Security Researchers Cry Wolf On RFID Credit Cards

from the bark->-bite dept

Two security researchers allege that the contactless payment solutions credit-card companies have begun building into their cards are relatively insecure, and transmit sensitive information without any encryption. The story plays into the most common fears about RFID and other similar technologies: that they turn people into walking clouds of identity theft, where their personal information’s just waiting to be grabbed out of the ether. But the credit-card companies say the researchers’ work doesn’t point to a large-scale real-world threat, and it appears they’re mostly right. First off, the researchers admit they used a small sample — just 20 cards, and the article doesn’t disclose how many of them actually transmit the information without encryption. Also, the researchers work with RSA Labs, part of a company that sells encryption technology, something else the article glosses over. But a bigger problem is that the researchers don’t seem to have considered just how difficult it would be for criminals to collect any useful information from these cards on a scale large enough to make their efforts (and the expense of buying and building the necessary equipment) worthwhile. One of the researchers says that it would be easy to collect the data from mailboxes by walking down a street and acting as if you were dropping fliers in each one. While nobody might notice, the odds that you’d actually find one of the cards is ridiculously slim. Worries about information being stolen at the point of purchase are overblown as well, since most of the imaginable scenarios don’t make things much easier than were somebody to try to steal the card information from a swipe card. Furthermore, the researchers haven’t considered that mechanisms in the radio broadcast are just one part of the overall security system of these cards, and they enjoy the same anti-fraud protection (and lack of consumer liability for unauthorized purchases) as cards without the contactless technology. While transmitting the information unencrypted isn’t a great idea and should be changed, it seems highly unlikely that the security situation here is nearly as bad as these researchers intimate.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Security Researchers Cry Wolf On RFID Credit Cards”

Subscribe: RSS Leave a comment
Anonymous Coward says:

I'm with the researchers..

Its stupid to implement RFID without encryption.

Can anyone come up with an excuse why an unauthorized scanner should be able to access info just by me walking by it?

Just what is the benefit of addidng RFID if NOT for security? How is easier access that has the same controlset an enhancement?

We are just making ourselves more vulnerable by broadcasting…

Anonymous Coward says:

What I would worry about is someone hacking together a device that let him stroll through a mall during the Christmas season picking credit card info from random passers by. I don’t think it would that hard to piece a device like that togehter, if you imagine a trend towards all cards having this info available and therefore the ready availablility of low cost scanners, I imagine a person could get a pretty good collection of credit card numbers in a pretty short time, and they’d only need to use each card once or twice. Still- you’re right that there’s nothing to worry about. Consumers have the fraud protection on the individual level, and it’s not worth it to Visa to build in expensive protections unless that kind of scenario I mentioned actually happens.

Comboman says:

Making the Point-of-purchase hole bigger

Worries about information being stolen at the point of purchase are overblown as well, since most of the imaginable scenarios don’t make things much easier than were somebody to try to steal the card information from a swipe card.

While it’s true that sales clerks can double-swipe customer cards to gather information (TIP: keep an eye on the clerk the whole time they have your card and make sure it doesn’t go under the counter), they can be caught by closed-circuit cameras and fellow employees. With RF tech, there’s no visible evidence that they’re gathering info; in fact, it could be the ‘customer’ in line behind you that’s getting your credit card data. I think I’ll stick to my swipe cards for now.

Robert Thille (user link) says:

Bus or subway?

Or that pan-handler standing by a constriction where lots of people pass by? There’s plenty of people-dense areas where lots of CCs could be harvested without anyone being the wiser (once RFID cards are standard).
If you’re introducing a new technology, why not at least think about the issues, rather than running headlong off the cliff?
And don’t think that CC fraud isn’t passed onto the companies customers…

Mousky (user link) says:

Overblown Propoganda

By sensitive information do they mean the credit card number? You know, the number that is printed on the front and back of most credit cards? I also see that many credit cards have a three-digit card security code plus a signature strip. Something must be done to stop this breach of security – how dare this sensitive information be visible to others 😉 Everyday, millions of people hand over their credit cards to total strangers. Some people even give their credit card information over the phone. Yet, the credit card system seems to function.

Craig Betney says:

Only a matter of time before someone works out how

It won’t be long before someone works out how to read an RFID tag from further away using high-gain equipment and more sophisticated filtering etc…

Apparently the British and American Passports had to be redesigned to shield their own RFID chip when closed because people had already worked out how to read it from a distance. and despite this Norwegian students have managed to read them from 60 centimetres away when the passport has been only been opened by 1cm (my beaten-up passport opens this much by itself).

It would probably quite easy for someone to conceal equipment in a doorway that harvested the info from every RFID tag that passed through it.

So much for privacy.

Chronno S. Trigger says:

subways or buses?

You do know that this tech only works within a few mm of the card? how would someone be able to get close enough to not only find my card but get the data off of it? Is it in my right or left pocket? front or back? is it in my backpack? You still have a better chance to be pick pocketed than have this done. We have something like this at our building to get in at night, It won’t even work threw my pants let alone from a distance.

Republican Gun (user link) says:

Small Business

I don’t see small business owners buying into this technology. There are still thousands of merchants(Small Business owners) that haven’t upgraded their POS (Point of Sale) terminals to comply with the law that requires merchants to have modern terminals that only display the last four digits of the CC account number.

I also wonder what type of Adsense Ads will be on this page.

Overcast says:

Yes – at the interest rates they charge – which always seem to be going up – someone’s paying for it indeed.

The credit card company’s realize a positive profit – still, they are not losing money.

Yes, the consumers will pay for it – they just pass the ‘overhead’ on. They lobbied congress for bankruptcy law changes to collect on more debt.

take a look:

Don’t be fooled by the day’s trading graph at first – swtich it to one year 🙂 lol

They aren’t losing money….

Dr Dan H. says:

A very silly thing to put on a card.

What I can envision a smart thief doing when this sort of thing becomes prevalent is simply building a device that has a fairly powerful RFID reader built into it, a wifi connector, a small computer and a big hard disk. This could then be put into a lamp post or similar powered street furniture, to leech power from this and to actively filter the sniffed RFIDs. Power is necessary for this operation to get the sniffing range on passive tags, and to power a small computer to filter the ensuing flood of info and sift out the useful stuff.

From there, all it need do is sit, pull power from mains and sniff for RFIDs. The thief hardly needs to work then; just pull up near the device every so often, connect into it and pull off the sniffed data, and if necessary amend the logging filters to sharpen up the response.

Historically, whenever the credit industry gets a new technological toy, it always starts out lax in security, then gets more secure at the publicand legal systems force it to (unwillingly) do so. RFID shouldn’t be any exception to this rule.

Even encryption won’t be a deterrent, unless it is strong. It isn’t beyond the bounds of possibility for a smart criminal to start up or buy a computer recycling company, just to get hold of a source of cheap old PCs. These could then be built into a Beowulf cluster, for use in cracking RFIDs.

The easiest response is to invest in the tinfoil wallet as soon as possible, and to avoid all RFIDs until the banking industry is once more forced to engage brain and implement some security.

Anonymous Coward says:

Perhaps the authors of this article should have re

The paper looks fairly convincing. It raises a much needed warning that we should be cautious.

Check out

The researchers do disclose their limitations. They didn’t do live tests on real RFID payment systems. They clearly say they can’t comment on anti-fraud measures. They did use information obtained from one of their own cards to make a real purchase!

They found some privacy issues. Personally, I am less concerned about these than the other issues they raise.

They also were able to lift the account numbers and expiry dates from all but one card brand. The theft of information is from “skimming” and “eavesdropping”. There are still lots of places that don’t check those extra digits on the back of your card. That’s how they made their purchase. They call it “cross-contamination” (what a mouthful).

The sample is discussed including the size (20 cards), number of major card brands (3), some unspecified number of banks, and type/behaviour of the cards (4). I find criticsm that this number is too small to be specious and self serving. How many digital copies of a mass marketed product do you need to test? Maybe there are better cards out there. Maybe there aren’t. This sample indicates that there are enough with problems to catch unwanted interest.

Most of the equipment was comercially available. They applied some smarts to figure out what commands the cards and card readers responded to. Once the criminals figure out the same it will be cookie cutter and anyone will be able to do it.

Isn’t there a universal card company standard that requires card information to be encrypted when sent over wireless links? Do their left and right hands know what the other is doing?

This is from the same people that are clinging to magnetic stripe technology. What is the expected lifespan of this technology? How long will it hang on past its “best before date”? The ability to increase the “read range” during this time is what is really worrying. Other people have worked on this problem and it looks like it might be practical within about 1-2 yards at this point. The high end claims are much higher.

I did find one of the scenarios discussed for attack a bit weak. Without changing a thing I can think of lots of places that you could find more cards faster than stuffing flyers in side of the road mailboxes trying to skim cards.

I don’t think I want a card that is always ready to broadcast information to any gadget that asks if I just wallk by it.

But in perspective I’d much rather have an RFID credit card than an RFID passport.

Anonymous Coward says:

Fraud prevention will take a beating

I can’thelp but think this is going to make fraud detection and control much harder and less successful.

Today, if there is a compromise banks and card processors cooperate to identify the common point and time frame where the cards were used. Then they can notify people that their cards may have been compromised even before fraud occurs.

With RFID this will be much harder because there may be no common point of purchase!

Even if they can deduce that many people were in the same crowd at the same time, say a baseball game, how do they find and notify them before a fraud occurs? Take out an add in the paper?

Walt Augustinowicz (user link) says:

Banks could send the cards in our shielded sleeves

You can sleep easy just by buying a Secure Sleeve from Identity Stronghold. We make credit card and soon passport sleeves. They shield the card and are just like the sleeves the credit card companies used to send out to protect the mag strip only have a special layer.

Of course the credit card companies could just ship the cards with them and the cards in the mailbox would be protected as well.


John Spivey (profile) says:

RFID card and passport security

RFID enabled cards and passports have been indisputably proven unsecure. Even with the most innovative encryption, data can be skimmed (read stolen) from these devices. The best way to secure data stored on a RFID enabled card or passport is to prevent unauthorized access to it in the first place. Focusing on this objective, we developed ‘Dead Bolt’ integrated contactless RFID security technology.

Our patent pending security solution is built directly into RFID enabled cards or passports at the time of manufacture. This solution integrates novel piezo driven circuitry into the card or passport, disabling the receive/transmit functions of the RFID circuit. To allow the card or passport integrated with our technology to receive and transmit, a simple and intuitive pressure is applied. This activates our circuitry which, in turn, allows the RFID circuit to function normally; however, this condition is momentary. The time in which our circuitry allows the RFID circuit to send and receive is predetermined by the issuing vendor’s requirements – the unit shown in our demonstration videos is arbitrarily set for 200 milliseconds. At the end of this predetermined “read/transmit window” our circuitry resets, again disabling the card or passport.

‘Dead Bolt’ is thinner than the embedded RFID chip itself and gives no outward appearance of its existence, allowing for practically unlimited applications. It is impossible to access data stored on RFID enabled cards and passports that integrate ‘Dead Bolt’ technology until or unless the user intentionally initiates the read process.

Additionally, by being integrated into the card or passport, ‘Dead Bolt’ eliminates the need to buy anything else to keep your information safe. Why should we be forced to buy external protection for information stored on a device that, by all rights, be secure before we receive it?

For more information and to see demonstration videos of ‘Dead Bolt’, go to and

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...