Free Republic
Browse · Search
News/Activism
Topics · Post Article


RFID credit card hacked (time to wrap your wallet in tin foil?)
techradar.com ^ | 3/20/08 | Audley Jarvis

Posted on 03/20/2008 8:15:59 AM PDT by LibWhacker

Hacker gives live video demonstration

Following on from last week’s story about how the MIFARE Classic’s RFID chip, as used in London Transport’s Oyster card, had been compromised, BoingBoing has gone a step further. It gave a video demonstration of a hacker demonstrating how easy it is to extract details from an RFID-equipped credit card.

In the video, the hacker Pablos Holman boasts that he is able to “decrypt the data” using an “eight dollar reader from eBay”. One quick swipe of the reporter’s American Express card later and he appears to have done just that, with the cardholder’s name and expiry date both visible.

“You’ll get that from most cards,” explains Holman, before adding “now we can go online and start shopping”.

Holman then offers his explanation as to why the use of RFID technology is spreading despite its obvious security flaws. “The credit card industry understands that creating a secure system isn’t really the priority; creating a system that feels secure to the user is. In reality it’s easier for me to get numbers now than it was before.”

Security risk

Mr Holman then shows how RFID card carriers could protect themselves from readers with the aid of a metal wallet, before offering his views on how much of a security risk RFID-equipped credit cards really pose:

“I don’t expect this to be a major threat for a while. People are stealing credit card numbers from websites and that’s still pretty easy,” he says, before adding, somewhat more ominously “with a bigger antenna hooked up to this I can go into Starbucks and get the name of everyone in there”.


TOPICS: News/Current Events
KEYWORDS: card; credit; hacked; rfid; risk; security
See also: http://gizmodo.com/369796/rfid-credit-cards-can-be-hacked-with-8-worth-of-stuff [WARNING: Foul language in the public comments section]
1 posted on 03/20/2008 8:16:00 AM PDT by LibWhacker
[ Post Reply | Private Reply | View Replies]

To: LibWhacker
RFID Blocking Wallet

DIFRWEAR's stylish RFID blocking wallets are made of the finest quality leather and are built to last. The wallets contain a layer of RF shielding that prevents RFID readers from reading any passive tags stored within. They have a convenient flap to allow easy "flip" access to RFID cards. To allow RFID devices to be read, simply open the wallet and direct it towards the reader.

Dimensions when closed:
4.3" x 3.3"
10.9cm x 8.4cm
http://www.difrwear.com/products.shtml

Free Market works.

2 posted on 03/20/2008 8:22:54 AM PDT by BGHater ($2300 is the limit of your Free Speech.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: LibWhacker

Holman got ripped off. My husband stumbled on a card reader in an electronics surplus store in Silicon Valley priced at only $5.


3 posted on 03/20/2008 8:23:41 AM PDT by caseinpoint (Don't get thickly involved in thin things.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: BGHater

Wow, holy cow, thanks. Somebody’s way, way ahead of me again — as usual.

I never got what all this RFID paranoia was about until today. Didn’t know they were going to build the technology into credit cards.

Question: If you have an RFID credit card is it obvious; i.e., can you tell just by looking at it? Or does it look like any other credit card? I wanna opt out!


4 posted on 03/20/2008 8:32:35 AM PDT by LibWhacker
[ Post Reply | Private Reply | To 2 | View Replies]

To: LibWhacker

The new passports have RFID as well.

Some travelers have wrapped their passports in tin foil.


5 posted on 03/20/2008 8:39:18 AM PDT by july4thfreedomfoundation (Change.....that's what we will have left in our pockets if a Democrat gets elected president!)
[ Post Reply | Private Reply | To 4 | View Replies]

To: july4thfreedomfoundation

Beat me to it.


6 posted on 03/20/2008 8:40:06 AM PDT by fishhound
[ Post Reply | Private Reply | To 5 | View Replies]

To: LibWhacker

New Credit Cards Leak Personal Info

Some cards equipped with RFID chips send out names and account numbers.

Erik Larkin, PC World

Fri, 23 Mar 2007 22:00:00 UTC

You may be carrying a new type of credit card that can transmit your personal information to anyone who gets close to you with a scanner.


Embedded computer chips allow for reading a credit card's information from a distance.

The new cards--millions of them have been issued over the past year--use RFID, or Radio Frequency Identification, technology. RFID allows scanners to use radio signals at varying distances to read information stored on a computer chip, a chip that is embedded in the card (click on image above).

According to a study by researchers at the University of Massachusetts and at security companies RSA and Innealta, many of these cards will transmit your name, the credit card's number, and its expiration date (but not the three-digit security code) unencrypted to anyone nearby with an RFID scanner. (To see the full report as a PDF file, go to "Vulnerabilities in First-Generation RFID-enabled Credit Cards".)

Swipe and Pay

RFID is widely used to track shipments and inventory. In credit cards, it allows customers to swipe the cards past readers in such establishments as McDonald's restaurants and CVS pharmacies, making for quick and easy transactions. Visa says it has distributed over 6 million "contactless" cards worldwide, and the UMass study estimates that at least 20 million exist, with the total growing rapidly.

In an e-mail, one of the UMass researchers, Kevin Fu, wrote that "in our collection of approximately 20 cards, the vast majority revealed [the credit card holder's] name, CC number, and expiration" when the researchers scanned them with a commercial RFID reader they had modified to work with such cards. The cards in the sample came from American Express, MasterCard, and Visa, and had been issued by several major banks.

The credit cards use an encrypted security code to verify a transaction, which can protect against certain types of fraud--but not against someone who pulls the name and number from a card and uses the information to make online purchases, for instance.

As additional protection, Visa has begun requiring that banks not issue cards that transmit the cardholder's name, according to Brian Tripplett, the company's senior vice president of emerging product development (previously Visa only suggested this). Cards issued by American Express after this February also do not send the name, according to a spokesperson. MasterCard did not respond to PC World's requests for information.

According to American Express, for added security its cards transmit a card number different from that displayed on the card. Visa's Tripplett says that the contactless-card standard has a shorter read range and communicates differently than does the simple RFID used for such purposes as inventory management.

Do you have RFID?


To identify VISA contactless cards, look for the wavelike symbol pictured here.

How do you tell if your card has one of these chips? You can see the actual chip in the American Express cards (see image near the beginning of this story). And Tripplett says that Visa contactless cards have a symbol: four vertical wavelike bands on the front or the back. But to know for sure, and also to know whether your card sends your name, you must call your bank (or American Express) and ask. You should also be able to request a card that comes without the contactless technology if you prefer, or at least one that doesn't transmit your name.

Also, you can block RFID signals with a "Faraday cage," which uses a metal mesh or casing. For instance, at ThinkGeek.com, you can buy an "RFID-blocking wallet."

Even for the first-generation cards that do send the holder's name, some other factors mitigate the risk.

First, while the researchers used a commercially available RFID reader, they made modifications to it that take "technical skills and know-how," Fu wrote. Also, the reader must be close to an RFID chip: Card specifications say only a couple of inches, but Fu points out that some research papers have put the maximum range at about 6 inches.

And most important, phishing, keyloggers, and other means of online ID theft are far too successful at this time for criminals to expend the effort required by this type of fraud. So the risk probably isn't significant--for now.

Major risk or not, however, credit cards should have included the recent security upgrades from the beginning. Whether the threat is large or small, adding another opportunity for ID theft where there simply doesn't need to be any clearly makes no sense.

7 posted on 03/20/2008 8:42:19 AM PDT by BGHater ($2300 is the limit of your Free Speech.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: LibWhacker

REAL ID is coming and they don’t want you to opt out. You shall become a subject of the government, do you hear me?


8 posted on 03/20/2008 8:45:53 AM PDT by B4Ranch ("In politics, nothing happens by accident. If it happens, you can bet it was planned that way." FDR)
[ Post Reply | Private Reply | To 4 | View Replies]

To: BGHater

9 posted on 03/20/2008 8:47:18 AM PDT by Paleo Conservative
[ Post Reply | Private Reply | To 2 | View Replies]

To: B4Ranch

LOL, yikes! That’s probably how it’s gonna be, too... We’re not going to have any choice.


10 posted on 03/20/2008 8:48:05 AM PDT by LibWhacker
[ Post Reply | Private Reply | To 8 | View Replies]

To: BGHater

Very cool, thanks. Reading through it now.


11 posted on 03/20/2008 8:48:37 AM PDT by LibWhacker
[ Post Reply | Private Reply | To 7 | View Replies]

To: B4Ranch

Yep.


12 posted on 03/20/2008 8:52:16 AM PDT by EternalVigilance ("I am sure that Senator Clinton would make a good president." - John McCain)
[ Post Reply | Private Reply | To 8 | View Replies]

To: BGHater
it allows customers to swipe the cards past readers in such establishments as McDonald's restaurants and CVS pharmacies, making for quick and easy transactions.

I had to complain to CVS as my purse was on the counter as I got out my wallet to pay with cash for a purchase, the sensors picked up my debit card and the clerk just smiled at me and said thank you.. no pin or signature needed. I made her cancel the transaction.
13 posted on 03/20/2008 8:56:19 AM PDT by boxerblues
[ Post Reply | Private Reply | To 7 | View Replies]

To: boxerblues

Crazy. However, we are witnessing the future. No cash :(


14 posted on 03/20/2008 9:00:28 AM PDT by BGHater ($2300 is the limit of your Free Speech.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: LibWhacker

Either a CHIP under the skin or an ID Card. Take your choice or we’ll give you both!


15 posted on 03/20/2008 9:01:46 AM PDT by B4Ranch ("In politics, nothing happens by accident. If it happens, you can bet it was planned that way." FDR)
[ Post Reply | Private Reply | To 10 | View Replies]

To: boxerblues

How long before stores will be able to tell if you have brought money to actually BUY something?

How about an automatic fee to enter the store.


16 posted on 03/20/2008 9:02:38 AM PDT by longtermmemmory (VOTE! http://www.senate.gov and http://www.house.gov)
[ Post Reply | Private Reply | To 13 | View Replies]

To: BGHater

The machines are set way too sensitive. When my bank came out with this it was billed as “Tap & Go” and you had to just tap your card to a spot on the machine. I didn’t use it then and still won’t use it anywhere I don’t have an option to sign for my purchases.

We’ve all seen the commercials of a well oiled machine paying with Visa instead of cash; that’s what this is.


17 posted on 03/20/2008 9:07:56 AM PDT by boxerblues
[ Post Reply | Private Reply | To 14 | View Replies]

To: longtermmemmory

How about an automatic fee to enter the store.

Shhhh, don’t give them any ideas.


18 posted on 03/20/2008 9:08:38 AM PDT by boxerblues
[ Post Reply | Private Reply | To 16 | View Replies]

To: boxerblues

High end malls do this now with having only pay parking.


19 posted on 03/20/2008 9:10:59 AM PDT by longtermmemmory (VOTE! http://www.senate.gov and http://www.house.gov)
[ Post Reply | Private Reply | To 18 | View Replies]

To: LibWhacker

Figured it would happen sooner or later. Doesn’t really surprise me much.


20 posted on 03/20/2008 9:11:15 AM PDT by Domandred (McCain's 'R' is a typo that has never been corrected)
[ Post Reply | Private Reply | To 1 | View Replies]

To: LibWhacker
Solutions:
RFID-blocking passport billfold
RFID-blocking wallet

Personally, I'd go for one of those if I had anything with RFID in or on it - they're not badly priced either.
21 posted on 03/20/2008 9:16:07 AM PDT by Hyzenthlay (I aim to misbehave.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: LibWhacker

You wanna opt out of RFID? You better contact your Congressman about the Federal Real ID then... they want to make the “advanced” IDs RFID readable to “facilitate increased western hemisphere travel” (immigration)


22 posted on 03/20/2008 9:17:38 AM PDT by underground (Viva la Socialisme Wall Street /s)
[ Post Reply | Private Reply | To 4 | View Replies]

To: BGHater

What’s the world coming to when your wallet needs shielding?


23 posted on 03/20/2008 9:58:24 AM PDT by Red in Blue PA (Truth : Liberals :: Kryptonite : Superman)
[ Post Reply | Private Reply | To 2 | View Replies]

I called AmEx and they said they don’t offer an alternative. They offered to turn it off remotely, but how do I know really and what’s to stop them from turning it on again?

9/11 1984 aigh!


24 posted on 09/05/2008 8:29:32 PM PDT by startswithj
[ Post Reply | Private Reply | To 7 | View Replies]

To: startswithj

It’s easy to disable RFID yourself, and detecting the chip is fairly trivial as well.

http://wvp.diablops.com/component/content/article/67-braindead/37-bad-paypass-bad.html


25 posted on 12/09/2010 6:16:39 AM PST by braindead0
[ Post Reply | Private Reply | To 24 | View Replies]
