Topics: Crime, Security, The Almighty Buck, IT

Shmoocon Demo Shows Easy, Wireless Credit Card Fraud 273

Posted by timothy
from the now-how-much-would-you-pay dept.
Sparrowvsrevolution writes with this excerpt from a Forbes piece recounting a scary demo at the just-ended Shmoocon: "[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer's credit card onstage and obtained the card's number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer's money with the counterfeit card she'd just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) ... A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses."

  • by Woil (25266) on Monday January 30, 2012 @01:41PM (#38866635)

    I've been using a Faraday Cage wallet and passport holder by DIFRwear: http://difrwear.com/ for several years now. I don't work for them, but with the very cheap wallet prices and sturdy construction I've been very pleased with the products. I can testify that they do work as I have an RFID key card and it won't activate the door if in the wallet.

  • by Anonymous Coward on Monday January 30, 2012 @01:42PM (#38866637)

    They also discussed in the same presentation that most of the foil coverings you can buy to protect your credit card don't work since, unlike Faraday cages, they are not grounded.

  • by barc0001 (173002) on Monday January 30, 2012 @01:52PM (#38866741)

    "with this attack you MUST be the next person to use the card's credentials." "the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base"

    Because it's impossible to build a rig that fits in a briefcase or backpack that scans cards within a meter or two of the holder and automatically runs scripted transactions as soon as a card is detected in range, right?

    Just because it's not AS bad a picture as the doomsayers are painting as a worst-case scenario doesn't mean it isn't ripe for exploitation.

  • by twotacocombo (1529393) on Monday January 30, 2012 @02:04PM (#38866859)
    What exactly is the advantage to these RFID credit cards? All the readers I've seen still require you to get the card close to it to work. Has the world really grown so lazy that we can no longer be bothered to make a vertical swiping motion? I can see the benefit for payment-enabled cell phones or key fobs, but credit cards? Seems like a solution to a problem that didn't exist.
  • by FictionPimp (712802) on Monday January 30, 2012 @02:18PM (#38866995)

    I have an RFID-blocking wallet. My security badge for work will not scan when inside the wallet (but it will scan inside all my co-workers' wallets and my old wallet).

    Same price as a normal wallet and not a bad investment.

  • Re:Is this news? (Score:3, Interesting)

    by FrankSchwab (675585) on Monday January 30, 2012 @02:36PM (#38867217)

    The CVV used here, I believe, isn't the one printed on the back of the card. I believe that it's a one-time use CVV that changes for the next transaction (think rolling-code garage door opener or http://en.wikipedia.org/wiki/One_time_password [wikipedia.org])

    So, someone who steals one can do a single transaction.

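The comment above describes the contactless CVV as a rolling, one-time value, which is why a captured set of credentials is good for a single transaction at most. The following is an added toy model (not code from the presentation, Forbes, or any card network, and not the real EMV scheme) that shows the issuer-side check which enforces that property: the card derives a 3-digit CVV from a per-card key and a transaction counter, and the issuer only accepts a counter it has not seen before. The key, the counter width, the acceptance window and the HMAC-based derivation are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample key shared by the card and its issuer (hypothetical; a real
# card's key never leaves the secure element and is never known to a merchant).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def dynamic_cvv(key: bytes, counter: int) -> str:
    """Toy rolling CVV: 3 digits derived from the card key and transaction counter."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


@dataclass
class Card:
    """Simulates the contactless card: each tap advances the counter and emits a fresh CVV."""
    key: bytes
    counter: int = 0

    def tap(self) -> tuple[int, str]:
        # A reader (legitimate or not) obtains exactly this pair from one tap.
        self.counter += 1
        return self.counter, dynamic_cvv(self.key, self.counter)


@dataclass
class Issuer:
    """Issuer-side authorization: rejects replayed, stale, out-of-window or forged CVVs."""
    key: bytes
    last_counter: int = 0
    window: int = 10  # assumed tolerance for taps that never reached the issuer
    log: list[str] = field(default_factory=list)

    def authorize(self, counter: int, cvv: str) -> bool:
        if counter <= self.last_counter:
            # Replay of an already-used counter, or credentials captured before a
            # later legitimate tap: this is the signal a fraud desk would alert on.
            self.log.append(f"DECLINE counter={counter} replay/stale (last={self.last_counter})")
            return False
        if counter > self.last_counter + self.window:
            self.log.append(f"DECLINE counter={counter} outside window (last={self.last_counter})")
            return False
        if not hmac.compare_digest(cvv, dynamic_cvv(self.key, counter)):
            self.log.append(f"DECLINE counter={counter} CVV mismatch")
            return False
        self.last_counter = counter
        self.log.append(f"APPROVE counter={counter}")
        return True


def attacker_goes_first() -> tuple[bool, bool, bool]:
    """Captured credentials used before the cardholder's next tap: one success, then decline."""
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    captured = card.tap()                       # one tap's worth of credentials skimmed
    first = issuer.authorize(*captured)         # first use succeeds
    replay = issuer.authorize(*captured)        # second use of the same pair is declined
    legit = issuer.authorize(*card.tap())       # cardholder's next tap still works
    return first, replay, legit


def cardholder_goes_first() -> tuple[bool, bool]:
    """If the cardholder taps before the skimmer spends, the captured pair is already stale."""
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    captured = card.tap()
    legit = issuer.authorize(*card.tap())       # counter moves past the captured one
    stale = issuer.authorize(*captured)         # declined as replay/stale
    return legit, stale


def forged_cvv_rejected() -> bool:
    """A guessed CVV for an unused counter is declined (barring a 1-in-1000 guess)."""
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    counter, cvv = card.tap()
    wrong = f"{(int(cvv) + 1) % 1000:03d}"
    return issuer.authorize(counter, wrong)


if __name__ == "__main__":
    print(attacker_goes_first())    # (True, False, True)
    print(cardholder_goes_first())  # (True, False)
    print(forged_cvv_rejected())    # False
```

The decline reasons in `Issuer.log` are the monitoring hook: a burst of "replay/stale" declines across many cards at one merchant is exactly the pattern an issuer's fraud team would want to surface, and the counter window bounds how far ahead a skimmer's transaction can get before it is refused outright.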
  • false (Score:5, Interesting)

    by dutchwhizzman (817898) on Monday January 30, 2012 @02:45PM (#38867313)

    You can read RFID cards in people's wallets at 30 ft with a transponder with a higher send signal and a better antenna. The same applies for multiple cards. Some reading devices won't process if there is more than one card in their reach, but that's a software decision. Devices purpose-made to leech RFIDs do not play by the rules and legislation set out for "proper" RFID equipment.

  • by speedlaw (878924) on Monday January 30, 2012 @02:51PM (#38867385)

    Wasn't RFID the subject of the Mythbusters episode that was "squelched" by Visa? Adam made a few comments and the issue was clamped down upon by all. The credit card companies (huge advertisers; when you get 29% interest you have lots of money) made it clear that RFID weaknesses were not a subject to be discussed in public to a lay audience.
  • Re:Is this news? (Score:3, Interesting)

    by jmorris42 (1458) * <jmorris@nOSPAM.beau.org> on Monday January 30, 2012 @02:59PM (#38867475)

    As a non-idiot I knew this was possible. I fight Chase regularly on this, they send a new card with the stupid chip, I call and roast em, they mail me a new one without the chip. But they tell me at the time that it is a one time only deal and sure enough they send another later in the year on a different card. Yes, because of mergermania I now have three credit cards but they are all Chase. They simply refuse to allow you to permanently opt out of this madness.

    Same with wanting to move me to a debit card instead of an ATM card. The ATM card requires a PIN for all transactions and has other safeguards which work in my favor. The debit cards can be used in all sorts of places without a PIN and since it isn't a credit card (despite the Visa logo) the stolen money is gone from your account and you are getting to pay NSF fees all over the place while you fight over it. So I just keep cutting those cards every time they send a new one out and keep using my ancient ATM card. When it stops working I'm out of there.

  • Re:MOD PARENT DOWN! (Score:4, Interesting)

    by _0xd0ad (1974778) on Monday January 30, 2012 @05:07PM (#38869363)

    An anisotropic radiator? THE FUCK does directionality have to do with anything?

    An "electrostatic charge" is just an electric charge that isn't moving, by the way. Move an electric charge with an AC current and you get... wait for it... EM radiation.

    An antenna radiates EM energy by moving charges around. The radiated energy from an antenna, in turn, induces movement of electrons in other conductors. The Faraday cage is a conductor, so the radiated energy causes electrons to move in it. That movement of electrons also radiates energy, as if the Faraday cage were itself an antenna. Hence the Faraday cage might as well be pinned directly (electrically shorted) to the antenna of the transmitter inside it.

    I think you're using big words about concepts you don't really understand.
