Shmoocon Demo Shows Easy, Wireless Credit Card Fraud

Sparrowvsrevolution writes with this excerpt from a Forbes piece recounting a scary demo at the just-ended Shmoocon: "[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer's credit card onstage and obtained the card's number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer's money with the counterfeit card she'd just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) ... A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses."

Is this news?

I am pretty sure I saw this on NCIS like two months ago... Obviously this crime is possible.

Re:Is this news?

[Jeng]

It is news in that this has now been brought up to the credit card companies in a manner which cannot be easily ignored.

Re:Is this news?

[tlhIngan]

It is news in that this has now been brought up to the credit card companies in a manner which cannot be easily ignored.

I remember seeing it on the news - they demonstrated someone with a cheap RFID reader and a laptop can bump into people, grab their cards, and run off. It was impressive enough that my parents got worried and checked their cards for that paypass logo.

Of course, having it more in the news isn't a bad thing. Add in a few elaborations (attackers can read your credit card without having to be close to you!) and you'll find great retraction on this. Especially when considering that it applies to debit cards as well. (Anyone with $50 worth of equipment can drain your bank account!).

And yes, while it's a bit of hyperbole, it makes a nice soundbite to get people to change.

Re:Is this news?

Yeah, and another newsflash: Abby/Pauley is hot.

Re:Is this news?

[Joce640k]

Why is it "hyperbole" if somebody can drain hundreds of bank accounts wirelessly with a $50 device?

To me that sounds more like "panic stations, block all cards now!!"

Why anybody needs RFID credit cards is beyond me anyway. Is it sooooo hard to swipe a card through a reader?

PS: Why would the CVV number be on the RFID chip? Surely that's the secret only you and the company are supposed to know?

Re:Is this news?

[John+Bresnahan]

Anyone with $50 worth of equipment can drain your bank account!

Which is one of several reasons why I only have Credit Cards.

Re:Is this news?

[mosb1000]

It's hyperbole because the attacker has to be incredibly close to you. They actually have to bump the device up against your wallet. While it's technically "wireless" that's not what most people have in mind when they hear the word.

Also the CVV number it gives you works for one use only. It's used to authenticate the transaction.

Re:Is this news?

[CodeReign]

My cell phone is has NFC and it is able to scan one of my credit cards for a decent sized payload. I'm not knowledgeable enough to decrypt the payload so I guess that's probably good.

Re:Is this news?

Paget’s firm has been working on a more sophisticated fix: a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster.

It's news because s/he's spewing FUD to make a buck.

While that GuardBunny thing did make me suspicious, there is a mitigating factor here. It is not only not available for sale, they don't know when it will be. So even if she is just out to make a buck, she failed spectacularly as anyone now interested in an rfid shielding wallet will have to buy from someone else.

Also, "she" not "s/he". Leave your prejudice at home.

Re:Is this news?

[FrankSchwab]

The CVV used here, I believe, isn't the one printed on the back of the card. I believe that it's a one-time use CVV that changes for the next transaction (think rolling-code garage door opener or http://en.wikipedia.org/wiki/One_time_password)

So, someone who steals one can do a single transaction.

Re:Is this news?

[Rary]

They actually have to bump the device up against your wallet.

Not according to TFA:

In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card’s information.

There are many situations where we get close enough to random strangers for someone to pull this off.

Re:Is this news?

[UnknowingFool]

So I take it you've never been in a crowded area with lots of people around like rush hour on a subway, at a ball game, etc. If your life is such this situation rarely occurs, then you don't really have to worry. For anyone who lives in congested metropolitan areas, it is a worry.

Re:Is this news?

[jmorris42]

As a non-idiot I knew this was possible. I fight Chase regularly on this, they send a new card with the stupid chip, I call and roast em, they mail me a new one without the chip. But they tell me at the time that it is a one time only deal and sure enough they send another later in the year on a different card. Yes, because of mergermania I now have three credit cards but they are all Chase. They simply refuse to allow you to permanently opt out of this madness.

Same with wanting to move me to a debit card instead of an ATM card. The ATM card requires a PIN for all transactions and has other safeguards which work in my favor. The debit cards can be used in all sorts of places without a PIN and since it isn't a credit card (despite the Visa logo) the stolen money is gone from your account and you are getting to pay NSF fees all over the place while you fight over it. So I just keep cutting those cards every time they send a new one out and keep using my ancient ATM card. When it stops working I'm out of there.

Re:Is this news?

[mosb1000]

I was replying to the person before me who was saying it wasn't hyperbole to say the card could be read wirelessly. It is hyperbole because people think wireless means a signifanct distance and that's not the case here. You should always take the time to read all relevant comments before posting.

Re:Is this news?

[sjames]

That was a rerun, it was over a year ago. This is the next part where people get to see that it wasn't one of those things that can only happen in television land.

Re:Is this news?

[soleblaze]

You can steal it for one transaction. However, you can read a card multiple times and if they haven't used the paypass since, you can replay those transactions in order and use it multiple times.

Re:Is this news?

[Captain+Hook]

And I would guess he has to make the transaction before the card is next used or the one time CVV will be out of step with the server.

Re:Is this news?

[mosb1000]

If you have an unusually thin wallet, that may work. But the attacker isn't going to get closer and closer to you until it works. That would be pretty silly, and rather conspicuous. They are going to bump up against you.

I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.

And that claim is hyperbolic because when you hear the claim, its easy to imagine (as you did) that there can actually be a significant distance between you and the attacker. In reality, the reader has to be incredibly close to the card. You need to know where the card is on the person, and put the reader right next to it.

Also, I am not claiming the card is secure. I am only pointing out that the claims in the article are exaggerated for dramatic effect.

Re:Is this news?

[sjames]

Walk through Grand Central during rush hour. You can say excuse me if you like, but everyone might think you're weird.

For the cost of one subway fare you can rack up a few hundred credit cards.

Re:Is this news?

Cannot assume distance. Just because the card and a reader in a shop have to be close, does not mean someone could not make a much better antenna and work from safe distance. Witness the people getting tens of kilometers out of wifi using special antennas. Not a stretch to use similar gear to scarf credit cards at a hundred meters or so.

For the same reason, bluetooth is vulnerable. Maybe it only works 20feet for you but somebody three blocks away with the right antenna can snarf just fine. You'd never even see them.

Re:Is this news?

[Charliemopps]

You just watch how easy it is for them to ignore it.

Re:Is this news?

[hairyfeet]

Are there banks that really allow that? because I've never worried about my debit card because my bank has always covered any BS. They are so good about it I've been using it to buy parts for the shop for years since i don't have to worry about any fees or interest. Once in awhile i'll get some merchant that double dips then i just walk in and tell one of the gals and voila! it takes less than 10 minutes and its all back to normal.

Maybe this should be a lesson not to use shitty megabanks that suck. Use the little Co-Ops and small state banks that still treat you like a customer and not a wallet with feet. When the housing market cratered my bank was bragging on their little opening jingle how they didn't throw money around at crazy housing schemes and therefor had tons of money to loan to local businesses. They made out like bandits as all the local businesses ended up going to them, the last jingle of theirs i heard said they were never doing better and were ready to loan to local folks so come on in. i guess that's what happens when you treat folks decently, your business grows. All I know is they get even the tiniest whiff of fraud they call you and give you a new card as SOP, i'm waiting for a new card right now as a matter of fact, should be here tomorrow. One of the places i shop at had a minor breach and even though I wasn't affected they said "better safe than sorry" and sent me a new card. I like that, nice to see a bank say "better safe than sorry" and be proactive on security.

Re:Is this news?

Why anybody needs RFID credit cards is beyond me anyway. Is it sooooo hard to swipe a card through a reader?

If you'll watch people try to do that, the answer is yes. Many people have trouble putting the card in the slot, many people can't/won't read the instructions so they put the card in the wrong way, etc.

The idea of contactless credit card payments was that the reduced costs due to increase in transaction speed would more than make up for any increases in fraud.

Re:Is this news?

[Joce640k]

I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.

Researchers seem to be able to do it from several feet away...just google for "rfid maximum distance" (or something similar).

Re:Is this news?

[Sczi]

As a non-idiot I knew this was possible. I fight Chase regularly on this, they send a new card with the stupid chip, I call and roast em, they mail me a new one without the chip. But they tell me at the time that it is a one time only deal and sure enough they send another later in the year on a different card. Yes, because of mergermania I now have three credit cards but they are all Chase. They simply refuse to allow you to permanently opt out of this madness.

Stop! Hammer time!

Re:Is this news?

[hawguy]

If you have an unusually thin wallet, that may work. But the attacker isn't going to get closer and closer to you until it works. That would be pretty silly, and rather conspicuous. They are going to bump up against you.

In a crowded commuter train or bus an attacker can inconspicuously bump his RFID reader containing backpack against 100 people without arising suspicion while pusing his way from one end of the train to the other. On a less crowded train, he can put his reader under the seat in front of him (many transit agencies use thin fiberglass or plastic seats) and get it to within 1/4 inch of the seated passenger's back pocket wallet.

I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.

My RFID card key works 3 or 4 centimeters from the reader. Like you I usually slap it against the reader, but I'm not worried about making the reader suspicious about why I'm touching it. I've seen people who keep the card in their wallet do a butt touch on the reader and the card works fine through their wallet and clothes. If RFID card keys are any indication, then it would be trivial for a thief to get close enough to read the card without actually touching you - after all, pickpockets are already able to slip a wallet from a pocket undetected, so I think they can manage to get a card reader a few cm from your wallet without touching you.

I'm not sure how Credit Card RFID chips differ from the RFID chips used in passports, but Passport RFID readers with high gain antennas have been used to read a passport RFID chip from hundreds of feet away.

Re:Is this news?

[hierophanta]

i get that close to hundreds of strangers each week on the train to and from work. this is also a situation where people will most likely be able to figure out where my wallet is, because i just pulled it out when i swiped my transit card.

Re:Is this news?

[thinuspollard]

There are multiple CVV numbers assigned to a single card. The first is present on the magstripe. The second one is what we know as the security code and is printed, not embossed, on the signature panel on the back of the card. For chip cards and contactless cards you get other schemes such as this single use CVV numbers produced by the card.

Also, a card can only be blocked if it is presented to the reader for long enough to download a couple of scripts feom the issuing institution. A paypass card's offline wallet is fair game for anyone who picks up the card.

obviously it is much more complicated than the space/time available here

Re:Is this news?

[UnknowingFool]

Nowhere in the poster that you replied to does he/she refer to this as an area wide instantaneous wireless attack. The only time distance is brought up is by you which you used to dismiss the potential impact as hyperbole. Even if distance is a factor in this attack, what you are still missing is the point that the ease of the exploit makes it so that many people can be exploited. Anyone can brush up against hundreds of people a day in crowded metropolitan areas.

Re:Is this news?

So basically you think the article is hyperbole because you didn't read it properly, and now you are crying that people don't read your earlier comments that make it clear you didn't read it properly?

Re:Is this news?

[MattSausage]

Apparently Visa does cover fradulent purchases.

Re:Is this news?

[Eponymous+Hero]

Also, "she" not "s/he". Leave your prejudice at home.

while i agree with the sentiment, i think it's very likely they never left home. spewing your prejudices anonymously onto the world from the safety and comfort of your chair is what the internet is for.

Re:Is this news?

[Myopic]

No, it is not conspicuous. Stop saying that, because it isn't even remotely true. People stand withing touching distance of strangers every single day, with no exceptions. Ever stand in an elevator? On a subway? In an airplane? In line at a bank? Ever go to a grocery store? Ever walk past someone on the street?

Re:Is this news?

You need to know where the card is on the person...

Targeting the right butt cheek will probably net at least about a 25-30% success rate. On a crowded subway, that's a lot of credit cards in a very short period of time with almost no effort.

Re:Is this news?

[Culture20]

I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work.

Mine works from 3 inches away. At a regional office, there's a reader that is twice as large on the wall, and just walking near it with my wallet in my pocket opens the door. It's not the card that determines distance; it's the reader. So maybe the crooks don't buy the $50 reader, maybe they go for the $2000 reader that works from two feet away, and set up shop in a van parked next to a busy sidewalk.

Re:Is this news?

He never said they didn't. Federal law requires them to, so of course they cover it. However, federal law also gives the bank up to (I think) 10 business days to reverse the transactions and issue you a temporary credit while they investigate. So in those 10 days, how many bills could come in and bounce. When they bounce, you may get charged an NSF fee by not only your bank, but your mortgage company, your other credit cards, your utilities, etc. So now not only do you now have to deal with the bank and getting the fraud corrected, you also have to deal with several other companies (very time consuming) and you may not even get credited (I don't believe there is any law requiring them to credit you in such a case). If you do get credited, it may take many hours of your time to get it straightened out. And then god forbid one of your bounced checks gets reported to ChexSystems and you've got to go to them and get your record straightened out with them too. Or that someone pulls your ChexSystems report before you get it cleaned up. Can you see how this can cascade into a massive, time consuming headache? And it may have long term consequences that some people might not discover for months or years. Or maybe they might not ever find out about it, but the impact will still be there. Think about insurance rates going up because of a negative on your credit report, and now you've just overpaid for the last 6 months. Good luck getting that adjusted after the fact.

Re:Is this news?

[Talennor]

I think if I get it within 2 or three millimeters of the reader it will work.

The distance to read a card is a function of the reader which provides the wireless power signal much more than it's a function of the card you're using. So your work reader is configured to be lower power and have your familiar slap the wallet functionality, while anyone wanting to read your card buys a different reader that works fine from several feet away (or more, but it just gets noisy when you activate 100 cards at once).

Re:Is this news?

[AK+Marc]

Never had an issue with such refunds. Perhaps if you weren't such a prick with the people you call, you'd get more from them.

Re:Is this news?

[Marxist+Hacker+42]

Alumawallet has been advertising the fact that it is possible for a couple of years now.

Re:Is this news?

[Marxist+Hacker+42]

From the article- more like about $500 worth of equipment. Still, a $500 investment for several million worth of the money of idiots, might be worth it.

Re:Is this news?

[Marxist+Hacker+42]

I once worked for Tektronix, back in the 1990s when they were pioneering this technology. As a demonstration, one door on main headquarters had a reader that could read from 12 feet away- the light would go green as you approached that door.

I have *NO* doubt that with a suitable antenna, line of sight, and enough power, you could read an RFID chip from a mile or two away.

Re:Is this news?

[arglebargle_xiv]

It's hyperbole because the attacker has to be incredibly close to you. They actually have to bump the device up against your wallet. While it's technically "wireless" that's not what most people have in mind when they hear the word.

I was at Kristin's talk. The range with a standard cheap-ass reader is a few cm. With your own higher-power add-on (13.56MHz is right next to the 14MHz amateur band for which you can get off-the-shelf gear), it's tens of feet.

Also the CVV number it gives you works for one use only.

So you perform multiple reads and get one CVV per read.

Re:Is this news?

[Khyber]

"That would be pretty silly, and rather conspicuous. They are going to bump up against you."

Never used public transportation, I see.

Re:Is this news?

[Grishnakh]

I take it you've never ridden a subway during rush hour?

Re:Is this news?

[Grishnakh]

I once worked for Tektronix, back in the 1990s when they were pioneering this technology.

Ah yes, back when Tektronix was a pioneering company, instead of a pathetic has-been bought out by Danaher.

Re:Is this news?

[ottothecow]

Yeah, but the door reader is designed to only work from close, intentional scans. It would be a huge security risk if the scan would go any time a card passed within a few feet of the door--just wait for (or trick) someone into walking near the door and fake swipe your own wallet as you walk on through like you belong there.

If you wanted a long range unit, you would just have to pump more power into it (IIRC RFID chips power themselves from the EM waves output by the reader device so sending more power out gets a stronger signal back). You could probably put out enough power that you might even damage cards that you make contact with (not like a criminal cares about breaking FCC restrictions) but it would let you pick up info from cards a reasonable distance away.

Re:Is this news?

Or he could just keep enough money in the account.

Re:Is this news?

[Marxist+Hacker+42]

Actually, that was the END of my contracting there- when Danaher bought them out, cut the employment in Beaverton from 20,000 to 500, and started renting out 3/4ths of the campus.

Re:Is this news?

[n7ytd]

Or he could just keep enough money in the account.

This is hard to do if the thief doesn't tell you how much he plans to attempt to steal from you beforehand. The lack of the use of your money is the biggest reason (in my mind) to use a credit card instead of a debit card.

Re:Is this news?

[n7ytd]

The idea of contactless credit card payments was that the reduced costs due to increase in transaction speed would more than make up for any increases in fraud.

I thought that one of the goals was to reduce the potential for fraud by making it more difficult to duplicate the card?

Re:Is this news?

[SQLGuru]

Those "printed" codes are getting closer and closer to embossed. A recent card I received (technically it's tied to my FSA) has a CVV number that I can read from the front with the correct angle a light source. I'm sure a photograph of that same card could be processed with GIMP to make it readable as well.

Re:Is this news?

[Bob+the+Super+Hamste]

Yet my RFID enabled work badge seems to work within a 2-3 inches (5-8 cm for the rest of you) of the reader, now in a crowded elevator that would easily within range.

Re:Is this news?

[mjwx]

Why is it "hyperbole" if somebody can drain hundreds of bank accounts wirelessly with a $50 device?

To me that sounds more like "panic stations, block all cards now!!"

Just because Paypass/wave is limited to A$35 per transaction doesn't mean one cant do a lot of damage. That money, at least in Australia must be returned to the rightful owner in the case of fraud, this means that the money comes out of the banks bottom line which must be made up in the only way a bank knows how, higher fees. So there is a net cost to everyone when it comes to fraud.

With a lot of online stores all you need is the card number and expiration date (no CVV), there is no $35 limit here.

Also, I am confident this will only be the first of such exploits. There's a lot of money in it so the research will be there. Eventually they'll be forced to put in a form of user authentication on there.

Why anybody needs RFID credit cards is beyond me anyway. Is it sooooo hard to swipe a card through a reader?

They need them because Visa and Mastercard can charge a higher merchant fee for Paypass/wave then they can for an ordinary transaction.

Merchant fees are how credit cards make money for their owners (the banks, not you). Merchant fees are invisible to the average card user as they have to be built into the price of goods. The higher the fees for the merchant, the more goods cost for you.

Re:Is this news?

Use Google wallet and a Nexus 4S. At least you need to type your pin and then the send payment button on the phone before it will send payment data. Not something a RFID credit card has the ability to do. I use mine all of the time and instead of having it tied to a credit card, I use a credit card to charge up the built in Google payment card. Worst case, they drain up to what I have it filled to.

Re:Is this news?

Not to be the bearer of bad news, but the Chip+Pin ALSO does this.

Allow me to demonstrate: http://code.google.com/p/javaemvreader/

Application
                        AID: a0 00 00 00 03 80 10
                              RID: a0 00 00 00 03 (Visa International [US])
                              PIX: 80 10
                        Label: PLUS
                        Preferred Name:
                        Application Effective Date: Fri *** 01 00:00:00 PDT 20**
                        Application Expiration Date: Fri *** 30 00:00:00 PDT 20**
                        Application Version Number: 140
                        Application Currency Code (ISO 4217): ***
                        Issuer Country Code (ISO 3166-1): ***
                        Application Transaction Counter (ATC): 6
                        Last Online ATC Register: 0
                        PIN Try Counter: 6 (Number of PIN tries remaining)
                        Cardholder Name:
                        Primary Account Number (PAN) - 4***************
                              Major Industry Identifier = 4 (Banking and financial)
                              Issuer Identifier Number: ******
                              Account Number: *********
                              Check Digit: * (Valid)

There's the Card number, there's the expiry date. The card data this comes from is not an actual VISA card, rather it's a ATM/Debit card, and there is no physical name on the card.

So as I just demonstrated, if I have a computer with a 20$ card reader, I can pop your card into it, and get enough information to create a fake magstripe card with. It takes only one second, which is no different from other card skimming techniques. This is why if you have a chip card, you never let it out of your sight.

Re:Is this news?

[zoloto]

false. I've build my own reader, sat at the front of the bus and was able to glean 90% of the people who had cards with this. Both cc and bus fare cards.

Re:Is this news?

[Niedi]

In our institute the higher powered readers will read your card from more than 50cm away. Pack the bulky equipment in your backpack, get in the tube during rush-hour and that's it.

Re:Is this news?

[AK+Marc]

Enough for what? I've bought two cars on credit cards (paid off first month, no interest, but lots of bonus miles). You are saying that I should keep an extra $100,000 in my checking account on the off chance that the bank gives away two cars and asserts it was my money they gave away?

Re:Is this news?

[mosb1000]

Are you deliberately misreading me? I said that slowly approaching you until they read the card successfully would be conspicuous. I was specifically saying that bumping up against you would be the way to go, because it would not be conspicuous.

Aluminum Foil in the Wallet

That is why I have lined my wallet with the aluminum foil that I had left over from making my hat.

Re:Aluminum Foil in the Wallet

They also discussed in the same presentation that most of the foil coverings you can buy to protect your credit card don't work since unlike faraday cages they are not grounded

Re:Aluminum Foil in the Wallet

[cvtan]

A Faraday cage need not be grounded. http://en.wikipedia.org/wiki/Faraday_cage

Re:Aluminum Foil in the Wallet

[Lord+Lode]

Then what you need is aluminium foil AND a metal tail touching the ground.

Re:Aluminum Foil in the Wallet

[tibman]

i have a copper-like envelope and can't scan the card when it's inside. It came with the card so i have no idea what brand or material.

Re:Aluminum Foil in the Wallet

[FictionPimp]

I have a RFID blocking wallet. My security badge for work will not scan when inside the wallet (but it will scan inside all my co-workers wallets and my old wallet).

Same price as a normal wallet and not a bad investment.

Re:Aluminum Foil in the Wallet

[_0xd0ad]

Grounding a Faraday cage accomplishes two things:

1) The cage is made from a conductive material. If a hot wire shorts against it, and you touch the cage, you could be electrocuted. Grounding it is therefore prudent.

2) If anything inside the cage is trying to transmit, it turns the entire planet into its antenna. Your transmission is going to be pretty weak if you're trying to drive a planet-sized antenna with a few milliwatts of power. (Actually, no weaker than normal, but only if you're far enough away from the antenna that it looks like a point-source.)

Note the significant absence of "prevents radio signals from getting into the Faraday cage". It doesn't. Grounding has nothing to do with preventing radio signals from getting into the Faraday cage. The cage's mesh diameter is the only factor that affects which radio signals can get into the cage.

Re:Aluminum Foil in the Wallet

[isama]

I did that when I made my ducktape wallet, but it doesn't block the RFID cards I use every day :( I think I need a copper mesh or something better..

Re:Aluminum Foil in the Wallet

1) Indeed if you are grounded and touch the Faraday cage, you could be electrocuted. On the other hand, if you are not grounded, or if you are inside the Faraday cage, nothing happens.

2) If anything inside the cage tries to transmit, nothing happens outside. The transmission is bottled up inside. The Faraday cage is a barrier between the outside and inside.

Re:Aluminum Foil in the Wallet

[_0xd0ad]

2) If anything inside the cage tries to transmit, nothing happens outside. The transmission is bottled up inside. The Faraday cage is a barrier between the outside and inside.

No.

Re:Aluminum Foil in the Wallet

I have a RFID blocking wallet. My security badge for work will not scan when inside the wallet (but it will scan inside all my co-workers wallets and my old wallet).

Same price as a normal wallet and not a bad investment.

Identity Strong has a good one. http://www.idstronghold.com/ This guy was the first to demo this crime, I believe: http://www.idstronghold.com/news.asp

Re:Aluminum Foil in the Wallet

Great, so now on top of everything else we have to worry about paranoid robo-furries?

Re:Aluminum Foil in the Wallet

[citylivin]

Except now you cant open doors with your ass. That's the best part of having a rfid proxy card!

Re:Aluminum Foil in the Wallet

[LBt1st]

I've drilled holes through the RFID chips in all my cards that have them. No need for silly wallets or wraps.

Re:Aluminum Foil in the Wallet

Later in another presentation someone showed that all those foil sleeves are basically useless for all NFC frequencies. Some sleeves were better at 13.56mhz others at 125khz but none were totally effective and none showed consistent performance at different frequencies.

Re:Aluminum Foil in the Wallet

[BigLonn]

ya, it's always funny till you get your card jack'd for $2400.00, then it acrimony and histrionics time! But, of course, it'll never happen to you, right,,,,,,,,?

Re:Aluminum Foil in the Wallet

[BigLonn]

dude have a heart, publish a link to where you got it?

Re:Aluminum Foil in the Wallet

[FictionPimp]

my wife bought it for me, but a quick google shows me it looks exactly like http://www.thinkgeek.com/gadgets/security/8cdd/?srp=1

Mitigating factors

[Annirak]

Put two of these cards next to eachother, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.

There are numerous ways around this problem. It shouldn't stop people from using the technology.

Re:Mitigating factors

[vlm]

Put two of these cards next to eachother, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.

Stand in line at the convenience store behind victim. Tada, you just got owned.

There are numerous ways around this problem. It shouldn't stop people from using the technology.

Its about as secure as tatooing your social security number on your forehead, then telling people its safe because you need a telephoto lens from over 100 feet, or you can just wear a skimask all the time.

Re:Mitigating factors

[berashith]

The issue isnt being able to mitigate, the issue is that if the CC companies convince everyone that this isnt possible, then they have an easy path to never having to pay out against fraud. They can just refuse to believe this exists, and tell anyone who had their card info stolen that the cause was their behavior, and then never have to honor a dime of repayment. This is enough to let everyone know that theft can occur this way, and liability remains with the CC companies.

Re:Mitigating factors

[hardtofindanick]

Put them in an aluminium card case, and they won't read.

This is not something people typically do. You cant get the majority to store their cards in faraday cages just because of this.

Move more than about 5 cm away from the card and it won't read.

People typically carry their wallets in their back pockets and purses, both of which a hacker can get arbitrarily close to. 5cm is way too much.

Put two of these cards next to eachother, and they won't read.

Care to point to some resources? Because that would mean the fixed readers at warehouses are pretty much useless.

Re:Mitigating factors

[John+Napkintosh]

This is the real concern - not how easy or difficult it is to actually perform the actions, but that the credit card companies are awfully mistaken about it being possible at all. With a flawed fundamental understanding of how the technology actually works, who knows what they may attempt to do with it in the future based on this flawed understanding.

Re:Mitigating factors

[Big+Smirk]

The RFID technology used in credit cards is more based on magnetic fields than electric fields. As such, stacking the cards doesn't help. The magnetic ones were somehow assumed to be more secure because they can only be read from a few inches away. Then again, store security systems use magnetic fields as well and they can read at least 4 ft away.

A Faraday cage is one defense.

Or, burn out the chip and just use the magnetic stripe (best defense). I have yet to use one of these no-contact credit card readers and have never even found a need for it. Technology that makes me less safe.... correction, makes my credit card company more expensive/less safe.

Re:Mitigating factors

[Joce640k]

There are numerous ways around this problem. It shouldn't stop people from using the technology.

Remember the security motto: "Attacks always get better..."

Re:Mitigating factors

[Tanktalus]

What I don't understand is how the CC companies can't be employing anyone with any knowledge in the field. Seriously, they don't have anyone on staff that doesn't have a hobby in this area who could have explained it to them? Or are they just putting a banana in their ear and claiming they didn't hear anything?

Then again, tobacco companies seem to have plenty of people on staff to tell them how safe tobacco is, so I guess I shouldn't be quite so surprised.

Re:Mitigating factors

[Joce640k]

People typically carry their wallets in their back pockets and purses, both of which a hacker can get arbitrarily close to. 5cm is way too much.

Yep, at a Kevin Mitnick conference last year he showed an RFID reader which fit in the palm of your hand (with a wire up the sleeve to the main unit). It worked at more than 5cm, too.

Re:Mitigating factors

[jasno]

I think the point everyone is missing is that credit cards are already utterly insecure. If you haven't been a victim yet you've just been lucky - there are a lot of CC's out there and only so many theives.

The only way to fix it is to block CC companies from writing-off fraud losses while preventing them from passing them onto the consumer. Right now, they perform a cursory 'investigation' only for the purposes of justifying the write-off, effectively passing the costs back onto consumers(taxpayers).

Re:Mitigating factors

[Insightfill]

The issue isnt being able to mitigate, the issue is that if the CC companies convince everyone that this isnt possible, then they have an easy path to never having to pay out against fraud.

It was posted here several years ago that some insurance companies were using the same line to claim that RFID cars were 'impossible to steal' and were refusing to pay out on claims because of it.

Re:Mitigating factors

[Tsingi]

Put them in an aluminium card case, and they won't read.

This is not something people typically do. You cant get the majority to store their cards in faraday cages just because of this.

I have one. I know lots of people who have them.

Re:Mitigating factors

It's about as secure as keeping your wallet in your pocket, then telling people it's safe because you need to reach into your pocket to steal it.

Everyone has a level of risk they're comfortable wth, and if what the GP says is true, I'd be perfectly accepting this for the convenience it provides. Doubly so as card fraud is a risk for my bank, not me.

Re:Mitigating factors

[glodime]

The only way to fix it is to block CC companies from writing-off fraud losses

This doesn't make sense.

 

while preventing them from passing them onto the consumer.

This doesn't seem possible.

Right now, they perform a cursory 'investigation' only for the purposes of justifying the write-off, effectively passing the costs back onto consumers(taxpayers).

The "cursory investigation" is just a means to determine the legal indemnity for the cost of the fraud. i.e. does the merchant, customer, issuing bank, transaction possessor network (e.g. VISA) or an insurance company pay for the fraud? The merchant pays most often. Customers are almost never charged. This however says nothing of the global incidence of the cost, which may be influenced but probably not entirely controlled via statutory means.

Re:Mitigating factors

[Captain+Hook]

They are working on the basis that potential fraud will be less than the cost to improve the security.

It's why wireless/pinless transactions are limited to £15 and what ever the limit in the US is.

Re:Mitigating factors

[sjames]

Since the only way to be safe is to have a special shield so you have to take your card out to use it anyway, it might as well ditch the near field and go back to contact only.

The new technology gains you nothing (it actually cost you the price of the special case) and exposes a lot of people to fraud. (which still costs you since those losses are recouped through fees that show up on the retail price).

Re:Mitigating factors

[mcsqueak]

Exactly, this technology gains you nothing and exposes you to more potential fraud vectors. I don't see the point - I'd rather swipe my own card through a standard pad and type in my PIN. I'm already standing there; I don't need some stupid tap technology to go "DURRR, IT TOOK MUH MONEY AND I DIDN'T EVEN HAFTA ENTER MUH PIN!!".

The one place I think contactless cards make a difference is in transit systems. While in Japan I used the refillable PASMO card, and it was nice to be able to tap my wallet on the train "turnstiles" to go though, I hardly had to reduce my walking speed. I could also use it on buses, rather than cash. However I have no comment/knowledge on the security of those, or potential vulnerabilities that may exist.

Re:Mitigating factors

[sjames]

The transit card is a special case. I imagine it's no more secure than the credit card, but it has the advantage of being a much less valuable target and the results are harder to exploit en-mass. I steal a token for a ride from you, so I can now take 1 ride on the mass transit system. In a few months, I can possibly recoup the cost of the gear I used to rip you off.

Re:Mitigating factors

[AK+Marc]

The "cursory investigation" is just a means to determine the legal indemnity for the cost of the fraud. i.e. does the merchant, customer, issuing bank, transaction possessor network (e.g. VISA) or an insurance company pay for the fraud? The merchant pays most often. Customers are almost never charged. This however says nothing of the global incidence of the cost, which may be influenced but probably not entirely controlled via statutory means.

I think the point was that they investigate just enough to determine whether it was a lent card that was used with authorization, or a systemic abuse/leak from a merchant/processor, but no actual investigation to find out who did it and how is ever done. They just line up the top 3 reasons, look at those, and if it isn't one of those, file it in the "too hard" bin and increase rates and fees to cover the cost. If they were fined the amount of the loss (payable to a charity in the state of the people who "owned" the account compromised) and the police encouraged criminal investigations into every fraud report, then fraud would mostly stop. The fines would make them think twice about the "security improvements" of RFID and such that are worse, in many cases, than the original. And actual criminal investigations (tracking signatures, looking for store CCTV footage and such) would make it clear that fraud would be bad. Instead, people who steal a wallet and rack up $10,000 in charges get away with it in almost all cases (and likely would even if they used it for an Amazon purchase delivered to their real name and real home address).

Nobody cares about credit card fraud. Allowing a low level of easy fraud is cheaper than stopping it, and it mainly inconvenient for the end users. So nothing will happen unless the end users pressure the government to make regulatory changes. Either that, or suing the credit bureaus for inaccurate information actually worked. Why yes, I've had incorrect information end up on there, and not get removed when properly challenged (it was noted I owed Sham Company A $$$$ - Sham company failed to fulfill its contract with me, so I failed to pay them and had a letter from them indicating that they were OK with that. But 5 years later, the "debt" was sold, and the collection agency believes I owe sham company $$$$, so it stays on my record when challenged). Everyone knows the system has major flaws, but it's better than most of the alternatives, so nobody wants to improve it.

Re:Mitigating factors

[vlm]

people who steal a wallet and rack up $10,000 in charges get away with it in almost all cases (and likely would even if they used it for an Amazon purchase delivered to their real name and real home address).

Sometimes I wonder about that. Many years ago, well, about 20 years ago, I worked retail management at a locally owned supermarket and we received otherwise apparently serious job applications from juveniles who were busted for credit card fraud applying to be cashiers. Yes, we did take credit cards. Always wondered what those kids were thinking, if they thought they were criminal masterminds or if they thought we were idiots. Probably both.

Re:Mitigating factors

I've only seen one person with their cards in a Faraday cage, and that's my wife; she uses a metal cigarette case to hold her cards (it's just about the right size and shape for standard credit cards and other such sized-cards, just a little oversized). It has a big skull on the front, and she gets a lot of comments about it. She's not really a conventional woman, and if things had gone just a little differently in life for her, probably would have been a biker or something (in fact, I think she got this thing from some local art fair from a booth selling biker-type stuff--leather, skulls, that kind of thing). Everyone else I've ever seen has a more normal wallet, made of leather or nylon.

Re:Mitigating factors

[bcmm]

Move more than about 5 cm away from the card and it won't read.

... if for some reason you are a fraudster with some sort of objection to violating specs and potentially created temporary interference. Otherwise, crank up the power!

Re:Mitigating factors

"Put two of these cards next to eachother, and they won't read."

Not true actually, they will still read quite well. The technology allows for the reader to select the card it wishes to communicate with if more than one is present.

Re:Mitigating factors

[Tsingi]

Since the only way to be safe is to have a special shield so you have to take your card out to use it anyway, it might as well ditch the near field and go back to contact only.

The new technology gains you nothing (it actually cost you the price of the special case) and exposes a lot of people to fraud. (which still costs you since those losses are recouped through fees that show up on the retail price).

I didn't ask for the rfid on my card, they made me take it. I'm not defending it, I'm keeping it in an aluminum case.

Re:Mitigating factors

[sjames]

I realize that, I'm just reasoning that their decision is in no way shape of form a good one. It's all downside.

Re:Mitigating factors

[mcsqueak]

The only exception to this, I think, would be when transit cards are connected to debit cards or bank accounts, to auto-refill when your transit pass runs low. You could potentially siphon money from someone's account that way, but safeguards could be in place (such as the transit company not authorizing any transactions that would result in the purchase of more than "xx number days worth" of transit fare, for example.)

Re:Mitigating factors

[sjames]

There would potentially be more damage there, but only if the damage rather than financial gain was the motive (you still could only spend the tokens on transit). At least it would be fairly obvious that the card holder didn't actually board 100 buses in a single hour.

FUD

[OverlordQ]

In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to used in the order they’re generated. If a payment processor that detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of a the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

You should be more worried about waiters and cashiers then somebody in a crowd grabbing your data.

Re:FUD

[rgbrenner]

There are still plenty of online sites that don't require the CVV at all... And if you can use a card-magnetizing tool, then you could use the card at any physical location. Can't remember the last time a cashier looked at my card or asked for the CVV.

Re:FUD

[OverlordQ]

Can't remember the last time a cashier looked at my card or asked for the CVV.

Because that information is on the stripe.

Re:FUD

[Dr_Barnowl]

Untrue ; waiters and cashiers will eventually get busted by data mining - you just need to correlate the transactions that pay for food and note the common location, then go through their time cards.

Whereas with wireless, you could collect the data in a location not covered by security cams, and transmit it, encrypted (how ironic) to avoid detection, to another location where payments are processed. A crowded subway car would be ideal - people are not going to be using their cards, and it's the ultimate in cultured anonymity - everyone goes out of their way not to notice anyone else.

Re:FUD

[Dr_Barnowl]

The CVV1 is on the stripe, the CVV2 code is not on the stripe - it's the second code on the signature strip.

In many countries in Europe, it's mandatory to provide the CVV2 code for authorization of "cardholder not present" transactions. Online retailers that don't ask for it now make me nervous.

Re:FUD

[gandhi_2]

You are more likely to die of heart disease than cancer.

So what?

There may at least a paper trail when a cashier is involved.

Re:FUD

If some don't ask, then they don't know. And if they can make a transaction anyway, then it is moot... so why have it to begin with?

Re:FUD

[arcctgx]

Modded you down by mistake, posting to undo... Sorry.

Re:FUD

[quietbob]

The merchant can make a transaction without the CVV, but they will almost certainly be charged a higher fee by the card company for doing so. Also, asking for the CVV goes some way towards reducing fraud since it eliminates any bad guys who only managed to get the PAN & expiry date, e.g. by swiping the track data since CVV2 isn't on the magstripe. This is very much in the merchant's interest since generally they are the ones who lose out if the transaction is fraudulent.

Re:FUD

[sjames]

So you then tell it to someone somewhere. You know not who or where but it makes you feel safe?

Re:FUD

[Uhyve]

Probably in case you're doing business with a person or a business outside of Europe. Though yeah, the fact that the transfer gets through without CCV2 does make the whole thing pretty pointless, except you at least know when you're dealing with a dodgy site.

Re:FUD

[sjames]

Or they're smart and pass the numbers on to someone else who collects the info from many waiters and runs charges the next day.

Re:FUD

[suomynonAyletamitlU]

Err. The point is that they MADE a normal, magnetic strip card out of the data.

Assuming they can pass off a forged swipe card (by for example, using the self-swipe stations at many retail stores, where nobody looks at it), that particular security device does jack shit.

Re:FUD

[tlhIngan]

Can't remember the last time a cashier looked at my card or asked for the CVV.

I do. It was the last time I swiped my card - you hand your card to the cashier, they swipe it, and then they looked at the back and key in the CVV.

I know this because I've seen them and know my CVV so I can tell what keys they're hitting.

Actually, it was a bit more involved. The cashier had to enter in the last 4 digits AND the CVV.

Re:FUD

You misspelled "crooks".

And why bother trying to use the data to make a purchase. just stick one of these near a subway escalator and increment everyone's transaction count by 1 and NONE of them will be able to buy lunch....

Re:FUD

[the_raptor]

They still get busted regularly by this as it is trivial for a CC company to run an analysis and find the common factors amongst multiple stolen numbers.

Sure in theory you could dilute the numbers enough to make this kind of tracking infeasible, but most low-level criminals are too stupid and lazy to run a secure scam. Smart criminals either never touch the money and run things from the dark, or they go big into corporate crime.

Re:FUD

[sjames]

The really high end criminals are called CEO and run multinationals into the ground for their own benefit. They are generally serial offenders.

Criminals come in all IQs and degrees of cunning. The dumbest of the lot end up on cops. The smartest (or at least best connected) get bailout checks from their buddies in Washington. In between, some are caught and many never are.

The Obvious Solution*

[nick357]

Put her in jail for teaching others how to defraud the public!!!!

* Obvious to the credit card industry

This is sort of old news.

[MrCrassic]

Its been well known that RFID cards are suspectible to this kind of threat. The only reason why jammers and blocks havent been enforced as much is because there haven't been enough cases of this happening to justify wide-scale enforcement. I really like the convenience of contactless payment systems and hope jammers and guards become ubitquitous enough for banks to provide them along with these cards.

Re:This is sort of old news.

So how the hell is it more convenient? The only convience I found was that I don't have to replace it when the mag stripe wears out, except that I do because not all POS termianls I use are RFID. I'm going with the assumption that in bumfuckia I live in there's a negligible risk of skimming it. However, riding the subway or going to a movie would be a beautiful place to give it away. Directional antennas are easy and cheap.

Re:This is sort of old news.

[dargaud]

Maybe I'm out of touch, but it's the 1st time I hear of RFID credit card. WTF thought that this would be a good idea ? Is it a US only thing ? If so it means that the US went from (easy to copy) magnetic only credit cards to (easy to copy) RFID cards without the intermediate step of (hard to copy) chip card which are in use everywhere else. I knew that at the begining it was to avoid paying royalties to the french inventor, but come on, the patent has now expired, get on with it !

Re:This is sort of old news.

Uh, better idea: (1) require the owner of the credit card to activate explicitly for each transaction (either just pressing a button on the card or somehow typing a pin into the card) so you can't skim the RFID when the card is just sitting in your pocket and (2) use some actual crypto so replay attacks like the one in the article don't work.

Re:This is sort of old news.

[PCM2]

Maybe I'm out of touch, but it's the 1st time I hear of RFID credit card. WTF thought that this would be a good idea ? Is it a US only thing ?

I'm from the U.S. and I've never heard of such a thing either. None of my banks has ever mentioned to me that they were sending me a credit card with an RFID chip. None of my cards have any obvious evidence of having such a chip in them.

Glossing over one problem...

[Shoten]

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction. The reason we think that’s the case is that it’s very difficult to monetize this as a criminal,” says Vanderhoof. “The premise that this is a new threat is absolutely false and isn’t supported by [Paget's] demonstration.”

In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to used in the order they’re generated. If a payment processor that detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of a the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.

Re:Glossing over one problem...

[RichMan]

You don't need a big field. You need a high gain directional antenna. Preferably one made by beam forming that could be steered to sweep a room.
High gain directional beam formed steerable antennas and control hardware are mass produced and small enough to go in handheld devices.

An 802.11n basestation is an example of a steerable beam forming device that could suit the purpose.

Re:Glossing over one problem...

[barc0001]

"with this attack you MUST be the next person to use the card's credentials." "the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base"

Because it's impossible to build a rig that fits in a briefcase or backpack that scans cards within a meter or two of the holder and automatically runs scripted transactions as soon as a card is detected in range, right?

Just because it's not AS bad a picture as the doomsayers are painting as a worst-case scenario doesn't mean it isn't ripe for exploitation.

Re:Glossing over one problem...

[oneiros27]

So we'd have to funnel people through a chokepoint to isolate them ... and it might not work if they had more than one RFID enabled card in their wallet? And then you have to use it quickly, like this was done (while still on stage), rather than waiting for the person to try to make a legit transaction.

I'm guessing that someone standing near the entrance to a subway system could work within those restrictions well enough that even if they got less than 1% success rate per person entering could still turn a nice little "profit" during rush-hour.

Re:Glossing over one problem...

[DeadCatX2]

with this attack you MUST be the next person to use the card's credentials. If not, the attack fails.

Implicit in this statement is the assumption that the hacker will be unable to discover the sequence of CVV codes based on the one they have right now. Given Sony's epic failure to implement proper encryption on the PS3, are you willing to take the chance that the CVV code generation algorithm will remain a secret forever?

Re:Glossing over one problem...

[Shoten]

You need a big field. You're confusing reading a signal from a card with energizing the card in the first place. The cards have no internal power source; they start up when they are in an induction field that is generated by the reader. These fields are very weak...so it doesn't take much to power the card, but on the flip side, the cards can't handle much because of the need for them to operate at low power levels. And even if you could shape the field to a beam, it still remains a range issue. You can't energize the card 20 feet away without frying the one that is 3 feet away. Oh, and good luck being subtle while waving a high gain directional antenna around...swinging a YAGI around isn't the pinnacle of being surreptitious.

Re:Glossing over one problem...

[Princeofcups]

So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.

You've never been to a train station have you? Or sat outside at a coffee shop? Or sat in a car at a busy mall? Sounds pretty trivial to me. Wait for a good signal to walk by, swipe and swipe. Wait for next good signal. Rinse and repeat.

Re:Glossing over one problem...

[realisticradical]

Still:

It wouldn't be too hard to come up with a scheme to steal a bunch of cards and use the number immediately. You just hook the scanner up to a device that can make purchases at the same time the scan happens. Heck, build it into some sort of anonymous money scheme paypal account where you pay yourself and you could simply steal money. (Quick note, I don't know if or how anyone would actually do this but there must be ways.)

Beyond that it seems a bit to me like the real reasons there aren't recorded instances of stolen credit cards via RFID is that it's pretty technically complicated and thieves (at least the first world variety) and engineers aren't the same people. Also just because it hasn't been found doesn't mean it hasn't happened. How do you tell that the guy who stole your credit card did it with an RFID scan vs that he was your waiter or gas station attendant or something.

Finally, one time use CVV codes is fine but I would think that the 16-digit number and expiration date is enough to at least get some money off the card.

Re:Glossing over one problem...

[CimmerianX]

>> the cards are set to offer up a one-time CVV code with every scan

Wait, I thought RFID only offered up static information. Does this infer that the cards have some sort of logic onboard to generate these 'one-time codes' and have create a new code on every scan that matches up with its processor? How does this effect an inadvertent scan, do the codes get all out of sync? Is there resync logic as well? How would this be handled throught payment processors and 3rd party clearing houses?

Now, someone enlighten me on this if it's true. But this sounds to me like total bullcrap.

Re:Glossing over one problem...

[Big+Smirk]

A big magnetic field... or a choke point, like a door to the conference center.

Re:Glossing over one problem...

[Yakasha]

So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails.

Not hard to have a scanner & processor working at the same time.

It's not quite as bad as they make it out to be here.

Perhaps financially for individual consumers, but it can be a huge problem in other ways. Wouldn't it suck if your RFID enabled credit card & passport were read at the same time and you purchased a 1-way ticket for some terrorist (Does Godwin's law include terrorism references yet?).

Naturally restricting the liability to just a couple (or 1) transaction means individuals will not be out a lot of money. But it can still cause problems for the credit card company if a large number of people are hit. For poor individuals, even $50 1 time just as they get to the supermarket can be devastating.

Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals.

No, you just stand at a high traffic point and use a weak field to get the cards right next to you: Union Square, public transit, shopping malls, airport.

Re:Glossing over one problem...

[fahrbot-bot]

You need a high gain directional antenna. Preferably one ... could be steered to sweep a room.

Say... Is that a high gain directional antenna in your pocket or are you just happy to see me?

Re:Glossing over one problem...

In a crowded area, I'd have no trouble holding a briefcase near enough to dozens of wallets very quickly. I could have a fairly large coil in there and a nice decent yagi if I felt I needed to increase the range some.

Re:Glossing over one problem...

Also, a yagi is a far field antenna and this type of link (for the credit cards) is only inductive. They do NOT have UHF RFID chips in them. You just are not going to get farther than a 1m reading these cards. The idea of high directionality does not really apply to coils as it does to far-field antennas.

Re:Glossing over one problem...

[Big+Smirk]

Both, wrong... you less so.

The credit cards use an induction form of RFID. The wavelengths in question are very long - would require a big antenna to transmitt and an equally big antenna on the card to receive.... well the cards aren't big enough. So you see this spiral pattern (inductive loop) that is the antenna.
YAGI won't do it. You need something more along the lines of the magnetic sensors as you leave a store (EAS - Electronic Article surveillance).

Credit cards are 13.56 MHz RFID. That's a wavelength of ~75ft. Not going to hide that YAGI very well....

Nope, inductive loops. That's why it only works over about a meter because the strengths of the magnetic fields.

Re:Glossing over one problem...

[Dr_Barnowl]

It would be easy enough to swing around a YAGI antenna from the confines of a mesh hide - net curtains would be enough to conceal a distant antenna spook from view without obscuring his view of potential targets.

Combine a YAGI with an invisible laser rangefinder to set the power and you have yourself a range-safe power snooper for RFID cards.

Re:Glossing over one problem...

[Joce640k]

Those codes can only be used for one transaction, and have to used in the order they’re generated.

So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here.

Ummm....yes it is. Being the next person use the card isn't very difficult if you can do it via an iPhone. The chances of somebody using their card in the ten minutes after you grab their details is very small.

Re:Glossing over one problem...

I see you lack the creativity that we see from these scammers on a daily basis. For one, since you are lacking the understanding of how a digital transmission works, scammer A with the RFID scanner, captures the card, transmits the data via a cellular network to scammer B, miles across town (state, country, etc) where scammer B replicates the card and uses it, all while the victim is still held. As for the snifing the entire room, you're probably correct, with the "at once" statement, but substitute "in one sitting" and its entirely plausable and even easy. Since most people will enter an auditorium through a select number of entrances passing by the sniffer individual. You then have a captive audience for upwards of an hour plus (depending on the lecture). Not many people will be utilizing their cards at this time, thus giving you a large enough window to defraud the entire audience. Is it easy no, can it be done, I think that's rather obvious. Are you concerned? I myself don't carry one of these cards, but there are shielding options. If anything I believe this should be like a Checkbook. (i.e., here's our Aluminum shielding sleeve to protect your card, pay more for additional options). Granted I don't trust RFID that far, and don't stand behind it one bit as a platform for anything other then inventory tracking. Just my 2 penny's.

Re:Glossing over one problem...

[Rary]

with this attack you MUST be the next person to use the card's credentials.

I don't know about you, but I don't use my credit card every day, but I do come into contact with strangers every day. If someone were to sit next to me on my morning bus ride to work and read the card in my wallet, they'd have anywhere from as little as four hours, if I happen to go shopping at lunchtime, to as much as a few days to put the information to use.

Re:Glossing over one problem...

[Captain+Hook]

And yet the card readers at stores are still the same size as normal chip and pin card readers. Like a very chunky PDA.

Besides, scanning a room is a stupid way to do it, everyone has to walk though a narrow door to get into the room, stick the reader near the door frame.

Re:Glossing over one problem...

[sjames]

It's not exactly hard to relay the info over wireless and run the charges from elsewhere as you scan the cards. There's a good chance the scanner will be connected to a cellphone anyway so that next step is painfully obvious.

Re:Glossing over one problem...

"If a payment processor THAT detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim OF A THE scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked."

Huh?

Re:Glossing over one problem...

Does this infer that the cards have some sort of logic onboard

no, it implies it. you infer it.

Re:Glossing over one problem...

[sjames]

Directional antennae don't all look like a yagi anymore. These days it's done synthetically through signal processing. Who cares if you energize the card 3 feet away and the one 20 feet away? They will be out of phase, so you can read both. Unlike in the primary application, it doesn't matter if you read 100% of the time or even 50%, just so long as you get a few good reads for your trouble. In fact, the statistical; nature of the reading makes it harder to correlate your location and the frauds.

Re:Glossing over one problem...

Nah. TSA security airport lines (at least in the USA). Up close, personal, all the time in the world, and a somewhat wealthier and higher-tech clientele.

Getting your reader box through the security at the end might be a little trickier - Put it into a box labeled 'Scientology E-Meter' or pretend a bathroom emergency when you near the head of the line.

AC

Re:Glossing over one problem...

Oh, and good luck being subtle while waving a high gain directional antenna around...swinging a YAGI around isn't the pinnacle of being surreptitious.

In other news, Propeller Hats have made a comeback.

Re:Glossing over one problem...

[Myopic]

+1, Elementary Composition

Re:Glossing over one problem...

[Grishnakh]

So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here.

No, this really is as bad as it's made out to be. From what I've read above, the attacker has to be the next person to use the card's credentials from the RFID part, not just any credentials. So if the cardholder gets his credentials stolen, and then uses the card for a whole month but only using the magstripe (for in-person transactions) or the CVV2 (for online transaction), and never uses the RFID part ("paypass"), then the attacker will still be able to make fraudulent charges.

I don't know about you, but I've NEVER used Paypass or other RFID charging schemes. My business Amex has this chip, but I've never made use of it; I only use the magstripe and the CVV2 as outlined above. I actually don't even know where to use Paypass, maybe some gas stations. Since almost everyplace that takes credit cards uses magstripe readers, I've never felt the need for this wireless thing. So if someone stole my card's credentials, they could easily run up tens of thousands of dollars worth of charges on my employer's account.

Luckily, it's only my business Amex that has this stupid "feature" embedded in it. My personal cards don't seem to have any such thing. If my employer gets hit, that's their problem, not mine, and they'll have to talk with Amex about not issuing these stupid cards.

Re:Glossing over one problem...

[Grishnakh]

Who cares, 1 meter is far more than enough. Just walk around with a briefcase in a NYC subway station or down a sidewalk there and you'll have more card numbers than you know what to do with.

Re:Glossing over one problem...

[n7ytd]

In a crowded area, I'd have no trouble holding a briefcase near enough to dozens of wallets very quickly. I could have a fairly large coil in there and a nice decent yagi if I felt I needed to increase the range some.

That sounds like a lot of work. I'd just stick the skimmer under the bench at the bus stop. Let the victims come to me!

Re:Glossing over one problem...

Wait, I thought RFID only offered up static information. Does this infer that the cards have some sort of logic onboard to generate these 'one-time codes' and have create a new code on every scan that matches up with its processor?

Why not just store a static list of a few million codes? The only onboard logic you need is a counter to go to the next one.

Re:Glossing over one problem...

[kevmeister]

The "Smart" in SmartCard indeed means that they are smart. The ones we use at work are programmable, run a tiny OS, and can be logged into (after a fashion). The CPUs do real crypto using RSA. A SmartCard has flash to store data, so a one-time key (like CVV2) is not hard at all. My SmartCard can generate an SSH key-pair and does not ever release the private key. It does the RSA challenge-response operations allowing secure login to a standard SSH client.

While I don't know if the CVV stuff is true, it is certainly possible.

Re:Glossing over one problem...

[mjwx]

Credit cards are 13.56 MHz RFID. That's a wavelength of ~75ft. Not going to hide that YAGI very well....

High vis vest, safety glasses, work boots, who's going to question it. If they do, "I'm with the council ma'am, we're just measuring ambient noise, nothing to worry about." or "I'm from the phone company, just testing signal strength ma'am, nothing to worry about"

There are a dozen ways to hide something strange, not the least of which is to ignore it, If you see someone walking around with an antenna on their back do you think he's stealing your secrets or not right in the head? A big part of any attack is social.

Anyway I'll be displaying my modern art masterpiece in the mall this weekend, I have a feeling this hunk of metal is going to earn me a fortune.

Re:Glossing over one problem...

So what you are saying is that we need very smart criminals ...

uh... like the ones that build skimmers for ATMs? Perhaps the ones that hack websites and steal card numbers?

Most countermeasures work until they don't. This industry is about not being the weakest target.

Re:Glossing over one problem...

It wouldn't be too hard to come up with a scheme to steal a bunch of cards and use the number immediately. You just hook the scanner up to a device that can make purchases at the same time the scan happens. Heck, build it into some sort of anonymous money scheme paypal account where you pay yourself and you could simply steal money. (Quick note, I don't know if or how anyone would actually do this but there must be ways.)

Even better, a system which automatically makes $5 donations to a political campaign or non-profit that you dislike.

Use a Faraday Cage wallet

[Woil]

I've been using a Faraday Cage wallet and passport holder by DIFRwear: http://difrwear.com/ for several years now. I don't work for them, but with the very cheap wallet prices and sturdy construction I've been very pleased with the products. I can testify that they do work as I have an RFID key card and it won't activate the door if in the wallet.

Re:To gitmo!

They don't have the opportunity to molest her, thus the lack of interest.

She used Teh iPhone!1!!

[Oh+Gawwd+Peak+Oil]

Since this is Slashdot, with its misleading sensationalism and all, I'm surprised they didn't title the headline: "iPhone Allows Easy, Wireless Credit Card Fraud."

Re:She used Teh iPhone!1!!

[chrish]

If she'd used a BlackBerry it would've certainly been "BlackBerry Allows Easy, Wireless Credit Card Fraud."

4th Dimension Attack Vector

[hantarto]

I am think that if RFID-enable credit card is present at known point in spacetime, attacker need only to go to that point in space and then move card reader along fourth dimension axis until card information can be read. The banks should really giving solution to this problem soon I hope so they will.

Re:4th Dimension Attack Vector

[Culture20]

I am think that if RFID-enable credit card is present at known point in spacetime, attacker need only to go to that point in space and then move card reader along fourth dimension axis until card information can be read. The banks should really giving solution to this problem soon I hope so they will.

You just described a dude sitting on the sidewalk (moving through time) until cards come to him.

Re:4th Dimension Attack Vector

[hantarto]

You are suggest one possible way for this to be working yes, but one must know that card will arrive on sidewalk and exactly where. Better to put card reader device near point of sale machine and then alter it position along fourth dimension axis I am think. But I believe you are getting the idea my friend, haha!

And in other news...

[Darkness404]

And in other news anytime you take your credit card out to do anything and it is out of sight for a moment people could record your number, expiration date and your security code and then use it to buy things using your credit card. But of course we won't worry about that because technology is SCARY!!! Despite the fact that this doesn't work if you:

Have more than 1 credit/debit card with an RFID chip.

Aren't really close to the card.

Store your card in an aluminum wallet.

Sure, it is possible, but we focus so much on the possible technological side while totally neglecting the fact that people could quite easily just record your credit card info when you pay for things.

Re:And in other news...

[Baloroth]

However, when people record the info when you pay for something, that person becomes directly traceable. I.e. if the police look into the matter, they can almost certainly quickly find out who is responsible. The RFID method is completely 100% anonymous (unless you memorize the faces of everyone you pass on the street, and even then you simply will not be able to trace down the person responsible). This adds a psychological, if not a real, barrier to CC skimming for employees.

The RFID system is quick, anonymous, and can collect potentially hundreds of cards in a matter of hours, just by standing at a subway station with the right equipment.

Re:And in other news...

[Rary]

I must've missed the part of the article where it said "don't worry about any other form of credit card theft, because this one is all that matters".

This is yet another potential attack. Other attacks are well documented. The fact that those other attacks exist, or even that many of them are more likely to occur, does not in any way mean this threat should not be publicized so that it can be mitigated.

I have one card with a chip. I wander through busy public areas daily where multiple strangers brush past me while I'm carrying that one chipped card. I, like the vast majority of people all over the world, do not have an aluminum wallet. Perhaps more people will buy aluminum wallets or take other steps to further minimize the risk, but only if they are aware of the need... which is precisely why this is being discussed.

Re:And in other news...

Umm, no. I've had my cc info compromised 3 or 4 times now and not once has there even been a police investigation. The only entity involved that has the ability to press charges is the store used to purchase stuff with the stolen CC number. How much time and effort do you think it's worth to Wal-Mart to stop even a $500 theft? That's what, 2 hours of lawyer time? Not worth it. So the store doesn't press charges and there's no further investigation.
 
  That story is precisely the reason why I make zero additional effort to protect my CC information. I'm not liable for those things, and I have no control over the CC companies to force them to embrace secure systems. Only the stores do. Aside from a few minutes of paperwork every couple years I don't really have any skin in the game wrt cc fraud.

Re:And in other news...

[Cainam]

The problem isn't that technology is scary, it's that the contactless payment stuff is being billed as MORE SECURE than other ways of using your card. This demo shows that the technology is vulnerable to being exploited with commonly available hardware.

Such 'demos' should be illegal.

[JohnMurtari]

(sarcasm) Well, the obvious solution is to prosecute Randy for violation of some type of copyright/jail-breaking/illegal use law. If we don't have one yet for this -- we can write one quickly! No need to have people worry about this type of stuff. Our economy is in shambles, we need people to use their cards! You can't grow GDP without breaking a few eggs! (/sarcasm)

Square is the big security fail here...

[randomlogin]

The fact that you can make a payment via Square without any form of authentication is the biggest failure here. At least with the RFID payment you've got a cryptographically strong authentication method which is pretty hard to fake. The sooner the credit card companies get rid of the magstripe the better...

Re:Square is the big security fail here...

The authentication would have worked with any and every terminal in which she would have swiped the card. There is no strong security here.

The objective of the new cards is to transfer all responsibility to the cardholder.Your PIN is being recorded at every store by cameras. You are no longer obliged to sign the transaction. How can you prove that you did not use or authorize the use of the card.

I don't have the energy to repeat this argument. I lowered the limit of my cards to a level which I can pay if I am scammed. I don't trust this system any more than the last.

Re:Square is the big security fail here...

[Cainam]

How is Square the problem? They didn't invent the mag stripe.

Real Problem.

[JustAnotherIdiot]

Clearly the problem is the iPhone and eBay.
Hurry, oh wonderful American government, censor both of these things!

No PayPass? What are your vulnerabilities?

So without that PayPass or other such similar feature, what other ways might a traditional CC be compromised remotely? For a traditional card to be skimmed, it needs to be put through a false card reader to skim the info off the magnetic strip, correct?

If the name Paget rings a bell...

Kristin Paget used to be Chris Paget, famous GSM hacker. With that out of the way, we return you to this awesome hack.

GuardBunny

[guttentag]

The article also mentions that Paget's company is working on a jamming device called GuardBunny that slips into your wallet, complete with a rabbit head logo and eyes that glow (there's a picture on page two) when it's activated. I'm not sure if this is meant to be a humorous Monty Python reference? "Run away, High-Tech Pickpocket! Run away!" Or a creepy Donnie Darko reference? "Why do you wear that stupid bunny suit?" "Why do you wear that stupid smart credit card that broadcasts its credentials?"

That's nothing...

Takes my buddy 10 seconds to pick-lock open a gas station payment terminal, install a skimmer and connect it to the PCB under the keypads.

Within hours he gets card numbers, zipcodes* and PIN.

*zipcodes were put in place by gas companies to help stop unauthorized charges because the owner the card knows their billing zip code and the thief... well these can be picked up by keypad skimmers...

Always pay cash at gas stations people... doesn't matter what type of gas station... only 8 different type of keys are used by the industry open these terminals up (because service techs tend to "lose" them).

Re:That's nothing...

Who needs to read the zipcode? 90% of them are going to be the same zipcode as the gas station unless you pick a station on a turnpike or something.

Re:That's nothing...

I like it when visa gets owned by my stolen cc number. It in no way hassles me.

Obvious fraud opurtunity

[sce7mjm]

I've been warning everybody who gets a new Barclaycard with this "feature" since I first saw it advertised.

My thoughts were somebody selling newspapers at a underground (subway) station swiping everybody who walks past at rush hour. Going home and cashing in on 1000's of £1 - 10 transactions. Not a bad afternoons work.

Re:Obvious fraud opurtunity

[DamonHD]

I haven't been able to get Barclaycard to issue me a personal credit card without NFC/Paywave/contactless (even after going a long way in their complaints escalation) and thus instead got a card from a different issuer that *doesn't* issue such cards, at least not without asking.

I also find this a ReallyBadIdea(TM), at least not being able to have it turned off, as I frequently travel in crowded areas rips for the sort of proximity attacks described.

Rgds

Damon

Re:Obvious fraud opurtunity

[Pow]

I also find this a ReallyBadIdea(TM), at least not being able to have it turned off, as I frequently travel in crowded areas rips for the sort of proximity attacks described.

You can turn the chip off with a hammer.

Re:Obvious fraud opurtunity

[DamonHD]

But then I can't use it for any other transactions since no one is going to accept the card without the chip working. That was the nub of my complaint to Barclaycard: the whole device is unsafe and I cannot take it out of my house. Maybe I can use it for telephone transactions, the handful I do each year. I already refuse to do Internet-based transactions because of the complete ineffectual crapness of VbV/3DS which makes it very hard for me (even inspecting page source) to see if I'm being phished and doesn't work for me anyway.

Rgds

Damon

What's the point of these?

[twotacocombo]

What exactly is the advantage to these RFID credit cards? All the readers I've seen still require you to get the card close to it to work. Has the world really grown so lazy that we can no longer be bothered to make a vertical swiping motion? I can see the benefit for payment-enabled cell phones or key fobs, but credit cards? Seems like a solution to a problem that didn't exist.

Re:What's the point of these?

[MozeeToby]

Ostensibly, they allow for more brains behind the card than is possible with a magstripe. The current solution is simply a one time use CCV code, if a more recent code has been used it rejects all the codes that came before it, meaning that A) A stolen card can only be used once and B) Not even once if the legitimate user makes a purchase in the meantime. To me, with a bit more processing power, it seems like it should be possible to set up an encryption scheme where the person reading the card only ever sees encrypted data that would go stale in a matter of minutes (and yes, that includes stores). You could probably, of course, still clone the information and process a purchase quickly enough to commit fraud, but doing it on a large scale would be all but impossible.

Re:What's the point of these?

You already recognized one advantage: The same readers can be used with cellphones and other devices acting as cards. Another advantage is that you no longer need to insert the card into the reader in one specific way (label side this way, this edge first...). RFID cards are also cheaper to make than smart cards with contacts, which is what they're superseding, not magstripe cards. And they last longer (no wear on contact pads). And they're more reliable (no contact pads means no dirty contact pads).

Re:What's the point of these?

[xanthos]

What people fail to notice is the "Analog Hole" part of this demonstration. Paget did not clone the RFID card. She transferred information from a secure environment (RFID) to an insecure environment (mag stripe). As long as the amount of money lost through theft is a fraction of the cost of upgrading the infrastructure to get rid of magstripe, this capabillity will remain.

FWIW, the who needs RFID cards is defintely an American bias. When I was in Paris last year there were a number of times where not having a RFID card was a real PITA.

-Xanthos

Re:What's the point of these?

[twotacocombo]

Well, all that is encoded in a credit card's 2 tracks is account number, expiration date, and name. What is keeping someone from grabbing this information via RFID, then encoding it into a standard magstripe card and going on the usual spending bender? Seems like a lot of extra work to make a counterfeit RFID card when you can just go the quick and dirty route and make a card that can be used anywhere they take plastic, not just the places with contactless readers.

Re:What's the point of these?

[twotacocombo]

Paget did not clone the RFID card. She transferred information from a secure environment (RFID) to an insecure environment (mag stripe).

FWIW, the who needs RFID cards is defintely an American bias. When I was in Paris last year there were a number of times where not having a RFID card was a real PITA.

Ah, this is what I just asked about in another reply. Until they lock out mag stripe reads on an account, they will always be the weakest link.

I was in Paris in '10 as well, and the only place I recall where RFID would have been worth using was at the Metro ticket counters, so that the card didn't need to be passed through the safety glass. Places like gift shops and restaurants wouldn't have seen much of a benefit...

Re:What's the point of these?

[pz]

What exactly is the advantage to these RFID credit cards?

One advantage is that magnetic stripes wear out. RFID cards won't. Similarly, swipe readers wear out, get gummed up, etc., whereas RF readers don't.

Personally, neither is a compelling enough argument for me as a consumer to get one. If I were responsible for the maintenance of POS terminals for a store, especially one with non-trivial traffic, that might be a different story.

Re:What's the point of these?

[mmontour]

Ostensibly, they allow for more brains behind the card than is possible with a magstripe.

You get that benefit from having a microprocessor on the card, such as a standard "chip card" with metal pads (like a SIM card) that you insert into the reader. Adding all of the RFID nonsense on top of that just makes it less secure.

(I'm aware that "chip+pin" also has known security flaws, but it's better than the alternatives).

Re:What's the point of these?

[glodime]

In addition to the the reasons given below, I would like to point out that you are assuming an advantage exists for consumers. It is the transaction possessors and merchants that reduce risks and costs from RFID cards. It is sold as a novelty to consumers and card holders.

Re:What's the point of these?

[twotacocombo]

One advantage is that magnetic stripes wear out. RFID cards won't. Similarly, swipe readers wear out, get gummed up, etc., whereas RF readers don't.

If I were responsible for the maintenance of POS terminals for a store, especially one with non-trivial traffic, that might be a different story.

The magstripe can wear out, but you can still key in the number manually when this happens. RFID chips are not invincible, and can be damaged, but certainly not as easily as a magstripe.

I did phone tech support for 7 years, working on various makes and models of credit card machines. The number of units that I personally saw during that time that genuinely had the reader head worn down to the point of malfunction was less than 10. I replaced far more units due to beer damage. Most read failures were either due to a badly abused card, or a slightly dirty head. Wrapping a dollar bill around a card and running it through a few times cleared up the read problems almost 100% of the time. And no, it doesn't have to be a $1 bill. If I had one for every time I was asked THAT question...

Re:What's the point of these?

[twotacocombo]

In addition to the the reasons given below, I would like to point out that you are assuming an advantage exists for consumers. It is the transaction possessors and merchants that reduce risks and costs from RFID cards. It is sold as a novelty to consumers and card holders.

In my 7 years of experience in the processing end of the industry, face to face fraud is extremely low, and I can't recall ever hearing a story about a cloned card being used. A physically stolen card, yes, but not a duplicated one. Not to say it doesn't happen, but the majority of fraud is MOTO/Internet based with stolen numbers or dishonest customers, or is fraud being committed by the merchants themselves. I fail to see how RFID is going to make any major impact on credit card fraud, seeing as how all it's doing is adding an additional, more discreet method of obtaining stolen card numbers. Also, the issuers and processors don't care about risk as much as you may think. We made loads of money off of chargeback fees and the percentage of any returns we forced the merchant to make in addition to the original, disputed sale. It was usually the merchant who was ultimately left taking the loss, and sometimes it was big enough to put them out of business. Getting Visa/Mastercard to ever take the hit was laughable

Re:What's the point of these?

[Captain+Hook]

It all about speed. No PIN numbers and no direct contact in a small fiddly slot means the transaction will be quicker, which makes cards usable in those low value high volume transactions where cash still reigns supreme.

PayWave and those types of authentication schemes are not about security, they are about finding away to replace the last of the legal anonymous cash transactions.

And the CC companies are quiet happy to refund any fraudulent transactions in the short term in order to get to that long term goal, as is pretty much every government I would be as well.

Re:What's the point of these?

[glodime]

It is possible that it is purely marketing to increase market share that is driving the push for RFID cards. However, the continued existence gas station card readers are certainly a threat that seems to be limited by the one-time CVV feature of RFID transactions, thus reducing the risks and cost of the transaction possessors and merchants.

Re:What's the point of these?

[eth1]

What they should be doing is putting a chip on the card that contains a private key (which you can't read from the card). Plug the card into the POS system, and the POS system uploads the transaction information, the card attaches your account number and signs it, then returns it to the POS system which can then forward it to the bank.

Doesn't help if someone physically steals the card, but any sort of "skimming" would be impossible. (unless it's using a gimmicked point-of-sale system that's fiddling with the transaction information before it's signed, but if the card could display merchant name & amount, that would take care of that, too)

Re:What's the point of these?

[twotacocombo]

usable in those low value high volume transactions where cash still reigns supreme. finding away to replace the last of the legal anonymous cash transactions. And the CC companies are quiet happy to refund any fraudulent transactions in the short term in order to get to that long term goal,

I think you may have hit the nail on the head here, but a bit differently than you think. Processors make a flat (authorization) fee on each transaction, as well as a percentage of it. The more they can get customers to use credit on small transactions, instead of cash or debit, the more money they can make. Meanwhile, the merchants get the shaft. A $.25 auth fee on a $100 purchase is not much, but if you have to pay $.25, plus 1.5-3.5% per transaction on a $5 sale that you may run a hundred times a day (say, a pack of smokes at your gas station), that cuts into your bottom line much more severely than if you were to deal in cash. Visa/MC prohibit any sort of minimum purchase amount, so somebody could walk into your gas station, buy one of those 25 cent candies on the counter, and you'd be better off just giving it to them for free instead of running their card.

Also on the subject of speedy, low dollar transactions. Many places now no longer require a signed receipt on sales below a certain dollar amount. Many of those transactions aren't even being authorized at that time. The machine just records the info, spits out a receipt, then worries about it later at batch time. Why's this? Because the merchants ultimately bear the burden of most fraud, and they've found it's better to clear the line of customers as quickly as possible and worry about the small chance of loss on a bad card. This being said, the CC companies do NOT refund your money. The merchant does. The processors get paid no matter what, which is why they allow these practices. Please don't make the mistake of thinking Visa and Mastercard are there to look out for everybody, and take the hit when fraud occurs. It's the merchant who has to pony up, but V/MC love the great PR for their "$50 max fraud liability" guarantee and whatnot...

Re:What's the point of these?

[pz]

I imagine that any paper would work well to clean the head, especially if you were to wet it with alcohol or some other solvent.

A number of times I've seen clerks wrap a single layer from a plastic bag around a poorly-reading card to improve the chances of getting a read from it. I suspect that the plastic serves mostly as a spacer to hold the card at a more consistent distance from the head.

Re:What's the point of these?

[twotacocombo]

Well, paper can be abrasive. USD bills are made of a fabric, so as long are they're clean they should be a bit better for the life of the head. Plus, there's just something satisfying about cleaning a credit card machine with cash. George would probably have a good laugh.

I used the plastic bag method numerous times, and it did have a fairly decent success rate. The science of it completely escapes me, but it made me sound like a wizard and it got people off the phone. Great success!

Re:What's the point of these?

But there is not need for the RFID chip to return sufficient data to allow you to make even a mag stripe copy of the card, that is the gigantic security hole!
Like this they added to a system mostly based on physical security (only "trusted" people get the card) a system that removed the need for physical acces.

Re:What's the point of these?

[Grishnakh]

I remember back in the 80s, in the TV show "Max Headroom", they showed people using payment devices that were like a small cylinder that you plugged into a small receptacle to pay for things (like a cab fare). It required physical contact, it wasn't wireless, and when payment was made some lights lit up and it beeped.

It amazes me how sci-fi from back then had much better ideas about how thing in the future should work, instead of the crap we actually got that barely works at all and is fraught with stupid problems that shouldn't exist. Sci-fi writers back then explored how future technologies would affect humans socially, but they never predicted that we'd implement utterly stupid systems with little to no security that would be easily cracked by people with few skills.

Re:What's the point of these?

[Grishnakh]

Because this would make too much sense. It's pathetic: we've had public-key encryption technology for what? 15-20 years now? But our payment systems are using security technology that's right out of the 1950s if that.

Re:What's the point of these?

Least in Japan, we have similar technology, but the cards are prepaid. Instead of a card just being a pointer to you account, it *is* your account. The card is the cash. (it can be recharged from paper cash or credit card).

In this sense, it's good because:
1. It means you don't have 1000 small transactions on your cc statement.
2. It doesn't need to contact the bank to authorize. Payment works instantly, offline.

Re:What's the point of these?

First there was the signature, which was horribly insecure.
Then there was the mag stripe, which was horribly insecure, after a few years.
Then there was "chip and pin" which is horribly slow, and apart from shoulder surfing and physical loss of the card, is reasonably secure.
Then they came up with RFID to address the speed issue of c&p

Honestly, if C&P was "push your card in, type the number, pull it out" then we'd have no need of RFID. The thing is, the actual workflow is "insert card, wait 30 seconds, type the number, wait 30 more seconds, remove card, wait 30 more seconds for the receipt" which is pretty pathetic given the resources available to the technology.

Easy Solution

I have an easy solution: Just pay cash.

I know its a foreign concept for the white guys, but it is still accepted.

I wonder

[koan]

If the companies that makes these cards and the banks that back them know they have issues like this then why on Earth would the push them? It can't be that much cheaper to use RFID on a card instead of swiping, why does this smell so funny?

Are they making money from this?

Re:I wonder

[Captain+Hook]

If the companies that makes these cards and the banks that back them know they have issues like this then why on Earth would the push them?

As I said here higher up in the thread but after your post.

It's about making cards fast enough to replace cash, when they do, they can take a small percentage of every transaction made in the legal economy, and log all those transactions as well.

Stainless steel wallet?

[Neil+Watson]

Would this protect the card?
http://www.thinkgeek.com/homeoffice/gear/9964/

gender

[Sebastopol]

Probably should be modded as off topic for this, but why did the article feel the need to point out Paget's gender change? did it make her a better programmer, or design better hardware? or were there lots of people reading the article were like "Hey, I knew I guy with the last name Paget that worked there, I wonder if they are related? ... Oh!" /scratches head

Re:gender

It did make me go oh that guy when I realized it was Chris Paget not someone else with the same last name, so I dunno maybe just a "Kristin Paget (formerly Chris)" would have worked.

Re:gender

It was probably because the sentence had just referred to her as "well-known", but most people probably knew her better as him.

Re:gender

For the same reason Edgar Winter's albinism is pointed out. Because it's a characteristic that few people have.

Re:gender

[Grishnakh]

Sorry if this is insensitive, but I've never understood why anyone would want to do a M-F gender change with modern medical technology. They always end up looking like guys dressing in drag, and badly (like guys doing it for Halloween, not the professionals). In fact, the gay guys who do it as a profession are far, far more convincing, and they never seem to be interested in actually switching to F, they just like to be drag queens. The people who do the conversion almost never have the body for it.

If you could just step into a machine like a Star Trek transporter and step out looking and functioning like a hottie, it'd be understandable. But the way it's done now, it really boggles the mind. Even flamey gay guys get a whole lot more respect and less weird looks.

Re:gender

It's not about how you look at the end of a gender change - it's about how you're unable to continue living without changing. It's about the suicidal depression that will plague you for your entire life if you *don't* change gender, and the significant boost to your quality of life when you're living as the person you feel you are.

For the record - the people who you say don't look good are far outnumbered by the MTF's that you doubtless know, but haven't yet realised are transexuals. It's not something that's generally advertised (for obvious reasons); respect to Kristin for continuing such a public life regardless of her gender change.

(Yes, I'm an MTF transexual).

Re:gender

[Grishnakh]

Thanks for the honest reply. I'm not trying to be mean, I'm just saying I don't quite understand when it seems like (though you say this is probably just perception bias, as with the convincing ones, we just can't tell there's been a conversion) with many, it's utterly obvious that the person is someone who did a gender change because of the male physical features (broad shoulders, facial bones/jawline, big hands/feet, etc.) which aren't easily modified with surgery. Anyway, good luck to you. Sounds like a bad spot to be in.

Mythbusters

Mythbusters were going to tackle this, but somebody didn't want them to.
http://www.youtube.com/watch?v=X034R3yzDhw

false

[dutchwhizzman]

You can read RFID cards in peoples wallets at 30 ft with a transponder with higher send signal and a better antenna. The same applied for multiple cards. Some reading devices won't process if there is more than one card in it's reach, but that's a software decision. Devices purpose made to leech RFIDs do not play by the rules and legislation set out for "proper" RFID equipment.

Re:false

[colbaz]

I just lined my leather wallet with ordinary tin foil and ran it by a commercial RFID scanner. It did not read. I opened my wallet and it read. There is a small 1cm gap where the wallet comes together that might allow a signal through, but it would have to be at the right angle.

Re:false

You can read RFID cards in peoples wallets at 30 ft with a transponder with higher send signal and a better antenna. The same applied for multiple cards. Some reading devices won't process if there is more than one card in it's reach, but that's a software decision. Devices purpose made to leech RFIDs do not play by the rules and legislation set out for "proper" RFID equipment.

Where are you getting this information? Good luck trying to read a passive RFID tag at 3 ft, let alone 30 ft. Multiple tags pressed against each other won't read, either. This has nothing to do with software.

Re:false

You have no idea what you are talking about. Look closely at your (uncited) sources. They will all say they use "Gen 2" or "EPC global" protocols. This means they are working at UHF frequencies and are far-field devices. Credit cards are all near-field coupled and will not have anywhere near that operating range. It will only be a few cm, at most 1 meter.

Re:false

[swillden]

You can read RFID cards in peoples wallets at 30 ft with a transponder with higher send signal and a better antenna.

Depends on what you mean by "RFID". There are a bunch of different technologies that fall under that large umbrella, some active, some passive, some of the passive powered inductively, some via capacitance, with different antenna sizes, communicating on different frequencies, etc.

In the case of the ISO 14443-related technologies used by payment cards, no, you can't. Under laboratory conditions with specialized equipment you might be able to get 20 cm. Maybe. 10 cm is difficult. Under real-world conditions, with off-the-shelf readers, max range is about 2 cm.

Re:false

[Dan541]

I have two RFID credit cards and an RFID transit card in my wallet. Before the old credit cards were replaced with the newer RFID ones I used to be able to swipe my wallet across the reader for the train without removing the transit card. Now with the addition of two more RFID cards I need to remove the transit card from my wallet or the read fails.

I'm sure more sophisticated readers may be capable of reading multiple cards at once. But as RFID becomes more prevalent the noise ratio is sure to increase as each wallet become filled with RFID cards.

It's worse than you think..

[cheros]

The bit not mentioned in the article is the reason why you need to be close to the card to read it: bad aerials in the card terminal.

If you build a better aerial (larger) and ensure the receiver stage has a decent low noise entry you can read those RFIDs from quite a distance..

Not the last person

[dutchwhizzman]

that's only if you were to copy the RFID contents. The CCV2 is a one-time thing and isn't copied on the magnetic strip. The blank card she made can be used until it's blocked by the CC company, as long as no CCV1 or PIN are requested by the vendor. Typically, for low amount purchases, that's not the case, so it may take a while before the card gets blocked.

Mythbusters lost episode

[speedlaw]

Wasn't RFID the subject of the Mythbusters episode that was "squelched" by Visa ? Adam made a few comments and the issue was clamped down upon by all. The credit card companies (huge advertisers-when you get 29% interest you have lots of money) made it clear that RFID weaknesses were not a subject to be discussed in public to a lay audience.

Re:Mythbusters lost episode

[Culture20]

An anon coward a few posts up gave the youtube link:
http://www.youtube.com/watch?v=X034R3yzDhw

French CBC covered that last month

[Stavr0]

http://www.radio-canada.ca/emissions/la_facture/2011-2012/Reportage.asp?idDoc=194638 (video)

I wonder about using a RECCO chip?

[Adam+Appel]

If you put a RECCO chip on you wallet I bet it would foil (ha ha) a RFID reader. The RECCO is basicly a radio signal reflector. It works in reverse, a RECCO scanner will hit off of key FOBs, cellphones and other integrated boards. If you don't know; RECCO is a search and rescue tool used in avalanche rescue. You by the chip in two packs and apply them to your boots or helmet. They are also integrated into some mountian outerwear.

A Microwave...

...means no worries about RFID data being stolen. Just a few seconds is all it takes.

Of course, I can't just wave my card at the reader anymore, but that's OK. I'm retired, I ain't in that big of a hurry.

New book idea

[SuperKendall]

"Where the wired things are".

The costumes are as practical as they are scary!

MOD PARENT DOWN!

Score +5? Goes to show the technical illiteracy of those with modpoints.

1) The cage is made from a conductive material. If a hot wire shorts against it, and you touch the cage, you could be electrocuted. Grounding it is therefore prudent.

A "hot wire?" What is a "hot wire?" Are you talking about AC mains voltage? The same concept would apply to vehicles, building doors, household appliances, etc. This has nothing to do with RF.

2) If anything inside the cage is trying to transmit, it turns the entire planet into its antenna. Your transmission is going to be pretty weak if you're trying to drive a planet-sized antenna with a few milliwatts of power. (Actually, no weaker than normal, but only if you're far enough away from the antenna that it looks like a point-source.)

Umm, NO. The idea of a Faraday cage is that you create an RF short as the cage is larger than lambda/2. The earth does NOT become an antenna. You merely increase the VSWR at the transmitter.

Re:MOD PARENT DOWN!

[_0xd0ad]

A "hot wire?" What is a "hot wire?" Are you talking about AC mains voltage? The same concept would apply to vehicles, building doors, household appliances, etc. This has nothing to do with RF.

I never said it did, moron. Yes, one of the reasons it is a good idea to ground a Faraday cage is exactly the "same concept" as why it is good to ground household appliances, etc.

Umm, NO. The idea of a Faraday cage is that you create an RF short as the cage is larger than lambda/2.

You're confusing signals getting into a Faraday cage with signals getting out of one. If the cage's mesh is larger than lambda/2, the signal will penetrate it. If it's not, the signal will not.

The earth does NOT become an antenna. You merely increase the VSWR at the transmitter.

If a charge is placed inside an ungrounded Faraday cage, the internal face of the cage will be charged (in the same manner described for an external charge) to prevent the existence of a field inside the body of the cage. However, this charging of the inner face would re-distribute the charges in the body of the cage. This charges the outer face of the cage with a charge equal in sign and magnitude to the one placed inside the cage. Since the internal charge and the inner face cancel each other out, the spread of charges on the outer face is not affected by the position of the internal charge inside the cage. So for all intents and purposes, the cage will generate the same electric field it would generate if it was simply charged by the charge placed inside.

I.e. the Faraday cage becomes the antenna. You're welcome.

Re:MOD PARENT DOWN!

You stupid IDIOT. I'm not referring to an ELECTROSTATIC CHARGE. I'm referring to an ANISOTROPIC RADIATOR placed inside the cage. The cage does NOT become an antenna.

Re:MOD PARENT DOWN!

[_0xd0ad]

An anisotropic radiator? THE FUCK does directionality have to do with anything?

An "electrostatic charge" is just an electric charge that isn't moving, by the way. Move an electric charge with an AC current and you get... wait for it... EM radiation.

An antenna radiates EM energy by moving charges around. The radiated energy from an antenna, in turn, induces movement of electrons in other conductors. The Faraday cage is a conductor, so the radiated energy causes electrons to move in it. That movement of electrons also radiates energy, as if the Faraday cage were itself an antenna. Hence the Faraday cage might as well be pinned directly (electrically shorted) to the antenna of the transmitter inside it.

I think you're using big words about concepts you don't really understand.

Re:MOD PARENT DOWN!

Dude, no need to get your Depends in a wad

Re:MOD PARENT DOWN!

Just to let you know, many people stop reading as soon as they see the word moron used for name calling. It makes you like juvenile.

Re:MOD PARENT DOWN!

What's with you two...??

The faraday cage by definition is a cage where the charge is completely surrounded by a conductor. It acts as a short. You might want to read up on waveguide boundary conditions as a refresher.

http://www.fnrf.science.cmu.ac.th/waveguide/Waveguide%20theory%204.html

If you don't believe me, explain why putting foil around the antenna of a wireless router works to block the signal. And then try to explain why the cooking chamber of a microwave oven does not radiate EM waves except where it's expected to leak.

Re:MOD PARENT DOWN!

If you don't believe me, explain why putting foil around the antenna of a wireless router works to block the signal.

Because if the antenna can transmit but not receive, the router doesn't work?

And then try to explain why the cooking chamber of a microwave oven does not radiate EM waves except where it's expected to leak.

No, you try to explain what happens to the energy if the entire Faraday cage doesn't radiate it somehow. Suppose the microwave is empty and closed. There is no food for the energy to cook. So where does the energy go?

The microwave *has* to radiate it somehow, albeit very poorly because the Faraday cage makes a lousy antenna. Where "very poorly" means that a significant amount of it is reflected back into the magnetron (in fact, you can ruin a microwave that way).

Re:MOD PARENT DOWN!

Well, his comment struck me as rather moronic, considering that he asked "what is a hot wire". That is a moronic question. Any electrician knows what a hot wire is.

And then he then acted like the shock hazard is completely irrelevant just because it has nothing to do with RF. When, in fact, the fact that it has nothing to do with RF is what is irrelevant: YES, you ground it because of the shock hazard. (Among other reasons.)

Re:MOD PARENT DOWN!

[adolf]

If the antenna can't receive, it also can't transmit. The system (where "system" is an antenna wrapped in aluminum foil, or inside of a Faraday cage, or whatever) does not behave as an antenna, because it can't do either thing. The system therefore is not an antenna, although it may contain one.

(In other news, a resistor or capacitor or inductor or whatever with a wire shorting it no longer behaves as a resistor or capacitor or inductor or whatever, and mules are neither donkeys nor horses although they're made from one of each.)

Meanwhile, here's what happens to RF energy as it attempts to pass through a Faraday cage: All of it, to the limit of the efficiency of the cage itself (which itself is ultimately limited by the conductivity of the material), is eventually converted to heat. Whether it is converted to heat rather directly (in a manner just like any other short circuit), or somewhat indirectly (nobody said a Faraday cage does not have reflectance: things can/do bounce inside/off of it), it still turns into heat.

As to microwave ovens in particular, some of the energy is absorbed by the interior surfaces and the Faraday cage itself and converted to heat. Much of it finds its way back to the magnetron and associated kit, where it also gets converted to heat. (And obviously nothing is lost, because nothing can be lost. It's the law.)

Yes, this can be hard on things, and yes, microwave ovens tend to survive it OK anyway.

(This, incidentally, is why it's a good idea to have a bit of water in the microwave when doing fun things like making plasma balls, nuking light bulbs, punishing CDs, and otherwise playing with things that deal with 2.4GHz RF inefficiently: The water helps convert and store excess energy in the form of heat, which saves the guts of the microwave the pain and suffering of doing that itself.)

It's not complicated -- it's just a simple, passive component called a Faraday cage.

Re:MOD PARENT DOWN!

Because if the antenna can transmit but not receive, the router doesn't work?

Douche nozzle,

You do know that the router continues to transmit SSID data regardless of whether anything is trying to connect to it, right? Go home, order a couple of SMA/SMA-RP adapters, a 2.4GHz isolator, and put the isolator in place so that the router can transmit but not receive. You *WILL* be able to see the router but will not be able to connect to it.

The microwave *has* to radiate it somehow

As said before, the magnetron's VSWR goes through the roof. You basically short out the magnetron, and if you're unlucky, you blow up the magnetron or a fuse. NEARLY ALL ENERGY IS REFLECTED BACK TO THE SOURCE. Modern magnetrons can handle a reflective load (e.g. pure resonance chamber) for a few minutes before overheating.

YOU'RE WELCOME.

RFID is American answer to smartcard cards

Everywhere in Europe, you see people with credit cards with a smartcard chip in them.

To use your credit card as a credit card, you put it in a reader and enter a PIN, just like you do with ATMs.

To gauge the American take up of this idea, I had a look at CitiBank's credit card application page: 0 credit cards with smart card chips in them.

Whilst there are flaws (such as MITM attacks) on the smartcard mechanism, all of them require someone to actually have the card in their possession.

It would seem to me that the American credit card companies are trying to come up with a new, quick, method that doesn't actually improve the security of the credit card.

The banks don't care.

[tgd]

There's a reason we don't have chip+PIN in the US, and its the same reason the RFID cards are all the rage with banks -- the risk of fraudulent transactions is already calculated into the rates the banks charge merchants, and they know through direct studies that they make more money if they make it faster to charge.

Case in point -- a merchant can be fined by Visa if they make a customer sign a receipt for a sub-$25 purchase. Big retailers know it, which is why you don't get asked at them, but smaller retailers haven't always gotten the message.

This is exactly the same thing. The risk of theft is already known and managed, they just want you to tap your card as much as you can.

Is it possible to disable it on the card?

[mar.kolya]

I tried to disable this 'feature' with bank and they say that Visa is basically forcing them to have wireless thing on the card. So I was thinking - would it be possible to disable this thing yourself? I'd assume that antenna is run on the perimeter of the card, so a hole in the right place would make the trick. Have anybody tried this? Does this work? Will merchants accept card with a hole in it?

Re:Is it possible to disable it on the card?

[Pow]

You can disable this "feature" with a hammer. It's pretty straightforward and I've done that with my Visa Paywave cards. Punching the hole will also work but I'm not sure if such card will be accepted by merchants.
If your credit card has both RFid (like Visa Paywave) and chip/pin contacts, destroying RFid chip will also most likely destroy chip/pin interface because they would likely be packaged on the same chip.

Re:Is it possible to disable it on the card?

[Grishnakh]

Probably depends on the merchant and if you have to hand them your card. In most retail places, you just swipe your card and enter your PIN (or sign your signature on the touchscreen). The cashier never handles your card, so they'd never know there's a hole there. For those rare cases where you have to hand them your card (either they've disabled the cardreader like at Macy's for some odd reason, or it's not reading your card properly so they have to key it in manually), they might say something, but as long as the card reads OK, I can't imagine why they'd refuse you. If they do, just tell them why you drilled a hole in your card, to prevent your card info from being stolen wirelessly (this might even get them very interested, esp. if they've ever experienced credit card fraud, as many people have).

Re: Wireless Credit Card Fraud

I don't qualify for a Credit Card. maybe I should buy a prepaid card or at least an American Express card. Just saying

I didn't find it this easy

  I once tried to duplicate a pass using a RFID & ariel.

I couldn't get it to work. I read a few guides and it seemed to be easy in theory but when it came down to it I couldn't get the firmware to record and emit the same signal even though a very straightforward guide was written on it. I tried the same with a low frequency keycard and a hi freq ski pass, no joy there either.

I can't remember the name of the device now but what I took away from it was that it's not as easy as I was expecting. This is probably because I'm thicker than expected.

I don't have the details on this demo (encryption?) but I'd just make a minor comment that it's probably needing a programmer level rather than script kiddie level right now. This isn't to talk it down, I'm just saying don't spend the £500 on readers for fun if you think it's gonna be easy.

Have RFID attacks moved on with better documentation and cheaper tech in the last 2 years?

p.s. Bitcoin QRcodes...

13.56MHz

Credit cards are 13.56 MHz RFID. That's a wavelength of ~75ft. Not going to hide that YAGI very well....

Great! Then I can just carry around my old CB radio (27MHz) with a 100 watt linear amp, and keep it dead-keyed all the time and hope the 2nd-order harmonics drown out all the RFID readers I come near.

Protection

[Leolo]

This is why you put your cards in a SmartCard GUARD. I bought 12 of them, am using only 3. The others I hand to friends and relations when I think to check their credit cards for the RFID logo.

BTW, fraud isn't the only problem with being able to read these cards from a distance. The info could also be used for surveillance.

It is called a security landscape

[Zero__Kelvin]

"It is news in that this has now been brought up to the credit card companies in a manner which cannot be easily ignored."

It can, and will be easily ignored. Did you know that when you hand the server at your local restaurant your credit card they can easily write down the card number and other information needed to "steal" the card and make fraudulent purchases? The credit card companies do. They consider this acceptable loss, and factor it in to the costs of doing business. It amazes me to think that people believe that they are telling credit card companies something they don't already know.

Re:It is called a security landscape

[SQLGuru]

Why write it down? A piece of thermal paper (available at the register) and a quick rubbing. Won't even take long enough to make you think they considered it. And you can remember the CVV long enough to scratch it in the thermal paper with your nail

Turnstiles...

If you mounted this in a turnstile (i.e. New York Subway) you would get very close to very many wallets in a
short time.

You could also scan each card 3 or 4 times to get several CCV numbers, so you could get multiple transactions,
off of each card (or does it mutate once a second or some such?)

Re:Turnstiles...

You could also scan each card 3 or 4 times to get several CCV numbers, so you could get multiple transactions, off of each card (or does it mutate once a second or some such?)

The CCV doesn't change until it has been used. So you would need to scan the card, use the information for a transaction before the cardholder uses it, then scan it again to get the next CCV. Realistically, you would only get a single use out of each card. But that would be fine, since the idea would be to harvest many cards.

Re:Turnstiles...

[n7ytd]

The CCV doesn't change until it has been used. So you would need to scan the card, use the information for a transaction before the cardholder uses it, then scan it again to get the next CCV. Realistically, you would only get a single use out of each card. But that would be fine, since the idea would be to harvest many cards.

This is curious to me... how does the card know there has been a transaction? Is it just the act of sending the card information that triggers the change to the CCV? And then it stands to reason that there is a pre-programmed sequence of CCVs that the card and the central bank shares?

Re:Turnstiles...

TFA's explanation of it:

In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to used in the order they’re generated. If a payment processor detects multiple transactions with the same code or even codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number once, and if the victim of a the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

The chip generates the next CVV using some unknown algorithm, which sounds very much like good old fashioned security through obscurity. They're assuming no one will ever figure out the algorithm.

Mod parent up!

nice explanation

Selling $20 bill for $15

It is illegal under federal law, in the United States, to "sell" U.S. currency for less or more than the stated value. This does not apply to coins or items of rarity or interest.

Banks don't care

[The+Archon+V2.0]

My bank (Royal Bank of Canada, the bastards) sent me a new debit card with a note explaining it was preactivated and was usable without using a PIN for up to $200 of purchases. They didn't even inform me they were sending a card, it just showed up one day. Gee, thanks for putting my rent cheque at risk, Royal Bank! When I called them they insisted it wasn't a security risk because "Not many places can do contactless purchases yet." When I pointed out they were trying hard to change that, they just offered canned assurances that didn't address the issue.

So the Royal Bank believes in security through obscurity, and then tries to destroy said obscurity through ad campaigns. Real clever.

My experience

My Capital One card was hacked three times last year - they noticed the activity pattern every time and called me - pretty darn good fraud detection if you asked me. I queried the guy the third time, and he recommended an RFID wallet. I fly about 100k miles a year, and take a commuter train when not on the road, so I am apparently high risk. It's high time we moved to 'chip and pin' tech like they use in most of the rest of the world, but apparently the CC companies here feel the fraud cost is less than equipping the country with the new equipment to deal with it. Terrible pain in the ass convenience wise to change all the auto-bills, but it's not cost me a dime.

RFID blocking Smartphone Privacy with MIAmobi

“Fashion Meets Tech” The MIAmobi SilentPocket is made with high quality leather and a 99.9% pure Nano Silver lining, with easy reach in design. The MIAmobi provides Instant Privacy, it completely takes your mobile device off the grid. It stops GPS tracking, and provides RFID Blocking ,data protection, and prevents texting and driving. Voicemail rings, beeps, blings or vibes will not be heard. Voicemail, Texts and email will be received once the device is taken out of the SilentPocket. The MIAmobi SilentPocket also sanitizes your mobile device by using Silver as an antimicrobial agent to eliminate bacteria. Simply put, no signals in or out. If you really need to know for sure that you are in control of your mobile device, empower yourself with MIAmobi.

Mobile Device Privacy. MIAmobi's SilentPocket addresses this issue of RFID blocking along with many more problems associated with Credit Cards and mobile devices. With over 500,000 mobile app developed for smartphones, many of which are stealth and are ease dropping on your every move capable of turning on functions on your phone like your mic, camera, GPS, address book and more, even when it has been turned off. There is only one sure way to stop this if you really want to know for sure that you have control of your mobile device is to block all wifi coming in or going out. But we don’t all have to be worried about that do we. The conveyance of instantly silencing your phone or putting the phone away when getting in your car without having to powering it down. (out of site out of mine) may save a few lives in 2012. Website http:/www.mia-mobi.com/