RFID credit card hacked (time to wrap your wallet in tin foil?)

techradar.com ^ | 3/20/08 | Audley Jarvis

[LibWhacker]

Hacker gives live video demonstration

Following on from last week’s story about how the MIFARE Classic’s RFID chip, as used in London Transport’s Oyster card, had been compromised, BoingBoing has gone a step further. It gave a video demonstration of a hacker demonstrating how easy it is to extract details from a RFID-equipped credit card.

In the video, the hacker Pablos Holman boasts that he is able to “decrypt the data” using an “eight dollar reader from eBay”. One quick swipe of the reporter’s American Express card later and he appears to have done just that, with the cardholder’s name and expiry date both visible.

“You’ll get that from most cards,” explains Holman, before adding “now we can go online and start shopping”.

Holman then offers his explanation as to why the use of RFID technology is spreading despite its obvious security flaws. “The credit card industry understands that creating a secure system isn’t really the priority; creating a system that feels secure to the user is. In reality it’s easier for me to get numbers now than it was before.”

Security risk

Mr Holmon then shows how RFID card carriers could protect themselves from readers with the aid of a metal wallet, before offering his views on how much of a security risk RFID-equipped credit cards really pose:

“I don’t expect this to be a major threat for a while. People are stealing credit card numbers from websites and that’s still pretty easy,” he says, before adding, somewhat more ominously “with a bigger antenna hooked up to this I can go into Starbucks and get the name of everyone in there”.

[LibWhacker]

See also: http://gizmodo.com/369796/rfid-credit-cards-can-be-hacked-with-8-worth-of-stuff [WARNING: Foul language in the public comments section]

[BGHater]

RFID Blocking Wallet

DIFRWEAR's stylish RFID blocking wallets are made of the finest quality leather and are built to last. The wallets contain a layer of RF shielding that prevents RFID readers from reading any passive tags stored within. They have a convenient flap to allow easy "flip" access to RFID cards. To allow RFID devices to be read, simply open the wallet and direct it towards the reader.

Dimensions when closed:
4.3" x 3.3"
10.9cm x 8.4cm http://www.difrwear.com/products.shtml Free Market works.

[caseinpoint]

Holman got ripped off. My husband stumbled on a card reader in an electronics surplus store in Silicon Valley priced at only $5.

[LibWhacker]

Wow, holy cow, thanks. Somebody’s way, way ahead of me again — as usual.

I never got what all this RFID paranoia was about until today. Didn’t know they were going to build the technology into credit cards.

Question: If you have an RFID credit card is it obvious; i.e., can you tell just by looking at it? Or does it look lik e any other credit card? I wanna opt out!

[july4thfreedomfoundation]

The new passports have RFID as well.

Some travelers have wrapped their passports in tin foil.

[fishhound]

Beat me to it.

[BGHater]

New Credit Cards Leak Personal Info

Some cards equipped with RFID chips send out names and account numbers.

Erik Larkin, PC World

Fri, 23 Mar 2007 22:00:00 UTC

You may be carrying a new type of credit card that can transmit your personal information to anyone who gets close to you with a scanner.

Embedded computer chips allow for reading a credit card's information from a distance.

The new cards--millions of them have been issued over the past year--use RFID, or Radio Frequency Identification, technology. RFID allows scanners to use radio signals at varying distances to read information stored on a computer chip, a chip that is embedded in the card (click on image above).

According to a study by researchers at the University of Massachusetts and at security companies RSA and Innealta, many of these cards will transmit your name, the credit card's number, and its expiration date (but not the three-digit security code) unencrypted to anyone nearby with an RFID scanner. (To see the full report as a PDF file, go to "Vulnerabilities in First-Generation RFID-enabled Credit Cards".)

Swipe and Pay

RFID is widely used to track shipments and inventory. In credit cards, it allows customers to swipe the cards past readers in such establishments as McDonald's restaurants and CVS pharmacies, making for quick and easy transactions. Visa says it has distributed over 6 million "contactless" cards worldwide, and the UMass study estimates that at least 20 million exist, with the total growing rapidly.

In an e-mail, one of the UMass researchers, Kevin Fu, wrote that "in our collection of approximately 20 cards, the vast majority revealed [the credit card holder's] name, CC number, and expiration" when the researchers scanned them with a commercial RFID reader they had modified to work with such cards. The cards in the sample came from American Express, MasterCard, and Visa, and had been issued by several major banks.

The credit cards use an encrypted security code to verify a transaction, which can protect against certain types of fraud--but not against someone who pulls the name and number from a card and uses the information to make online purchases, for instance.

As additional protection, Visa has begun requiring that banks not issue cards that transmit the cardholder's name, according to Brian Tripplett, the company's senior vice president of emerging product development (previously Visa only suggested this). Cards issued by American Express after this February also do not send the name, according to a spokesperson. MasterCard did not respond to PC World's requests for information.

According to American Express, for added security its cards transmit a card number different from that displayed on the card. Visa's Tripplett says that the contactless-card standard has a shorter read range and communicates differently than does the simple RFID used for such purposes as inventory management.

Do you have RFID?

To identify VISA contactless cards, look for the wavelike symbol pictured here.

How do you tell if your card has one of these chips? You can see the actual chip in the American Express cards (see image near the beginning of this story). And Tripplett says that Visa contactless cards have a symbol: four vertical wavelike bands on the front or the back. But to know for sure, and also to know whether your card sends your name, you must call your bank (or American Express) and ask. You should also be able to request a card that comes without the contactless technology if you prefer, or at least one that doesn't transmit your name.

Also, you can block RFID signals with a "Faraday cage," which uses a metal mesh or casing. For instance, at ThinkGeek.com, you can buy an "RFID-blocking wallet."

Even for the first-generation cards that do send the holder's name, some other factors mitigate the risk.

First, while the researchers used a commercially available RFID reader, they made modifications to it that take "technical skills and know-how," Fu wrote. Also, the reader must be close to an RFID chip: Card specifications say only a couple of inches, but Fu points out that some research papers have put the maximum range at about 6 inches.

And most important, phishing, keyloggers, and other means of online ID theft are far too successful at this time for criminals to expend the effort required by this type of fraud. So the risk probably isn't significant--for now.

Major risk or not, however, credit cards should have included the recent security upgrades from the beginning. Whether the threat is large or small, adding another opportunity for ID theft where there simply doesn't need to be any clearly makes no sense.

[B4Ranch]

REAL ID is coming and they don’t want you to opt out. You shall become a subject of the government, do you hear me?

[Paleo Conservative]

[LibWhacker]

LOL, yikes! That’s probably how it’s gonna be, too... We’re not going to have any choice.

[LibWhacker]

Very cool, thanks. Reading through it now.

[EternalVigilance]

Yep.

[boxerblues]

it allows customers to swipe the cards past readers in such establishments as McDonald's restaurants and CVS pharmacies, making for quick and easy transactions.

I had to complain to CVS as my purse was on the counter as I got out my wallet to pay with cash for a purchase, the sensors picked up my debit card and the cleck just smiled at me and said thank you.. no pin or signature needed I made her cancel the transaction.

[BGHater]

Crazy. However, we are witnessing the future. No cash :(

[B4Ranch]

Either a CHIP under the skin or an ID Card. Take your choice or we’ll give you both!

[longtermmemmory]

how long before stores will be able to tell if you have brought money to actually BUY something.

How about an automatic fee to enter the store.

[boxerblues]

The machines are set way too sensitive. When my bank come out with this it was billed as “Tap & Go” and you had to just tap your card to a spot on the machine. I didnt use it then and still wont use it anywhere I dont have an option to sign for my purchases

We’ve all seen the commercials of a well oiled machine paying with Visa instead of cash thats what this is.

[boxerblues]

How about an automatic fee to enter the store.

shhhh dont give them any ideas

[longtermmemmory]

high end malls do this now with having only pay parking.

[Domandred]

Figured it would happen sooner or later. Doesn’t really surprise me much.