
The RFID hacks keep coming fast and furious -- hot on the heels of that Mifare / Oyster Card exploit, the crew at BoingBoing TV has posted up a little demo of how easy cracking the RFID encryption on an American Express card can be. All it takes is an $8 reader easily available on eBay, some software, and the courage to walk around with a laptop waving plastic boxes at people's butt pockets, but developer Pablos Holman says he's hoping to develop a newer version that will allow him to be a little more discreet. The root of the problem is apparently the fact that the system uses local decryption rather than sending card info to a secure data center, but either way we've been worried about this for a long time -- we're sticking to loose change and the barter system from now on. Video after the break.
Freaky!!!... imagine the next time a guy bumps into you, you would lose a couple of thousands ....
Actually, usually when a guy bumps into you, the money flows in the opposite direction, unless... maybe if you're a republican senator or sth.
First, real hackers don't use a MB Air...that's just sad.
Second, he looks like a tool, therefore...he is
Actually he's a "futurist," lol.
Don't be sad because A: you can't afford one, and B: that guy is probably way smarter than you.
In the future we will say "get up to your ass" until it becomes awkward....We will be skinny and dress in tight black clothing while doing this. In the future we will call ourselves hackers while using computers with one USB port, and publicly do so with no visible shame.
The future is strange.
REAL programmers use butterflies.
http://xkcd.com/378
I wonder how Amex deals with news like this... they're pretty good about refunding you fraudulent charges - stuff like this would impact their bottom line. I love the RFID Blue card for getting morning coffee at 7-11. No cash, no change, no typing in PINs... just sweet, tasty, industrial blend coffee
With it being so easy to fraud people the smart thief (if they exist) would only charge $5 a month to 1000's of people.
so, you put the computer in a shoulder bag and run the wire through a jacket and to the scanner in your hand ;) and you're safe :P
...Then to "extract" data from a credit card, you need to somehow touch the other guy's butt! *Bleh!* X_X
From Article:
"waving plastic boxes at people's butt pockets"
Well, he said that with a big enough antenna you wouldn't need to play grab-ass to get credit card info. I don't know if that's possible/practical or if he's spreading the good ol' FUD. I'd rather play grab-ass to get credit card info but women use purses, so...that's no good.
Why wouldn't it be possible? There are risks of such things as interference and getting garbage data, but just seems like the RFID version of wardriving... with more potential benefits and more possible jail-time (which makes it more fun, until you get caught).
Well, I wouldn't be responsible for fraudulent charges so the real losers here are the credit card companies.
No. Everyone pays. They write off the losses, we pay them in premiums (interest rates, business surcharges, etc). Plus AMEX frequently has an annual card fee so you potentially pay with that too.
"...so the real losers here are the credit card companies."
Which are our major banks. We already have a problem with the damn mortgage sector completely killing our economy, (gasoline prices aren't helping) I don't think we need the major banks to stop giving out credit cards right now. Banks are in the business to make money not lose it. $0.99 music tracks for free is one thing, this is just horrid. Great to know, so I can watch out for strange people in big coats touching people's butts, but besides that this in my eyes is horrible.
incorrect
I don't pay premiums on credit cards. I have never paid any interest rates, so that is not a problem, and my mortgage for my house was paid off years ago. All my credit cards have no yearly fees.
So yeah, it's not my problem. Credit card companies will be stuck paying the bill; it's not my problem
it's def a consumer problem because consumers have to check our f'in bills so closely!
Sounds like a job for the Faraday Wallet! (concept ©2008) :-D
old news. they have had home made devices that can clone rfid in the past. i believe the article was on engadget actually...
obviously, this isn't news about the rfid technology, but that they made a video with a macbook air in it!!!
funny--amex just sent me a letter yesterday announcing that they were discontinuing the rfid keyfobs by the end of july 2008. they said they were doing this in order to focus their attention on the rfid cards.
I NEED THINGS TO BE AWESOME
"That's why I'm getting Verizon FiOS."
Yeah right, bitch! They don't have FiOS yet in the northwest valley of L.A. THAT IS NOT AWESOME. I want to be snatching my porn (pun oh-so-intended) at FiOS speed already dammit.
/article derailment
"Awesome pool."
I want a bomb in my pool... Actually, first I need a pool.
yeah lol I was going to say the best part of this entire video was the michael bay FIOS commercial
you guys see the HD-DVD Player he had in his living room?!
Well that explains how a "hacker & futurist" could afford that computer.
And this is why I don't have any RFID credit cards (plus I don't have much credit yet anyway)
Why wave a box at people's butts? Hide one under a seat at the mall...
Now, all y'all gonna be checking under your seats, huh?
one wonders if a short microwave could fry the RFID but leave the mag stripe intact? Anybody with an AmEx card wanna try that and report back?
Would be a very easy test, and they're always eager to replace lost or stolen cards.
I've also heard that hitting it with a hammer works.
the microwave makes your card look burny
You can protect your card by putting aluminum foil in the lining of your wallet.
you know, for you . . . paranoid types
It really does work, and it takes about 5 seconds,
on the plus side, you don't need a stainless steel wallet and you can save your rfid ( if you actually use it)
Hacked: $8
Fixed for the life of the card: Cost of one paper hole punch
Knowing that I'm secure from RFID attack: ...you know the rest
Crap, now I need to get a lead sleeve for my credit card. Thanks a lot AMEX, and I never even use the stupid RFID functionality!
When will people learn that devices which provide purchasing power (credit cards) should never be allowed to transfer data wirelessly... It makes it way too easy to retrieve data without the owner's permission.
Security and wireless technologies don't mix very well.
With the close lines at some Starbucks, he could use a UMPC, put that reader in his front pocket, and just brush into someone. It wouldn't be too hard.
It is sad how insecure credit card companies are.
Yeah. Then he would only have to casually hump someone. Much better than groping them. ;)
Awesome hack.
*michael bay pops in and blows up macbook air*
Hmmmm... if you had a really, really, really big antenna, I bet you could "snipe" credit card data from miles away!
Not really, the RFID's transmitting range is extremely short, so you won't be getting anything out of range regardless of how big your antenna is.
That's true. AlexL knows nothing of the electromagnetic spectrum and how to make use of it. All you need is a more powerful transceiver to pick up the low power rfid signal.
Hell, we can pick up Voyager's signals, and that's damn near out of the solar system.
Oh joy... wait till this gets easier to pull off... how about that guy behind you on the subway in Boston or NYC during rush hour... is he really happy to see you, or is that an RFID wand in his pocket?
Whoa, that's pretty sweet stuff. From hacking wireless networks to bluetooth hacking to this, that is awesome. I understand hacking wireless for free internet, bluetooth hacking for a little fun, but this is just pure evil. Good technology but bad for the wrong use. Cool stuff though :P
I call bullshit. A standard RFID mifare reader (which can read ISO 14443, that Amex RFID is based on), will cost you at LEAST $30-$50 for a cheap one, and more for a better one. And these won't read it, because it's not standard Mifare.
It looks like he is using an actual reader meant to read those cards, which I cannot find on eBay, and I doubt it would go for as little as $8.
And I'm not so sure the actual card number would be available on the RFID. If you call Amex, they can disable the RFID portion of the card (i.e. it will work but no longer be accepted). If it used your normal account number, I don't think you could do that.
So basically just ride the subway in NYC during rush hour, and you're bound to scan at least a few cards.
Is this PCI or PABP compliant? Visa and other card vendors should lay the smacketh down on cards holding Track2 data local to the card. Please authorize in secured third party site or require pins to extract track 2 data from the card that are 128 bit encrypted up in heyyah!
You know I've been using my RFID blocking wallet for some time now. Good ol' ThinkGeek! And I don't even have any RFID cards... better safe than sorry!!
His RFID reader was an actual Mastercard Pay Pass terminal used by retailers, there are none currently listed on e-bay, and if there was they would be going for a lot more than $8.
I recently had to get a replacement card from American Express and I asked if I could get one without an RFID chip. The phone jockey said it wasn't an option.
Do not forget this system was developed for ease of use not security. If you want to suck lots of value off a card the user has to present their PIN anyway. Plus, great you can get value off cards, but how are you going to redeem it? OK it is a nifty DoS attack, but that is about it. Plus if you are wandering around surfing for card details it is just as easy to be caught by the enforcement agencies looking for these signals in places they should not be - and hey presto off to prison you go - all for taking a few cents off someone for a laugh!
So, the idea is less that the attacker would be charging the card themselves and more that the attacker would use the information obtained to create a fake card and use the fake card to make the charges at real stores. Also, there is likely an information leak here, as the card contains personally identifiable information. An attacker could even use this to track victims.
As for "enforcement agencies" -- I can tell you you are living in a pipe-dream-reality for a number of reasons
1) The power levels on these frequencies are very very low - you would have a hard time detecting it outside of a few dozen meters.
2) Moreover, these cards use industry standard RFID chips, so if something was detected it could take a long time to determine if there wasn't a legitimate reader in the vicinity.
3) frequencies used and the power levels used could very likely be spurious emissions from any number of other devices.
4) by "enforcement agencies" who are you talking about? The FCC? The police? maybe the Secret Service? Yeah - none of those people have the resources to either a) send enough agents around the country or b) buy and train people on how to use the gear
5) what is the apprehension mode you envision? An "enforcement agent" walks into a crowded bus terminal, detects a rogue signal, and detains the entire bus terminal, searching people until they find the reader?
How many people on here have gone wardriving? How many of you know someone who got busted for it?
Can someone explain to me why credit card companies are pushing this technology? Is it really so onerous to ask the consumer to swipe their cards instead of "waving" them at a reader?
Well.
1. You can lift EM outside its transmittable range by pulsing a same frequency and smaller PRI pulses, across the transmitting RFID EM field limit - a little of the receiving antennae on the cross pulse allows you to see how the smaller field affected the larger field (remember, it's all magnetic in nature). The level of disturbance is directly related to the outgoing pulse inside that frequency. Since most non powered RFID's operate in the 125kHz-500kHz range, it may be possible (accounting for enough attenuation over distance, initial power levels and possible interference) that the Error Correction at that point can assist with redeveloping the video pulse of the RFID > Reader session. I am not sure if you need a session already in progress (a static point) like an RFID enabled ATM or checkout.
This isn't a feasible attack, but one that would work in a laboratory - much like the sup3rl33t haX0r here's SNAFU of an attack.
MOD4LIPHE
I need hacked nos.
Does anyone know the name of the device or where you can get it? I want one.