Skip to comments.RFID credit card hacked (time to wrap your wallet in tin foil?)
Posted on 03/20/2008 8:15:59 AM PDT by LibWhacker
Hacker gives live video demonstration
Following on from last weeks story about how the MIFARE Classics RFID chip, as used in London Transports Oyster card, had been compromised, BoingBoing has gone a step further. It gave a video demonstration of a hacker demonstrating how easy it is to extract details from a RFID-equipped credit card.
In the video, the hacker Pablos Holman boasts that he is able to decrypt the data using an eight dollar reader from eBay. One quick swipe of the reporters American Express card later and he appears to have done just that, with the cardholders name and expiry date both visible.
Youll get that from most cards, explains Holman, before adding now we can go online and start shopping.
Holman then offers his explanation as to why the use of RFID technology is spreading despite its obvious security flaws. The credit card industry understands that creating a secure system isnt really the priority; creating a system that feels secure to the user is. In reality its easier for me to get numbers now than it was before.
Mr Holmon then shows how RFID card carriers could protect themselves from readers with the aid of a metal wallet, before offering his views on how much of a security risk RFID-equipped credit cards really pose:
I dont expect this to be a major threat for a while. People are stealing credit card numbers from websites and thats still pretty easy, he says, before adding, somewhat more ominously with a bigger antenna hooked up to this I can go into Starbucks and get the name of everyone in there.
DIFRWEAR's stylish RFID blocking wallets are made of the finest quality leather and are built to last. The wallets contain a layer of RF shielding that prevents RFID readers from reading any passive tags stored within. They have a convenient flap to allow easy "flip" access to RFID cards. To allow RFID devices to be read, simply open the wallet and direct it towards the reader.
Dimensions when closed:
4.3" x 3.3"
10.9cm x 8.4cm http://www.difrwear.com/products.shtml Free Market works.
Holman got ripped off. My husband stumbled on a card reader in an electronics surplus store in Silicon Valley priced at only $5.
Wow, holy cow, thanks. Somebody’s way, way ahead of me again — as usual.
I never got what all this RFID paranoia was about until today. Didn’t know they were going to build the technology into credit cards.
Question: If you have an RFID credit card is it obvious; i.e., can you tell just by looking at it? Or does it look lik e any other credit card? I wanna opt out!
The new passports have RFID as well.
Some travelers have wrapped their passports in tin foil.
Beat me to it.
Erik Larkin, PC World
You may be carrying a new type of credit card that can transmit your personal information to anyone who gets close to you with a scanner.
Embedded computer chips allow for reading a credit card's information from a distance.
The new cards--millions of them have been issued over the past year--use RFID, or Radio Frequency Identification, technology. RFID allows scanners to use radio signals at varying distances to read information stored on a computer chip, a chip that is embedded in the card (click on image above).
According to a study by researchers at the University of Massachusetts and at security companies RSA and Innealta, many of these cards will transmit your name, the credit card's number, and its expiration date (but not the three-digit security code) unencrypted to anyone nearby with an RFID scanner. (To see the full report as a PDF file, go to "Vulnerabilities in First-Generation RFID-enabled Credit Cards".)
RFID is widely used to track shipments and inventory. In credit cards, it allows customers to swipe the cards past readers in such establishments as McDonald's restaurants and CVS pharmacies, making for quick and easy transactions. Visa says it has distributed over 6 million "contactless" cards worldwide, and the UMass study estimates that at least 20 million exist, with the total growing rapidly.
In an e-mail, one of the UMass researchers, Kevin Fu, wrote that "in our collection of approximately 20 cards, the vast majority revealed [the credit card holder's] name, CC number, and expiration" when the researchers scanned them with a commercial RFID reader they had modified to work with such cards. The cards in the sample came from American Express, MasterCard, and Visa, and had been issued by several major banks.
The credit cards use an encrypted security code to verify a transaction, which can protect against certain types of fraud--but not against someone who pulls the name and number from a card and uses the information to make online purchases, for instance.
As additional protection, Visa has begun requiring that banks not issue cards that transmit the cardholder's name, according to Brian Tripplett, the company's senior vice president of emerging product development (previously Visa only suggested this). Cards issued by American Express after this February also do not send the name, according to a spokesperson. MasterCard did not respond to PC World's requests for information.
According to American Express, for added security its cards transmit a card number different from that displayed on the card. Visa's Tripplett says that the contactless-card standard has a shorter read range and communicates differently than does the simple RFID used for such purposes as inventory management.
To identify VISA contactless cards, look for the wavelike symbol pictured here.
How do you tell if your card has one of these chips? You can see the actual chip in the American Express cards (see image near the beginning of this story). And Tripplett says that Visa contactless cards have a symbol: four vertical wavelike bands on the front or the back. But to know for sure, and also to know whether your card sends your name, you must call your bank (or American Express) and ask. You should also be able to request a card that comes without the contactless technology if you prefer, or at least one that doesn't transmit your name.
Even for the first-generation cards that do send the holder's name, some other factors mitigate the risk.
First, while the researchers used a commercially available RFID reader, they made modifications to it that take "technical skills and know-how," Fu wrote. Also, the reader must be close to an RFID chip: Card specifications say only a couple of inches, but Fu points out that some research papers have put the maximum range at about 6 inches.
And most important, phishing, keyloggers, and other means of online ID theft are far too successful at this time for criminals to expend the effort required by this type of fraud. So the risk probably isn't significant--for now.
Major risk or not, however, credit cards should have included the recent security upgrades from the beginning. Whether the threat is large or small, adding another opportunity for ID theft where there simply doesn't need to be any clearly makes no sense.
REAL ID is coming and they don’t want you to opt out. You shall become a subject of the government, do you hear me?
LOL, yikes! That’s probably how it’s gonna be, too... We’re not going to have any choice.
Very cool, thanks. Reading through it now.
Crazy. However, we are witnessing the future. No cash :(
Either a CHIP under the skin or an ID Card. Take your choice or we’ll give you both!
how long before stores will be able to tell if you have brought money to actually BUY something.
How about an automatic fee to enter the store.
The machines are set way too sensitive. When my bank come out with this it was billed as “Tap & Go” and you had to just tap your card to a spot on the machine. I didnt use it then and still wont use it anywhere I dont have an option to sign for my purchases
We’ve all seen the commercials of a well oiled machine paying with Visa instead of cash thats what this is.
How about an automatic fee to enter the store.
shhhh dont give them any ideas
high end malls do this now with having only pay parking.
Figured it would happen sooner or later. Doesn’t really surprise me much.
You wanna opt out of RFID? You better contact your Congressman about the Federal Real ID then... they want to make the “advanced” IDs RFID readable to “facilitate increased western hemisphere travel” (immigration)
What’s the world coming to when your wallet needs shielding?
I called AmEx and they said they don’t offer an alternative. They offered to turn it off remotely, but how do I know really and what’s to stop them from turning it on again.
9/11 1984 aigh!
It’s easy to disable RFID yourself, and detecting the chip is fairly trivial as well.