Shmoocon Demo Shows Easy, Wireless Credit Card Fraud
Sparrowvsrevolution writes with this excerpt from a Forbes piece recounting a scary demo at the just-ended Shmoocon: "[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer's credit card onstage and obtained the card's number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer's money with the counterfeit card she'd just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) ... A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses."
Aluminum Foil in the Wallet (Score:5, Funny)
That is why I have lined my wallet with the aluminum foil that I had left over from making my hat.
Re:Aluminum Foil in the Wallet (Score:5, Informative)
Re: (Score:2)
Then what you need is aluminium foil AND a metal tail touching the ground.
Re: (Score:2)
I have a copper-like envelope and can't scan the card when it's inside. It came with the card so I have no idea what brand or material.
Re:Aluminum Foil in the Wallet (Score:5, Interesting)
I have an RFID blocking wallet. My security badge for work will not scan when inside the wallet (but it will scan inside all my co-workers' wallets and my old wallet).
Same price as a normal wallet and not a bad investment.
Re:Aluminum Foil in the Wallet (Score:5, Informative)
Grounding a Faraday cage accomplishes two things:
1) The cage is made from a conductive material. If a hot wire shorts against it, and you touch the cage, you could be electrocuted. Grounding it is therefore prudent.
2) If anything inside the cage is trying to transmit, it turns the entire planet into its antenna. Your transmission is going to be pretty weak if you're trying to drive a planet-sized antenna with a few milliwatts of power. (Actually, no weaker than normal, but only if you're far enough away from the antenna that it looks like a point-source.)
Note the significant absence of "prevents radio signals from getting into the Faraday cage". It doesn't. Grounding has nothing to do with preventing radio signals from getting into the Faraday cage. The cage's mesh diameter is the only factor that affects which radio signals can get into the cage.
Re: (Score:2)
2) If anything inside the cage tries to transmit, nothing happens outside. The transmission is bottled up inside. The Faraday cage is a barrier between the outside and inside.
No.
Re:MOD PARENT DOWN! (Score:4, Informative)
A "hot wire?" What is a "hot wire?" Are you talking about AC mains voltage? The same concept would apply to vehicles, building doors, household appliances, etc. This has nothing to do with RF.
I never said it did, moron. Yes, one of the reasons it is a good idea to ground a Faraday cage is exactly the "same concept" as why it is good to ground household appliances, etc.
Umm, NO. The idea of a Faraday cage is that you create an RF short as the cage is larger than lambda/2.
You're confusing signals getting into a Faraday cage with signals getting out of one. If the cage's mesh is larger than lambda/2, the signal will penetrate it. If it's not, the signal will not.
The earth does NOT become an antenna. You merely increase the VSWR at the transmitter.
If a charge is placed inside an ungrounded Faraday cage, the internal face of the cage will be charged (in the same manner described for an external charge) to prevent the existence of a field inside the body of the cage. However, this charging of the inner face would re-distribute the charges in the body of the cage. This charges the outer face of the cage with a charge equal in sign and magnitude to the one placed inside the cage. Since the internal charge and the inner face cancel each other out, the spread of charges on the outer face is not affected by the position of the internal charge inside the cage. So for all intents and purposes, the cage will generate the same electric field it would generate if it was simply charged by the charge placed inside. [wikipedia.org]
I.e. the Faraday cage becomes the antenna. You're welcome.
Re:MOD PARENT DOWN! (Score:4, Interesting)
An anisotropic radiator? THE FUCK does directionality have to do with anything?
An "electrostatic charge" is just an electric charge that isn't moving, by the way. Move an electric charge with an AC current and you get... wait for it... EM radiation.
An antenna radiates EM energy by moving charges around. The radiated energy from an antenna, in turn, induces movement of electrons in other conductors. The Faraday cage is a conductor, so the radiated energy causes electrons to move in it. That movement of electrons also radiates energy, as if the Faraday cage were itself an antenna. Hence the Faraday cage might as well be pinned directly (electrically shorted) to the antenna of the transmitter inside it.
I think you're using big words about concepts you don't really understand.
Mitigating factors (Score:3, Informative)
Put two of these cards next to each other, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.
There are numerous ways around this problem. It shouldn't stop people from using the technology.
Re:Mitigating factors (Score:5, Insightful)
Put two of these cards next to each other, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.
Stand in line at the convenience store behind victim. Tada, you just got owned.
There are numerous ways around this problem. It shouldn't stop people from using the technology.
It's about as secure as tattooing your social security number on your forehead, then telling people it's safe because you need a telephoto lens from over 100 feet, or you can just wear a ski mask all the time.
Re: (Score:2)
I think the point everyone is missing is that credit cards are already utterly insecure. If you haven't been a victim yet you've just been lucky - there are a lot of CC's out there and only so many thieves.
The only way to fix it is to block CC companies from writing-off fraud losses while preventing them from passing them onto the consumer. Right now, they perform a cursory 'investigation' only for the purposes of justifying the write-off, effectively passing the costs back onto consumers (taxpayers).
Re: (Score:2)
The only way to fix it is to block CC companies from writing-off fraud losses
This doesn't make sense.
while preventing them from passing them onto the consumer.
This doesn't seem possible.
Right now, they perform a cursory 'investigation' only for the purposes of justifying the write-off, effectively passing the costs back onto consumers (taxpayers).
The "cursory investigation" is just a means to determine the legal indemnity for the cost of the fraud. i.e. does the merchant, customer, issuing bank, transaction possessor network (e.g. VISA) or an insurance company pay for the fraud? The merchant pays most often. Customers are almost never charged. This however says nothing of the global incidence of the cost, which may be influenced but probably not entirely controlled via statutory means.
false (Score:5, Interesting)
Re:Mitigating factors (Score:5, Insightful)
The issue isn't being able to mitigate, the issue is that if the CC companies convince everyone that this isn't possible, then they have an easy path to never having to pay out against fraud. They can just refuse to believe this exists, and tell anyone who had their card info stolen that the cause was their behavior, and then never have to honor a dime of repayment. This is enough to let everyone know that theft can occur this way, and liability remains with the CC companies.
Re: (Score:2)
This is the real concern - not how easy or difficult it is to actually perform the actions, but that the credit card companies are awfully mistaken about it being possible at all. With a flawed fundamental understanding of how the technology actually works, who knows what they may attempt to do with it in the future based on this flawed understanding.
Re: (Score:2)
What I don't understand is how the CC companies can't be employing anyone with any knowledge in the field. Seriously, they don't have anyone on staff that doesn't have a hobby in this area who could have explained it to them? Or are they just putting a banana in their ear and claiming they didn't hear anything?
Then again, tobacco companies seem to have plenty of people on staff to tell them how safe tobacco is, so I guess I shouldn't be quite so surprised.
Re: (Score:2)
It's why wireless/pinless transactions are limited to £15 and whatever the limit in the US is.
Re: (Score:2)
It was posted here several years ago that some insurance companies were using the same line to claim that RFID cars were 'impossible to steal' [slashdot.org] and were refusing to pay out on claims because of it.
Re: (Score:2)
Put them in an aluminium card case, and they won't read.
This is not something people typically do. You can't get the majority to store their cards in faraday cages just because of this.
Move more than about 5 cm away from the card and it won't read.
People typically carry their wallets in their back pockets and purses, both of which a hacker can get arbitrarily close to. 5cm is way too much.
Put two of these cards next to each other, and they won't read.
Care to point to some resources? Because that would mean the fixed readers at warehouses are pretty much useless.
Re:Mitigating factors (Score:4, Informative)
People typically carry their wallets in their back pockets and purses, both of which a hacker can get arbitrarily close to. 5cm is way too much.
Yep, at a Kevin Mitnick conference last year he showed an RFID reader which fit in the palm of your hand (with a wire up the sleeve to the main unit). It worked at more than 5cm, too.
Re: (Score:2)
Put them in an aluminium card case, and they won't read.
This is not something people typically do. You can't get the majority to store their cards in faraday cages just because of this.
I have one. I know lots of people who have them.
Re: (Score:3)
Since the only way to be safe is to have a special shield so you have to take your card out to use it anyway, it might as well ditch the near field and go back to contact only.
The new technology gains you nothing (it actually costs you the price of the special case) and exposes a lot of people to fraud. (which still costs you since those losses are recouped through fees that show up on the retail price).
Re: (Score:3)
Exactly, this technology gains you nothing and exposes you to more potential fraud vectors. I don't see the point - I'd rather swipe my own card through a standard pad and type in my PIN. I'm already standing there; I don't need some stupid tap technology to go "DURRR, IT TOOK MUH MONEY AND I DIDN'T EVEN HAFTA ENTER MUH PIN!!".
The one place I think contactless cards make a difference is in transit systems. While in Japan I used the refillable PASMO card, and it was nice to be able to tap my wallet on the
Re: (Score:3)
The RFID technology used in credit cards is more based on magnetic fields than electric fields. As such, stacking the cards doesn't help. The magnetic ones were somehow assumed to be more secure because they can only be read from a few inches away. Then again, store security systems use magnetic fields as well and they can read at least 4 ft away.
A Faraday cage is one defense.
Or, burn out the chip and just use the magnetic stripe (best defense). I have yet to use one of these no-contact credit card read
Re: (Score:2)
There are numerous ways around this problem. It shouldn't stop people from using the technology.
Remember the security motto: "Attacks always get better..."
FUD (Score:5, Insightful)
You should be more worried about waiters and cashiers than somebody in a crowd grabbing your data.
Re: (Score:2)
There are still plenty of online sites that don't require the CVV at all... And if you can use a card-magnetizing tool, then you could use the card at any physical location. Can't remember the last time a cashier looked at my card or asked for the CVV.
Re: (Score:3)
Because that information is on the stripe.
Re: (Score:3)
The CVV1 is on the stripe, the CVV2 code is not on the stripe - it's the second code on the signature strip.
In many countries in Europe, it's mandatory to provide the CVV2 code for authorization of "cardholder not present" transactions. Online retailers that don't ask for it now make me nervous.
Re:FUD (Score:5, Insightful)
Untrue; waiters and cashiers will eventually get busted by data mining - you just need to correlate the transactions that pay for food and note the common location, then go through their time cards.
Whereas with wireless, you could collect the data in a location not covered by security cams, and transmit it, encrypted (how ironic) to avoid detection, to another location where payments are processed. A crowded subway car would be ideal - people are not going to be using their cards, and it's the ultimate in cultured anonymity - everyone goes out of their way not to notice anyone else.
Re:FUD (Score:4, Insightful)
Or they're smart and pass the numbers on to someone else who collects the info from many waiters and runs charges the next day.
Re: (Score:2)
You are more likely to die of heart disease than cancer.
So what?
There may at least be a paper trail when a cashier is involved.
The Obvious Solution* (Score:5, Funny)
Put her in jail for teaching others how to defraud the public!!!!
* Obvious to the credit card industry
This is sort of old news. (Score:5, Insightful)
Glossing over one problem... (Score:5, Informative)
So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.
Re: (Score:2)
You don't need a big field. You need a high gain directional antenna. Preferably one made by beam forming that could be steered to sweep a room.
High gain directional beam formed steerable antennas and control hardware are mass produced and small enough to go in handheld devices.
An 802.11n basestation is an example of a steerable beam forming device that could suit the purpose.
Re: (Score:2)
You need a big field. You're confusing reading a signal from a card with energizing the card in the first place. The cards have no internal power source; they start up when they are in an induction field that is generated by the reader. These fields are very weak...so it doesn't take much to power the card, but on the flip side, the cards can't handle much because of the need for them to operate at low power levels. And even if you could shape the field to a beam, it still remains a range issue. You ca
Re:Glossing over one problem... (Score:5, Informative)
Both, wrong... you less so.
The credit cards use an induction form of RFID. The wavelengths in question are very long - would require a big antenna to transmit and an equally big antenna on the card to receive.... well the cards aren't big enough. So you see this spiral pattern (inductive loop) that is the antenna.
YAGI won't do it. You need something more along the lines of the magnetic sensors as you leave a store (EAS - Electronic Article surveillance).
Credit cards are 13.56 MHz RFID. That's a wavelength of ~75ft. Not going to hide that YAGI very well....
Nope, inductive loops. That's why it only works over about a meter because the strengths of the magnetic fields.
Re: (Score:2)
It would be easy enough to swing around a YAGI antenna from the confines of a mesh hide - net curtains would be enough to conceal a distant antenna spook from view without obscuring his view of potential targets.
Combine a YAGI with an invisible laser rangefinder to set the power and you have yourself a range-safe power snooper for RFID cards.
Re: (Score:2)
Say... Is that a high gain directional antenna in your pocket or are you just happy to see me?
Re:Glossing over one problem... (Score:5, Interesting)
"with this attack you MUST be the next person to use the card's credentials." "the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base"
Because it's impossible to build a rig that fits in a briefcase or backpack that scans cards within a meter or two of the holder and automatically runs scripted transactions as soon as a card is detected in range, right?
Just because it's not AS bad a picture as the doomsayers are painting as a worst-case scenario doesn't mean it isn't ripe for exploitation.
Re:Glossing over one problem... (Score:5, Insightful)
So we'd have to funnel people through a chokepoint to isolate them ... and it might not work if they had more than one RFID enabled card in their wallet? And then you have to use it quickly, like this was done (while still on stage), rather than waiting for the person to try to make a legit transaction.
I'm guessing that someone standing near the entrance to a subway system could work within those restrictions well enough that even if they got less than 1% success rate per person entering could still turn a nice little "profit" during rush-hour.
Re: (Score:2)
with this attack you MUST be the next person to use the card's credentials. If not, the attack fails.
Implicit in this statement is the assumption that the hacker will be unable to discover the sequence of CVV codes based on the one they have right now. Given Sony's epic failure to implement proper encryption on the PS3, are you willing to take the chance that the CVV code generation algorithm will remain a secret forever?
Re: (Score:2)
So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.
You've never been to a train station have you? Or sat outside at a coffee shop? Or sat in a car at a busy mall? Sounds pretty trivial to me. Wait for a good signal to walk by, swipe and swipe. Wait for next good signal. Rinse and repeat.
Re: (Score:2)
It wouldn't be too hard to come up with a scheme to steal a bunch of cards and use the number immediately. You just hook the scanner up to a device that can make purchases at the same time the scan happens. Heck, build it into some sort of anonymous money scheme paypal account where you pay yourself and you could simply steal money. (Quick note, I don't know if or how anyone would actually do this but there must be ways.)
Beyond that it seems a bit to me like the real reasons there aren't recorded inst
Re:Glossing over one problem... (Score:5, Insightful)
>> the cards are set to offer up a one-time CVV code with every scan
Wait, I thought RFID only offered up static information. Does this infer that the cards have some sort of logic onboard to generate these 'one-time codes' and have to create a new code on every scan that matches up with its processor? How does this affect an inadvertent scan, do the codes get all out of sync? Is there resync logic as well? How would this be handled through payment processors and 3rd party clearing houses?
Now, someone enlighten me on this if it's true. But this sounds to me like total bullcrap.
Re: (Score:3)
The "Smart" in SmartCard indeed means that they are smart. The ones we use at work are programmable, run a tiny OS, and can be logged into (after a fashion). The CPUs do real crypto using RSA. A SmartCard has flash to store data, so a one-time key (like CVV2) is not hard at all. My SmartCard can generate an SSH key-pair and does not ever release the private key. It does the RSA challenge-response operations allowing secure login to a standard SSH client.
While I don't know if the CVV stuff is true, it is
Re: (Score:3)
+1, Elementary Composition
Re: (Score:2)
A big magnetic field... or a choke point, like a door to the conference center.
Re: (Score:3)
So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails.
Not hard to have a scanner & processor working at the same time.
It's not quite as bad as they make it out to be here.
Perhaps financially for individual consumers, but it can be a huge problem in other ways. Wouldn't it suck if your RFID enabled credit card & passport were read at the same time and you purchased a 1-way ticket for some terrorist (Does Godwin's law include terrorism references yet?).
Naturally restricting the liability to just a couple (or 1) transaction means individuals will not be out a lot of money. But it can still cause problems
Re: (Score:2)
So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here.
Ummm....yes it is. Being the next person to use the card isn't very difficult if you can do it via an iPhone. The chances of somebody using their card in the ten minutes after you grab their details is very small.
Not the last person (Score:2)
Re: (Score:2)
with this attack you MUST be the next person to use the card's credentials.
I don't know about you, but I don't use my credit card every day, but I do come into contact with strangers every day. If someone were to sit next to me on my morning bus ride to work and read the card in my wallet, they'd have anywhere from as little as four hours, if I happen to go shopping at lunchtime, to as much as a few days to put the information to use.
Re: (Score:3)
So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here.
No, this really is as bad as it's made out to be. From what I've read above, the attacker has to be the next person to use the card's credentials from the RFID part, not just any credentials. So if the cardholder gets his credentials stolen, and then uses
Use a Faraday Cage wallet (Score:5, Interesting)
I've been using a Faraday Cage wallet and passport holder by DIFRwear: http://difrwear.com/ for several years now. I don't work for them, but with the very cheap wallet prices and sturdy construction I've been very pleased with the products. I can testify that they do work as I have an RFID key card and it won't activate the door if in the wallet.
And in other news... (Score:3)
Have more than 1 credit/debit card with an RFID chip.
Aren't really close to the card.
Store your card in an aluminum wallet.
Sure, it is possible, but we focus so much on the possible technological side while totally neglecting the fact that people could quite easily just record your credit card info when you pay for things.
Re: (Score:3)
However, when people record the info when you pay for something, that person becomes directly traceable. I.e. if the police look into the matter, they can almost certainly quickly find out who is responsible. The RFID method is completely 100% anonymous (unless you memorize the faces of everyone you pass on the street, and even then you simply will not be able to trace down the person responsible). This adds a psychological, if not a real, barrier to CC skimming for employees.
The RFID system is quick, ano
Re: (Score:2)
I must've missed the part of the article where it said "don't worry about any other form of credit card theft, because this one is all that matters".
This is yet another potential attack. Other attacks are well documented. The fact that those other attacks exist, or even that many of them are more likely to occur, does not in any way mean this threat should not be publicized so that it can be mitigated.
I have one card with a chip. I wander through busy public areas daily where multiple strangers brush past m
Such 'demos' should be illegal. (Score:2)
Square is the big security fail here... (Score:3, Insightful)
Real Problem. (Score:2)
Hurry, oh wonderful American government, censor both of these things!
If the name Paget rings a bell... (Score:2, Informative)
Kristin Paget [twitter.com] used to be Chris Paget [tombom.co.uk], famous GSM hacker. With that out of the way, we return you to this awesome hack.
GuardBunny (Score:2)
What's the point of these? (Score:5, Interesting)
Re: (Score:3)
Ostensibly, they allow for more brains behind the card than is possible with a magstripe. The current solution is simply a one time use CCV code, if a more recent code has been used it rejects all the codes that came before it, meaning that A) A stolen card can only be used once and B) Not even once if the legitimate user makes a purchase in the meantime. To me, with a bit more processing power, it seems like it should be possible to set up an encryption scheme where the person reading the card only ever
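The behaviour described in the comment above (a used code invalidates every earlier one) and the earlier question about codes getting out of sync, modelled as an added example that is not from the thread or from any card network: a simplified issuer-side check. The HMAC derivation, the `WINDOW` value, the key and the card number are constructed assumptions; the real code-generation algorithm is not given on the page.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

WINDOW = 10  # assumed: how far a card's counter may run ahead of the issuer's record


def one_time_code(key: bytes, pan: str, expiry: str, counter: int) -> str:
    """3-digit code bound to card data and read counter (illustrative derivation)."""
    msg = f"{pan}|{expiry}|{counter}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


@dataclass
class Card:
    key: bytes
    pan: str
    expiry: str
    counter: int = 0

    def read(self) -> dict:
        """Any reader that energizes the card gets the next code; the counter advances."""
        self.counter += 1
        code = one_time_code(self.key, self.pan, self.expiry, self.counter)
        return {"pan": self.pan, "expiry": self.expiry,
                "counter": self.counter, "code": code}


@dataclass
class Issuer:
    keys: dict                                     # pan -> per-card key
    last_used: dict = field(default_factory=dict)  # pan -> highest counter accepted

    def authorize(self, txn: dict) -> str:
        key = self.keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        last = self.last_used.get(txn["pan"], 0)
        # A counter at or below the last accepted one is an old or replayed read.
        if txn["counter"] <= last:
            return "DECLINE: code superseded"
        # Stray reads push the card ahead; tolerate a bounded gap, then fail closed.
        if txn["counter"] > last + WINDOW:
            return "DECLINE: counter out of window"
        expected = one_time_code(key, txn["pan"], txn["expiry"], txn["counter"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "DECLINE: bad code"
        self.last_used[txn["pan"]] = txn["counter"]
        return "APPROVE"


def new_pair():
    """Constructed card and issuer sharing one per-card key (sample values only)."""
    key = b"constructed-demo-key"
    card = Card(key, "4111111111111111", "1299")
    return card, Issuer({card.pan: key})


def cardholder_pays_first():
    """An unwanted read happens, then the cardholder pays before the read is used."""
    card, issuer = new_pair()
    skimmed = card.read()
    legit = card.read()
    return issuer.authorize(legit), issuer.authorize(skimmed)


def skimmed_code_used_first():
    """The unwanted read is presented first: it clears once, never twice."""
    card, issuer = new_pair()
    skimmed = card.read()
    first = issuer.authorize(skimmed)
    second = issuer.authorize(skimmed)
    later = issuer.authorize(card.read())  # cardholder's next purchase still works
    return first, second, later


def stray_reads(n: int) -> str:
    """n reads that never reach the issuer, followed by a real purchase."""
    card, issuer = new_pair()
    for _ in range(n):
        card.read()
    return issuer.authorize(card.read())


if __name__ == "__main__":
    print("cardholder pays first:", cardholder_pays_first())
    print("skimmed code used first:", skimmed_code_used_first())
    print("5 stray reads:", stray_reads(5))
    print("10 stray reads:", stray_reads(10))
```

In this model the residual exposure is the single transaction in `skimmed_code_used_first`, which is the case an issuer has to catch through fraud monitoring rather than through the counter.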
Re: (Score:2)
Re: (Score:3)
Ostensibly, they allow for more brains behind the card than is possible with a magstripe.
You get that benefit from having a microprocessor on the card, such as a standard "chip card" with metal pads (like a SIM card) that you insert into the reader. Adding all of the RFID nonsense on top of that just makes it less secure.
(I'm aware that "chip+pin" also has known security flaws, but it's better than the alternatives).
Re: (Score:2)
What people fail to notice is the "Analog Hole" part of this demonstration. Paget did not clone the RFID card. She transferred information from a secure environment (RFID) to an insecure environment (mag stripe). As long as the amount of money lost through theft is a fraction of the cost of upgrading the infrastructure to get rid of magstripe, this capability will remain.
FWIW, the who needs RFID cards is definitely an American bias. When I was in Paris last year there were a number of times where not ha
Re: (Score:2)
Paget did not clone the RFID card. She transferred information from a secure environment (RFID) to an insecure environment (mag stripe).
FWIW, the who needs RFID cards is definitely an American bias. When I was in Paris last year there were a number of times where not having a RFID card was a real PITA.
Ah, this is what I just asked about in another reply. Until they lock out mag stripe reads on an account, they will always be the weakest link.
I was in Paris in '10 as well, and the only place I recall where RFID would have been worth using was at the Metro ticket counters, so that the card didn't need to be passed through the safety glass. Places like gift shops and restaurants wouldn't have seen much of a benefit...
Re: (Score:2)
What exactly is the advantage to these RFID credit cards?
One advantage is that magnetic stripes wear out. RFID cards won't. Similarly, swipe readers wear out, get gummed up, etc., whereas RF readers don't.
Personally, neither is a compelling enough argument for me as a consumer to get one. If I were responsible for the maintenance of POS terminals for a store, especially one with non-trivial traffic, that might be a different story.
Re:What's the point of these? (Score:4, Informative)
One advantage is that magnetic stripes wear out. RFID cards won't. Similarly, swipe readers wear out, get gummed up, etc., whereas RF readers don't.
If I were responsible for the maintenance of POS terminals for a store, especially one with non-trivial traffic, that might be a different story.
The magstripe can wear out, but you can still key in the number manually when this happens. RFID chips are not invincible, and can be damaged, but certainly not as easily as a magstripe.
I did phone tech support for 7 years, working on various makes and models of credit card machines. The number of units that I personally saw during that time that genuinely had the reader head worn down to the point of malfunction was less than 10. I replaced far more units due to beer damage. Most read failures were either due to a badly abused card, or a slightly dirty head. Wrapping a dollar bill around a card and running it through a few times cleared up the read problems almost 100% of the time. And no, it doesn't have to be a $1 bill. If I had one for every time I was asked THAT question...
Re: (Score:2)
In addition to the reasons given below, I would like to point out that you are assuming an advantage exists for consumers. It is the transaction possessors and merchants that reduce risks and costs from RFID cards. It is sold as a novelty to consumers and card holders.
Re: (Score:3)
PayWave and those types of authentication schemes are not about security, they are about finding a way to replace the last of the legal anonymous cash transactions.
And the CC companies are quite happy to refund any fraudulent transactions in the short term in order to get to that long term
Stainless steel wallet? (Score:2)
Would this protect the card?
http://www.thinkgeek.com/homeoffice/gear/9964/ [thinkgeek.com]
gender (Score:2, Insightful)
Probably should be modded as off topic for this, but why did the article feel the need to point out Paget's gender change? Did it make her a better programmer, or design better hardware? Or were there lots of people reading the article who were like "Hey, I knew a guy with the last name Paget that worked there, I wonder if they are related? ... Oh!" /scratches head
It's worse than you think.. (Score:2)
The bit not mentioned in the article is the reason why you need to be close to the card to read it: bad aerials in the card terminal.
If you build a better aerial (larger) and ensure the receiver stage has a decent low noise entry you can read those RFIDs from quite a distance..
Mythbusters lost episode (Score:5, Interesting)
Re:Is this news? (Score:5, Insightful)
It is news in that this has now been brought up to the credit card companies in a manner which cannot be easily ignored.
Re: (Score:3)
I remember seeing it on the news - they demonstrated someone with a cheap RFID reader and a laptop can bump into people, grab their cards, and run off. It was impressive enough that my parents got worried and checked their cards for that paypass logo.
Of course, having it more in the news isn't a bad thing. Add in a few elaborations (attackers can read your credit card without having to be
Re:Is this news? (Score:5, Insightful)
Why is it "hyperbole" if somebody can drain hundreds of bank accounts wirelessly with a $50 device?
To me that sounds more like "panic stations, block all cards now!!"
Why anybody needs RFID credit cards is beyond me anyway. Is it sooooo hard to swipe a card through a reader?
PS: Why would the CVV number be on the RFID chip? Surely that's the secret only you and the company are supposed to know?
Re: (Score:2, Informative)
It's hyperbole because the attacker has to be incredibly close to you. They actually have to bump the device up against your wallet. While it's technically "wireless" that's not what most people have in mind when they hear the word.
Also the CVV number it gives you works for one use only. It's used to authenticate the transaction.
Re:Is this news? (Score:5, Informative)
They actually have to bump the device up against your wallet.
Not according to TFA:
In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card’s information.
There are many situations where we get close enough to random strangers for someone to pull this off.
Re: (Score:2)
If you have an unusually thin wallet, that may work. But the attacker isn't going to get closer and closer to you until it works. That would be pretty silly, and rather conspicuous. They are going to bump up against you.
I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.
And that claim is hyperbolic bec
Re:Is this news? (Score:4, Informative)
I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.
Researchers seem to be able to do it from several feet away...just google for "rfid maximum distance" (or something similar).
Re:Is this news? (Score:5, Informative)
If you have an unusually thin wallet, that may work. But the attacker isn't going to get closer and closer to you until it works. That would be pretty silly, and rather conspicuous. They are going to bump up against you.
In a crowded commuter train or bus an attacker can inconspicuously bump his RFID-reader-containing backpack against 100 people without arousing suspicion while pushing his way from one end of the train to the other. On a less crowded train, he can put his reader under the seat in front of him (many transit agencies use thin fiberglass or plastic seats) and get it to within 1/4 inch of the seated passenger's back pocket wallet.
I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.
My RFID card key works 3 or 4 centimeters from the reader. Like you I usually slap it against the reader, but I'm not worried about making the reader suspicious about why I'm touching it. I've seen people who keep the card in their wallet do a butt touch on the reader and the card works fine through their wallet and clothes. If RFID card keys are any indication, then it would be trivial for a thief to get close enough to read the card without actually touching you - after all, pickpockets are already able to slip a wallet from a pocket undetected, so I think they can manage to get a card reader a few cm from your wallet without touching you.
I'm not sure how Credit Card RFID chips differ from the RFID chips used in passports, but Passport RFID readers with high gain antennas have been used to read a passport RFID chip from hundreds of feet away.
Re:Is this news? (Score:5, Informative)
I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work.
Mine works from 3 inches away. At a regional office, there's a reader that is twice as large on the wall, and just walking near it with my wallet in my pocket opens the door. It's not the card that determines distance; it's the reader. So maybe the crooks don't buy the $50 reader, maybe they go for the $2000 reader that works from two feet away, and set up shop in a van parked next to a busy sidewalk.
Re: (Score:3)
"That would be pretty silly, and rather conspicuous. They are going to bump up against you."
Never used public transportation, I see.
Re: (Score:3)
I once worked for Tektronix, back in the 1990s when they were pioneering this technology. As a demonstration, one door on main headquarters had a reader that could read from 12 feet away- the light would go green as you approached that door.
I have *NO* doubt that with a suitable antenna, line of sight, and enough power, you could read an RFID chip from a mile or two away.
Re: (Score:2)
Walk through Grand Central during rush hour. You can say excuse me if you like, but everyone might think you're weird.
For the cost of one subway fare you can rack up a few hundred credit cards.
Re:Is this news? (Score:4, Insightful)
It's hyperbole because the attacker has to be incredibly close to you. They actually have to bump the device up against your wallet. While it's technically "wireless" that's not what most people have in mind when they hear the word.
I was at Kristin's talk. The range with a standard cheap-ass reader is a few cm. With your own higher-power add-on (13.56MHz is right next to the 14MHz amateur band for which you can get off-the-shelf gear), it's tens of feet.
Also the CVV number it gives you works for one use only.
So you perform multiple reads and get one CVV per read.
Re: (Score:3, Interesting)
The CVV used here, I believe, isn't the one printed on the back of the card. I believe that it's a one-time use CVV that changes for the next transaction (think rolling-code garage door opener or http://en.wikipedia.org/wiki/One_time_password [wikipedia.org])
So, someone who steals one can do a single transaction.
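An added example, not part of the thread: a counter-based one-time code checked on the issuer side, showing why each code is good for a single use and why a jump in the counter is a signal worth alerting on. RFC 4226 HOTP stands in here for the card networks' own dynamic-CVV algorithm, which the page does not describe; `IssuerVerifier`, the window size and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def one_time_code(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class IssuerVerifier:
    """Hypothetical issuer-side check: every counter value is honoured at most once."""

    def __init__(self, key: bytes, window: int = 5):
        self.key = key
        self.window = window        # how far ahead of the last accepted counter to look
        self.last_counter = -1      # highest counter accepted so far

    def verify(self, code: str):
        """Return (accepted, skipped); skipped = codes issued but never presented."""
        for step in range(1, self.window + 1):
            candidate = self.last_counter + step
            if hmac.compare_digest(one_time_code(self.key, candidate), code):
                self.last_counter = candidate   # burns this code and all older ones
                return True, step - 1
        return False, 0

def demo():
    key = b"12345678901234567890"    # constructed key (the RFC 4226 test key)
    issuer = IssuerVerifier(key)
    unseen = one_time_code(key, 0)   # read off the card but never sent to the issuer
    one_time_code(key, 1)            # a second such read; the card's counter moves on
    genuine = one_time_code(key, 2)  # cardholder's next real purchase
    return {
        "genuine": issuer.verify(genuine),  # accepted, with a gap of 2
        "replay": issuer.verify(genuine),   # same code presented again
        "stale": issuer.verify(unseen),     # older code after a newer one was used
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A non-zero `skipped` value on an accepted transaction means the card produced codes the issuer never saw, which is the kind of gap a fraud-monitoring rule can flag.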
Re: (Score:3, Interesting)
As a non-idiot I knew this was possible. I fight Chase regularly on this, they send a new card with the stupid chip, I call and roast em, they mail me a new one without the chip. But they tell me at the time that it is a one time only deal and sure enough they send another later in the year on a different card. Yes, because of mergermania I now have three credit cards but they are all Chase. They simply refuse to allow you to permanently opt out of this madness.
Same with wanting to move me to a debit ca
Re: (Score:2)
Anyone with $50 worth of equipment can drain your bank account!
Which is one of several reasons why I only have Credit Cards.
Re: (Score:2)
That was a rerun, it was over a year ago. This is the next part where people get to see that it wasn't one of those things that can only happen in television land.