Credit Card Companies Gagged Mythbusters Over RFID Vulnerabilities?

from the security-through-obscurity...-and-legal-threats dept

Tue, Sep 2nd 2008 8:33am — Mike Masnick

It's amazing to watch just how sensitive some companies are concerning the rather well-known security vulnerabilities associated with RFID tags and smart cards. We've seen time and time again, companies try to suppress such research from getting published -- and every single time, those efforts to suppress the publication of the vulnerabilities backfires, often badly.

But that never seems to stop companies from flexing their legal muscles.

The latest example comes to use via the Consumerist blog, who dug out a clip of Adam Savage from the TV show Mythbusters talking about what happened when the show tried to do an episode on RFID vulnerabilities:

Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else... They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it.

Check out the video of him saying this (while admitting he's probably not supposed to talk about it) here:

Perhaps it's an exaggeration by Savage, but do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: adam savage, gagged, mythbusters, rfid, smart cards, vulnerabilities

45 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Dewy, 2 Sep 2008 @ 8:44am

How dare you accuse them of thinking... they have a team of lawyers to do that for them...

Since we are a society of Laws, then lawsuits, not common sense shall rule the end of the day.
[ link to this | view in chronology ]
Cynical, 2 Sep 2008 @ 9:03am

do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?

No, this is just business. The RFID tags are supposed to be a big selling point for credit cards -- it's how they make our lives more convenient and how they convince us that they're better than the other guys. They don't want it to become common knowledge that this convenience makes them really, really vulnerable -- imagine the backlash! People wouldn't sign up for new cards and very possibly might cancel the cards they have. Turning a selling point into a liability is a Bad Thing, and it's only "smart" for then to keep their customers stupid.

After all, identity theft is the consumer's problem...
[ link to this | view in chronology ]
Anonymous Coward, 2 Sep 2008 @ 9:05am

Since when did you think that the credit card companies are out to protect the customers? It seems to me that their actions and policies have almost always been about them.
[ link to this | view in chronology ]
Twinrova, 2 Sep 2008 @ 9:09am

For shame, Discovery... for shame.
Things like this just piss me off. If the show details issues with RFID, then it should be aired. It's not Discovery's fault these issues are so prevalent. So instead, fans of the show get screwed because Discovery is run by a bunch of cowards.

Savage is cool. I'm glad he made the comment and I'm further glad it's spreading like wildfire.

When will stations realize ad revenue doesn't even come close to offsetting the cost of shows, so why bother running them in the first place.
[ link to this | view in chronology ]
- foogama, 2 Sep 2008 @ 12:38pm
  
  Re: For shame, Discovery... for shame.
  "When will stations realize ad revenue doesn't even come close to offsetting the cost of shows, so why bother running them in the first place."
  
  ...clearly you've never worked or even met anyone in the television industry.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Sep 2008 @ 9:12am

Who cares????!???! Its the companies that will lose the money in the end, anyway. I guarantee they have a team of experts working to make it as secure as possible, because they CAN'T let the customer hang out for the balance on the card that was stolen through RFID security flaws. It would be no different than having your card stolen. Visa cancels the balance while they find and sue the guy who stole it. The customer has nothing to worry about.
[ link to this | view in chronology ]
- Anonymous Coward, 2 Sep 2008 @ 9:19am
  
  Re:
  Well, if this becomes public knowledge they have to throw resources at correcting the flaws.
  
  If the cost of the breaches currently happening is less than the cost of correcting the flaws. Then nothing will happen except for the authoring of Techdirt articles.
  [ link to this | view in chronology ]
- Urban, 2 Sep 2008 @ 9:38am
  
  Re:
  "I guarantee they have a team of experts working to make it as secure as possible"
  
  How naive are you really?
  The CC companies do not design this stuff, they implement 3rd party solutions. And trust me, the cheapest wins.
  [ link to this | view in chronology ]
- Anonymous Coward, 2 Sep 2008 @ 9:44am
  
  Re:
  Actually the credit card companies do NOT repeat NOT pay for the stolen balance on the card, they pass that burden straight through to the merchant who accepted the card along with a fee (read fine) for accepting the stolen card in the first place. Unless the merchant has a signature and it matches the customers the merchant cannot fight the chargeback with any hope of winning... and winning by the way means the customer pays.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Sep 2008 @ 9:17am

"but do the credit card companies really think that security through obscurity is the best way to protect their customers?"

Yes they do. Seriously, you can nag and complain all you want. But at the end of the day, they believe this to be correct.
[ link to this | view in chronology ]
Anonymous Coward, 2 Sep 2008 @ 9:20am

Don't Link RFID and Smart Cards
You look like fools lumping them together. RFID is not a very smart system or very secure...

Smart Cards are very secure and virtually un hackable.. to get the secure data on them..
[ link to this | view in chronology ]
- Anonymous Coward, 2 Sep 2008 @ 9:34am
  
  Re: Don't Link RFID and Smart Cards
  http://www.g4tv.com/techtvvault/features/37779/Smart_Card_Vulnerability_Found.html
  
  http://weblog. infoworld.com/zeroday/archives/2006/03/fedex_smartcard.html
  
  http://query.nytimes.com/gst/fullpage .html?res=9406E4DB1739F930A25756C0A9649C8B63
  [ link to this | view in chronology ]
- Hulser, 2 Sep 2008 @ 9:40am
  
  Re: Don't Link RFID and Smart Cards
  You look like fools lumping them [RFIDs and SmartCards] together.
  
  That's a very strong statement. Care to explain the reasoning behind your ad hominem attack? Based on the links that Mike provided, the commonality between RFIDs and SmartCards is the tendency of their manufacturers to supress and deny the existence of security vulnerability rather than fix them. Even if SmartCards are much more secure than RFID systems, this point it not negated.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Sep 2008 @ 9:25am

http://www.rfidvirus.org/
[ link to this | view in chronology ]
Anonymous Coward, 2 Sep 2008 @ 9:26am

http://www.lockergnome.com/reflections/2007/04/03/rfid-payment-card-vulnerabilities/
[ link to this | view in chronology ]
Anonymous Coward, 2 Sep 2008 @ 9:28am

http://www.youtube.com/watch?v=xPkzFETzueQ

can stop TV, but try to stop the internet. As with most things, by trying to keep it quiet, they have opened it up for the the whole world to see.

Congratulates

>^..^
[ link to this | view in chronology ]
arby, 2 Sep 2008 @ 9:34am

Security through Obscurity
Back in the early days of the cellular industry, people were unsure whether or not the content of their calls were secure. Of course, they were right. Anyone with a Radioshack scanner that scanned the 800-1000 megahertz band could.

So, rather than make better, more secure cellphones, the cellular carriers pushed through the Electronic Communications Protection Act of 1986 which banned the sale of any scanner that could pick up cellular phone frequencies. As expected, that only made pre-ECPA scanners more valuable and proliferated the hacks for post-ECPA scanners to restore the missing frequencies.

But, with the end of analog cell phones, there are no more cellphones to listen in on...
[ link to this | view in chronology ]
Brian, 2 Sep 2008 @ 9:38am

It won't stop here either
because what comes next is RFIDs in currency. The government will follow every bill to every bank/store/atm. Using the data from those RFID tags in conjunction with the data from your cards and clothes and other RFID tagged properties they'll follow every bill every step of the way. You won't be able to disable the tags in the bill because at some step along the way they'll trace the bill back to you and know where the tag died, and tampering with currency is illegal. Then they'll pass a law banning disabling tags on all other items too. Oh, they won't throw you in jail for it though, at least at first, they'll just fine you heavily. The jail time comes later when you're broke. Then they'll RFID you.
[ link to this | view in chronology ]
- Anonymous Coward, 2 Sep 2008 @ 10:25am
  
  Re: It won't stop here either
  Good to see at least one person is aware of the real purpose behind RFID, cattle tags for humans. They're designed to track your every move and financial expendature and where contention arises, RFID's will simply be shut off, and all devices dependant upon RFID compatability will be rendered useless.
  [ link to this | view in chronology ]
andy, 2 Sep 2008 @ 9:48am

all the talks were at hope 2008
http://www.thelasthope.org/talks.html

mp3's
[ link to this | view in chronology ]
lavi d (profile), 2 Sep 2008 @ 10:11am

Enough Already
The sooner the corporations team up with the government and turn the internet into an extension of TV, the sooner we'll be done with embarrassing episodes like this.

Whoever thought that giving the public the ability to comment, discuss and share technology was definitely high.

Honestly.
[ link to this | view in chronology ]
michael, 2 Sep 2008 @ 10:27am

smash lab
BOOOOOOOOOOOOOOOO!!!

"Yeah, I know..."
[ link to this | view in chronology ]
Ryan, 2 Sep 2008 @ 10:33am

Credit Cards
I moved to all cash, if we all did that everyone would be way better off
[ link to this | view in chronology ]
- maniac in a Speedo'd, 2 Sep 2008 @ 10:39am
  
  Re: Credit Cards
  Clearly you've never been robbed.
  [ link to this | view in chronology ]
  - Anonymous Coward, 3 Sep 2008 @ 2:40am
    
    Re: Re: Credit Cards
    ...or tried to purchase online, over the phone, through mail order, or anything above £1000.00.
    
    Just be extra careful when walking around with £10,000 for a new car.
    [ link to this | view in chronology ]
Richard Ahlquist (profile), 2 Sep 2008 @ 11:03am

Yes Shoot the messenger! These are not the droids you are looking for...
RFID is a neat toy but it is not secure. Not the ones in credit cards, not the ones in passports, none of it. Of course most people dont realize that.

Shameful is it that Discovery channel buckled like a cheap hooker with a five spot dangled in their face! It just goes to prove one thing you cant discover on Discovery is a strong moral compass. Although the color yellow appears readily abundant.

In conclusion Discovery will happily show you any truth that doesn't go against a sponsor. Never forget through that the truth is less important to them than greed so take everything you hear from them with a grain of salt because after all....

Discovery is the best programming a corporate bribe can buy!
[ link to this | view in chronology ]
- chris (profile), 2 Sep 2008 @ 12:47pm
  
  Re: Yes Shoot the messenger! These are not the droids you are looking for...
  In conclusion Discovery will happily show you any truth that doesn't go against a sponsor. Never forget through that the truth is less important to them than greed so take everything you hear from them with a grain of salt because after all....
  
  Discovery is the best programming a corporate bribe can buy!
  
  you act like the media has some sort of responsibility to us. we are a product, a commodity to be leveraged and traded. the media's only responsibility is to the company execs and the stock holders. the execs and stock holders only care about profits, and profits are dictated by advertisers. er go, advertisers will always be able to bend media companies to their will. if you think fox or nbc or cnn are any different than the discovery channel you are woefully naive.
  
  real security research is now and will forever be underground. it's cheaper to provide the illusion of security than it is to build truly secure systems, so corporations and governments will always opt for obscurity first until an independent researcher exposes these vulnerabilities.
  
  the credit industry is built on impulse buying. secure systems with integrity checks and access restrictions are a hindrance to impulse buys and will never be implemented. credit systems will always be flawed and fraud will just be considered the cost of doing business. if you think that's pessimistic think about this: what does a company do when it's had a large data breach: it buys the victims a year of credit monitoring and it moves on like it never happened.
  
  why do you think credit card companies and news programs blame ID thefts and credit card fraud on hackers?
  
  identities get stolen by identity thieves. credit card companies are defrauded by con artists. there is no hacking involved 99% of the time.
  
  corporations want you to see competitive analysis and independent research as the products of shadowy figures that we need to fear so that you will mistrust the exposure of security vulnerabilities and not ask scary and expensive questions.
  [ link to this | view in chronology ]
Sierra Night Tide, 2 Sep 2008 @ 11:59am

credit cards
YET ANTHER reason NOT to own credit cards (not debit cards.)

Our ancestors didn't use them and we DO NOT need them now. Buy what you can afford not what you can afford to pay each month...for now.
[ link to this | view in chronology ]
- Urban, 2 Sep 2008 @ 12:28pm
  
  Re: credit cards
  "Our ancestors didn't use them and we DO NOT need them now".
  
  Amen brother, and while we are at it we should abolish the use of fire too.
  [ link to this | view in chronology ]
- mobiGeek, 2 Sep 2008 @ 1:25pm
  
  Re: credit cards
  Your argument about our ancestors not needing something simply doesn't hold. The world changes, and with those changes are goods and bads.
  
  What in particular do you find offensive about credit cards and debit cards (I could guess, but I won't)?
  
  I have a credit card, use it frequently, find it extremely convenient, and as a individual who can do arithmetic understand the ins-and-outs of my monthly finances to determine the appropriate payback structure so as to maximize the potential of my overall net worth.
  [ link to this | view in chronology ]
John (profile), 2 Sep 2008 @ 12:50pm

Of course!
but do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?
Um, YES! If customers don't know about a problem, then there is no problem, especially if the problem is security-related. Plus, it's easier to hide the flaw than try to convince customers that the flaw isn't too bad. Instead of spending money on R&D to fix the issues, just get the already-paid-for lawyers to threaten anyone who mentions the issue. Problem solved!
[ link to this | view in chronology ]
Chuck Norris' Enemy (deceased), 2 Sep 2008 @ 1:11pm

Leaked episode
Savage should leak the episode and then do a Mythbusters on whether or not CC companies can track the leak and sue him for it.
[ link to this | view in chronology ]
Rob, 2 Sep 2008 @ 1:22pm

I have seen some RFID solutions that are worth looking at that provide very secure mechanisms (128 bit encr.) for activating, reading and writing. One is from Neology Corp., which uses a priopietary passive chip with 3 different channels for the above options, each with a unique key to activate the chip.
Their chip is expensive, but provides more security than any other RFID chip i have looked at.

I have worked with several security solutions for credit cards, and trust me, the weakest link is never the security either on the card itself, or at the contact points (TPV, ATM, POS, Interet VPos). The weakest link is always the holder of the card.

The use of either contact chips or RFID tags on credit cards, needs to go hand in hand with the use of a PIN (ore more) to complete any transaction. That leaves part of the security in the user hands, without seriously compromising the information stored in the chip (which has to be limited).
[ link to this | view in chronology ]
Fred, 2 Sep 2008 @ 1:39pm

Get some real facts - not just opinions
An excellent book on this subject can be found on Amazon entitled "Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity" By Byron Acohido and Jon Swartz (hardback, Amazon $13.57).

The main premise of the book is that the payment industry, comprised of credit card companies, banks, credit bureaus and data brokers have created an easy-to-use, low cost (in maintenance) infrastructure that is pliable, extendable and very adaptable, but paper-thin when it comes to security. The system is built with the idea that "ease of access" for the customer 'will bring them in' especially when linked with easy credit. But when you link ease of access, easy credit and the absolute need for speed (for transactional processing), the payment industry has had to sacrifice a robust security infrastructure and privacy controls. Examples abound in the book of what not to do, as well as a Who's Who of companies and bad guys (and girls), how they actually link up together, and how they control your credit.
Intended not merely to alarm, but to illuminate, "Zero Day Threat" exposes how lawbreakers do their dirty work, and how corporations knowingly, and unknowingly, help them do it.
As they say up north, "Take that in your pipe and smoke it !"
[ link to this | view in chronology ]
Anonymous Coward, 2 Sep 2008 @ 3:03pm

I can't believe...
... that we don't have a PIN number for ALL transactions on credit cards. Sure, it's convenient to not have to enter a PIN, but it would help quite a bit.
[ link to this | view in chronology ]
Anonymous Coward, 2 Sep 2008 @ 4:37pm

Options
You can wrap your RFID CC in tin foil. drill through the RFID chip or you can also request a CC without the RFID.
Also there are active RFID jammers.

It will not be long till these things are either unavailable or illegal.
[ link to this | view in chronology ]
Johnny Canada, 2 Sep 2008 @ 7:53pm

http://www.youtube.com/watch?v=yZaQFilWXgE&feature=related

Lots look at
[ link to this | view in chronology ]
Derek Kerton (profile), 2 Sep 2008 @ 9:41pm

The Pizza Stone
...sure, all this is neat, but I'm most interested in that great question asked by the woman at the end of the video clip: "Will you do a Mythbusters on whether a commercial pizza stone does a better job of cooking pizza in a home oven over a regular clay tile?" Now that would be a gripping show... for an audience of one.

Why is it that at every conference, some weirdo manages to commandeer the Q&A mic and ask lengthy questions that they should know don't interest anyone? You can see the line of people at the mic who want to get their turn, but she slides in this ludicrous pizza idea as her second question. Why are events not better moderated? Couldn't someone step in with a friendly, "How 'bout you finish your question offline?"
[ link to this | view in chronology ]
Zaphod, 2 Sep 2008 @ 10:24pm

Security through obscurity.
"but do the credit card companies really think that security through obscurity is the best way to protect their customers?" Hmmm, the myth of "Security through Obscurity" probably ought to be tested. Plenty of examples, plenty of failures, but corporations still believe in the myth. Just ask the Boston subway operators. :P
[ link to this | view in chronology ]
Tracking Devices, 3 Sep 2008 @ 8:38am

Regardless of practices and policies, competition is really what balances everything out so that we deal with companies that treat everyone fairly.
[ link to this | view in chronology ]
- Fred, 4 Sep 2008 @ 1:38pm
  
  Re:
  Oh, Please.... What fairy tale did you just finish reading ? Companies treating everyone fairly ? When did "fair" ever get counted on the bottom line ? What this is all about is charging the customer (you and I, if you missed that) for the financial company's wrong decision (or choice) of technology. Fast, cheap, secure and easy-to-use; pick any three, but the fourth goes down the toilet and we get to pick-up the tab passed through via your local financial institution.
  [ link to this | view in chronology ]
rfid implant, 4 Sep 2008 @ 8:48pm

the irony of obscuring the truth from the people creates security for credit card corporations
[ link to this | view in chronology ]
Payday Loans, 8 Feb 2009 @ 9:10pm

One of the most successful financial services outside of the banks and credit card companies (who can afford to lobby, we might mention) is under fire from legislative bodies these days. It's Washington DC that might be setting their sights on payday loan lenders next. Part of Obama's economic plan is to get a rate cap in place on all lending, and keep it at 36%, which makes payday lending untenable. Accusations of predatory lending are only backed up by anecdotal evidence, whereas the empirical (which means legitimate) evidence stacks up on the side of the payday loan lenders providing a needed service.
[ link to this | view in chronology ]
Smart Cards, 23 Nov 2009 @ 3:17pm

They need to switch to Java microprocessor cards because there more secure.
[ link to this | view in chronology ]
Smartcards (profile), 23 Nov 2009 @ 3:20pm

They need to switch to Java microprocessor cards because there more secure.
[ link to this | view in chronology ]