Security Researchers Cry Wolf On RFID Credit Cards
from the bark->-bite dept
Two security researchers allege that the contactless payment solutions credit-card companies have begun building into their cards are relatively insecure and transmit sensitive information without any encryption. The story plays into the most common fears about RFID and other similar technologies: that they turn people into walking clouds of identity theft, where their personal information's just waiting to be grabbed out of the ether. But the credit-card companies say the researchers' work doesn't point to a large-scale real-world threat, and it appears they're mostly right. First off, the researchers admit they used a small sample -- just 20 cards, and the article doesn't disclose how many of them actually transmit the information without encryption. Also, the researchers work with RSA Labs, part of a company that sells encryption technology, something else the article glosses over. But a bigger problem is that the researchers don't seem to have considered just how difficult it would be for criminals to collect any useful information from these cards on a scale large enough to make their efforts (and the expense of buying and building the necessary equipment) worthwhile. One of the researchers says that it would be easy to collect the data from mailboxes by walking down a street and acting as if you were dropping fliers in each one. While nobody might notice, the odds that you'd actually find one of the cards are ridiculously slim. Worries about information being stolen at the point of purchase are overblown as well, since most of the imaginable scenarios don't make theft much easier than it would be for somebody trying to steal the card information from a swipe card. Furthermore, the researchers haven't considered that mechanisms in the radio broadcast are just one part of the overall security system of these cards, and that the cards enjoy the same anti-fraud protection (and lack of consumer liability for unauthorized purchases) as cards without the contactless technology.
While transmitting the information unencrypted isn't a great idea and should be changed, it seems highly unlikely that the security situation here is nearly as bad as these researchers intimate.
Reader Comments
I'm with the researchers..
Can anyone come up with an excuse why an unauthorized scanner should be able to access info just by me walking by it?
Just what is the benefit of adding RFID if NOT for security? How is easier access that has the same controlset an enhancement?
We are just making ourselves more vulnerable by broadcasting...
[ link to this | view in chronology ]
Better question...
[ link to this | view in chronology ]
Easy fix
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Making the Point-of-purchase hole bigger
While it's true that sales clerks can double-swipe customer cards to gather information (TIP: keep an eye on the clerk the whole time they have your card and make sure it doesn't go under the counter), they can be caught by closed-circuit cameras and fellow employees. With RF tech, there's no visible evidence that they're gathering info; in fact, it could be the 'customer' in line behind you that's getting your credit card data. I think I'll stick to my swipe cards for now.
[ link to this | view in chronology ]
WAKE UP AMERICA!! The next one is gonna be in your arm!!
Think I'm crazy?? do some research..get informed, Big Brother is knocking on your door..........
http://i63.photobucket.com/albums/h134/pestilotsi/05.jpg
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Bus or subway?
If you're introducing a new technology, why not at least think about the issues, rather than running headlong off the cliff?
And don't think that CC fraud isn't passed onto the companies' customers...
[ link to this | view in chronology ]
Check it out!
[ link to this | view in chronology ]
Overblown Propaganda
[ link to this | view in chronology ]
Re: Overblown Propaganda
How prevalent is identity theft now? Been the victim of it? Oh... not *yet* huh?
Yep - it's secure alright!! http://www.eweek.com/article2/0,1759,1628696,00.asp
Just like DVD copy protection, aye?
Or maybe Database Security at the Veterans Affairs?
[ link to this | view in chronology ]
Only a matter of time before someone works out how
Apparently the British and American Passports had to be redesigned to shield their own RFID chip when closed because people had already worked out how to read it from a distance, and despite this Norwegian students have managed to read them from 60 centimetres away when the passport has only been opened by 1cm (my beaten-up passport opens this much by itself).
It would probably be quite easy for someone to conceal equipment in a doorway that harvested the info from every RFID tag that passed through it.
So much for privacy.
[ link to this | view in chronology ]
subways or buses?
[ link to this | view in chronology ]
Re: subways or buses?
Your buildings went for the cheapest option. That does not mean it was the best or only option.
[ link to this | view in chronology ]
It's bad enough now as it is, don't need to be transmitting your credit card info on the airwaves.
[ link to this | view in chronology ]
Go download it :)
http://www.rf-dump.org/
[ link to this | view in chronology ]
Small Business
I also wonder what type of Adsense Ads will be on this page.
[ link to this | view in chronology ]
Hassle
[ link to this | view in chronology ]
zero liability?
RF in cards for purchases is just a plain bad idea
[ link to this | view in chronology ]
The credit card companies realize a positive profit - still, they are not losing money.
Yes, the consumers will pay for it - they just pass the 'overhead' on. They lobbied congress for bankruptcy law changes to collect on more debt.
take a look:
http://quote.morningstar.com/Quote/Quote.aspx?ticker=MA
Don't be fooled by the day's trading graph at first - switch it to one year :) lol
They aren't losing money....
[ link to this | view in chronology ]
This Doesn't Happen Often
http://www.boingboing.net/2006/10/23/report_contactless_c.html
[ link to this | view in chronology ]
Security Researchers Cry Wolf On RFID Credit Cards
[ link to this | view in chronology ]
A very silly thing to put on a card.
From there, all it need do is sit, pull power from mains and sniff for RFIDs. The thief hardly needs to work then; just pull up near the device every so often, connect into it and pull off the sniffed data, and if necessary amend the logging filters to sharpen up the response.
Historically, whenever the credit industry gets a new technological toy, it always starts out lax in security, then gets more secure as the public and legal systems force it to (unwillingly) do so. RFID shouldn't be any exception to this rule.
Even encryption won't be a deterrent, unless it is strong. It isn't beyond the bounds of possibility for a smart criminal to start up or buy a computer recycling company, just to get hold of a source of cheap old PCs. These could then be built into a Beowulf cluster, for use in cracking RFIDs.
The easiest response is to invest in the tinfoil wallet as soon as possible, and to avoid all RFIDs until the banking industry is once more forced to engage brain and implement some security.
[ link to this | view in chronology ]
Perhaps the authors of this article should have re
Check out http://prisms.cs.umass.edu/7Ekevinfu/papers/RFID-CC-manuscript.pdf
The researchers do disclose their limitations. They didn't do live tests on real RFID payment systems. They clearly say they can't comment on anti-fraud measures. They did use information obtained from one of their own cards to make a real purchase!
They found some privacy issues. Personally, I am less concerned about these than the other issues they raise.
They also were able to lift the account numbers and expiry dates from all but one card brand. The theft of information is from "skimming" and "eavesdropping". There are still lots of places that don't check those extra digits on the back of your card. That's how they made their purchase. They call it "cross-contamination" (what a mouthful).
The sample is discussed including the size (20 cards), number of major card brands (3), some unspecified number of banks, and type/behaviour of the cards (4). I find criticism that this number is too small to be specious and self serving. How many digital copies of a mass marketed product do you need to test? Maybe there are better cards out there. Maybe there aren't. This sample indicates that there are enough with problems to catch unwanted interest.
Most of the equipment was commercially available. They applied some smarts to figure out what commands the cards and card readers responded to. Once the criminals figure out the same it will be cookie cutter and anyone will be able to do it.
Isn't there a universal card company standard that requires card information to be encrypted when sent over wireless links? Do their left and right hands know what the other is doing?
This is from the same people that are clinging to magnetic stripe technology. What is the expected lifespan of this technology? How long will it hang on past its "best before date"? The ability to increase the "read range" during this time is what is really worrying. Other people have worked on this problem and it looks like it might be practical within about 1-2 yards at this point. The high end claims are much higher.
I did find one of the scenarios discussed for attack a bit weak. Without changing a thing I can think of lots of places that you could find more cards faster than stuffing flyers in side-of-the-road mailboxes trying to skim cards.
I don't think I want a card that is always ready to broadcast information to any gadget that asks if I just walk by it.
But in perspective I'd much rather have an RFID credit card than an RFID passport.
[ link to this | view in chronology ]
Fraud prevention will take a beating
Today, if there is a compromise banks and card processors cooperate to identify the common point and time frame where the cards were used. Then they can notify people that their cards may have been compromised even before fraud occurs.
With RFID this will be much harder because there may be no common point of purchase!
Even if they can deduce that many people were in the same crowd at the same time, say a baseball game, how do they find and notify them before a fraud occurs? Take out an ad in the paper?
[ link to this | view in chronology ]
Banks could send the cards in our shielded sleeves
Of course the credit card companies could just ship the cards with them and the cards in the mailbox would be protected as well.
see idstronghold.com
[ link to this | view in chronology ]
Re: Banks could send the cards in our shielded sle
[ link to this | view in chronology ]
Re: Banks could send the cards in our shielded sle
[ link to this | view in chronology ]
credit card copied
[ link to this | view in chronology ]
RFID card and passport security
Our patent pending security solution is built directly into RFID enabled cards or passports at the time of manufacture. This solution integrates novel piezo driven circuitry into the card or passport, disabling the receive/transmit functions of the RFID circuit. To allow the card or passport integrated with our technology to receive and transmit, a simple and intuitive pressure is applied. This activates our circuitry which, in turn, allows the RFID circuit to function normally; however, this condition is momentary. The time in which our circuitry allows the RFID circuit to send and receive is predetermined by the issuing vendor’s requirements – the unit shown in our demonstration videos is arbitrarily set for 200 milliseconds. At the end of this predetermined “read/transmit window” our circuitry resets, again disabling the card or passport.
‘Dead Bolt’ is thinner than the embedded RFID chip itself and gives no outward appearance of its existence, allowing for practically unlimited applications. It is impossible to access data stored on RFID enabled cards and passports that integrate ‘Dead Bolt’ technology until or unless the user intentionally initiates the read process.
Additionally, by being integrated into the card or passport, 'Dead Bolt' eliminates the need to buy anything else to keep your information safe. Why should we be forced to buy external protection for information stored on a device that, by all rights, should be secure before we receive it?
For more information and to see demonstration videos of ‘Dead Bolt’, go to www.spiveytechnologies.com and www.youtube.com/spiveytechnologies.
[ link to this | view in chronology ]
RFID credit cards
[ link to this | view in chronology ]