Researchers see privacy pitfalls in no-swipe credit cards
CNET News ^ | October 23, 2006 | Jonathan Schwartz

Posted on 10/23/2006 2:30:42 PM PDT by Ben Mugged

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The demonstration revealed potential security and privacy holes in a new generation of credit cards--cards whose data is relayed by radio waves without need of a signature or physical swiping through a machine. Tens of millions of the cards have been issued, and equipment for their use is showing up at a growing number of locations, including CVS pharmacies, McDonald's restaurants and many movie theaters.

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate "128-bit encryption," and J. P. Morgan Chase has said that its cards, which it calls Blink, use "the highest level of encryption allowed by the U.S. government."

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder's name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.

(Excerpt) Read more at news.com.com ...


TOPICS: Culture/Society
KEYWORDS: creditcards; crime; identitytheft; idtheft
An excellent reason to avoid these credit RFI chips.
1 posted on 10/23/2006 2:30:43 PM PDT by Ben Mugged
[ Post Reply | Private Reply | View Replies]

To: Ben Mugged

What's amazing is that 10's of millions of people have been suckered into using this technology.


2 posted on 10/23/2006 2:37:01 PM PDT by AFreeBird (If American "cowboy diplomacy" did not exist, it would be necessary to invent it.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: AFreeBird
What's amazing is that 10's of millions of people have been suckered into using this technology.

Including the US government for passports.

3 posted on 10/23/2006 2:41:47 PM PDT by ozoneliar ("The tree of liberty must be refreshed from time to time with the blood of patriots & tyrants" -T.J.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Ben Mugged
And many want you to get one as a passport too. And while the jury is still out on whether this technology may indeed prove useful for securing your ID, this clearly isn't good news.

RFID rethought

4 posted on 10/23/2006 2:42:35 PM PDT by APRPEH (id theft info available on my profile page)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ozoneliar
Including the US government for passports.

What legitimate security advantages do RFID passports have over contact-based ones?

5 posted on 10/23/2006 3:52:45 PM PDT by supercat (Sony delenda est.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: supercat

As far as I can tell: none, except that it would make customs quicker.


6 posted on 10/23/2006 3:56:03 PM PDT by ozoneliar ("The tree of liberty must be refreshed from time to time with the blood of patriots & tyrants" -T.J.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: supercat

In theory, it would be harder to forge a passport, as one would also need to copy the RFID chip data, alter it, and perform a hash function using an authentic digital signature as the basis of the hash.


7 posted on 10/23/2006 3:56:30 PM PDT by BeHoldAPaleHorse ( ~()):~)>)
[ Post Reply | Private Reply | To 5 | View Replies]

To: BeHoldAPaleHorse
In theory, it would be harder to forge a passport, as one would also need to copy the RFID chip data, alter it, and perform a hash function using an authentic digital signature as the basis of the hash.

I understand the value of having an embedded microcircuit, but a contact-based chip provides the same security features as RFID while avoiding some of the security and privacy risks.

8 posted on 10/23/2006 4:02:22 PM PDT by supercat (Sony delenda est.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: supercat
I understand the value of having an embedded microcircuit, but a contact-based chip provides the same security features as RFID while avoiding some of the security and privacy risks.

Ah. I missed that you were talking about contact chips as opposed to a plain passport.

9 posted on 10/23/2006 4:03:27 PM PDT by BeHoldAPaleHorse ( ~()):~)>)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Ben Mugged

What is so tough about swiping a card? Does it take that much longer than RFI? Scam.


10 posted on 10/23/2006 4:10:16 PM PDT by Right Wing Assault ("..this administration is planning a 'Right Wing Assault' on values and ideals.." - John Kerry)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ben Mugged

RFID is a technology that will be really swell... in about five to seven years.

In the meantime the credit companies are jumping the shark.

Bad idea. Lots 'o people gonna get burned real bad.

"Tap and go" my ass. Tap and get scammed is more like it.


11 posted on 10/23/2006 4:24:17 PM PDT by upchuck (Eventually the Islamofascists must be destroyed. The longer we wait, the bloodier it is going to be.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ben Mugged
This is a problem. Why do we secure online CC transactions with SSL?

The article hints that cleartext mag strip data is readable remotely, through your pants, through mailing envelopes, etc. A quote from Professor Fu's draft report confirms that impression:

Integration of RF technology into existing credit-card infrastructure: The RFID payment cards that we examined seem to have been designed specifically for easy integration into the existing payment-authorization infrastructure. For instance, even though no magnetic stripes are read during an RF transaction, the RFID credit card readers that we examined reformat received RFID data into “Track 1 Data” and “Track 2 Data” before passing it along to point-of-sale terminals. In other words, data is presented to the charge-processing network in the same format regardless of whether the credit-card reader received the information from an RF transaction, or a traditional swipe of a magnetic strip.

Card companies consider mag stripe data to be sensitive. They require merchants to store it securely and not keep it around unnecessarily. Federal law requires that full card numbers and expiration dates not be printed on receipts (embossed imprint machines are grandfathered for the time being, but when was the last time you saw one of those?).
12 posted on 10/23/2006 4:24:38 PM PDT by cynwoody
[ Post Reply | Private Reply | To 1 | View Replies]
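The "fu/kevine" string in the article is the Track 1 cardholder-name field (LAST/FIRST form), which is what the report's remark about readers reformatting RF data into Track 1 and Track 2 means in practice: whatever arrives over the air is handed to the POS in the same cleartext layout the merchant is obliged to protect. As an added illustration (not code from the article, the report or anyone in this thread), the Python below parses constructed track data in the ISO/IEC 7813 layout and applies the masking a merchant-side log or receipt should use; the sample PAN and name are made up.

```python
import re

# Constructed sample track data in the ISO/IEC 7813 layout (not real card data).
# Track 1: %B<PAN>^<LAST/FIRST>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE Q^09101011000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=09101011000000000000?"

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: a sanity check on a PAN, not a security control."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track(data: str) -> dict:
    """Return the cleartext fields a reader hands to the POS in track format."""
    m = TRACK1_RE.match(data) or TRACK2_RE.match(data)
    if not m:
        raise ValueError("not Track 1/Track 2 data")
    fields = m.groupdict()
    fields.setdefault("name", None)        # Track 2 carries no cardholder name
    fields["luhn_ok"] = luhn_ok(fields["pan"])
    return fields


def mask_pan(pan: str) -> str:
    """Keep at most the first 6 and last 4 digits, as receipts and logs should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_track(data: str) -> str:
    """Mask the PAN (the first long digit run) so track data can be logged safely."""
    return re.sub(r"\d{12,19}", lambda m: mask_pan(m.group(0)), data, count=1)


if __name__ == "__main__":
    for sample in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(parse_track(sample), "->", redact_track(sample))
```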

To: cynwoody
The article hints that cleartext mag strip data is readable remotely, through your pants, through mailing envelopes, etc

That is absolute nonsense. The magnetic signal that can be received from a magstripe card will fall off very quickly at short distances (much faster than distance-squared). A typical magstripe card has a data density of 3 bits/mm on the lowest-density track. At a distance of 2mm, any magnetic signal picked up will be only 1/1000 as strong as at 0.16mm. A very carefully constructed reader might be able to read a magstripe at that distance if its motion were precisely controlled and it were shielded from all other types of magnetic interference. From a practical perspective, however, magstripe readers are contact-only.

13 posted on 10/23/2006 4:44:30 PM PDT by supercat (Sony delenda est.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: cynwoody

[continuing]

The issue of concern I think from the article's perspective is that a typical RFID-equipped credit card point-of-sale system handles the RFID by converting it electrically into signals similar to those from a normal magstripe reader. It would be fairly trivial for someone with access to the inner workings of a POS system to tap into the card-reader (or RFID-reader) signals and snatch the unencrypted card data from there.


14 posted on 10/23/2006 4:46:43 PM PDT by supercat (Sony delenda est.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: supercat
From a practical perspective, however, magstripe readers are contact-only.

That's true. But the professor appears to be reporting that the same data contained in the mag stripes is being transmitted via RFID, and is therefore readable well beyond 0.16mm, and without having to hack the POS (which, admittedly, is quite easy for rogue merchant personnel — that's why PIN pads are used for debit cards in debit mode) or even be near a POS.

A secure solution would require a three-way conversation between the customer's credit card (or mobile phone, perhaps?), the merchant's POS system, and the credit card company. The customer's card would request a transaction from the card company via SSL (probably relayed by, but definitely not readable by the POS). Then the card company would notify the POS whether the transaction is approved or denied. There would also need to be a way for the customer to authenticate to the card (or phone), in order to make it hard to use stolen cards (or phones).

15 posted on 10/23/2006 6:44:16 PM PDT by cynwoody
[ Post Reply | Private Reply | To 13 | View Replies]
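The three-way conversation proposed above, modelled as an added Python example (not the poster's code, and not any issuer's real protocol): the card authenticates the sale to the issuer with a keyed MAC over the merchant, amount and a counter, the POS relays that message and learns only the verdict. The SSL transport and the method by which the holder authenticates to the card are treated as black boxes here, and the shared key and token names are constructed.

```python
import hashlib, hmac, json, secrets


class Card:
    """Customer's card (or phone); holds a key shared only with the issuer."""
    def __init__(self, token: str, key: bytes):
        self.token, self.key, self.counter = token, key, 0

    def request(self, merchant_id: str, amount_cents: int, unlocked: bool) -> dict:
        """Message the POS relays: no PAN, name or expiry. The counter gives replay
        protection; `unlocked` models the holder authenticating to the card."""
        if not unlocked:
            raise PermissionError("cardholder did not authenticate to the card")
        self.counter += 1
        body = {"token": self.token, "merchant": merchant_id,
                "amount": amount_cents, "ctr": self.counter}
        msg = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "mac": hmac.new(self.key, msg, hashlib.sha256).hexdigest()}


class Issuer:
    """Card company: verifies the card's message and answers the POS."""
    def __init__(self, keys: dict):
        self.keys, self.last_ctr = keys, {}

    def authorize(self, req: dict, pos_merchant: str, pos_amount_cents: int) -> str:
        body = req["body"]
        key = self.keys.get(body["token"])
        if key is None:
            return "DENIED"                          # unknown card
        msg = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return "DENIED"                          # forged or altered in transit
        if body["ctr"] <= self.last_ctr.get(body["token"], 0):
            return "DENIED"                          # replay of a captured message
        if (body["merchant"], body["amount"]) != (pos_merchant, pos_amount_cents):
            return "DENIED"                          # card and POS disagree on the sale
        self.last_ctr[body["token"]] = body["ctr"]
        return "APPROVED"


def pos_checkout(card: Card, issuer: Issuer, merchant: str, amount_cents: int,
                 unlocked: bool = True) -> str:
    """POS relays the card's message and learns only the verdict. The token still
    identifies the card to an eavesdropper; only the key and the PAN stay private."""
    return issuer.authorize(card.request(merchant, amount_cents, unlocked), merchant, amount_cents)


if __name__ == "__main__":
    k = secrets.token_bytes(32)                      # constructed shared key
    print(pos_checkout(Card("tok-7f3a", k), Issuer({"tok-7f3a": k}), "store-1", 1999))
```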

To: Ben Mugged

Can you just destroy the RFID chip with an X-acto blade and then use the card as regular swipe-only?


16 posted on 11/02/2006 8:05:32 AM PST by TEEHEE
[ Post Reply | Private Reply | To 1 | View Replies]
