Credit Card Companies Gagged Mythbusters Over RFID Vulnerabilities?
from the security-through-obscurity...-and-legal-threats dept
It's amazing to watch just how sensitive some companies are concerning the rather well-known security vulnerabilities associated with RFID tags and smart cards. Time and time again, we've seen companies try to keep such research from being published -- and every single time, those efforts to suppress the publication of the vulnerabilities backfire, often badly. But that never seems to stop companies from flexing their legal muscles.
The latest example comes to us via the Consumerist blog, which dug out a clip of Adam Savage from the TV show Mythbusters talking about what happened when the show tried to do an episode on RFID vulnerabilities:
"Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else... They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it."
Check out the video of him saying this (while admitting he's probably not supposed to talk about it) here:
Filed Under: adam savage, gagged, mythbusters, rfid, smart cards, vulnerabilities
Reader Comments
Since we are a society of Laws, then lawsuits, not common sense shall rule the end of the day.
No, this is just business. The RFID tags are supposed to be a big selling point for credit cards -- it's how they make our lives more convenient and how they convince us that they're better than the other guys. They don't want it to become common knowledge that this convenience makes them really, really vulnerable -- imagine the backlash! People wouldn't sign up for new cards and very possibly might cancel the cards they have. Turning a selling point into a liability is a Bad Thing, and it's only "smart" for them to keep their customers stupid.
After all, identity theft is the consumer's problem...
For shame, Discovery... for shame.
Savage is cool. I'm glad he made the comment and I'm further glad it's spreading like wildfire.
When will stations realize ad revenue doesn't even come close to offsetting the cost of shows, so why bother running them in the first place.
Re: For shame, Discovery... for shame.
...clearly you've never worked or even met anyone in the television industry.
Re:
If the cost of the breaches currently happening is less than the cost of correcting the flaws, then nothing will happen except for the authoring of Techdirt articles.
Re:
How naive are you really?
The CC companies do not design this stuff, they implement 3rd party solutions. And trust me, the cheapest wins.
Re:
Yes they do. Seriously, you can nag and complain all you want. But at the end of the day, they believe this to be correct.
Don't Link RFID and Smart Cards
Smart Cards are very secure and virtually unhackable.. to get the secure data on them..
Re: Don't Link RFID and Smart Cards
http://weblog.infoworld.com/zeroday/archives/2006/03/fedex_smartcard.html
http://query.nytimes.com/gst/fullpage.html?res=9406E4DB1739F930A25756C0A9649C8B63
Re: Don't Link RFID and Smart Cards
That's a very strong statement. Care to explain the reasoning behind your ad hominem attack? Based on the links that Mike provided, the commonality between RFIDs and SmartCards is the tendency of their manufacturers to suppress and deny the existence of security vulnerabilities rather than fix them. Even if SmartCards are much more secure than RFID systems, this point is not negated.
can stop TV, but try to stop the internet. As with most things, by trying to keep it quiet, they have opened it up for the whole world to see.
Congratulates
>^..^
Security through Obscurity
So, rather than make better, more secure cellphones, the cellular carriers pushed through the Electronic Communications Protection Act of 1986 which banned the sale of any scanner that could pick up cellular phone frequencies. As expected, that only made pre-ECPA scanners more valuable and proliferated the hacks for post-ECPA scanners to restore the missing frequencies.
But, with the end of analog cell phones, there are no more cellphones to listen in on...
It won't stop here either
Re: It won't stop here either
all the talks were at hope 2008
mp3's
Enough Already
Whoever thought that giving the public the ability to comment, discuss and share technology was definitely high.
Honestly.
smash lab
"Yeah, I know..."
Credit Cards
Re: Credit Cards
Re: Re: Credit Cards
Just be extra careful when walking around with £10,000 for a new car.
Yes Shoot the messenger! These are not the droids you are looking for...
Shameful is it that Discovery channel buckled like a cheap hooker with a five spot dangled in their face! It just goes to prove one thing you can't discover on Discovery is a strong moral compass. Although the color yellow appears readily abundant.
In conclusion Discovery will happily show you any truth that doesn't go against a sponsor. Never forget though that the truth is less important to them than greed so take everything you hear from them with a grain of salt because after all....
Discovery is the best programming a corporate bribe can buy!
Re: Yes Shoot the messenger! These are not the droids you are looking for...
Discovery is the best programming a corporate bribe can buy!
you act like the media has some sort of responsibility to us. we are a product, a commodity to be leveraged and traded. the media's only responsibility is to the company execs and the stock holders. the execs and stock holders only care about profits, and profits are dictated by advertisers. ergo, advertisers will always be able to bend media companies to their will. if you think fox or nbc or cnn are any different than the discovery channel you are woefully naive.
real security research is now and will forever be underground. it's cheaper to provide the illusion of security than it is to build truly secure systems, so corporations and governments will always opt for obscurity first until an independent researcher exposes these vulnerabilities.
the credit industry is built on impulse buying. secure systems with integrity checks and access restrictions are a hindrance to impulse buys and will never be implemented. credit systems will always be flawed and fraud will just be considered the cost of doing business. if you think that's pessimistic think about this: what does a company do when it's had a large data breach: it buys the victims a year of credit monitoring and it moves on like it never happened.
why do you think credit card companies and news programs blame ID thefts and credit card fraud on hackers?
identities get stolen by identity thieves. credit card companies are defrauded by con artists. there is no hacking involved 99% of the time.
corporations want you to see competitive analysis and independent research as the products of shadowy figures that we need to fear so that you will mistrust the exposure of security vulnerabilities and not ask scary and expensive questions.
credit cards
Our ancestors didn't use them and we DO NOT need them now. Buy what you can afford not what you can afford to pay each month...for now.
Re: credit cards
Amen brother, and while we are at it we should abolish the use of fire too.
Re: credit cards
What in particular do you find offensive about credit cards and debit cards (I could guess, but I won't)?
I have a credit card, use it frequently, find it extremely convenient, and as an individual who can do arithmetic understand the ins-and-outs of my monthly finances to determine the appropriate payback structure so as to maximize the potential of my overall net worth.
Of course!
Um, YES! If customers don't know about a problem, then there is no problem, especially if the problem is security-related. Plus, it's easier to hide the flaw than try to convince customers that the flaw isn't too bad. Instead of spending money on R&D to fix the issues, just get the already-paid-for lawyers to threaten anyone who mentions the issue. Problem solved!
Leaked episode
Their chip is expensive, but provides more security than any other RFID chip I have looked at.
I have worked with several security solutions for credit cards, and trust me, the weakest link is never the security either on the card itself, or at the contact points (TPV, ATM, POS, Internet VPos). The weakest link is always the holder of the card.
The use of either contact chips or RFID tags on credit cards needs to go hand in hand with the use of a PIN (or more) to complete any transaction. That leaves part of the security in the user's hands, without seriously compromising the information stored in the chip (which has to be limited).
Get some real facts - not just opinions
The main premise of the book is that the payment industry, comprised of credit card companies, banks, credit bureaus and data brokers have created an easy-to-use, low cost (in maintenance) infrastructure that is pliable, extendable and very adaptable, but paper-thin when it comes to security. The system is built with the idea that "ease of access" for the customer 'will bring them in' especially when linked with easy credit. But when you link ease of access, easy credit and the absolute need for speed (for transactional processing), the payment industry has had to sacrifice a robust security infrastructure and privacy controls. Examples abound in the book of what not to do, as well as a Who's Who of companies and bad guys (and girls), how they actually link up together, and how they control your credit.
Intended not merely to alarm, but to illuminate, "Zero Day Threat" exposes how lawbreakers do their dirty work, and how corporations knowingly, and unknowingly, help them do it.
As they say up north, "Take that in your pipe and smoke it !"
I can't believe...
Options
Also there are active RFID jammers.
It will not be long till these things are either unavailable or illegal.
Lots look at
The Pizza Stone
Why is it that at every conference, some weirdo manages to commandeer the Q&A mic and ask lengthy questions that they should know don't interest anyone? You can see the line of people at the mic who want to get their turn, but she slides in this ludicrous pizza idea as her second question. Why are events not better moderated? Couldn't someone step in with a friendly, "How 'bout you finish your question offline?"
Security through obscurity.
Re: