
Shmoocon Demo Shows Easy, Wireless Credit Card Fraud

Sparrowvsrevolution writes with this excerpt from a Forbes piece recounting a scary demo at the just-ended Shmoocon: "[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer's credit card onstage and obtained the card's number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer's money with the counterfeit card she'd just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) ... A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses."

  • Mitigating factors (Score:3, Informative)

    by Annirak ( 181684 ) on Monday January 30, 2012 @01:37PM (#38866563)

    Put two of these cards next to each other, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.

    There are numerous ways around this problem. It shouldn't stop people from using the technology.

  • by Shoten ( 260439 ) on Monday January 30, 2012 @01:41PM (#38866623)

    Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction. The reason we think that’s the case is that it’s very difficult to monetize this as a criminal,” says Vanderhoof. “The premise that this is a new threat is absolutely false and isn’t supported by [Paget's] demonstration.”

    In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

    So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.
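The processor-side rule the quoted article describes (each code good for one transaction, codes accepted only in order, card disabled otherwise), as an added sketch that is not part of the comment or the article. The HMAC-based code derivation, the counter travelling with each transaction, the tolerance for skipped counters, and all names and values are assumptions of the sketch.

```python
import hashlib
import hmac

def one_time_code(key: bytes, pan: str, expiry: str, counter: int) -> str:
    # HMAC-SHA256 truncated to 3 digits is a stand-in for this sketch only;
    # the page does not describe how real cards derive the code.
    mac = hmac.new(key, f"{pan}|{expiry}|{counter}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

class Card:
    """Contactless card: every read bumps a counter and emits a fresh code."""
    def __init__(self, key: bytes, pan: str, expiry: str):
        self.key, self.pan, self.expiry, self.counter = key, pan, expiry, 0

    def read(self):
        self.counter += 1
        return self.counter, one_time_code(self.key, self.pan, self.expiry, self.counter)

class Processor:
    """Issuer-side state for one card: highest counter accepted, blocked flag."""
    def __init__(self, key: bytes, pan: str, expiry: str):
        self.key, self.pan, self.expiry = key, pan, expiry
        self.last_counter, self.blocked = 0, False

    def authorize(self, counter: int, code: str) -> str:
        if self.blocked:
            return "DECLINED_BLOCKED"
        expected = one_time_code(self.key, self.pan, self.expiry, counter)
        if not hmac.compare_digest(code, expected):
            return "DECLINED_BAD_CODE"
        if counter <= self.last_counter:      # reused or out-of-order code
            self.blocked = True
            return "DECLINED_BLOCKED"
        self.last_counter = counter           # gaps allowed: a read need not become a payment
        return "APPROVED"

def simulate(victim_pays_first: bool):
    key, pan, expiry = b"constructed-test-key", "4000000000000002", "12/14"  # constructed values
    card, proc = Card(key, pan, expiry), Processor(key, pan, expiry)
    skimmed = card.read()                     # code captured by a rogue reader
    results = []
    if victim_pays_first:
        results.append(proc.authorize(*card.read()))   # victim's own purchase
    results.append(proc.authorize(*skimmed))           # skimmed code presented
    results.append(proc.authorize(*skimmed))           # same code presented again
    results.append(proc.authorize(*card.read()))       # victim's next purchase
    return results

if __name__ == "__main__":
    print(simulate(victim_pays_first=False))
    print(simulate(victim_pays_first=True))
```

When the victim pays first, the skimmed code arrives with a stale counter and the card is blocked without the skimmed code ever being approved; when the skimmed code arrives first it is approved once, and the replay blocks the card.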

  • by Anonymous Coward on Monday January 30, 2012 @01:52PM (#38866743)

    Kristin Paget [twitter.com] used to be Chris Paget [tombom.co.uk], famous GSM hacker. With that out of the way, we return you to this awesome hack.

  • by cvtan ( 752695 ) on Monday January 30, 2012 @01:53PM (#38866759)
    A Faraday cage need not be grounded. http://en.wikipedia.org/wiki/Faraday_cage [wikipedia.org]
  • by _0xd0ad ( 1974778 ) on Monday January 30, 2012 @02:21PM (#38867031) Journal

    Grounding a Faraday cage accomplishes two things:

    1) The cage is made from a conductive material. If a hot wire shorts against it, and you touch the cage, you could be electrocuted. Grounding it is therefore prudent.

    2) If anything inside the cage is trying to transmit, it turns the entire planet into its antenna. Your transmission is going to be pretty weak if you're trying to drive a planet-sized antenna with a few milliwatts of power. (Actually, no weaker than normal, but only if you're far enough away from the antenna that it looks like a point-source.)

    Note the significant absence of "prevents radio signals from getting into the Faraday cage". It doesn't. Grounding has nothing to do with preventing radio signals from getting into the Faraday cage. The cage's mesh diameter is the only factor that affects which radio signals can get into the cage.

  • by Big Smirk ( 692056 ) on Monday January 30, 2012 @02:22PM (#38867045)

    Both, wrong... you less so.

    The credit cards use an induction form of RFID. The wavelengths in question are very long - would require a big antenna to transmit and an equally big antenna on the card to receive.... well the cards aren't big enough. So you see this spiral pattern (inductive loop) that is the antenna.
    YAGI won't do it. You need something more along the lines of the magnetic sensors as you leave a store (EAS - Electronic Article surveillance).

    Credit cards are 13.56 MHz RFID. That's a wavelength of ~75ft. Not going to hide that YAGI very well....

    Nope, inductive loops. That's why it only works over about a meter because of the strengths of the magnetic fields.

  • by Joce640k ( 829181 ) on Monday January 30, 2012 @02:27PM (#38867111) Homepage

    People typically carry their wallets in their back pockets and purses, both of which a hacker can get arbitrarily close to. 5cm is way too much.

    Yep, at a Kevin Mitnick conference last year he showed an RFID reader which fit in the palm of your hand (with a wire up the sleeve to the main unit). It worked at more than 5cm, too.

  • Re:Is this news? (Score:2, Informative)

    by mosb1000 ( 710161 ) <mosb1000@mac.com> on Monday January 30, 2012 @02:30PM (#38867149)

    It's hyperbole because the attacker has to be incredibly close to you. They actually have to bump the device up against your wallet. While it's technically "wireless" that's not what most people have in mind when they hear the word.

    Also the CVV number it gives you works for one use only. It's used to authenticate the transaction.

  • Re:Is this news? (Score:5, Informative)

    by Rary ( 566291 ) on Monday January 30, 2012 @02:46PM (#38867323)

    They actually have to bump the device up against your wallet.

    Not according to TFA:

    In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card’s information.

    There are many situations where we get close enough to random strangers for someone to pull this off.

  • by twotacocombo ( 1529393 ) on Monday January 30, 2012 @03:24PM (#38867881)

    One advantage is that magnetic stripes wear out. RFID cards won't. Similarly, swipe readers wear out, get gummed up, etc., whereas RF readers don't.

    If I were responsible for the maintenance of POS terminals for a store, especially one with non-trivial traffic, that might be a different story.

    The magstripe can wear out, but you can still key in the number manually when this happens. RFID chips are not invincible, and can be damaged, but certainly not as easily as a magstripe.

    I did phone tech support for 7 years, working on various makes and models of credit card machines. The number of units that I personally saw during that time that genuinely had the reader head worn down to the point of malfunction was less than 10. I replaced far more units due to beer damage. Most read failures were either due to a badly abused card, or a slightly dirty head. Wrapping a dollar bill around a card and running it through a few times cleared up the read problems almost 100% of the time. And no, it doesn't have to be a $1 bill. If I had one for every time I was asked THAT question...

  • Re:Is this news? (Score:4, Informative)

    by Joce640k ( 829181 ) on Monday January 30, 2012 @03:45PM (#38868243) Homepage

    I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.

    Researchers seem to be able to do it from several feet away...just google for "rfid maximum distance" (or something similar).

  • Re:Is this news? (Score:5, Informative)

    by hawguy ( 1600213 ) on Monday January 30, 2012 @03:51PM (#38868363)

    If you have an unusually thin wallet, that may work. But the attacker isn't going to get closer and closer to you until it works. That would be pretty silly, and rather conspicuous. They are going to bump up against you.

    In a crowded commuter train or bus an attacker can inconspicuously bump his RFID-reader-containing backpack against 100 people without arousing suspicion while pushing his way from one end of the train to the other. On a less crowded train, he can put his reader under the seat in front of him (many transit agencies use thin fiberglass or plastic seats) and get it to within 1/4 inch of the seated passenger's back pocket wallet.

    I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.

    My RFID card key works 3 or 4 centimeters from the reader. Like you I usually slap it against the reader, but I'm not worried about making the reader suspicious about why I'm touching it. I've seen people who keep the card in their wallet do a butt touch on the reader and the card works fine through their wallet and clothes. If RFID card keys are any indication, then it would be trivial for a thief to get close enough to read the card without actually touching you - after all, pickpockets are already able to slip a wallet from a pocket undetected, so I think they can manage to get a card reader a few cm from your wallet without touching you.

    I'm not sure how Credit Card RFID chips differ from the RFID chips used in passports, but Passport RFID readers with high gain antennas have been used to read a passport RFID chip from hundreds of feet away.

  • Re:MOD PARENT DOWN! (Score:4, Informative)

    by _0xd0ad ( 1974778 ) on Monday January 30, 2012 @04:19PM (#38868751) Journal

    A "hot wire?" What is a "hot wire?" Are you talking about AC mains voltage? The same concept would apply to vehicles, building doors, household appliances, etc. This has nothing to do with RF.

    I never said it did, moron. Yes, one of the reasons it is a good idea to ground a Faraday cage is exactly the "same concept" as why it is good to ground household appliances, etc.

    Umm, NO. The idea of a Faraday cage is that you create an RF short as the cage is larger than lambda/2.

    You're confusing signals getting into a Faraday cage with signals getting out of one. If the cage's mesh is larger than lambda/2, the signal will penetrate it. If it's not, the signal will not.

    The earth does NOT become an antenna. You merely increase the VSWR at the transmitter.

    If a charge is placed inside an ungrounded Faraday cage, the internal face of the cage will be charged (in the same manner described for an external charge) to prevent the existence of a field inside the body of the cage. However, this charging of the inner face would re-distribute the charges in the body of the cage. This charges the outer face of the cage with a charge equal in sign and magnitude to the one placed inside the cage. Since the internal charge and the inner face cancel each other out, the spread of charges on the outer face is not affected by the position of the internal charge inside the cage. So for all intents and purposes, the cage will generate the same electric field it would generate if it was simply charged by the charge placed inside. [wikipedia.org]

    I.e. the Faraday cage becomes the antenna. You're welcome.

  • Re:Is this news? (Score:5, Informative)

    by Culture20 ( 968837 ) on Monday January 30, 2012 @04:58PM (#38869265)

    I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work.

    Mine works from 3 inches away. At a regional office, there's a reader that is twice as large on the wall, and just walking near it with my wallet in my pocket opens the door. It's not the card that determines distance; it's the reader. So maybe the crooks don't buy the $50 reader, maybe they go for the $2000 reader that works from two feet away, and set up shop in a van parked next to a busy sidewalk.
