres credit card was copyed some how and being used in florida to purchess gas out at the pump. Secruity called and shut the card down we live in virginia. Hoe did they get the info to make the card i don"t know . just watch out

    link to this | view in chronology ]

  • identicon
    John Spivey, 3 Mar 2010 @ 9:04am

    RFID card and passport security

    RFID enabled cards and passports have been indisputably proven unsecure. Even with the most innovative encryption, data can be skimmed (read stolen) from these devices. The best way to secure data stored on a RFID enabled card or passport is to prevent unauthorized access to it in the first place. Focusing on this objective, we developed ‘Dead Bolt’ integrated contactless RFID security technology.

    Our patent pending security solution is built directly into RFID enabled cards or passports at the time of manufacture. This solution integrates novel piezo driven circuitry into the card or passport, disabling the receive/transmit functions of the RFID circuit. To allow the card or passport integrated with our technology to receive and transmit, a simple and intuitive pressure is applied. This activates our circuitry which, in turn, allows the RFID circuit to function normally; however, this condition is momentary. The time in which our circuitry allows the RFID circuit to send and receive is predetermined by the issuing vendor’s requirements – the unit shown in our demonstration videos is arbitrarily set for 200 milliseconds. At the end of this predetermined “read/transmit window” our circuitry resets, again disabling the card or passport.

    ‘Dead Bolt’ is thinner than the embedded RFID chip itself and gives no outward appearance of its existence, allowing for practically unlimited applications. It is impossible to access data stored on RFID enabled cards and passports that integrate ‘Dead Bolt’ technology until or unless the user intentionally initiates the read process.

    Additionally, by being integrated into the card or passport, 'Dead Bolt' eliminates the need to buy anything else to keep your information safe. Why should we be forced to buy external protection for information stored on a device that, by all rights, be secure before we receive it?

    For more information and to see demonstration videos of ‘Dead Bolt’, go to www.spiveytechnologies.com and www.youtube.com/spiveytechnologies.

    link to this | view in chronology ]

  • identicon
    Robert Maas, 20 Jan 2011 @ 7:27am

    RFID credit cards

    How would a breach of a merchant be handled even with a remote possiblity of a hacker accessing the information from the chip. Doesn't this provide a merchant with a possible reason for a breach and that the merchant shouldn't be held liable.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.