
The RFID hacks keep coming fast and furious -- hot on the heels of that Mifare / Oyster Card exploit, the crew at BoingBoing TV has posted a little demo of how easy cracking the RFID encryption on an American Express card can be. All it takes is an $8 reader easily available on eBay, some software, and the courage to walk around with a laptop waving plastic boxes at people's back pockets, but developer Pablos Holman says he's hoping to develop a newer version that will allow him to be a little more discreet. The root of the problem is apparently that the system decrypts the card data locally at the reader rather than sending the card info to a secure data center, but either way we've been worried about this for a long time -- we're sticking to loose change and the barter system from now on. Video after the break.
Reader Comments
Henry @ Mar 20th 2008 3:31AM
His RFID reader was an actual MasterCard PayPass terminal used by retailers. There are none currently listed on eBay, and if there were, they would be going for a lot more than $8.
andrew_uk @ Mar 20th 2008 8:39AM
Do not forget this system was developed for ease of use, not security. If you want to suck lots of value off a card, the user has to present their PIN anyway. Plus, great, you can get value off cards, but how are you going to redeem it? OK, it is a nifty DoS attack, but that is about it. Plus, if you are wandering around surfing for card details, it is just as easy to be caught by the enforcement agencies looking for these signals in places they should not be -- and hey presto, off to prison you go -- all for taking a few cents off someone for a laugh!
RijilV @ Mar 20th 2008 11:25AM
So, the idea is less that the attacker would be charging the card themselves and more that the attacker would use the information obtained to create a fake card and use the fake card to make the charges at real stores. Also, there is likely an information leak here, as the card contains personally identifiable information. An attacker could even use this to track victims.
As for "enforcement agencies" -- I can tell you that you are living in a pipe-dream reality for a number of reasons:
1) The power levels on these frequencies are very, very low -- you would have a hard time detecting it outside of a few dozen meters.
2) Moreover, these cards use industry-standard RFID chips, so if something was detected it could take a long time to determine whether there wasn't a legitimate reader in the vicinity.
3) The frequencies and power levels used could very likely be spurious emissions from any number of other devices.
4) By "enforcement agencies", who are you talking about? The FCC? The police? Maybe the Secret Service? Yeah -- none of those people have the resources to either a) send enough agents around the country or b) buy the gear and train people on how to use it.
5) What is the apprehension mode you envision? An "enforcement agent" walks into a crowded bus terminal, detects a rogue signal, and detains the entire bus terminal, searching people until they find the reader?
How many people on here have gone wardriving? How many of you know someone who got busted for it?
photon @ Mar 20th 2008 10:24AM
Can someone explain to me why credit card companies are pushing this technology? Is it really so onerous to ask the consumer to swipe their cards instead of "waving" them at a reader?
Derek Hinch @ Mar 20th 2008 1:28PM
Well.
1. You can lift EM outside its transmittable range by pulsing at the same frequency with smaller PRI pulses across the transmitting RFID EM field limit -- a little of the receiving antennae on the cross pulse allows you to see how the smaller field affected the larger field (remember, it's all magnetic in nature). The level of disturbance is directly related to the outgoing pulse inside that frequency. Since most non-powered RFIDs operate in the 125 kHz-500 kHz range, it may be possible (accounting for enough attenuation over distance, initial power levels and possible interference) that the error correction at that point can assist with redeveloping the video pulse of the RFID > Reader session. I am not sure if you need a session already in progress (a static point) like an RFID-enabled ATM or checkout.
This isn't a feasible attack, but one that would work in a laboratory -- much like the sup3rl33t haX0r's SNAFU of an attack here.
MOD4LIPHE
Benjamin @ Mar 28th 2008 7:31AM
I need hacked nos.
UncoolJohn @ Apr 28th 2008 11:30PM
I recently had to get a replacement card from American Express and I asked if I could get one without an RFID chip. The phone jockey said it wasn't an option.
Turd Ferguson @ May 14th 2008 5:05AM
Does anyone know the name of the device or where you can get it? I want one.