Credit Card Companies Gagged Mythbusters Over RFID Vulnerabilities?

from the security-through-obscurity...-and-legal-threats dept

It's amazing to watch just how sensitive some companies are concerning the rather well-known security vulnerabilities associated with RFID tags and smart cards. We've seen, time and time again, companies try to suppress such research from getting published -- and every single time, those efforts to suppress the publication of the vulnerabilities backfire, often badly.

But that never seems to stop companies from flexing their legal muscles.

The latest example comes to us via the Consumerist blog, which dug out a clip of Adam Savage from the TV show Mythbusters talking about what happened when the show tried to do an episode on RFID vulnerabilities:

"Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else... They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it."

Check out the video of him saying this (while admitting he's probably not supposed to talk about it) here:
Perhaps it's an exaggeration by Savage, but do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?


Reader Comments

  1.  
    Dewy, Sep 2nd, 2008 @ 8:44am

    How dare you accuse them of thinking... they have a team of lawyers to do that for them...

    Since we are a society of Laws, then lawsuits, not common sense shall rule the end of the day.

     

  2.
    Cynical, Sep 2nd, 2008 @ 9:03am

    "do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?"

    No, this is just business. The RFID tags are supposed to be a big selling point for credit cards -- it's how they make our lives more convenient and how they convince us that they're better than the other guys. They don't want it to become common knowledge that this convenience makes them really, really vulnerable -- imagine the backlash! People wouldn't sign up for new cards and very possibly might cancel the cards they have. Turning a selling point into a liability is a Bad Thing, and it's only "smart" for them to keep their customers stupid.

    After all, identity theft is the consumer's problem...

     

  3.
    Anonymous Coward, Sep 2nd, 2008 @ 9:05am

    Since when did you think that the credit card companies are out to protect the customers? It seems to me that their actions and policies have almost always been about them.

     

  4.
    Twinrova, Sep 2nd, 2008 @ 9:09am

    For shame, Discovery... for shame.

    Things like this just piss me off. If the show details issues with RFID, then it should be aired. It's not Discovery's fault these issues are so prevalent. So instead, fans of the show get screwed because Discovery is run by a bunch of cowards.

    Savage is cool. I'm glad he made the comment and I'm further glad it's spreading like wildfire.

    When will stations realize ad revenue doesn't even come close to offsetting the cost of shows, so why bother running them in the first place.

     

  5.
    Anonymous Coward, Sep 2nd, 2008 @ 9:12am

    Who cares????!???! It's the companies that will lose the money in the end, anyway. I guarantee they have a team of experts working to make it as secure as possible, because they CAN'T let the customer hang out for the balance on the card that was stolen through RFID security flaws. It would be no different than having your card stolen. Visa cancels the balance while they find and sue the guy who stole it. The customer has nothing to worry about.

     

  6.
    Anonymous Coward, Sep 2nd, 2008 @ 9:17am

    "but do the credit card companies really think that security through obscurity is the best way to protect their customers?"

    Yes they do. Seriously, you can nag and complain all you want. But at the end of the day, they believe this to be correct.

     

  7.
    Anonymous Coward, Sep 2nd, 2008 @ 9:19am

    Re:

    Well, if this becomes public knowledge they have to throw resources at correcting the flaws.

    If the cost of the breaches currently happening is less than the cost of correcting the flaws, then nothing will happen except for the authoring of Techdirt articles.

     

  8.
    Anonymous Coward, Sep 2nd, 2008 @ 9:20am

    Don't Link RFID and Smart Cards

    You look like fools lumping them together. RFID is not a very smart system or very secure...

    Smart Cards are very secure and virtually unhackable.. to get the secure data on them..

     

  9.
    Anonymous Coward, Sep 2nd, 2008 @ 9:25am

     

  10.
    Anonymous Coward, Sep 2nd, 2008 @ 9:28am

    http://www.youtube.com/watch?v=xPkzFETzueQ


    can stop TV, but try to stop the internet. As with most things, by trying to keep it quiet, they have opened it up for the whole world to see.

    Congratulates

    >^..^

     

  11.
    arby, Sep 2nd, 2008 @ 9:34am

    Security through Obscurity

    Back in the early days of the cellular industry, people were unsure whether or not the content of their calls were secure. Of course, they were right. Anyone with a Radioshack scanner that scanned the 800-1000 megahertz band could.

    So, rather than make better, more secure cellphones, the cellular carriers pushed through the Electronic Communications Protection Act of 1986 which banned the sale of any scanner that could pick up cellular phone frequencies. As expected, that only made pre-ECPA scanners more valuable and proliferated the hacks for post-ECPA scanners to restore the missing frequencies.

    But, with the end of analog cell phones, there are no more cellphones to listen in on...

     

  12.
    Urban, Sep 2nd, 2008 @ 9:38am

    Re:

    "I guarantee they have a team of experts working to make it as secure as possible"

    How naive are you really?
    The CC companies do not design this stuff, they implement 3rd party solutions. And trust me, the cheapest wins.

     

  13.
    Brian, Sep 2nd, 2008 @ 9:38am

    It won't stop here either

    because what comes next is RFIDs in currency. The government will follow every bill to every bank/store/atm. Using the data from those RFID tags in conjunction with the data from your cards and clothes and other RFID tagged properties they'll follow every bill every step of the way. You won't be able to disable the tags in the bill because at some step along the way they'll trace the bill back to you and know where the tag died, and tampering with currency is illegal. Then they'll pass a law banning disabling tags on all other items too. Oh, they won't throw you in jail for it though, at least at first, they'll just fine you heavily. The jail time comes later when you're broke. Then they'll RFID you.

     

  14.
    Hulser, Sep 2nd, 2008 @ 9:40am

    Re: Don't Link RFID and Smart Cards

    "You look like fools lumping them [RFIDs and SmartCards] together."

    That's a very strong statement. Care to explain the reasoning behind your ad hominem attack? Based on the links that Mike provided, the commonality between RFIDs and SmartCards is the tendency of their manufacturers to suppress and deny the existence of security vulnerabilities rather than fix them. Even if SmartCards are much more secure than RFID systems, this point is not negated.

     

  15.
    Anonymous Coward, Sep 2nd, 2008 @ 9:44am

    Re:

    Actually the credit card companies do NOT repeat NOT pay for the stolen balance on the card, they pass that burden straight through to the merchant who accepted the card along with a fee (read fine) for accepting the stolen card in the first place. Unless the merchant has a signature and it matches the customer's, the merchant cannot fight the chargeback with any hope of winning... and winning by the way means the customer pays.

     

  16.
    andy, Sep 2nd, 2008 @ 9:48am

    all the talks were at hope 2008

     

  17.
    lavi d (profile), Sep 2nd, 2008 @ 10:11am

    Enough Already

    The sooner the corporations team up with the government and turn the internet into an extension of TV, the sooner we'll be done with embarrassing episodes like this.

    Whoever thought that giving the public the ability to comment, discuss and share technology was definitely high.

    Honestly.

     

  18.
    Anonymous Coward, Sep 2nd, 2008 @ 10:25am

    Re: It won't stop here either

    Good to see at least one person is aware of the real purpose behind RFID, cattle tags for humans. They're designed to track your every move and financial expenditure and where contention arises, RFIDs will simply be shut off, and all devices dependent upon RFID compatibility will be rendered useless.

     

  19.
    michael, Sep 2nd, 2008 @ 10:27am

    smash lab

    BOOOOOOOOOOOOOOOO!!!


    "Yeah, I know..."

     

  20.
    Ryan, Sep 2nd, 2008 @ 10:33am

    Credit Cards

    I moved to all cash, if we all did that everyone would be way better off

     

  21.
    maniac in a Speedo'd, Sep 2nd, 2008 @ 10:39am

    Re: Credit Cards

    Clearly you've never been robbed.

     

  22.
    Richard Ahlquist (profile), Sep 2nd, 2008 @ 11:03am

    Yes Shoot the messenger! These are not the droids you are looking for...

    RFID is a neat toy but it is not secure. Not the ones in credit cards, not the ones in passports, none of it. Of course most people don't realize that.

    Shameful is it that Discovery channel buckled like a cheap hooker with a five spot dangled in their face! It just goes to prove one thing you can't discover on Discovery is a strong moral compass. Although the color yellow appears readily abundant.

    In conclusion Discovery will happily show you any truth that doesn't go against a sponsor. Never forget though that the truth is less important to them than greed so take everything you hear from them with a grain of salt because after all....

    Discovery is the best programming a corporate bribe can buy!

     

  23.
    Sierra Night Tide, Sep 2nd, 2008 @ 11:59am

    credit cards

    YET ANOTHER reason NOT to own credit cards (not debit cards.)

    Our ancestors didn't use them and we DO NOT need them now. Buy what you can afford not what you can afford to pay each month...for now.

     

  24.
    Urban, Sep 2nd, 2008 @ 12:28pm

    Re: credit cards

    "Our ancestors didn't use them and we DO NOT need them now".

    Amen brother, and while we are at it we should abolish the use of fire too.

     

  25.
    foogama, Sep 2nd, 2008 @ 12:38pm

    Re: For shame, Discovery... for shame.

    "When will stations realize ad revenue doesn't even come close to offsetting the cost of shows, so why bother running them in the first place."

    ...clearly you've never worked or even met anyone in the television industry.

     

  26.
    chris (profile), Sep 2nd, 2008 @ 12:47pm

    Re: Yes Shoot the messenger! These are not the droids you are looking for...

    "In conclusion Discovery will happily show you any truth that doesn't go against a sponsor. Never forget though that the truth is less important to them than greed so take everything you hear from them with a grain of salt because after all....

    Discovery is the best programming a corporate bribe can buy!"

    you act like the media has some sort of responsibility to us. we are a product, a commodity to be leveraged and traded. the media's only responsibility is to the company execs and the stock holders. the execs and stock holders only care about profits, and profits are dictated by advertisers. ergo, advertisers will always be able to bend media companies to their will. if you think fox or nbc or cnn are any different than the discovery channel you are woefully naive.

    real security research is now and will forever be underground. it's cheaper to provide the illusion of security than it is to build truly secure systems, so corporations and governments will always opt for obscurity first until an independent researcher exposes these vulnerabilities.

    the credit industry is built on impulse buying. secure systems with integrity checks and access restrictions are a hindrance to impulse buys and will never be implemented. credit systems will always be flawed and fraud will just be considered the cost of doing business. if you think that's pessimistic think about this: what does a company do when it's had a large data breach: it buys the victims a year of credit monitoring and it moves on like it never happened.

    why do you think credit card companies and news programs blame ID thefts and credit card fraud on hackers?

    identities get stolen by identity thieves. credit card companies are defrauded by con artists. there is no hacking involved 99% of the time.

    corporations want you to see competitive analysis and independent research as the products of shadowy figures that we need to fear so that you will mistrust the exposure of security vulnerabilities and not ask scary and expensive questions.

     

  27.
    John, Sep 2nd, 2008 @ 12:50pm

    Of course!

    "but do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?"
    Um, YES! If customers don't know about a problem, then there is no problem, especially if the problem is security-related. Plus, it's easier to hide the flaw than try to convince customers that the flaw isn't too bad. Instead of spending money on R&D to fix the issues, just get the already-paid-for lawyers to threaten anyone who mentions the issue. Problem solved!

     

  28.
    Chuck Norris' Enemy (deceased), Sep 2nd, 2008 @ 1:11pm

    Leaked episode

    Savage should leak the episode and then do a Mythbusters on whether or not CC companies can track the leak and sue him for it.

     

  29.
    Rob, Sep 2nd, 2008 @ 1:22pm

    I have seen some RFID solutions that are worth looking at that provide very secure mechanisms (128 bit encr.) for activating, reading and writing. One is from Neology Corp., which uses a proprietary passive chip with 3 different channels for the above options, each with a unique key to activate the chip.
    Their chip is expensive, but provides more security than any other RFID chip I have looked at.

    I have worked with several security solutions for credit cards, and trust me, the weakest link is never the security either on the card itself, or at the contact points (TPV, ATM, POS, Internet VPos). The weakest link is always the holder of the card.

    The use of either contact chips or RFID tags on credit cards needs to go hand in hand with the use of a PIN (or more) to complete any transaction. That leaves part of the security in the user's hands, without seriously compromising the information stored in the chip (which has to be limited).

     

  30.
    mobiGeek, Sep 2nd, 2008 @ 1:25pm

    Re: credit cards

    Your argument about our ancestors not needing something simply doesn't hold. The world changes, and with those changes are goods and bads.

    What in particular do you find offensive about credit cards and debit cards (I could guess, but I won't)?

    I have a credit card, use it frequently, find it extremely convenient, and as an individual who can do arithmetic understand the ins-and-outs of my monthly finances to determine the appropriate payback structure so as to maximize the potential of my overall net worth.

     

  31.
    Fred, Sep 2nd, 2008 @ 1:39pm

    Get some real facts - not just opinions

    An excellent book on this subject can be found on Amazon entitled "Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity" By Byron Acohido and Jon Swartz (hardback, Amazon $13.57).

    The main premise of the book is that the payment industry, comprised of credit card companies, banks, credit bureaus and data brokers have created an easy-to-use, low cost (in maintenance) infrastructure that is pliable, extendable and very adaptable, but paper-thin when it comes to security. The system is built with the idea that "ease of access" for the customer 'will bring them in' especially when linked with easy credit. But when you link ease of access, easy credit and the absolute need for speed (for transactional processing), the payment industry has had to sacrifice a robust security infrastructure and privacy controls. Examples abound in the book of what not to do, as well as a Who's Who of companies and bad guys (and girls), how they actually link up together, and how they control your credit.
    Intended not merely to alarm, but to illuminate, "Zero Day Threat" exposes how lawbreakers do their dirty work, and how corporations knowingly, and unknowingly, help them do it.
    As they say up north, "Take that in your pipe and smoke it !"

     

  32.
    Anonymous Coward, Sep 2nd, 2008 @ 3:03pm

    I can't believe...

    ... that we don't have a PIN number for ALL transactions on credit cards. Sure, it's convenient to not have to enter a PIN, but it would help quite a bit.

     

  33.
    Anonymous Coward, Sep 2nd, 2008 @ 4:37pm

    Options

    You can wrap your RFID CC in tin foil, drill through the RFID chip or you can also request a CC without the RFID.
    Also there are active RFID jammers.

    It will not be long till these things are either unavailable or illegal.

     

  34.
    Johnny Canada, Sep 2nd, 2008 @ 7:53pm

     

  35.
    Derek Kerton (profile), Sep 2nd, 2008 @ 9:41pm

    The Pizza Stone

    ...sure, all this is neat, but I'm most interested in that great question asked by the woman at the end of the video clip: "Will you do a Mythbusters on whether a commercial pizza stone does a better job of cooking pizza in a home oven over a regular clay tile?" Now that would be a gripping show... for an audience of one.

    Why is it that at every conference, some weirdo manages to commandeer the Q&A mic and ask lengthy questions that they should know don't interest anyone? You can see the line of people at the mic who want to get their turn, but she slides in this ludicrous pizza idea as her second question. Why are events not better moderated? Couldn't someone step in with a friendly, "How 'bout you finish your question offline?"

     

  36.
    Zaphod, Sep 2nd, 2008 @ 10:24pm

    Security through obscurity.

    "but do the credit card companies really think that security through obscurity is the best way to protect their customers?" Hmmm, the myth of "Security through Obscurity" probably ought to be tested. Plenty of examples, plenty of failures, but corporations still believe in the myth. Just ask the Boston subway operators. :P

     

  37.
    Anonymous Coward, Sep 3rd, 2008 @ 2:40am

    Re: Re: Credit Cards

    ...or tried to purchase online, over the phone, through mail order, or anything above £1000.00.

    Just be extra careful when walking around with £10,000 for a new car.

     

  38.
    Tracking Devices, Sep 3rd, 2008 @ 8:38am

    Regardless of practices and policies, competition is really what balances everything out so that we deal with companies that treat everyone fairly.

     

  39.
    Fred, Sep 4th, 2008 @ 1:38pm

    Re:

    Oh, Please.... What fairy tale did you just finish reading ? Companies treating everyone fairly ? When did "fair" ever get counted on the bottom line ? What this is all about is charging the customer (you and I, if you missed that) for the financial company's wrong decision (or choice) of technology. Fast, cheap, secure and easy-to-use; pick any three, but the fourth goes down the toilet and we get to pick-up the tab passed through via your local financial institution.

     

  40.
    rfid implant, Sep 4th, 2008 @ 8:48pm

    the irony of obscuring the truth from the people creates security for credit card corporations

     

  41.
    Payday Loans, Feb 8th, 2009 @ 9:10pm

    One of the most successful financial services outside of the banks and credit card companies (who can afford to lobby, we might mention) is under fire from legislative bodies these days. It's Washington DC that might be setting their sights on payday loan lenders next. Part of Obama's economic plan is to get a rate cap in place on all lending, and keep it at 36%, which makes payday lending untenable. Accusations of predatory lending are only backed up by anecdotal evidence, whereas the empirical (which means legitimate) evidence stacks up on the side of the payday loan lenders providing a needed service.

     

  42.
    Smart Cards, Nov 23rd, 2009 @ 3:17pm

    They need to switch to Java microprocessor cards because they're more secure.

     

  43.
    Smartcards (profile), Nov 23rd, 2009 @ 3:20pm

    They need to switch to Java microprocessor cards because they're more secure.

     
