Posted on 10/14/2010 11:32:35 AM PDT by ShadowAce
How often do you go to the store on a monthly basis? Maybe you go down to the local Starbucks every morning before work. This is prime hunting ground for an attacker to steal all of your credit card information without ever touching you, using equipment they got on ebay for under $20. These are the threats that credit card companies and the thieves don’t want you to know about. RFID hacking has been in the news quite a bit lately. There’s a lot of concern as to what it involves, how easy it is, and what exactly RFID is. We will also touch on some of the security practices that are in place for RFID and how effective they are. Before we dive in, what is RFID?
RFID is short for Radio-Frequency Identification. RFID chips consist of two parts, an integrated circuit for processing data, and an antenna for transmitting and receiving data. There are three types of RFID devices.
 |
 |
 |
Passive:
They have no battery and rely upon an external reader to generate RF that the chip can then modulate and re-transmit. Their range is the shortest.
Battery Assisted Passive:
They are similar to passive chips, but use a battery once they are “awake” to transmit their signal over a greater range.
Active:
They use their battery to transmit over an even greater range than battery assisted passive chips.
Regardless of the type, all RFID chips work on the same basic principle of receiving an RF signal, modulating it through its integrated circuit, and then transmitting the modulated signal.
RFID tags are typically used in asset tracking. Farmers use RFID tags clipped to their livestock to keep track of them. Retail outlets are trying to implement RFID chips as a supplement to barcodes to help speed up checkout times. In the United States, toll roads use RFID chips to quickly pay tolls without drivers needing to pull off into a toll booth.
Active RFID Toll Pass
Due to the existing use of RFID chips to uniquely identify whatever they are attached to, some companies have decided to implement them in security based technologies (think access cards for opening doors) and personal identification technologies (think passports and drivers licenses). This is where that problems begin to happen.
The hacking of RFID chips is typically done through the use of a RFID cloner. It is a device that is able to capture an RFID signal from a distance and then emit the signal whenever the attacker wants. The inherit design of RFID chips is to respond to any kind of frequency on the chip’s wireless band. This makes regular RFID chips very versatile, but terrible for security. Normal RFID chips don’t include any kind of security measures (mostly due to the processing limitations on the chips) for preventing unwanted reading of the chip. An attacker with a high enough powered reader could sniff the RFID chip in a security door access card while being far enough away that you would never know what he was doing. After they have your ID number they can come back at their leisure and use a cloner to replicate your ID and gain access to the restricted area, all with you being none the wiser.
Imagine you’re standing in line at the store. The guy behind you in line is standing a little closer than you would like. It is uncomfortable but you don’t say anything. He gets a smirk on his face and moves back to a more comfortable distance. He’s just stolen your credit card without ever touching you. American Express and Visa both have RFID enabled credit cards out on the market. The chip in those cards has everything you would need to make a purchase (name, card number, expiration date, etc.). Both companies offer these cards with the thought of making customers lives easier, but in reality they’re making them even more vulnerable to identity theft. It’s not like the equipment is is difficult to use or hard to come by either. For under $20, someone lurking around ebay can get all the equipment they would possibly need to build a powerful RFID reader.
Yes, but as with many security and privacy related issues, the real culprit lies in half-baked security algorithms and bottom line budgets. There are RFID chips that can do proper challenge-response authentication, but they cost significantly more than ones that don’t. There is also the computational performance limitations of passive RFID chips. This makes it difficult for them to implement proven encryption ciphers like SHA-1 (used to encrypt credit card transactions online). The computational power of passive RFID chips will no doubt improve as technology improves, and will in turn bring down the cost.
The bottom line is that you shouldn’t use RFID as the sole identification method in a system, unless it is using a proven encryption method. It should instead be used in conjunction with other types of authentication systems. If you’re not willing to fork out the money to properly secure a system, then you may as well flush your money down the toilet.
Those with concerns over their data being stolen from their credit cards are in luck as it seems there are several manufacturers making RFID blocking billfolds and passport wallets. That’s right some passports contain RFID chips as well. An example of such a a product can be seen here. Maybe all of those tin foil hat wearers really were on to something after all.
mythbuster wanted to do a piece on RFID etch
they were threatened with a lawsuit.
likely because the RDID tech is so hacker-friendly
Who threatened them?
I want RFID’s on everything I own - my car keys, my glasses, the TV clicker - so I can use an iPhone app to instantly find whatever it is I am looking for.
These things are really a bad idea.
I would imagine they'd be particularly succeptable to MITM attacks as well.
You can make RFID readers that will work across more than 10 meters. Sounds to me like the banks are just asking to be brutally defrauded. Consumers are the ones who will ultimately pay for their shoddy understanding of technology.
So will magnets disable them?
How do you find and remove them? Can you?
I am thinking more than from a d/l or credit card here....
the mfg council’
check thier site
No. These are not magnetic strips. These are hard-coded transmitters in a chip.
I've been against them from the beginning. I don't want a transmitter following me around.
I know that technically they are not transmitters, but they act like them.
“For under $20, someone lurking around ebay can get all the equipment they would possibly need to build a powerful RFID reader.”
Citation needed....
I’m not saying hacking isn’t possible. It most certainly is. But I doubt the $20 price tag for a workable finished unit.
wrap your card inn tin foil
or buy a lined wallet (check the web)
your new passport may this devil spawn imbedded in them as well
I can speak slightly authoritatively. I just designed one!
RFID by itself is not inherently bad or good (kind of like guns!) It is a technology that can be used intelligently or stupidly (say as a security device..)If they are used as for their real intention, i.e. wireless serial numbers, then they have a place.
How it works - The “Reader” puts out a radio signal with a modulation on top of it telling the tags what to do. The tags gather the radio energy (these are the passive units described above), and store this energy++
internally until it’s their turn to transmit. They transmit back what they have stored - usually some sort of product code (read programmable serial number.) The passive tags generally don’t have real transmitters - they actually change the resonance of their antennas in a fashion that the “Reader” can pick up. This is how they convey information back to the “Reader.” These are REALLY low power devices.
The current EPC specification for “Generation 2” devices has no provision for encryption. They only have a programmable password. This password would be used to access the information/change the information. It would be possible for someone to “observe” the “Reader” transmissions an clone the password, so this really isn’t any source of protection. It’s really meant to stop someone from changing the RFID’s memory....
If this "Tap Method" is the way to use your card or one of the two ways, then you are vulnerable. This RFID emitter may be a raised square bump on the card if it is an applied device on your card.
In any case, if you have any worry about ANY OF YOUR CREDIT / DEBIT CARDs containing an RFID, immediately call the issuer and ask about it. If they identify it as such a card, you have the absolute right to ask for a non-RFID replacement.
My personal opinion on this issue is that this is a miss-use of a valid technology and I have not found it hard to use my credit card in the old way at all. Frankly, it may be still too easy but that is a matter of PERSONAL self-control.
In general I’m totally cool with RFIDs, I don’t worry if every reader I pass can get my pants’ serial number. RFID credit cards OTOH are a little too much power in a little too much convenience.
The article states that SHA-1 is used to encrypt data. Secure Hashing Algorithms are a “one way” mathematical construct - you can’t (within normal computational means) retrieve the original information. SHA-1 is NOT an encryption method. This kind of basic misunderstanding of security must surely negate any informative content of this article. At least it does for me, being knowledgeable of both digital security and payments.
The basic concept of the article is accurate. You can buy RFID readers for cheap, you can just walk around with them and pick up people credit card RFIDs and you can program your own RFIDs to emit the same data and functionally steal their credit card. As always non-technical people will screw up the technical details, but the core is there.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.