Would You Trust RFID-Enabled ATM Cards?
race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?
race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.
Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
As a security expert who has done studies on RFID security, I would have to say absolutely not. I would switch banks.
With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.
With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondary responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.
It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from ATM fraud are inherently perverse.
FATMOUSE + YOU = FATMOUSE
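The "identification versus authentication" point in the comment above is the crux of the "don't worry, we use encryption" answer the submitter got. The simulation below is an added example, not code from the thread or from any bank or card vendor: it models a contactless card that merely identifies itself with static bytes next to one that authenticates by answering a fresh reader nonce with a keyed MAC, then presents a recorded response at a later transaction to show which design the issuer can still tell apart from the real card. The card classes, the account identifiers, and the HMAC-SHA256 construction are all assumptions made for the illustration; real EMV contactless cards use their own command set and cryptograms.

```python
"""Simulated contactless card / reader / issuer exchange (constructed example).

Two card models: one that merely *identifies* itself (static bytes on every tap)
and one that *authenticates* (keyed MAC over a reader-chosen nonce). A recorded
response is then presented at a new transaction to show the difference.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

ACCOUNT_LEN = 8   # constructed: fixed-width account identifier
KEY_LEN = 16      # constructed: per-card secret shared with the issuer
NONCE_LEN = 16    # constructed: reader challenge size
MAC_LEN = 32      # HMAC-SHA256 digest size


class StaticIdCard:
    """Identification only: the same bytes go out on every tap, whatever the reader sent."""

    def __init__(self, account_id: bytes) -> None:
        self.account_id = account_id

    def respond(self, challenge: bytes) -> bytes:
        return self.account_id  # the challenge is ignored entirely


class ChallengeResponseCard:
    """Authentication: proves possession of a key shared with the issuer without revealing it."""

    def __init__(self, account_id: bytes, key: bytes) -> None:
        self.account_id = account_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        tag = hmac.new(self._key, self.account_id + challenge, hashlib.sha256).digest()
        return self.account_id + tag


class Issuer:
    """Back end that holds each account's key (None for static cards) and judges each tap."""

    def __init__(self) -> None:
        self._keys: Dict[bytes, Optional[bytes]] = {}

    def enroll_static(self, account_id: bytes) -> StaticIdCard:
        self._keys[account_id] = None
        return StaticIdCard(account_id)

    def enroll_challenge_response(self, account_id: bytes) -> ChallengeResponseCard:
        key = secrets.token_bytes(KEY_LEN)
        self._keys[account_id] = key
        return ChallengeResponseCard(account_id, key)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        account_id = response[:ACCOUNT_LEN]
        if account_id not in self._keys:
            return False
        key = self._keys[account_id]
        if key is None:
            # Static card: the issuer has nothing to check beyond "is this a known id".
            return len(response) == ACCOUNT_LEN
        expected = hmac.new(key, account_id + challenge, hashlib.sha256).digest()
        # Constant-time compare of the card's tag against what this nonce should yield.
        return hmac.compare_digest(response[ACCOUNT_LEN:], expected)


def tap(card, issuer: Issuer) -> Tuple[bytes, bytes, bool]:
    """One reader transaction: fresh nonce out, card response in, issuer decision back."""
    challenge = secrets.token_bytes(NONCE_LEN)
    response = card.respond(challenge)
    return challenge, response, issuer.verify(challenge, response)


def present_recorded(recorded_response: bytes, issuer: Issuer) -> bool:
    """A later transaction where only previously captured bytes are offered, with no card present."""
    fresh_challenge = secrets.token_bytes(NONCE_LEN)
    return issuer.verify(fresh_challenge, recorded_response)


def compare_designs() -> Dict[str, Dict[str, bool]]:
    """Run a genuine tap and a recorded-bytes tap against both card designs."""
    issuer = Issuer()
    cards = {
        "static_id": issuer.enroll_static(b"ACCT0001"),            # constructed id
        "challenge_response": issuer.enroll_challenge_response(b"ACCT0002"),
    }
    results = {}
    for name, card in cards.items():
        _, response, genuine_ok = tap(card, issuer)
        results[name] = {
            "genuine_tap": genuine_ok,
            "recorded_bytes_tap": present_recorded(response, issuer),
        }
    return results


if __name__ == "__main__":
    for design, outcome in compare_designs().items():
        print(f"{design:20s} {outcome}")
```

The static card is accepted both times because nothing in its response depends on the transaction, so the issuer has no way to distinguish the card from a copy of its bytes. The challenge-response card is accepted only when it is actually present to compute the MAC over the reader's new nonce; the recorded bytes fail for the fresh challenge, and a single flipped bit in the tag fails too. "We use encryption" only helps if the card is doing the second kind of exchange.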
I've been researching this for one of my master's classes (I know, I'm a student, but hear me out) and I came across 2 ways of non-destructively stopping the tag. The first is simply blocking the tag with another tag, so that when the RFID reader goes to energize the tag, it gets a garbled response that even error-correcting software can't figure out. The second is to broadcast a kill-code to the tag. The kill code closes the circuit to a specified part of the chip, effectively overwriting the memory. This is the equivalent of removing the CMOS password on a motherboard: close the circuit, and when energized.... game over. The best thing to do would (yes) be to throw it in the microwave for 3-5 seconds [so as not to melt the plastic or the magnetic strip] and then go on using it with the RFID feature disabled. Personally, after all the research I've done on the security of RFID... I doubt the encryption is strong enough to block a dedicated reader. Hell, remember when they said WEP on 802.11b was unbreakable? I'll stick with my small-hometown bank, since they likely won't upgrade for some time.
Even better, you can get the real deal. RFID Blocking Wallets and passport cases http://www.difrwear.com/.
Of course it means I have to take my Oyster card out in order to use it, rather than wave the wallet at the reader - but that's the point!
Be nice to people on the way up. You will meet them again on your way down!
The only credit card parent company that requires a CID for online purchases is American Express. Visa, MasterCard, and Discover do not enforce this policy.
Source: I work in e-Commerce for a catalog company.
Clones are people two.