Security Researchers Cry Wolf On RFID Credit Cards

from the bark->-bite dept

Two security researchers allege that the contactless payment solutions credit-card companies have begun building into their cards are relatively insecure, and transmit sensitive information without any encryption. The story plays into the most common fears about RFID and other similar technologies: that they turn people into walking clouds of identity theft, where their personal information's just waiting to be grabbed out of the ether. But the credit-card companies say the researchers' work doesn't point to a large-scale real-world threat, and it appears they're mostly right. First off, the researchers admit they used a small sample -- just 20 cards, and the article doesn't disclose how many of them actually transmit the information without encryption. Also, the researchers work with RSA Labs, part of a company that sells encryption technology, something else the article glosses over. But a bigger problem is that the researchers don't seem to have considered just how difficult it would be for criminals to collect any useful information from these cards on a scale large enough to make their efforts (and the expense of buying and building the necessary equipment) worthwhile. One of the researchers says that it would be easy to collect the data from mailboxes by walking down a street and acting as if you were dropping fliers in each one. While nobody might notice, the odds that you'd actually find one of the cards is ridiculously slim. Worries about information being stolen at the point of purchase are overblown as well, since most of the imaginable scenarios don't make things much easier than were somebody to try to steal the card information from a swipe card. Furthermore, the researchers haven't considered that mechanisms in the radio broadcast are just one part of the overall security system of these cards, and they enjoy the same anti-fraud protection (and lack of consumer liability for unauthorized purchases) as cards without the contactless technology. While transmitting the information unencrypted isn't a great idea and should be changed, it seems highly unlikely that the security situation here is nearly as bad as these researchers intimate.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Oct 23rd, 2006 @ 9:33am

    I'm with the researchers..

    Its stupid to implement RFID without encryption.

    Can anyone come up with an excuse why an unauthorized scanner should be able to access info just by me walking by it?

    Just what is the benefit of addidng RFID if NOT for security? How is easier access that has the same controlset an enhancement?

    We are just making ourselves more vulnerable by broadcasting...

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Aaron, Oct 23rd, 2006 @ 9:41am

    Better question...

    Do I really want RFID technology in my card? Not so much...

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous dude, Oct 23rd, 2006 @ 10:05am

    Easy fix

    An X-acto knife easily cuts the RFID chip out of my credit card, and to date not a single cashier has even noticed that the card is missing it. If you're careful, there won't be any damage.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Oct 23rd, 2006 @ 10:08am

    What I would worry about is someone hacking together a device that let him stroll through a mall during the Christmas season picking credit card info from random passers by. I don't think it would that hard to piece a device like that togehter, if you imagine a trend towards all cards having this info available and therefore the ready availablility of low cost scanners, I imagine a person could get a pretty good collection of credit card numbers in a pretty short time, and they'd only need to use each card once or twice. Still- you're right that there's nothing to worry about. Consumers have the fraud protection on the individual level, and it's not worth it to Visa to build in expensive protections unless that kind of scenario I mentioned actually happens.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Comboman, Oct 23rd, 2006 @ 10:10am

    Making the Point-of-purchase hole bigger

    Worries about information being stolen at the point of purchase are overblown as well, since most of the imaginable scenarios don't make things much easier than were somebody to try to steal the card information from a swipe card.

    While it's true that sales clerks can double-swipe customer cards to gather information (TIP: keep an eye on the clerk the whole time they have your card and make sure it doesn't go under the counter), they can be caught by closed-circuit cameras and fellow employees. With RF tech, there's no visible evidence that they're gathering info; in fact, it could be the 'customer' in line behind you that's getting your credit card data. I think I'll stick to my swipe cards for now.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Pesti, Oct 23rd, 2006 @ 10:12am

    Having a credit card with RFID is the least of our worries,
    WAKE UP AMERICA!! The next one is gonna be in your arm!!
    Think I'm crazy?? do some research..get informed, Big Brother is knocking on your door..........

    http://i63.photobucket.com/albums/h134/pestilotsi/05.jpg

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Robert Thille, Oct 23rd, 2006 @ 10:19am

    Bus or subway?

    Or that pan-handler standing by a constriction where lots of people pass by? There's plenty of people-dense areas where lots of CCs could be harvested without anyone being the wiser (once RFID cards are standard).
    If you're introducing a new technology, why not at least think about the issues, rather than running headlong off the cliff?
    And don't think that CC fraud isn't passed onto the companies customers...

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Pesti, Oct 23rd, 2006 @ 10:21am

    Check it out!

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Mousky, Oct 23rd, 2006 @ 10:26am

    Overblown Propoganda

    By sensitive information do they mean the credit card number? You know, the number that is printed on the front and back of most credit cards? I also see that many credit cards have a three-digit card security code plus a signature strip. Something must be done to stop this breach of security - how dare this sensitive information be visible to others ;) Everyday, millions of people hand over their credit cards to total strangers. Some people even give their credit card information over the phone. Yet, the credit card system seems to function.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Chicken Little, Oct 23rd, 2006 @ 10:29am

    Re:

    The sky is falling, the sky is falling!

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Craig Betney, Oct 23rd, 2006 @ 10:32am

    Only a matter of time before someone works out how

    It won't be long before someone works out how to read an RFID tag from further away using high-gain equipment and more sophisticated filtering etc...

    Apparently the British and American Passports had to be redesigned to shield their own RFID chip when closed because people had already worked out how to read it from a distance. and despite this Norwegian students have managed to read them from 60 centimetres away when the passport has been only been opened by 1cm (my beaten-up passport opens this much by itself).

    It would probably quite easy for someone to conceal equipment in a doorway that harvested the info from every RFID tag that passed through it.

    So much for privacy.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Chronno S. Trigger, Oct 23rd, 2006 @ 10:37am

    subways or buses?

    You do know that this tech only works within a few mm of the card? how would someone be able to get close enough to not only find my card but get the data off of it? Is it in my right or left pocket? front or back? is it in my backpack? You still have a better chance to be pick pocketed than have this done. We have something like this at our building to get in at night, It won't even work threw my pants let alone from a distance.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Anonymous Coward, Oct 23rd, 2006 @ 11:06am

    RFID does not = Secure, LOL

    It's bad enough now as it is, don't need to be transmitting your credit card info on the airwaves.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Over, Oct 23rd, 2006 @ 11:14am

    Re: Overblown Propoganda

    Sure, it functions well don't it?

    How prevalent is identity theft now? Been the victim of it? Oh... not *yet* huh?

    Yep - it's secure alright!! http://www.eweek.com/article2/0,1759,1628696,00.asp

    Just like DVD copy protection, aye?
    Or maybe Database Security at the Vetern's Affairs?

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Overcast, Oct 23rd, 2006 @ 11:16am

    Here ya go - even further..

    Go download it :)

    http://www.rf-dump.org/

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Republican Gun, Oct 23rd, 2006 @ 11:25am

    Small Business

    I don't see small business owners buying into this technology. There are still thousands of merchants(Small Business owners) that haven't upgraded their POS (Point of Sale) terminals to comply with the law that requires merchants to have modern terminals that only display the last four digits of the CC account number.

    I also wonder what type of Adsense Ads will be on this page.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Orny, Oct 23rd, 2006 @ 11:39am

    Hastle

    Sure, I don't have to directly pay for credit card fraud (although indirectly, as previously stated). However, have you ever had to go through the hastle of getting a new card, changing all of your auto-pays, sending letters stating you didn't make charges, etc. It's not fun. Am I really so lazy I just can't swipe my card?

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Wayne Smith, Oct 23rd, 2006 @ 11:40am

    zero liability?

    Umm... somebody pays for that zero liability. Like by % rate. Or annual fees... or... but believe me, the credit card isn't covering it out of their pockets until your pocket has been picked.

    RF in cards for purchases is just a plain bad idea

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Overcast, Oct 23rd, 2006 @ 1:08pm

    Yes - at the interest rates they charge - which always seem to be going up - someone's paying for it indeed.

    The credit card company's realize a positive profit - still, they are not losing money.

    Yes, the consumers will pay for it - they just pass the 'overhead' on. They lobbied congress for bankruptcy law changes to collect on more debt.

    take a look:

    http://quote.morningstar.com/Quote/Quote.aspx?ticker=MA

    Don't be fooled by the day's trading graph at first - swtich it to one year :) lol

    They aren't losing money....

     

    reply to this | link to this | view in thread ]

  20.  
    icon
    mmrtnt (profile), Oct 23rd, 2006 @ 2:36pm

    This Doesn't Happen Often

    Boing Boing took the opposite tack on this:

    http://www.boingboing.net/2006/10/23/report_contactless_c.html

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    TriggerMan, Oct 23rd, 2006 @ 10:18pm

    Re: subways or buses?

    That's only because your building didn't want to pay for better door sensors. You can buy ones that will read your card from six feet away. And much farther if you want to spend the money.

    Your buildings went for the cheapest option. That does not mean it was the best or only option.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Reginald P. Zornow, Oct 23rd, 2006 @ 10:30pm

    Security Researchers Cry Wolf On RFID Credit Cards

    the expense of buying and building the necessary equipment. The equipment placed the middle of NY market area for one day would pay for it and then some.

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Dr Dan H., Oct 24th, 2006 @ 3:04am

    A very silly thing to put on a card.

    What I can envision a smart thief doing when this sort of thing becomes prevalent is simply building a device that has a fairly powerful RFID reader built into it, a wifi connector, a small computer and a big hard disk. This could then be put into a lamp post or similar powered street furniture, to leech power from this and to actively filter the sniffed RFIDs. Power is necessary for this operation to get the sniffing range on passive tags, and to power a small computer to filter the ensuing flood of info and sift out the useful stuff.

    From there, all it need do is sit, pull power from mains and sniff for RFIDs. The thief hardly needs to work then; just pull up near the device every so often, connect into it and pull off the sniffed data, and if necessary amend the logging filters to sharpen up the response.

    Historically, whenever the credit industry gets a new technological toy, it always starts out lax in security, then gets more secure at the publicand legal systems force it to (unwillingly) do so. RFID shouldn't be any exception to this rule.

    Even encryption won't be a deterrent, unless it is strong. It isn't beyond the bounds of possibility for a smart criminal to start up or buy a computer recycling company, just to get hold of a source of cheap old PCs. These could then be built into a Beowulf cluster, for use in cracking RFIDs.

    The easiest response is to invest in the tinfoil wallet as soon as possible, and to avoid all RFIDs until the banking industry is once more forced to engage brain and implement some security.

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous, Oct 26th, 2006 @ 4:12am

    Perhaps the authors of this article should have re

    The paper looks fairly convincing. It raises a much needed warning that we should be cautious.

    Check out http://prisms.cs.umass.edu/7Ekevinfu/papers/RFID-CC-manuscript.pdf

    The researchers do disclose their limitations. They didn't do live tests on real RFID payment systems. They clearly say they can't comment on anti-fraud measures. They did use information obtained from one of their own cards to make a real purchase!

    They found some privacy issues. Personally, I am less concerned about these than the other issues they raise.

    They also were able to lift the account numbers and expiry dates from all but one card brand. The theft of information is from "skimming" and "eavesdropping". There are still lots of places that don't check those extra digits on the back of your card. That's how they made their purchase. They call it "cross-contamination" (what a mouthful).

    The sample is discussed including the size (20 cards), number of major card brands (3), some unspecified number of banks, and type/behaviour of the cards (4). I find criticsm that this number is too small to be specious and self serving. How many digital copies of a mass marketed product do you need to test? Maybe there are better cards out there. Maybe there aren't. This sample indicates that there are enough with problems to catch unwanted interest.

    Most of the equipment was comercially available. They applied some smarts to figure out what commands the cards and card readers responded to. Once the criminals figure out the same it will be cookie cutter and anyone will be able to do it.

    Isn't there a universal card company standard that requires card information to be encrypted when sent over wireless links? Do their left and right hands know what the other is doing?

    This is from the same people that are clinging to magnetic stripe technology. What is the expected lifespan of this technology? How long will it hang on past its "best before date"? The ability to increase the "read range" during this time is what is really worrying. Other people have worked on this problem and it looks like it might be practical within about 1-2 yards at this point. The high end claims are much higher.

    I did find one of the scenarios discussed for attack a bit weak. Without changing a thing I can think of lots of places that you could find more cards faster than stuffing flyers in side of the road mailboxes trying to skim cards.

    I don't think I want a card that is always ready to broadcast information to any gadget that asks if I just wallk by it.

    But in perspective I'd much rather have an RFID credit card than an RFID passport.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous, Oct 26th, 2006 @ 5:10am

    Fraud prevention will take a beating

    I can'thelp but think this is going to make fraud detection and control much harder and less successful.

    Today, if there is a compromise banks and card processors cooperate to identify the common point and time frame where the cards were used. Then they can notify people that their cards may have been compromised even before fraud occurs.

    With RFID this will be much harder because there may be no common point of purchase!

    Even if they can deduce that many people were in the same crowd at the same time, say a baseball game, how do they find and notify them before a fraud occurs? Take out an add in the paper?

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Walt Augustinowicz, Oct 31st, 2006 @ 9:59am

    Banks could send the cards in our shielded sleeves

    You can sleep easy just by buying a Secure Sleeve from Identity Stronghold. We make credit card and soon passport sleeves. They shield the card and are just like the sleeves the credit card companies used to send out to protect the mag strip only have a special layer.

    Of course the credit card companies could just ship the cards with them and the cards in the mailbox would be protected as well.

    see idstronghold.com

     

    reply to this | link to this | view in thread ]

  27.  
    identicon
    Anonymous, Jul 5th, 2007 @ 4:06pm

    Re: Banks could send the cards in our shielded sle

    And you can sleep easy too, Walt. Seeing as how you are the owner and founder of the home-based company that hawks these sleeves. To quote an earlier poster, "The Sky is Falling!"

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    tom james, Feb 14th, 2008 @ 12:29pm

    Re: Banks could send the cards in our shielded sle

    WOW Very expensive the smart card guard sleeves sold by national envelope are 6 cents each compaired to these at $3 I found.

     

    reply to this | link to this | view in thread ]

  29.  
    identicon
    dallasrocs, Feb 24th, 2009 @ 7:10pm

    credit card copyed

    My daughtres credit card was copyed some how and being used in florida to purchess gas out at the pump. Secruity called and shut the card down we live in virginia. Hoe did they get the info to make the card i don"t know . just watch out

     

    reply to this | link to this | view in thread ]

  30.  
    identicon
    John Spivey, Mar 3rd, 2010 @ 9:04am

    RFID card and passport security

    RFID enabled cards and passports have been indisputably proven unsecure. Even with the most innovative encryption, data can be skimmed (read stolen) from these devices. The best way to secure data stored on a RFID enabled card or passport is to prevent unauthorized access to it in the first place. Focusing on this objective, we developed ‘Dead Bolt’ integrated contactless RFID security technology.

    Our patent pending security solution is built directly into RFID enabled cards or passports at the time of manufacture. This solution integrates novel piezo driven circuitry into the card or passport, disabling the receive/transmit functions of the RFID circuit. To allow the card or passport integrated with our technology to receive and transmit, a simple and intuitive pressure is applied. This activates our circuitry which, in turn, allows the RFID circuit to function normally; however, this condition is momentary. The time in which our circuitry allows the RFID circuit to send and receive is predetermined by the issuing vendor’s requirements – the unit shown in our demonstration videos is arbitrarily set for 200 milliseconds. At the end of this predetermined “read/transmit window” our circuitry resets, again disabling the card or passport.

    ‘Dead Bolt’ is thinner than the embedded RFID chip itself and gives no outward appearance of its existence, allowing for practically unlimited applications. It is impossible to access data stored on RFID enabled cards and passports that integrate ‘Dead Bolt’ technology until or unless the user intentionally initiates the read process.

    Additionally, by being integrated into the card or passport, 'Dead Bolt' eliminates the need to buy anything else to keep your information safe. Why should we be forced to buy external protection for information stored on a device that, by all rights, be secure before we receive it?

    For more information and to see demonstration videos of ‘Dead Bolt’, go to www.spiveytechnologies.com and www.youtube.com/spiveytechnologies.

     

    reply to this | link to this | view in thread ]

  31.  
    identicon
    Robert Maas, Jan 20th, 2011 @ 7:27am

    RFID credit cards

    How would a breach of a merchant be handled even with a remote possiblity of a hacker accessing the information from the chip. Doesn't this provide a merchant with a possible reason for a breach and that the merchant shouldn't be held liable.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This