Slashdot Mirror
Would You Trust RFID-Enabled ATM Cards?
race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?
race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.
Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.
Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
Just wrap the card in Tin foil. You can keep the magnetic strip (assuming it still has one) uncovered so that you can still check-out the old way. That's the only non-destructive way I'm aware of for disabling an RFID chip.
Not surprised about HSBC. In fact surprising about some sense from Chase.
HSBC recently forced me to subscribe to the Verified by Visa marketing pseudosecurity garbageshiteware gimmick (the only one of cards I have that actually forced me to do so). During the subscription process I found out that the idiotic subscription interface does not maintain state with most non-mainstream browsers. In fact if you use Konqueror (or play around with your browser a bit) you can cruise through it with flying colours without it asking for verification information, passwords and the like. I was seriously tempted to go all the way and register a few cards for entertainment purposes, but end of the day decided not to.
So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", not could provide a contact. Still better then Amex though. Under similar circumstances 4 years ago when I tried to contact the Amex security dept with a similar bug they subscribed me to a mandatory 60 days of phone marketing and email marketing for good measure.
Frankly - they have no clue. Banking security at its best. Understanding is not required, BS and ISO numbers are.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
No can do, I wouldn't trust RFID for anything that requires a password or requires any sort of security.
I'd use it for inventory management etc. like was the big hype when it first came out but I'd keep it out of ATM cards, passports... PEOPLE.
As a security expert who has done studies on RFID security, I would have to say absolutely not. I would switch banks.
The reality is that by forcing a "swipe" of a card through a reader, this enforces the act of choosing to provide the information. With RFID, you can read it from across the room given a good transmitter and a sensitive receiver. Why should we need to add a new layer when the old physical layer works just fine. The new RFID does NOT save time. You can't just wave your wallet or purse over the weak reader (which is far weaker than a hacker would be using) if you had multiple cards. How would it tell it apart. You still end up having to take the card out. The difference is Mag Stripe (physical contact.. almost), or RFID, Radio Broadcast. I'll take the Mag Stripe or the Smart Card chip (which required physical contact).
Not only no but hell no.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.
-Charlie Tell you what, why not post your card details here (including the three digits on the reverse), but NOT THE PIN, and we'll see how many of us can buy something with it.
Willing to stand by your statement? Are you sure you still don't have a problem with other people having access to your card data?
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
An RFID chip will fry in seconds in a microwave. It takes much longer than that to affect the plastic. And the magnetic stripe will not be affected at all, until the plastic starts to melt.
Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don't cost anything.
What use is an RFID to a bank?
--
E
Do you honestly think that banks don't pass every single expense they incur along to the customer?
No matter who pays at first, in the end we all pay more because of shitty security.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Instead of spending that money on putting RFID in, why not just release, oh, I dunno, SMART CARDS!!!
Oh, no, we're north american, we have to be different *cough* cdma *cough*, no way we can conform with the rest of the fucking world *cough* soccer *cough*...
Besides, RFID is not meant for privacy or security. It's meant to track inventory. The sooner these "experts" realize that the better. The sooner they realize that RFID readers are common place the even better.
Someday, I'll have a real sig.
Does anyone know if there are RFID Detection scanners available? I know there are remote readers, but I was thinking more along the lines of a scanner which simply lights up an LED, beeps or something along those lines when it comes in close proximity to RFID. It seems with all the hidden tagging of clothes, shopping carts, etc. that this might be something handy to have.
I only need the Preview button when I haven't used the Preview button.
With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.
With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondarily responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.
It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from atm fraud are inherently perverse.
FATMOUSE + YOU = FATMOUSE
For several years now, I've been carrying my personal card collection (credit, discount, ID, etc) in an Altoids tin. It's the perfect size for such cards, and it protects them from me. Also, it has the added benefit of being quite the faraday cage. Unlike foil, which can easily tear, an Altoids tin can take *quite* the beating without any significant damage.
:)
At work, we have RFID security badges. Mine is, obviously, in my Altoids tin. I can hold the tin against the sensor as long as I want; it won't scan. I pop it open (which is really easy to do one-handed once you get used to it), and it'll read from several inches away.
They also have several designer colors: red peppermint, aqua wintergreen, tan ginger, and my personal favorite -- black liquorice.
The problem with RFID encoded is they can be viewed by anyone that has the right equipment. I work for a company that uses RFID encoded labels because of there ease of reading the data off the label. Since you don't have to be within close proximity of the RFID chip to get a good read, someone can point a RFID reader at your butt and read the card from thirty yards away. Also, some RFID chips are very fragile and can be altered given the right condition which are not that extreme. My vote is we go back to the day where ten cows would buy you a year supply of donuts and fig newtons.
These are non-powered RFID tags. There is no "on/off" for them. If you wanted powered RFID, you'd have to include a battery, making the new card larger and bulkier than the old cards.
Not a Twitter sockpuppet... but I wish I was.
been made your problem by way of the 'identyty theft' myth. There's no such thing as identity theft. When someone gives your money or loas their money to the wrong person, thinking it's you, THEY ARE AT FAULT.
Effing brainwashed sheep have bought into the identity theft ruse hook, line, sinker, and hummer to the fisherman.
I've been researching this for one of my masters classes (I know, I'm a student, but hear me out) and I came across 2 ways of non-destructively stopping the tag. The first is simply blocking the tag with another tag, so that when the RFID reader goes to energize the tag, it gets a garbled response that even error-correcting software can't figure out. The second is to broadcast a kill-code to the tag. The kill code closes the circuit to a specified part of the chip, effectively overwriting the memory. This is the equivalent of removing the CMOS password on a motherboard, close the circuit, and when energized.... game over. The best thing to do would (yes) throw it in the microwave for 3-5 seconds [so as not to melt the plastic or the magnetic strip] and then go on using it with the RFID feature disabled. Personally, after all the research I've done on the security of RFID... I doubt the encryption is strong enough to block a dedicated reader. Hell, remember when they said WEP on 802.11b was unbreakable? I'll stick with my small-hometown bank, since they likely won't upgrade for some time.
Keeping your RFID tagged cards in a metal case only prevents them from being read while you've got them stored away. Anytime you pull your card out to use it, someone could have an RFID reader nearby to scan it mid-air.
Or, much easier, find someplace with an RFID reader at the cash register and find someplace to hide a high-gain directional antenna. Let the legitimate reader do the work of powering the tag on the card, and then log the data being broadcast by the tag with the antenna.
RFID tags broadcast omni-directionally. So the reader doesn't have to be in a specific spot. It just has to be close enough to the tag. RFID tags' usable range (distance between tag and reader) is limited by two factors:
1) The tag has to be in a "strong enough" EM field to run.
2) The reader has to have a sensitive enough antenna to be able to receive the data being transmitted by the tag.
It's the only way to be sure.
I saw it on Slashdot, it must be true!
Uh... no? If the credit card companies were the ones paying for the fraud done with credit cards, there would BE next to 0 fraud.
:/
As it is, they make the -merchant- pay for it! And not only do they make us cover the price of the fraudulent transaction, but they ALSO tag an extra $25 -per fraud transaction- !! Heck, at this rate they might actually be MAKING money from fraud!!
If one customer buys 3 times with same fraudulent cc over a few days (say, for $5 items!), we pay $75 in -addition- to the cc company taking back the $15!!!!!
With the hundreds of Billions they process every day, do you really think there would be so much fraud if the cc companies were the ones really paying for it??
I have a merchant account, so I tested it to see the minimum amout of info needed to complete a transaction.
Account Number
Expiration Date
Amount to charge
That's it. No PIN, no 3 digit code from the back, no name, and no address required. It's a little frightening that you don't even need a name.
I'd say that no, it isn't ready yet for handling security-sensitive tasks like credit card or debit card transactions. It's happening anyways, but I don't think it's mature enough to trust our bank accounts to them.
Just for a tiny bit of reassurance, RFID tags and readers used in credit card/debit card applications (I know because I help make these readers, though I'm still new to the business) include cryptography features such as encrypted data transfer and authentication. In other words, if you don't have the correct crypto keys in the RFID tag and the RFID reader, they will refuse to speak to each other, and anyone trying to listen to the signals will get nothing but encrypted data.
That helps to ensure that random Joe Scumbag can't get himself a handheld reader, wave it a few feet from people's wallets and electronically pick pockets in the simple case. We're assuming that crypto keys are kept secure, so that only authorized card readers have the crypto keys required to authenticate themselves to the cards, and only authorized people have the keys required to encode the cards in such a way that they'll authenticate to the readers, and that the readers have secure connections to the credit card networks. Unfortunately, that's a big assumption to make.
Personally, the scenario of electronic pickpocketing does concern me. I've seen RFID tags read from 30 feet away (though you need a reader with a relatively powerful transceiver, which isn't as portable.) Handheld readers are more likely to have ranges between a few inches and a few feet, depending on the power level of the reader's signal, the type of tag, the phase of the moon, and the number of RF gremlins present. If the authentication can be circumvented, it probably will be, since there is significant money involved.
Meldroc, Waster of Electrons
The only credit card parent company that requires a CID for online purchases is American Express. Visa, MasterCard, and Discover do not enforce this policy.
Source: I work in e-Commerce for a catalog company.
Clones are people two.
And what happens when someone doesn't follow the standard? When they put more juice into the card and use a stronger antenna?
A standard dictates how something should work but has nothing to do with how it does work. It is entirely possible to follow the standard to the letter and still have the card readable at over 1.5 m.
Shit we buried an ethernet cable to the building next door for a project. Yes that was the easiest way at the time. The run was much longer than the standard dictated. The cable worked.
I find being offended by me offensive.
Anyone stating "max distance" for RF is creating limits where none exist. With a correctly-sized transmitter, a sensitive enough receiver, and a large enough antenna, there's nothing preventing reading over much greater distances.
The "hacker" world distance record for reading RFID tags (not necessarily the same technology that's in these credit cards) was set at Defcon in August 2005. It was 69 feet, or over 21 meters. You can see the Make Photo Blog pictures of the gear used. While the kit may look bulky, 69 feet would allow you to have it in a van parked outside a store shooting in through the windows.
Regarding the correctly sized antenna, the WiFi shootout that year scored a record 125 miles for an unamplified 802.11 link. 125 miles from a pair of hundred-milliwatt transceivers chatting at 11 mbps.
And don't assume it's not worth the trouble, either. You don't know what dollar values may be transacted via RFID, nor what thefts may be possible with the intercepted data.
That's not to say that encryption isn't capable of rendering the data useless to an eavesdropper. We don't know if it is or isn't good encryption, but that's immaterial. Don't rely on distance alone to protect you. It won't.
John
My assumption in this case is that the RFID technology will be of some standard similar to those stated in my parent post (ISO 15693, 14443 or other HF standards). In this case, the tags are inductively coupled with the reader antenna primarily through the Magnetic field produced by the current through the antenna wire. This field loses strength very quickly as you move from the source which means a VERY limited read range. The technologies mentioned (UHF and WiFi) interact with the Electromagnetic field which propagates nicely through the air and thus gives longer range. (we can, of course, try to discuss all the lovely physics if needed, but this is my attempt at simplification)
Basically, my point is that while I concede it is possible to hack into RFID credit cards, it is NOT as easy as many like to believe, and I don't feel nearly as threatened as some would suggest I should feel. Also, RFID is NOT one technology. It is a mishmash of all kinds of different standards comprising multiple frequencies and technologies and so should not be lumped together as the one evil tech it is commonly identified as.
Yes, they are powered. They are powered by RF.
If you put a power switch on them, they wouldn't send back a signal even if you were getting RF energy.
That would pretty much end the ability for someone to sniff out your RFID tags in your credit cards and passports until you pressed the button - closing the circuit between the antenna recieving the RF power signal and the part that generates and broadcasts the signal back.
how it would work in the real world is - you'd pull our your credit card at the store, squeeze the pressure button, and wave the card over the reader. If you waved the card over the reader without squeezing the button, nothing would happen.
Don't worry, no one else seems to understand how insanely simple this is.
guns kill people like spoons make Rosie O'Donnell fat.