Researchers hack RFID credit cards. Big surprise.
RFID has been riddled with so many problems, it's amazing that anyone even has a shred of confidence in this technology at all. Our latest security problem du jour is that credit card companies are apparently issuing plastic that relays your digits wirelessly; as you might have guessed, security researchers are checking into this, and in a demonstration for The New York Times, easily hacked a University of Massachusetts computer science professor's newfangled RFID credit card. In short order (and with his permission), a researcher working with RSA Labs was able to steal the professor's name and credit card number that was being transmitted in cleartext -- thereby poking massive holes in Visa, MasterCard and American Express' claims that these card include "the highest level of encryption allowed by the U.S. government." Predictably, the credit card companies have already dismissed claims that the populus will be greatly affected by this hack. Brian Triplett, senior vice president for emerging-product development for Visa, told the Gray Lady: "This is an interesting technical exercise, but as a real threat to a consumer - that threat really doesn't exist." Well, Brian, care to put your plastic where your mouth is?[Via TechDirt]
Filed under: Misc. Gadgets, Wireless
Reader Comments (Page 1 of 2)
Juaquin @ Oct 23rd 2006 7:18PM
Are the credit card numbers encoded into the chip so that they can be changed without direct contact?
If so, I could get a credit card with an RFID chip, read your chip, and then change my chip to have your number. Everything would look fine to the retailer, but I just charged your account.
However, if the number on the chip can not be altered, there's not a whole lot you can do by just reading the number. A retailer won't accept a number without a card, and online sites require the security code printed on the card - of course, this assumes that that security code isn't also stored in the chip.
While I don't like it that numbers can be read, if the chips can not be altered, then armageddon isn't coming. A security risk? Yeah. A catastrophe? No.
v0dka @ Oct 23rd 2006 7:55PM
>>A retailer won't accept a number without a card
Says who? These are RFID, the cashier wouldn't give a second thought to you just swiping your wallet (or a device that looks like a wallet) a foot in front of the reader.
Noneformethanks @ Apr 21st 2008 3:02PM
If you did a search on credit card security and hacking and did some reading, you might discover that anyone can buy a mag strip reader/writer and use it to print your credit card. They cost less than $100. Then someone could get your info., clone your card, and use it wherever they want. Not to mention, they could save themselves the trouble and just max out your limit with online purchases where just the number and info. stored on the chip would be more than enough. If this isn't a security catastrophe, then what is?
Furthermore, what is the point of these stupid RFID chips anyway? So I can save my self 0.87123234 seconds swiping my card at the register? I don't see what the big advantage is. I would rather swipe it through like always and know that if someone is going to steal my identity it will at least take a little more effort than hiding nearby with a laptop and picking up RFID signals...isn't the ID theft crisis bad enough as it is?
rwg @ Jul 17th 2008 10:25AM
In 10 years, I’ve had 3 credit cards compromised, where people had the number and used the card without the printed number on the back and me being present. In 2 of the cases, the company claimed I was present and signed for the merchandise. I was able to prove that I had been to Europe in 5 years, therefore could not have been present for the purchase.
In other words, having a credit card number and expire date is enough for thief of items.
johnathan @ May 14th 2007 5:41PM
have you ever hacked a credit card number if you have can i have it
moua @ Oct 23rd 2006 8:07PM
What if you have multiple cards in your wallet ?
cami @ Jan 9th 2007 1:15PM
Funny, that happened to me. I knew I had one chipped card in my wallet...but didn't realize I had two. So instead of pulling out the right card and swiping it, I swiped the entire wallet and my receipt showed the one I wouldn't have pulled out. It seems it took the first one, which was closer to the reader (in my case).
Jon @ Oct 23rd 2006 8:14PM
Cyrus - you should have mentioned the MasterCard exec in that article, saying that taking a "small sample" of 20 cards doesn't represent the industry. To me that's like saying that finding a security hole in fresh installations of Windows on 20 machines doesn't represent other computers running Windows. Sure, there are hundreds - if not thousands - of card issuers, but THE CARDS ARE THE SAME! Every card uses the same protocol - if I have an RFID-enabled MasterCard that stores my name and CC# in plain text, why would another RFID MasterCard not store it? Why would ANY of them store that information if it wasn't necessary to make a transaction?
I don't want to sound like a n00b, but when I use the RFID on my AmEx at CVS (the only local retailer that uses EspressPay right now), the register reads RF with a CC# that's masked except the last 4 digits, as usual.
The last 4 digits don't match the ones on my card, and my name shows up nowhere on the receipt. This lead me to believe that there was a different authentication process for RF transactions, at least through AmEx, that required nothing more than having the RFID chip present. (No ID, no signature, and neither my name nor the regular CC# is involved).
I'd guess that putting the CC# and name on the card would allow for cheaper implementation of RFID readers at retailers, but at least encrypt it! It's just stupid to leave it sitting there waiting to be pulled.
potato @ Oct 23rd 2006 8:14PM
1. I really don't get why RFID credit cards are even necessary. Last time I checked the act of swiping a plastic card through a magnetic reader is not rocket science, nor are we likely to experience a surge in checkout-line productivity just because of it. What's wrong with swiping? This seems like fixing a problem that doesn't exist.
2. The RFID is most likely printed on a layer sandwiched between layers of your card - it would likely not be programmable. That said, there's nothing stopping a hacker from producing (at medium/high cost) a card that DOES have a programmable RFID chip.
3. Why RFID? Why not a smart card? A card that has some internal processing capability, instead of just broadcasting its payload on cue. A card that uses a challenge/response system to verify its identity instead of transmitting confidential information over the air?
This is stupid. I'm never getting one of these fraud-waiting-to-happen cards.
moua @ Oct 23rd 2006 8:50PM
RFID IS a smartcard, but with antenna.
However i agree with you.
Here in France, we use only chip since at least 15 years. This allow a way better security (That's also one reason why merchant pay less commission than US merchant on transactions), especially on "offline" transactions.
However, there is also many RFID test here.
Or more precisely, NFC test with mobile phone.
And with amex, visa, mc, JCB, ect... on NFC forum,
we can expect a worldwide contactless standard for payments, like EMV is for smartcards.
Karl @ Oct 23rd 2006 8:52PM
RFID production at high cost? Not at all. At my uni (electronic engineering dept.), we can make all the RFID devices we like. We can make extremely thin, extremely small RFID storage devices, and stick them on to the back of a normal card. When you swipe it, it all looks legit.
With RFID, the biggest problem is that by monitoring a transaction's requests and responses, you could spoof the whole thing. That limitation is built in to RFID.
Create a small chip that duplicates the responses, and bingo! You have yourself a credit card duplicate.
It's hard to find a quick, cost-effective and secure way to pay with credit cards. RFID is so not it.
twin @ Oct 17th 2008 12:58AM
where do you get the machine from
Vexorg @ Oct 23rd 2006 8:43PM
In other news, an individual has been arrested for stealing and impersonating the identity of Brian Triplett, senior VP of emerging product development for Visa and issuing inane statements concerning the security of RFID-based credit cards.
Alwynne @ Nov 2nd 2006 2:45PM
Hi Karl -- don't know if you'll see this post. I am a journalist working on a story about this RFID stuff. It's very interesting and I'm trying to find an engineering student who would know how to put together an RFID reader for CCs. I'm located in Toronto, so not sure where you are. But if you know anyone who could help me out, please respond. I'm really interested in getting out to the public how low-cost readers could be made.
Cheers -- Alwynne Gwilt
gwilta@toronto.cbc.ca
blake @ Oct 23rd 2006 8:52PM
Jon,
refering to your credit card number and how your name shows up on the reciept has nothing to do with the fact your card is rfid. its has to do with the machine and what it prints on your reciept. some places disclose more information on their reciept than others.
V0dka,
as far as a retailer not takeing numbers, there are plenty of places that would. the person that is hacking rfid for peoples information is not going to go to a local store and purchase. most likely they have a more sophisticated plan of attack.
blake @ Oct 23rd 2006 8:59PM
i think the cards idea will still take off, and it would be a case by case basis of identify theft. it sounds like a great idea and would make checking out for your favorite soft drink would be that muchs easier. ill stick to the swipe method.
jon, are you sure you got the correct reciept?
Dmnkly @ Oct 23rd 2006 9:08PM
Please correct me if I'm wrong, but since consumers aren't responsible for fraudulent charges, aren't the credit card companies the only ones shouldering the risk? And as such, should any security risk really bother us that much if it doesn't bother them? Of course, it would be an entirely different story if this put other personal information at risk, but if it's just a name and a card number, I don't see what consumers have to lose, aside from the inconvenience of potentially having to fill out a fraudulent charge affadavit.
potato @ Oct 24th 2006 12:28AM
> Please correct me if I'm wrong, but since consumers aren't responsible for fraudulent charges, aren't the credit card companies the only ones shouldering the risk?
Not exactly. The fees that VISA and other CC companies charge are based partially on the level of fraud that goes on. Increased fraud makes life difficult for everyone, as it adds a very heavy overhead to the CC's operating costs.
todd sims @ Feb 5th 2007 1:46PM
The credit card companies don't shoulder the risk, the merchants do. Even worse they profit from it by charging the merchants additional fees for fraudulent charges. They have no motivation to fix the problem.
Phour ZwanZig @ Oct 23rd 2006 9:11PM
"the highest level of encryption allowed by the U.S. government."
I like that.. And ppl are able to hack it.. That just tells me that the Gov. doesnt want us to be able to encrypt stuff tightly so that they cant get in it.. Cuz if this is the highest lvl of encryption allowed by the Gov, shouldnt they be using it too.. LOL..
Gov doesnt care when it comes to our personal data, but if its TopSecret Documents for them its a whole nother ballgame.. We really need to set our Gov straight..
rcme @ Oct 23rd 2006 10:01PM
I have an Amex card with the RFID chip (ExpressPay).
I don't see any advantage whatsoever with the RFID or that it could be any faster than simply swiping the magstripe on the card. Our local McDonalds has an ExpressPay reader in the same device as the magstripe reader. So how is RFID any quicker? I have to take the card out to "swipe" it past the RFID reader, where 1cm away I can just as easily, and just as quickly, swipe the magstripe.
The argument about being able to "swipe" my wallet past the reader, without having to take the card out, is equally bogus. I have two different RFID enabled credit cards, which one is used when I "swipe" my wallet?
This Amex card replaced my previous Amex card which had a smartcard chip (contact style). I recall that when that card first came out, Amex was offering smartcard readers for your computer. When I called Amex about it, their customer service folk didn't know anything about the smartcard feature, or what applications their smartcard reader worked with. Destined to failure.
After receiving this new RFID Amex card, I called to activate it, and I immediately requested the ExpressPay feature disabled. Again, the customer service folk had no idea about the RFID capabilities of the card or what the ExpressPay feature was. It took a couple of handoffs through customer service before I got to a rep that knew what ExpressPay was and that it could be disabled, so no charges from ExpressPay would be accepted. Again, destined to failure.
Ryhan @ Sep 28th 2007 2:11AM
Actually in Japan ('round saitamaken) we use the Suica card, and I find it VERY usefull. Used mainly for the train/subway system, these card let me quickly walk through, because i just drag my wallet across a pad rather than trying to swipe a card through a narrow slit...
Chris Smith @ Oct 23rd 2006 10:05PM
To the first poster... Juaquin .... it's not about the retailer accepting the card or not. We're both on the web, as well as a billion other people. Throw that information into an online shopping site and have the merhandise shipped to a house where the thief is waiting to recieve the delivery from the UPS man while the family is away at at work during the day. That's the power of getting the credit card info. If the info is not secure then it's not secure. That is problem enough.
It's all catastrophe because they're talking about putting these RFIDs in my passport, and your passport, and everyone else's passport... like next time I'm in Hong Kong I want my personal info shooting out into the stratosphere for little RFID readers to sniff up. No thanks! ;^)
sturat @ Oct 24th 2006 1:02AM
remember when the general public found out about freaking and that you could buy that little tone dialer and crystal at radio shack? well, i assume that since credit card fraud is already a pretty hefty problem, it'd be only a matter of time before the methods of doing this along with easily acquired portable readers would be out. go to the airport, a guy with a reader in a bag bumps into you and gets your passport info. a guy bumps into you with a reader in his back pocket and gets your credit card number. couldn't be good.
of course, nobody can resist defying the laws of common sense so that they can swipe their card in the air rather than in a slot, so i'm going rfid everything. they make rfid pants?
Juaquin @ Oct 23rd 2006 11:39PM
Chris, you missed my argument about how most online retailers require the "security code" printed on the card in order to complete a transaction. Unless this code is stored on the chip, if I just read the chip, I don't get the code, and then I can't use the credit card number online.
Vodka: A valid point. Of course, this is easily prevented by actually checking ID against the name on the card. The same problem occured years ago when retailers would actually just take a credit card number. Then retailers implemented a policy where ID has to be checked against a physical card. In much the same way I think the retailers will implement a similar policy with regards to RFID.
To me, the only problem with RFID that wasn't a problem with magnetic strips is that now thiefs can access the stored info from a certain distance away. Every other security risk is the same as before.
I'm not in favor of RFID implementation in any personally identifiable form (I'll never have any of these cards), but I think it's going to catch on with the public at large, and thus we all shouldn't freak out because in reality it's not that much more insecure than a magnetic card.
Dan @ Sep 28th 2007 7:55PM
PacketMonkee: these things use a thin wire coiled inside the card as an antenna (usually in a square shape). If you'd rather not have RFID, it's nothing an office hole-punch won't sort out ;)
And I'm quite sure they'll continue backwards compatibility the same way contact-chip cards still have the magnetic stripe - so as long as you're careful about where you cut the wires (don't cut the chip, don't punch through the magnetic stripe...) it should be fine - no doubt people will be posting instructions on the web before long :)
PacketMonkee @ Oct 24th 2006 3:51AM
Unfortunately there will come a day when you HAVE to have one of these cards. You will HAVE to have a personal ID card. You WILL conform.
If you don't have these cards, you can't be a part of the society that enforces their use.
It will happen. (c:
hmmmm @ Oct 24th 2006 1:11AM
I was just wondering why a pic of ABSA credit cards (South African Bank) is used with this story that otherwise plays out in the USA and does not have any apparent connection to SA or ABSA.
RE @ Sep 30th 2007 1:21PM
Stock image of credit cards?
DeaDGoD @ Oct 24th 2006 4:03AM
I knew that this would be a bad idea, both because it's not as secure as they want you to think (duh! nothing is ever as good as they want you to think), and the express pay is just plain dumn... Like it's so hard to swipe your card in the reader...
par @ Oct 24th 2006 6:09AM
"the highest level of encryption allowed by the U.S. government."
huh? A limit is set by the goverment?
Scorpious @ Oct 24th 2006 9:56AM
What really worries me is not so much the credit cards with RFID... what happens when they start putting RFID's in debit cards? It's relatively easy to dispute a transaction on your credit card, but when it's your debit card they're hitting, it's a whole other ballgame, 'cause that money is gone before you even get a chance to dispute it. Not to mention the fact that if they were to get your actual bank account info from the card (which I don't know if they would store that on the card or whatever), you'd be screwed, blued, and tattooed. One pass of the reader close enough to your card, even your credit card, could easily lead to a good six to twelve months of fighting to clear up the mess from someone stealing your identity. No thanks, I'll pay with cash, thank you very much.
Justin @ Oct 24th 2006 10:45AM
I love my Amex's RFID. It has a different Account number than my AMEX it's self or so when ever I use my RFID it prints a different last four on my receipt. The biggest benefit I like about the RFID is not having to sign my name.
And does RFID really transmit that far? I'd be more scared of someone actually mugging me and stealing my cc than someone stealing my # via a RFID reader.
JeffM @ Sep 28th 2007 2:05AM
Agree. ExpressPay offers marginal increase in convenience.
I too am more concerned with being mugged and mauled versus some white collar crime with some guy getting a hold of my Amex credit.
Tower @ Oct 24th 2006 5:08PM
At least if you are mugged, you know it, But if your info is stolen with RFID, you may not know it until your new mortgage application is turned down!!! And the steal can happen anywhere! street corner, restaurant, movies, stores, bus stop, 7-11, anywhere!!!
Eddie @ Oct 24th 2006 7:12PM
I know i must be wrong... PLEASE tell me I'm wrong...:
SO basically, all you have to do is read the date (encrypted or not, it doesn't matter) that the RFID chip is transmitting, put that into a new one, and swipe it past the reader?
Wow... What great security...
Brett @ Oct 25th 2006 12:19AM
My bank sent me one of these stupid cards and I didn't even want it. I'm too lazy to ask if I can get one without PayPass since I almost never use the card anyways.
Barton @ Dec 14th 2006 8:34AM
Why are the pictures of the cards from ABSA (South African bank)? Doesn't this have nothing to do with South Africa? Plus, if RFID was in SA then they would encrypt it more.
Believe me. I've been in SA and to get into a bank you have to pass thru something like airport security and two bulletproof doors that lock magnetically. They take security very seriously.
rp @ Dec 28th 2006 2:39PM
It's just a photograph of credit cards, why does it matter so much where they're from? It's not really relevant to discuss the picture if like 99% of people look at the picture and think "oh, credit cards, it's a story about credit cards" not "oh, those credit cards are from South Africa where they don't have that and it can't happen blah blah blah blah blah"
Justin @ Jan 27th 2007 6:05AM
To Cami, not that is another problem about this RFid thing, how would the reader know which card you want swiped if you have 2 or more cards in your billfold?
Well apparently i have always love the idea of RFID on your card. I'm from a country where (world wide accepted) Credit Card has just been introduced to the public, Nigeria, with quite a few bank providing it. So when i saw a post like this, i was so interested in it.
To me, i think the idea of rfid sucks since any memeber of the general public could get him/herself a rfid reader thru which one can get someone elses' info. Whether theres less or nothing you could do with the info, the fact that i could have my info being transmitted to a total stranger is something worth tripping about. Boh! Then why do i have my moneys on card? Why not go about with cash and let thief rob me?
Between there was someone here who said most of online shops needs 3 digits identification code to approve your order, yea that's true but there are at the same so many online store who doesn't ask for that... So you think all those criminal minded wont find a couple of stores like that? You think they have anything to loose searching for that? It's just a matter of typing a search string into google, powh! they have it and you money is gone.
I don't think i like the idea of rfid on credit card, it's makes no sense to me.
Sundar @ Mar 31st 2007 4:33PM
Hey why can this thing happen for a CC? as am a IT Guy we have come across the RAS Login for VPN. We would be Provided a Small equipement which has the password changed every minute or so..less than a mint is also posible. So when we login in the present password displayed in the Secure Login Device will accept the request to go forward. SO if there are things like this it would be of still better security naa...i hope you got me what i explained...?
Ian @ Apr 27th 2007 9:23PM
I'd say yeah, it probably doesn't matter if it can be hacked since credit card companies cover fraud. Also yes, swiping is a big deal... that's why express lines in grocery stores are the longest. If you can streamline payment, you can speed up everything. (In Hong Kong, the Octopus card they use for transportation also works for places like McDonald's and Convenience stores.)
I think it's a great idea, definitely for convenience... They should also start making it easy to slip something in next to your cell phone's battery, under the cover or something, so you don't need to have a separate card. (They had a special cell phone cover for octopus in HK).
Plus, it wouldn't be hard to make a wallet that blocks the RFID signal if you're so paranoid of someone stealing your number.
abdou @ May 19th 2007 5:40PM
ok
dee @ May 20th 2007 10:48AM
i can not use my credit card online with windows vista it says its blocking the software and somethang about activex control how do i fix it? can some 1 help me thank you very much.
syam @ Dec 19th 2007 12:33AM
Don't use Winod$ Vista
ron @ Nov 3rd 2007 11:10AM
I do not understand why the card company's are placing persons card info on rfid chip. all it needs is a standard chip with a 10+ digit random number which is associated with the account number at card company computer, checking it in real time & asking for pin if required. no use to fraudster but a little more expensive to card company.1000 times more secure.
ron @ Nov 3rd 2007 11:14AM
on the subject of rfid I am sure this will be of interest to European and usa readers of how money is being tracked...
http://www.ssrichardmontgomery.com/rfidmoney.htm
(copy and paste link into your browser)
barry @ Jun 17th 2008 12:16PM
can anybody teach me how to hack credit card.
Tony Tobias @ Sep 2nd 2008 12:39PM
"Predictably, the credit card companies have already dismissed claims that the *populus* will be greatly affected by this hack."
"Populus" is a genus of between 25–35 species of flowering plants in the family Salicaceae, native to most of the Northern Hemisphere. English names variously applied to different species include poplar, aspen, and cottonwood.
"Populace" is the word used to refer to an entire population.
xbubbax @ Sep 3rd 2008 7:33AM
if you have someones credit card info, you can put it on a dummy card and use the dummy card.....ie another fake credit card....very simple devices that can be bought on ebay.