
The RFID hacks keep coming fast and furious -- hot on the heels of that Mifare / Oyster Card exploit, the crew at BoingBoing TV has posted up a little demo of how easy cracking the RFID encryption on an American Express card can be. All it takes is an $8 reader easily available on eBay, some software, and the courage to walk around with a laptop waving plastic boxes at people's butt pockets, but developer Pablos Holman says he's hoping to develop a newer version that will allow him to be a little more discreet. The root of the problem is apparently the fact that the system uses local decryption rather than sending card info to a secure data center, but either way we've been worried about this for a long time -- we're sticking to loose change and the barter system from now on. Video after the break.
Reader Comments (Page 1 of 2)
Ayman @ Mar 19th 2008 6:39PM
Freaky!!!... imagine the next time a guy bumps into you, you would lease a couple of thousands ....
linumax @ Mar 19th 2008 6:55PM
Actually, usually when a guy bumps into you, the money flows in the opposite direction, unless... maybe if you're a republican senator or sth.
Rob Percoco @ Mar 19th 2008 6:48PM
First, real hackers don't use a MB Air...that's just sad.
Second, he looks like a tool, therefore...he is
Raheem @ Mar 19th 2008 6:58PM
Actually he's a "futurist," lol.
CraigJ @ Mar 19th 2008 7:45PM
Don't be sad because A: you can't afford one, and B: that guy is probably way smarter than you.
MEAT! @ Mar 19th 2008 7:47PM
In the future we will say "get up to your ass" until it becomes awkward....We will be skinny and dress in tight black clothing while doing this. In the future we will call ourselves hackers while using computers with one USB port, and publicly do so with no visible shame.
The future is strange.
Macroy @ Mar 19th 2008 9:19PM
REAL programmers use butterflies.
http://xkcd.com/378
CharlieX @ Mar 19th 2008 6:49PM
I wonder how Amex deals with news like this... they're pretty good about refunding you fraudulent charges - stuff like this would impact their bottom line. I love the RFID Blue card for getting morning coffee at 7-11. No cash, no change, no typing in PIN's... just sweet, tasty, industrial blend coffee
Ghen @ Mar 20th 2008 10:43AM
With it being so easy to fraud people the smart thief (if they exist) would only charge $5 a month to 1000's of people.
robert @ Mar 19th 2008 6:50PM
so, you put the computer in a shoulder bag and run the wire through a jacket and to the scanner in your hand ;) and you're safe :P
Aguiluz @ Mar 19th 2008 7:18PM
...Then to "extract" data from a credit card, you need to somehow touch the other guy's butt! *Bleh!* X_X
From Article:
"waving plastic boxes at people's butt pockets"
The Dude @ Mar 19th 2008 7:48PM
Well, he said that with a big enough antenna you wouldn't need to play grab-ass to get credit card info. I don't know if that's possible/practical or if he's spreading the good ol' FUD. I'd rather play grab-ass to get credit card info but women use purses, so...that's no good.
Tony Rayo @ Mar 19th 2008 10:52PM
Why wouldn't it be possible? There are risks of such things as interference and getting garbage data, but just seems like the RFID version of wardriving... with more potential benefits and more possible jail-time (which makes it more fun, until you get caught).
hp540 @ Mar 19th 2008 6:53PM
Well, I wouldn't be responsible for fraudulent charges so the real losers here are the credit card companies.
Anthony @ Mar 19th 2008 7:04PM
No. Everyone pays. They write off the losses, we pay them in premiums (interest rates, business surcharges, etc). Plus AMEX frequently has an annual card fee so you potentially pay with that too.
Killer @ Mar 19th 2008 7:45PM
"...so the real losers here are the credit card companies."
Which are our major banks. We already have a problem with the damn mortgage sector completely killing our economy, (gasoline prices aren't helping) I don't think we need the major banks to stop giving out credit cards right now. Banks are in the business to make money not lose it. $0.99 music tracks for free is one thing, this is just horrid. Great to know, so I can watch out for strange people in big coats touching people's butts, but besides that this in my eyes is horrible.
Dave @ Mar 19th 2008 9:29PM
incorrect
I don't pay premiums on credit cards. I have never paid any interest rates, so that is not a problem, and my mortgage for my house was paid off years ago. All my credit cards have no yearly fees.
So yeah, it's not my problem. Credit card companies will be stuck paying the bill; it's not my problem
TRAFFICBLOWS @ Mar 20th 2008 9:02AM
it's def a consumer problem because consumers have to check our f'in bills so closely!
whitephatt @ Mar 19th 2008 7:05PM
Sounds like a job for the Faraday Wallet! (concept ©2008) :-D
Dean @ Mar 19th 2008 7:06PM
old news. they have had home made devices that can clone rfid in the past. i believe the article was on engadget actually...
obviously, this isn't news about the rfid technology, but that they made a video with a macbook air in it!!!
Henry Mensch @ Mar 19th 2008 7:18PM
funny--amex just sent me a letter yesterday announcing that they were discontinuing the rfid keyfobs by the end of july 2008. they said they were doing this in order to focus their attention on the rfid cards.
7on @ Mar 19th 2008 7:22PM
I NEED THINGS TO BE AWESOME
The Dude @ Mar 19th 2008 7:40PM
"That's why I'm getting Verizon FiOS."
Yeah right, bitch! They don't have FiOS yet in the northwest valley of L.A. THAT IS NOT AWESOME. I want to be snatching my porn (pun oh-so-intended) at FiOS speed already dammit.
/article derailment
DaCheez @ Mar 19th 2008 9:18PM
"Awesome pool."
I want a bomb in my pool... Actually, first I need a pool.
Dave @ Mar 19th 2008 9:48PM
yeah lol I was going to say the best part of this entire video was the michael bay FIOS commercial
athousandleaves @ Mar 19th 2008 11:06PM
you guys see the HD-DVD Player he had in his living room?!
Matt @ Mar 19th 2008 7:41PM
And this is why I don't have any RFID credit cards (plus I don't have much credit yet anyway)
peshue @ Mar 19th 2008 7:43PM
Well that explains how a "hacker & futurist" could afford that computer.
Munky @ Mar 19th 2008 7:58PM
Why wave a box at people's butts? Hide one under a seat at the mall...
Now, all y'all gonna be checking under your seats, huh?
CraigJ @ Mar 19th 2008 7:59PM
one wonders if a short microwave could fry the RFID but leave the mag stripe intact? Anybody with an AmEx card wanna try that and report back?
newgalactic @ Mar 19th 2008 8:31PM
Would be a very easy test, and they're always eager to replace lost or stolen cards.
tiuk @ Mar 19th 2008 9:50PM
I've also heard that hitting it with a hammer works.
athousandleaves @ Mar 19th 2008 11:07PM
the microwave makes your card look burny
newgalactic @ Mar 19th 2008 8:06PM
Hacked: $8
Fixed for the life of the card: Cost of one paper hole punch
Knowing that I'm secure from RFID attack: ...you know the rest
Skawt @ Mar 19th 2008 8:08PM
You can protect your card by putting aluminum foil in the lining of your wallet.
you know, for you . . . paranoid types
Skawt @ Mar 19th 2008 9:25PM
It really does work, and it takes about 5 seconds,
on the plus side, you don't need a stainless steel wallet and you can save your rfid ( if you actually use it)
Mr. E @ Mar 19th 2008 8:10PM
Crap, now I need to get a lead sleeve for my credit card. Thanks a lot AMEX, And I never even use the stupid RFID functionality!
Doug @ Mar 19th 2008 8:37PM
When will people learn that devices which provide purchasing power (credit cards) should never be allowed to transfer data wirelessly... It makes it way too easy to retrieve data without the owner's permission.
Security and wireless technologies don't mix very well.
Joshua Walters @ Mar 19th 2008 8:40PM
With the close lines at some Starbucks, he could use a UMPC, put that reader in his front pocket, and just brush into someone. It wouldn't be too hard.
It is sad how insecure credit card companies are.
Skawt @ Mar 19th 2008 9:25PM
Yeah. Then he would only have to casually hump someone. Much better than groping them. ;)
CubeGuy @ Mar 19th 2008 8:41PM
Awesome hack.
*michael bay pops in and blows up macbook air*
thethirdmoose @ Mar 19th 2008 8:41PM
Hmmmm... if you had a really, really, really big antenna, I bet you could "snipe" credit card data from miles away!
AlexL @ Mar 19th 2008 9:33PM
Not really, the RFID's transmitting range is extremely short, so you won't be getting anything out of range regardless of how big your antenna is.
m.edgar @ Mar 20th 2008 12:09AM
That's true. AlexL knows nothing of the electromagnetic spectrum and how to make use of it. All you need is a more powerful transceiver to pick up the low power rfid signal.
Hell, we can pick up Voyager's signals, and that's damn near out of the solar system.
fuma @ Mar 19th 2008 8:53PM
Oh joy... wait till this gets easier to pull off... how about that guy behind you on the subway in Boston or NYC during rush hour... is he really happy to see you, or is that an RFID wand in his pocket?
ma5t3rw1tt @ Mar 19th 2008 9:58PM
Whoa, that's pretty sweet stuff. From hacking wireless networks to bluetooth hacking to this, that is awesome. I understand hacking wireless for free internet, bluetooth hacking for a little fun, but this is just pure evil. Good technology but bad for the wrong use. Cool stuff though :P
Azureice @ Mar 19th 2008 10:32PM
I call bullshit. A standard RFID mifare reader (which can read ISO 14443, that Amex RFID is based on), will cost you at LEAST $30-$50 for a cheap one, and more for a better one. And these won't read it, because it's not standard Mifare.
It looks like he is using an actual reader meant to read those cards, which I cannot find on eBay, and I doubt it would go for as little as $8.
And I'm not so sure the actual card number would be available on the RFID. If you call Amex, they can disable the RFID portion of the card (i.e. it will work but no longer be accepted). If it used your normal account number, I don't think you could do that.
Dave @ Mar 19th 2008 11:04PM
So basically just ride the subway in NYC during rush hour, and you're bound to scan at least a few cards.
Aguy29 @ Mar 20th 2008 12:10AM
Is this PCI or PABP compliant? Visa and other card vendors should lay the smacketh down on cards holding Track2 data local to the card. Please authorize in secured third party site or require pins to extract track 2 data from the card that are 128 bit encrypted up in heyyah!
Charlie Calhoun @ Mar 20th 2008 2:53AM
You know I've been using my RFID blocking wallet for some time now. Good ol' ThinkGeek! And I don't even have any RFID cards... better safe than sorry!!