Old 10-23-2006, 09:21 AM   #1 (permalink)



 
Apophis's Avatar
 
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 35
Posts: 8,868
No-Swipe Credit Cards and You

This is something I've been working on, reading data off RFID-equipped credit and debit cards without the cardholder's knowledge. The New York Times just did an article on this as well. Since it's breached into the realm of public disclosure, I'm more than happy to share:

Quote:
The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.
Full Article

Basically, if you have one of these "PayPass" or other-labeled cards that allow you to just touch your card to a payment terminal without being swiped, you could very well be vulnerable to this type of credit card theft. I've successfully done this with RFID based access cards to get into buildings and have played with Credit/Debit cards as well.

You can buy equipment capable of doing this for around $75 right now. If you have a Windows CE based PDA, it's relatively easy to modify the RFID antenna to be mounted externally via a wire running down your sleeve. You can hold the RFID antenna concealed in your hand, and walk through a city grabbing card numbers left and right.

There are plans out on the net for a low-powered EMP generator that can be built out of a disposable camera. You could use one of these EMP devices to effectively fry the RFID chip on your card to prevent this type of theft, but you'll also render your card inoperable with any device that requires the RFID chip to be intact.

Keep this in mind; your card information can be read through your pants, through your wallet, by someone walking by you or in very close proximity. I think we're going to start seeing this type of card theft in the wild within the next 6-12 months.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
Apophis is offline   Reply With Quote
Old 10-23-2006, 09:31 AM   #2 (permalink)
 
Steeler's Avatar
 
Join Date: Aug 2005
Location: Taxachusetts
Age: 30
Posts: 2,925
Re: No-Swipe Credit Cards and You

I've often wondered: Given the numerous and demonstrable security flaws of RFID systems, what is the momentum driving their implementation? Chips for your credit cards, chips for your car, your pets, for your kids. What the Hell?
__________________
Steeler is offline   Reply With Quote
Old 10-23-2006, 09:34 AM   #3 (permalink)



 
Apophis's Avatar
 
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 35
Posts: 8,868
Re: No-Swipe Credit Cards and You

Quote:
Originally Posted by Steeler View Post
I've often wondered: Given the numerous and demonstrable security flaws of RFID systems, what is the momentum driving their implementation? Chips for your credit cards, chips for your car, your pets, for your kids. What the Hell?
Personally, I think it's driven by the industry's excitement to use this new technology. It's been known for some time now that RFID can be extremely weak, yet many companies are still moving forward with this type of weak technology.

I also don't see the value in an RFID equipped card. If you can just swipe your card with a magnetic stripe reader, what's the advantage of still having to pull out your card to tap the RFID reader and transmitting that same information wirelessly?
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
Apophis is offline   Reply With Quote
Old 10-23-2006, 09:36 AM   #4 (permalink)


 
Vulcan's Avatar
 
Join Date: Jan 2005
Location: Montreal
Age: 29
Posts: 7,175
Re: No-Swipe Credit Cards and You

Quote:
Originally Posted by Steeler View Post
I've often wondered: Given the numerous and demonstrable security flaws of RFID systems, what is the momentum driving their implementation? Chips for your credit cards, chips for your car, your pets, for your kids. What the Hell?
I also say what the hell?
__________________



Vulcan is offline   Reply With Quote
Old 10-23-2006, 09:41 AM   #5 (permalink)




 
Pokerface's Avatar
 
Join Date: May 2003
Location: MD, USA
Age: 29
Posts: 5,722
Re: No-Swipe Credit Cards and You

Dugg.

RFID seems like a perfectly ducky technology, but I can't imagine wanting any personal information worth anything broadcast out like that.

Tracking inventory? Sure. EZPass? I'll bite to save the time. Avoid swiping a credit card? That's jumping the laziness shark right there.
__________________

NS Game Officer. TF2 Admin. BF2 Admin / Scripter. PM with issues.
Tempus: Pokerface is nailing it right on the head. Everyone who is arguing against him is simply arguing against reality.
<anmuzi> it is not permitted to have privacy or anonymity
<LazyEye> yeah when I play on TG the server digs though my trash

Arm yourself with knowledge: TG NS TF2 BF2
Pokerface is offline   Reply With Quote
Old 10-23-2006, 11:03 AM   #6 (permalink)
 
Join Date: Sep 2003
Age: 39
Posts: 7,524
Re: No-Swipe Credit Cards and You

I don't understand why the card is even storing my personal information. A key that can be used to match my purchases against a record in a secure database seems less crazy.

E.g. instead of "leejo at 123 Fake Street, credit rating of 423" broadcast "consumer #8574632910" and implement the security where it's not flying through the air.

I've worked with web sites and databases that handle secure information, and we used to transmit and store information in a less-than-secure manner until people 1) began to notice; 2) it began to hurt; and 3) someone coughed up the budget to retro-fit security into the systems. My guess is that is happening here. Some developer threw together a data structure with no security to test the system, then wizz-bang it's out in the real world before anyone (other than QA who were shot down by Sales) raised a concern.

This doesn't solve the problem of restricting physical access, or failing to, with these cards. So you don't even have to gain access to the cards any more? Nice.
leejo is offline   Reply With Quote
Old 10-23-2006, 11:08 AM   #7 (permalink)



 
Apophis's Avatar
 
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 35
Posts: 8,868
Re: No-Swipe Credit Cards and You

Quote:
Originally Posted by leejo View Post
I don't understand why the card is even storing my personal information. A key that can be used to match my purchases against a record in a secure database seems less crazy.

E.g. instead of "leejo at 123 Fake Street, credit rating of 423" broadcast "consumer #8574632910" and implement the security where it's not flying through the air.
This is how the Mobil Speedpass works. I agree with you, the RFID chips in credit/debit cards should have a reference number ONLY that corresponds to the actual cardholder information stored in a database at the issuing bank.

This poses a technological hurdle for credit card processors and merchants though, as their systems are not designed for reference numbers, but actual transactions between merchants and acquiring banks through the various processing networks. Mobil gets away with this by storing that data centrally and authorizing Speedpass purchases on their centralized server rather than through the traditional merchant accounts.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
Apophis is offline   Reply With Quote
Old 10-23-2006, 11:19 AM   #8 (permalink)
 
RocketPunch's Avatar
 
Join Date: May 2006
Location: NY, USA
Posts: 1,119
Re: No-Swipe Credit Cards and You

This is bound to happen.

I don't have a problem with this being used on, say, a subway pass (where the value on those cards is usually low), but once it's wired to a credit card with high limits ($7-8k is very common), it becomes a liability, as it has a direct relationship with your credit rating and potentially sensitive information (unlike a subway pass).
__________________
Slow is Smooth. Smooth is Fast!
RocketPunch is offline   Reply With Quote
Old 10-23-2006, 11:24 AM   #9 (permalink)
 
Join Date: Sep 2003
Age: 39
Posts: 7,524
Re: No-Swipe Credit Cards and You

Quote:
Originally Posted by Apophis View Post
This is how the Mobil Speedpass works. I agree with you, the RFID chips in credit/debit cards should have a reference number ONLY that corresponds to the actual cardholder information stored in a database at the issuing bank.

This poses a technological hurdle for credit card processors and merchants though, as their systems are not designed for reference numbers, but actual transactions between merchants and acquiring banks through the various processing networks. Mobil gets away with this by storing that data centrally and authorizing Speedpass purchases on their centralized server rather than through the traditional merchant accounts.
Dude, you could make a fortune as an expert witness once the class-action lawsuits over this get cranked up. Just food for thought.
leejo is offline   Reply With Quote
Old 10-23-2006, 12:10 PM   #10 (permalink)
 
Wimpinator's Avatar
 
Join Date: Jan 2006
Location: United states, TN
Age: 35
Posts: 2,837
Re: No-Swipe Credit Cards and You

RFID cards have brought about a ton of projects that block the RF to the card. Here is an RFID blocking wallet project:
http://www.rpi-polymath.com/ducttape/RFIDWallet.php

Here is a company that makes RFID blocking wallets:
http://www.difrwear.com/
__________________
|TG-6th|Wimpinator
[TGU Staff]




Last edited by Wimpinator; 10-23-2006 at 12:16 PM. Reason: added second URL cause I'm cool like that...
Wimpinator is online now   Reply With Quote
Old 10-23-2006, 12:18 PM   #11 (permalink)
 
P8riot's Avatar
 
Join Date: Oct 2005
Location: Bradenton, FL
Age: 37
Posts: 2,638
Re: No-Swipe Credit Cards and You

To take things a bit further, here is a brilliant idea... let's not protect your passport information either!
__________________


Dungeons and Dragons Online; Thorgaard, Thaumiel and Mahblung
EVE Online Captain Thorgaard OHern; skipper of the Battlecruiser "Jane Says.."
Pirates of the Burning Sea; Pirate Thorgaard O'Hern
Age of Conan Cimmeria; Tharashk, Thaumiel, guild Ars Tactika
P8riot is offline   Reply With Quote
Old 10-23-2006, 12:23 PM   #12 (permalink)
 
xTYBALTx's Avatar
 
Join Date: Aug 2005
Posts: 3,762
Re: No-Swipe Credit Cards and You

But P8, I love it when people in foreign countries can know my name and nationality from across the street! Perfect for exotic locales such as Colombia.
__________________
Current good song: Justice - Stress

"$250,000 a year won't get me to Central Park West."
xTYBALTx is offline   Reply With Quote
Old 10-23-2006, 02:04 PM   #13 (permalink)
 
P8riot's Avatar
 
Join Date: Oct 2005
Location: Bradenton, FL
Age: 37
Posts: 2,638
Re: No-Swipe Credit Cards and You

It's so NICE when a stranger can call you by your first name!

.. and last name
.. and SSN
.. and birthdate
__________________


Dungeons and Dragons Online; Thorgaard, Thaumiel and Mahblung
EVE Online Captain Thorgaard OHern; skipper of the Battlecruiser "Jane Says.."
Pirates of the Burning Sea; Pirate Thorgaard O'Hern
Age of Conan Cimmeria; Tharashk, Thaumiel, guild Ars Tactika
P8riot is offline   Reply With Quote
Old 10-23-2006, 02:04 PM   #14 (permalink)
 
Quest Shady's Avatar
 
Join Date: Jan 2006
Location: Brandon, FL
Age: 37
Posts: 795
Re: No-Swipe Credit Cards and You

This whole thread reminded me of an interview that I heard with Liz McIntyre, who wrote a book called Spychips. I haven't read the book yet, but it is on my list of "to read".

Brief Bio on Liz
Liz McIntyre is a consumer privacy expert and author of the book Spychips: How Major Corporations and Government Plan to Track your Every Move with RFID. In this book, McIntyre and co-author Katherine Albrecht expose how organizations like Procter & Gamble, Gillette, Wal-Mart, and even the U.S. Postal Service plan to use tiny computer chips smaller than a grain of sand to track everyday objects and even people, keeping tabs on everything you own and everywhere you go.

At some point it seems a little far-fetched, but on the other hand I know that the major companies want to know everything about every little habit I have to be able to market to that need. Of course they tout it as being a system for theft prevention and child safety, which allows them to step by step get to their goal…which is either Make more Money or Gain more Control…or usually a bit of both…

Seems to me like there are better more secure ways to do things but I guess we shall see what happens...
__________________



Health and Wellness are not accidents. Take Action Now!
Quest Shady is offline   Reply With Quote
Old 10-23-2006, 02:06 PM   #15 (permalink)
 
Steeler's Avatar
 
Join Date: Aug 2005
Location: Taxachusetts
Age: 30
Posts: 2,925
Re: No-Swipe Credit Cards and You

Stuff like that gets my inner Luddite all a-rage.
__________________
Steeler is offline   Reply With Quote