No-Swipe Credit Cards and You

  • No-Swipe Credit Cards and You

    This is something I've been working on, reading data off RFID-equipped credit and debit cards without the cardholder's knowledge. The New York Times just did an article on this as well. Since it's breached into the realm of public disclosure, I'm more than happy to share:

    The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

    But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

    They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.
    Full Article

    Basically, if you have one of these "PayPass" or other-labeled cards that allow you to just touch your card to a payment terminal without being swiped, you could very well be vulnerable to this type of credit card theft. I've successfully done this with RFID based access cards to get into buildings and have played with Credit/Debit cards as well.

    You can buy equipment capable of doing this for around $75 right now. If you have a Windows CE based PDA, it's relatively easy to modify the RFID antenna to be mounted externally via a wire running down your sleeve. You can hold the RFID antenna concealed in your hand, and walk through a city grabbing card numbers left and right.

    There are plans out on the net for a low-powered EMP generator that can be built out of a disposable camera. You could use one of these EMP devices to effectively fry the RFID chip on your card to prevent this type of theft, but you'll also render your card inoperable with any device that requires the RFID chip to be intact.

    Keep this in mind; your card information can be read through your pants, through your wallet, by someone walking by you or in very close proximity. I think we're going to start seeing this type of card theft in the wild within the next 6-12 months.
    Diplomacy is the art of saying "good doggie" while looking for a bigger stick.

  • #2
    Re: No-Swipe Credit Cards and You

    I've often wondered: Given the numerous and demonstrable security flaws of RFID systems, what is the momentum driving their implementation? Chips for your credit cards, chips for your car, your pets, for your kids. What the Hell?
    In game handle: Steel Scion
    • #3
      Re: No-Swipe Credit Cards and You

      Originally posted by Steeler View Post
      I've often wondered: Given the numerous and demonstrable security flaws of RFID systems, what is the momentum driving their implementation? Chips for your credit cards, chips for your car, your pets, for your kids. What the Hell?
      Personally, I think it's driven by the industry's excitement to use this new technology. It's been known for some time now that RFID can be extremely weak, yet many companies are still moving forward with this type of weak technology.

      I also don't see the value in an RFID equipped card. If you can just swipe your card with a magnetic stripe reader, what's the advantage of still having to pull out your card to tap the RFID reader and transmitting that same information wirelessly?
      Diplomacy is the art of saying "good doggie" while looking for a bigger stick.

      • #4
        Re: No-Swipe Credit Cards and You

        Originally posted by Steeler View Post
        I've often wondered: Given the numerous and demonstrable security flaws of RFID systems, what is the momentum driving their implementation? Chips for your credit cards, chips for your car, your pets, for your kids. What the Hell?
        I also say what the hell?


        • #5
          Re: No-Swipe Credit Cards and You

          Dugg.

          RFID seems like a perfectly ducky technology, but I can't imagine wanting any personal information worth anything broadcast out like that.

          Tracking inventory? Sure. EZPass? I'll bite to save the time. Avoid swiping a credit card? That's jumping the laziness shark right there.
          [volun2]
          NS Game Officer. TF2 Admin. BF2 Admin / Scripter. PM with issues.
          Tempus: Pokerface is nailing it right on the head. Everyone who is arguing against him is simply arguing against reality.
          <anmuzi> it is not permitted to have privacy or anonymity
          <LazyEye> yeah when I play on TG the server digs though my trash

          Arm yourself with knowledge: TG NS TF2 BF2

          • #6
            Re: No-Swipe Credit Cards and You

            I don't understand why the card is even storing my personal information. A key that can be used to match my purchases against a record in a secure database seems less crazy.

            E.g. instead of "leejo at 123 Fake Street, credit rating of 423" broadcast "consumer #8574632910" and implement the security where it's not flying through the air.

            I've worked with web sites and databases that handle secure information, and we used to transmit and store information in a less-than-secure manner until people 1) began to notice; 2) it began to hurt; and 3) someone coughed up the budget to retro-fit security into the systems. My guess is that is happening here. Some developer threw together a data structure with no security to test the system, then wizz-bang it's out in the real world before anyone (other than QA who were shot down by Sales) raised a concern.

            This doesn't solve the problem of restricting physical access, or failing to, with these cards. So you don't even have to gain access to the cards any more? Nice.

            • #7
              Re: No-Swipe Credit Cards and You

              Originally posted by leejo View Post
              I don't understand why the card is even storing my personal information. A key that can be used to match my purchases against a record in a secure database seems less crazy.

              E.g. instead of "leejo at 123 Fake Street, credit rating of 423" broadcast "consumer #8574632910" and implement the security where it's not flying through the air.
              This is how the Mobil Speedpass works. I agree with you, the RFID chips in credit/debit cards should have a reference number ONLY that corresponds to the actual cardholder information stored in a database at the issuing bank.

              This poses a technological hurdle for credit card processors and merchants though, as their systems are not designed for reference numbers, but actual transactions between merchants and acquiring banks through the various processing networks. Mobil gets away with this by storing that data centrally and authorizing Speedpass purchases on their centralized server rather than through the traditional merchant accounts.
              Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
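
The reference-number design proposed in posts #6 and #7, as an added example that is not part of the original thread or any card network's code: the card broadcasts only a random reference, and the issuer's database is the only place it resolves to an account. The class, function and account names are hypothetical and the cardholder record is constructed.

```python
import secrets

class IssuerVault:
    """Issuer-side database: the only place cardholder data lives."""

    def __init__(self):
        self._accounts = {}  # account_id -> name, limit, amount spent
        self._tokens = {}    # active reference number -> account_id

    def open_account(self, account_id, name, limit):
        self._accounts[account_id] = {"name": name, "limit": limit, "spent": 0}
        return self.issue_token(account_id)

    def issue_token(self, account_id):
        # Random, so the reference cannot be reversed into account data.
        token = secrets.token_hex(16)
        self._tokens[token] = account_id
        return token

    def reissue(self, old_token):
        # Retire a captured reference; the account itself is unchanged.
        account_id = self._tokens.pop(old_token)
        return self.issue_token(account_id)

    def authorize(self, token, amount):
        account_id = self._tokens.get(token)
        if account_id is None:
            return "DECLINED: unknown or revoked reference"
        acct = self._accounts[account_id]
        if acct["spent"] + amount > acct["limit"]:
            return "DECLINED: over limit"
        acct["spent"] += amount
        return "APPROVED"

def card_broadcast(token):
    """Everything the card puts on the air: the reference number only."""
    return {"ref": token}

def demo():
    vault = IssuerVault()
    token = vault.open_account("acct-0001", "Constructed Cardholder", 500)
    captured = card_broadcast(token)       # what an eavesdropper would record
    purchase = vault.authorize(token, 40)  # normal purchase by the cardholder
    new_token = vault.reissue(token)       # cardholder reports the card
    stale = vault.authorize(captured["ref"], 40)
    fresh = vault.authorize(new_token, 40)
    return captured, purchase, stale, fresh
```

A static reference can still be presented by whoever captured it until the issuer retires it; what the design changes is that the captured data carries no cardholder details and can be revoked without touching the account.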

              • #8
                Re: No-Swipe Credit Cards and You

                This is bound to happen.

                I don't have a problem with this being used on, say, a subway pass (where the value on those cards is usually low), but once it is wired to a credit card with high limits ($7-8k is very common), it becomes a liability, as it has a direct relationship with your credit rating and potentially sensitive information (unlike a subway pass).
                Slow is Smooth. Smooth is Fast!

                • #9
                  Re: No-Swipe Credit Cards and You

                  Originally posted by Apophis View Post
                  This is how the Mobil Speedpass works. I agree with you, the RFID chips in credit/debit cards should have a reference number ONLY that corresponds to the actual cardholder information stored in a database at the issuing bank.

                  This poses a technological hurdle for credit card processors and merchants though, as their systems are not designed for reference numbers, but actual transactions between merchants and acquiring banks through the various processing networks. Mobil gets away with this by storing that data centrally and authorizing Speedpass purchases on their centralized server rather than through the traditional merchant accounts.
                  Dude, you could make a fortune as an expert witness once the class-action lawsuits over this get cranked up. Just food for thought.

                  • #10
                    Re: No-Swipe Credit Cards and You

                    RFID cards have brought about a ton of projects that block the RF to the card. Here is an RFID blocking wallet project:
                    http://www.rpi-polymath.com/ducttape/RFIDWallet.php

                    Here is a company that makes RFID blocking wallets:
                    http://www.difrwear.com/
                    Last edited by Wimpinator; 10-23-2006, 12:16 PM. Reason: added second URL cause I'm cool like that...
                    Retired 6th DB

                    • #11
                      Re: No-Swipe Credit Cards and You

                      To take things a bit further, here is a brilliant idea... let's not protect your passport information either!

                      • #12
                        Re: No-Swipe Credit Cards and You

                        But P8, I love it when people in foreign countries can know my name and nationality from across the street! Perfect for exotic locales such as Columbia.
                        A policy of freedom for the individual is the only truly progressive policy. -F.A. Hayek

                        "$250,000 a year won't get me to Central Park West."

                        • #13
                          Re: No-Swipe Credit Cards and You

                          It's so NICE when a stranger can call you by your first name!

                          .. and last name
                          .. and SSN
                          .. and birthdate
                          • #14
                            Re: No-Swipe Credit Cards and You

                            This whole thread reminded me of an interview that I heard with Liz McIntyre who wrote a book called Spychips. I haven't read the book yet but it is on my list of "to read".

                            Brief Bio on Liz
                            Liz McIntyre is a consumer privacy expert and author of the book Spychips: How Major Corporations and Government Plan to Track your Every Move with RFID. In this book, McIntyre and co-author Katherine Albrecht expose how organizations like Procter & Gamble, Gillette, Wal-Mart, and even the U.S. Postal Service plan to use tiny computer chips smaller than a grain of sand to track everyday objects and even people, keeping tabs on everything you own and everywhere you go.

                            At some point it seems a little far-fetched but on the other hand I know that the major companies want to know everything about every little habit I have to be able to market to that need. Of course they tout it as being a system for theft prevention and child safety which allows them to step by step get to their goal…which is either Make more Money or Gain more Control…or usually a bit of both…

                            Seems to me like there are better more secure ways to do things but I guess we shall see what happens...



                            Play MySpace games? PeepsDepot.com to get all the Peeps you need for any game!

                            Wii# 5935-7920-5346-8754 | PS3:TheeShadyB | XBOX 360:TheeShadyB

                            • #15
                              Re: No-Swipe Credit Cards and You

                              Stuff like that gets my inner Luddite all a-rage.
                              In game handle: Steel Scion