Credit Card Companies Gagged Mythbusters Over RFID Vulnerabilities?

from the security-through-obscurity...-and-legal-threats dept

It’s amazing to watch just how sensitive some companies are concerning the rather well-known security vulnerabilities associated with RFID tags and smart cards. We’ve seen companies try, time and time again, to suppress such research from getting published — and every single time, those efforts to suppress the publication of the vulnerabilities backfire, often badly.

But that never seems to stop companies from flexing their legal muscles.

The latest example comes to us via the Consumerist blog, which dug out a clip of Adam Savage from the TV show Mythbusters talking about what happened when the show tried to do an episode on RFID vulnerabilities:

Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else… They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it’s on Discovery’s radar and they won’t let us go near it.

Check out the video of him saying this (while admitting he’s probably not supposed to talk about it) here:

Perhaps it’s an exaggeration by Savage, but do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?


Comments on “Credit Card Companies Gagged Mythbusters Over RFID Vulnerabilities?”

Cynical says:

do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?

No, this is just business. The RFID tags are supposed to be a big selling point for credit cards — it’s how they make our lives more convenient and how they convince us that they’re better than the other guys. They don’t want it to become common knowledge that this convenience makes them really, really vulnerable — imagine the backlash! People wouldn’t sign up for new cards and very possibly might cancel the cards they have. Turning a selling point into a liability is a Bad Thing, and it’s only “smart” for them to keep their customers stupid.

After all, identity theft is the consumer’s problem…

Twinrova says:

For shame, Discovery... for shame.

Things like this just piss me off. If the show details issues with RFID, then it should be aired. It’s not Discovery’s fault these issues are so prevalent. So instead, fans of the show get screwed because Discovery is run by a bunch of cowards.

Savage is cool. I’m glad he made the comment and I’m further glad it’s spreading like wildfire.

When will stations realize ad revenue doesn’t even come close to offsetting the cost of shows, so why bother running them in the first place.

Anonymous Coward says:

Who cares????!???! It’s the companies that will lose the money in the end, anyway. I guarantee they have a team of experts working to make it as secure as possible, because they CAN’T let the customer hang out for the balance on the card that was stolen through RFID security flaws. It would be no different than having your card stolen. Visa cancels the balance while they find and sue the guy who stole it. The customer has nothing to worry about.

Anonymous Coward says:

Re: Re:

Actually the credit card companies do NOT repeat NOT pay for the stolen balance on the card, they pass that burden straight through to the merchant who accepted the card along with a fee (read fine) for accepting the stolen card in the first place. Unless the merchant has a signature and it matches the customer’s the merchant cannot fight the chargeback with any hope of winning… and winning by the way means the customer pays.

Hulser says:

Re: Don't Link RFID and Smart Cards

You look like fools lumping them [RFIDs and SmartCards] together.

That’s a very strong statement. Care to explain the reasoning behind your ad hominem attack? Based on the links that Mike provided, the commonality between RFIDs and SmartCards is the tendency of their manufacturers to suppress and deny the existence of security vulnerabilities rather than fix them. Even if SmartCards are much more secure than RFID systems, this point is not negated.

arby says:

Security through Obscurity

Back in the early days of the cellular industry, people were unsure whether or not the content of their calls was secure. Of course, they were right. Anyone with a Radioshack scanner that scanned the 800-1000 megahertz band could.

So, rather than make better, more secure cellphones, the cellular carriers pushed through the Electronic Communications Protection Act of 1986 which banned the sale of any scanner that could pick up cellular phone frequencies. As expected, that only made pre-ECPA scanners more valuable and proliferated the hacks for post-ECPA scanners to restore the missing frequencies.

But, with the end of analog cell phones, there are no more cellphones to listen in on…

Brian says:

It won't stop here either

because what comes next is RFIDs in currency. The government will follow every bill to every bank/store/atm. Using the data from those RFID tags in conjunction with the data from your cards and clothes and other RFID tagged properties they’ll follow every bill every step of the way. You won’t be able to disable the tags in the bill because at some step along the way they’ll trace the bill back to you and know where the tag died, and tampering with currency is illegal. Then they’ll pass a law banning disabling tags on all other items too. Oh, they won’t throw you in jail for it though, at least at first, they’ll just fine you heavily. The jail time comes later when you’re broke. Then they’ll RFID you.

Anonymous Coward says:

Re: It won't stop here either

Good to see at least one person is aware of the real purpose behind RFID, cattle tags for humans. They’re designed to track your every move and financial expenditure and where contention arises, RFIDs will simply be shut off, and all devices dependent upon RFID compatibility will be rendered useless.

Richard Ahlquist (profile) says:

Yes Shoot the messenger! These are not the droids you are looking for...

RFID is a neat toy but it is not secure. Not the ones in credit cards, not the ones in passports, none of it. Of course most people don’t realize that.

Shameful is it that Discovery channel buckled like a cheap hooker with a five spot dangled in their face! It just goes to prove one thing you can’t discover on Discovery is a strong moral compass. Although the color yellow appears readily abundant.

In conclusion Discovery will happily show you any truth that doesn’t go against a sponsor. Never forget though that the truth is less important to them than greed so take everything you hear from them with a grain of salt because after all….

Discovery is the best programming a corporate bribe can buy!

chris (profile) says:

Re: Yes Shoot the messenger! These are not the droids you are looking for...

In conclusion Discovery will happily show you any truth that doesn’t go against a sponsor. Never forget though that the truth is less important to them than greed so take everything you hear from them with a grain of salt because after all….

Discovery is the best programming a corporate bribe can buy!

you act like the media has some sort of responsibility to us. we are a product, a commodity to be leveraged and traded. the media’s only responsibility is to the company execs and the stock holders. the execs and stock holders only care about profits, and profits are dictated by advertisers. ergo, advertisers will always be able to bend media companies to their will. if you think fox or nbc or cnn are any different than the discovery channel you are woefully naive.

real security research is now and will forever be underground. it’s cheaper to provide the illusion of security than it is to build truly secure systems, so corporations and governments will always opt for obscurity first until an independent researcher exposes these vulnerabilities.

the credit industry is built on impulse buying. secure systems with integrity checks and access restrictions are a hindrance to impulse buys and will never be implemented. credit systems will always be flawed and fraud will just be considered the cost of doing business. if you think that’s pessimistic think about this: what does a company do when it’s had a large data breach: it buys the victims a year of credit monitoring and it moves on like it never happened.

why do you think credit card companies and news programs blame ID thefts and credit card fraud on hackers?

identities get stolen by identity thieves. credit card companies are defrauded by con artists. there is no hacking involved 99% of the time.

corporations want you to see competitive analysis and independent research as the products of shadowy figures that we need to fear so that you will mistrust the exposure of security vulnerabilities and not ask scary and expensive questions.

mobiGeek says:

Re: credit cards

Your argument about our ancestors not needing something simply doesn’t hold. The world changes, and with those changes are goods and bads.

What in particular do you find offensive about credit cards and debit cards (I could guess, but I won’t)?

I have a credit card, use it frequently, find it extremely convenient, and as an individual who can do arithmetic understand the ins-and-outs of my monthly finances to determine the appropriate payback structure so as to maximize the potential of my overall net worth.

John (profile) says:

Of course!

but do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?
Um, YES! If customers don’t know about a problem, then there is no problem, especially if the problem is security-related. Plus, it’s easier to hide the flaw than try to convince customers that the flaw isn’t too bad. Instead of spending money on R&D to fix the issues, just get the already-paid-for lawyers to threaten anyone who mentions the issue. Problem solved!

Rob says:

I have seen some RFID solutions that are worth looking at that provide very secure mechanisms (128 bit encr.) for activating, reading and writing. One is from Neology Corp., which uses a proprietary passive chip with 3 different channels for the above options, each with a unique key to activate the chip.
Their chip is expensive, but provides more security than any other RFID chip I have looked at.

I have worked with several security solutions for credit cards, and trust me, the weakest link is never the security either on the card itself, or at the contact points (TPV, ATM, POS, Internet VPos). The weakest link is always the holder of the card.

The use of either contact chips or RFID tags on credit cards needs to go hand in hand with the use of a PIN (or more) to complete any transaction. That leaves part of the security in the user’s hands, without seriously compromising the information stored in the chip (which has to be limited).

Fred says:

Get some real facts - not just opinions

An excellent book on this subject can be found on Amazon entitled “Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity” By Byron Acohido and Jon Swartz (hardback, Amazon $13.57).

The main premise of the book is that the payment industry, comprised of credit card companies, banks, credit bureaus and data brokers have created an easy-to-use, low cost (in maintenance) infrastructure that is pliable, extendable and very adaptable, but paper-thin when it comes to security. The system is built with the idea that “ease of access” for the customer ‘will bring them in’ especially when linked with easy credit. But when you link ease of access, easy credit and the absolute need for speed (for transactional processing), the payment industry has had to sacrifice a robust security infrastructure and privacy controls. Examples abound in the book of what not to do, as well as a Who’s Who of companies and bad guys (and girls), how they actually link up together, and how they control your credit.
Intended not merely to alarm, but to illuminate, “Zero Day Threat” exposes how lawbreakers do their dirty work, and how corporations knowingly, and unknowingly, help them do it.
As they say up north, “Take that in your pipe and smoke it !”

Derek Kerton (profile) says:

The Pizza Stone

…sure, all this is neat, but I’m most interested in that great question asked by the woman at the end of the video clip: “Will you do a Mythbusters on whether a commercial pizza stone does a better job of cooking pizza in a home oven over a regular clay tile?” Now that would be a gripping show… for an audience of one.

Why is it that at every conference, some weirdo manages to commandeer the Q&A mic and ask lengthy questions that they should know don’t interest anyone? You can see the line of people at the mic who want to get their turn, but she slides in this ludicrous pizza idea as her second question. Why are events not better moderated? Couldn’t someone step in with a friendly, “How ’bout you finish your question offline?”

Zaphod (user link) says:

Security through obscurity.

“but do the credit card companies really think that security through obscurity is the best way to protect their customers?”

Hmmm, the myth of “Security through Obscurity” probably ought to be tested. Plenty of examples, plenty of failures, but corporations still believe in the myth.

Just ask the Boston subway operators. 😛

Fred says:

Re: Re:

Oh, Please…. What fairy tale did you just finish reading ? Companies treating everyone fairly ? When did “fair” ever get counted on the bottom line ? What this is all about is charging the customer (you and I, if you missed that) for the financial company’s wrong decision (or choice) of technology. Fast, cheap, secure and easy-to-use; pick any three, but the fourth goes down the toilet and we get to pick-up the tab passed through via your local financial institution.

