
Alright, this is getting out of hand. We were a little wary at first when we heard about tying RFID so closely to our monies, and that Chase Bank blink card of ours has been collecting dust ever since it showed up in the mail, but the latest failings of RFID "security" have us running for the hills -- tin foil hat in tow. Apparently some UK scoundrels teamed up with a crooked gas station attendant to nab credit card numbers from RFID smart card-enabled credit cards. They then stashed this info on the magnetic strips of phone cards, and flew over to India to make withdrawals. Since Indian ATMs don't require the double identification of RFID smart card and magnetic strip, just the strip, they were able to manage quite a bit of cash before a vigilant security guard spotted them making withdrawals from multiple cards in succession. The gang of four men were caught with $14,000 and 116 credit cards. To make things worse, the UK Cyber Crime Unit wasn't even aware of the existence of RFID chips (makes sense, since the cards don't use such technology), and we're not sure what's to stop another group of clever hackers making off with another set of credit cards and forever ruining any hope of security we've managed to hold onto so far.
UPDATE: Turns out there was some serious misinformation floating around, since UK cards don't even use RFID, but instead operate with smart cards that require physical contact. This makes roughly 95% of our ranting completely irrelevant, but the heist is disconcerting all the same.
[Via Boing Boing]
Reader Comments (Page 1 of 1)
Scott Lippert @ Aug 9th 2006 1:21PM
thoroughly?
Benjamin @ Aug 9th 2006 1:23PM
It is ridiculous that you would call this a security breach.
First of all, you mention a crooked gas station attendant. If you have someone at the point-of-sale terminal willing to swipe the cards into something that stores the numbers for nefarious purposes, then what is the difference in security of magnetic strip vs. RFID?
There isn't. People simply are afraid of wireless transmissions and are making stupid and unfounded accusations. This article does not mention how the thieves managed to get a PIN for the ATM transactions, but they didn't get it off the RFID, which is the main point of this article.
Handing your RFID card to someone at a counter is just as dangerous as handing them your magnetic strip. Get over your new technology heebie jeebies.
-Benjamin
Guruboy @ Aug 9th 2006 1:25PM
I agree with Ben, the main point was that these guys had access to some arse-hole who got them the credit card numbers.
chris @ Aug 9th 2006 1:33PM
this wasn't even rfid (source article was updated), it's a contact based system.
still doesn't say where they got the PIN numbers.
abigsmurf @ Aug 9th 2006 1:37PM
erm this article is just plain incorrect. UK Chip and pin bank cards are smart cards that require physical contact with the chip. They don't use RFID technology at all.
The vulnerability comes from out of date equipment elsewhere in the world and shoddy monitoring by banks who fail to spot fraudulent use of a card. Nothing to do with any inherent flaws with smart card technology itself.
Finished.Law.School @ Aug 9th 2006 1:45PM
"UK Cyber Crime Unit wasn't even aware of the existence of RFID chips"
so what exactly are these useless idiots aware of???? are they part of the group of retards who think that the internet is made of pipes??
abigsmurf @ Aug 9th 2006 1:55PM
Finished law school: They aren't aware of them because RFID chips aren't used on UK bank cards. The article was poorly researched
treetrunk @ Aug 9th 2006 1:58PM
As has been pointed out, this has got nothing to do with RFID. UK bank and credit cards use the chip & PIN system - there's a chip in the card which stores its information, and you enter a PIN to a terminal to authorise a transaction. Magnetic strips are still present for compatibility with old equipment - though since 14th February any retailer who accepts payment without a PIN is liable for the value of the transaction in case of fraud.
All that's happened here is a crooked checkout operator has swiped the magnetic strips the old-fashioned way, and then either doctored the PIN terminal (it's been done before) to keep a record, or more simply watched the customer type the PIN in. The crooks then went to a country with old cash machines which only need the magnetic strip, and entered the PINs. Nothing new here.
spanik @ Aug 9th 2006 2:22PM
Well they didn't have to bother going all the way to India, then banks skimming out withdrawal charges, etc.
Sadly enough, all ATMs in Spain accept plain vanilla magnetic cards, so you better check for suspicious bulges around the card slots (cloning devices) before you push anything in there. Don't judge too quickly, though--some banks started attaching bulges of their own. I suppose the bad guys are cantilevering their cloners by now.
On the other side, dealing with magnetic technology from the 70s and bulges from the Cambric Era may make us smarter, somehow.
TroyG @ Aug 9th 2006 2:30PM
And to add to it (even though these weren't RFID cards in the article): RFID cards do NOT transmit your credit card number! They receive a coded transmission from a merchant requesting authorization for a transaction, and they return a response good for one use, at that one merchant, for one specific amount. (Wish I could find the article that explains all of this.)
I,Robot @ Aug 9th 2006 3:00PM
It doesn’t matter HOW the thieves got the information, the point is, THEY GOT IT! A lot of good the “RFID tags” did to stop it! Not only did it NOT WORK, but it seems easier to steal the money in the first place, by just getting around the system. And a security system that you can get around is f_ucking USELESS! No matter how sophisticated it is.
This was a hard and embarrassing lesson that Chase Bank clearly needed to learn. So the next time, when people tell them, “We DON’T want RFID’s” maybe they’ll actually LISTEN! Why did it take a couple of old security guys walking around in India to stop cyber criminals? What the hell were the overpaid, big gunned, professionals doing in the middle of all this? Chilling in the back, drinking coffee, and looking at porn? WTF?
This has NOTHING to do with techno-fear, and everything to do with PISSED-OFF! Which I would have been, if that was MY money running off in India.
Jeff @ Aug 9th 2006 3:09PM
"Get over your new technology heebie jeebies."
So I guess you'll be first in line for the new RFID-enabled passports that have already been cracked?
The answer to security isn't more technology, it's less technology. This is true 100% of the time; it's a variant of Occam's Razor. The more complex you make security, the easier it is to bypass it. Any technology can always be defeated with other technology. If you want a more secure door, you don't outfit it with lasers and sensors. You make a thicker door.
This article may be incorrect in its reference to RFID, but your seeming blanket embrace of technological security measures (like RFID) is wholly misguided. You're missing the point.
Martin @ Aug 9th 2006 3:25PM
Bugger, even the crooks are outsourcing to India now..
Seriously, in the UK I would prefer chip 'n pin **AND** for them to take a signature. Currently shops don't even check the card any more, just slap it in the machine and type your pin.
Maff @ Aug 9th 2006 4:19PM
as stated above, they should check the card, I use my wife's all the time cos it's Chip n PIN so the retailer never looks to see it says Mrs on it.
Finished.Law.School @ Aug 9th 2006 4:27PM
They need to start using a combination iris scan and thumb print or DNA swab of some sort at the point of sale. That would solve all of these problems...
Erinford @ Aug 9th 2006 4:37PM
Oh for God's sake. Luddites unite. 1) This was an old fashioned credit card skimming scam. The fact it happened in the UK with chip enabled cards is nothing but journalistic spice. This happens regularly with old fashioned mag stripe cards and is rife in non-smart card countries including the US.
2) Engadget get your techno facts right. RFID is NOT used in passports or credit cards. That technology is ISO 14443 and is as similar to RFID as an abacus is to a computer. Both are contactless technologies but one has a ton of inbuilt security and the other doesn't. To try and equate the two does a disservice to the community, the public and your reputation. Do your research so we can have an intelligent discussion on the pros and cons of new technology.
Scotty @ Aug 9th 2006 4:57PM
Yessir, Mr. Erinford sir!
Benjamin @ Aug 9th 2006 5:39PM
Kudos Erinford!
Justin @ Aug 9th 2006 6:49PM
I agree with the technology-lovers above. This has zero to do with the smart card technology, which would have in fact prevented this theft.
Also, I quite like my RFID credit card. I keep it in my wallet, and it barely works when I tap the whole shebang on the reader - just right. As an American who grew up in Hong Kong, I was very used to my Octopus card, and have been used to my RFID school ID to get into my building for the last three years. Anyone who can steal the information from you with RFID, especially with a credit card, would be much better served just to read the strip.
Jay @ Aug 10th 2006 1:53AM
What's the big deal? Most card companies have 0 fraud liability and I do believe that federal law sets each victim's liability limit at somewhere between $25 and $50. People have been skimming credit card numbers at restaurants and gas stations and any other places that you lose physical sight of your card for years.
I personally work in Loss Prevention and I have access to -everyone's- credit card numbers that buys something from my store. Even some regular employees have this access. Honestly, just because they put a more convenient lock on your house, doesn't mean more people are going to break in. If they want in, they'll get in, if they want to use your card, they'll use it. Simple as that.
Engineer @ Feb 11th 2008 2:11AM
Some people in the UK wipe the data from the magnetic strip on the chip and pin card. Seems like a good idea as it prevents this kind of attack, but it does mean you can't use the card in a lot of places.
Some people are even more cunning and rewrite the strip so it holds their loyalty card info or their access card details :-)
Tom @ Aug 10th 2006 7:14AM
This used to happen all the time before chip and pin (and is still prevalent now). It's why you're asked to look for signs of tampering on ATMs. Basically the thief places a card reader in front of the slot and points a camera at the keypad to film you entering the pin. The information from the card reader is then collected and transferred to a phone card which can then be used in any ATM. Of course chip and pin makes it more difficult with more and more ATMs checking the chip as well as the magnetic strip, which is why in this case the crooks went abroad, but you could probably still work it in the UK if you wanted. Old news.
lee @ Sep 14th 2006 11:45AM
THERE IS NO RFID IN THE UK, I SHOULD KNOW I LIVE HERE