Shmoocon Demo Shows Easy, Wireless Credit Card Fraud
Sparrowvsrevolution writes with this excerpt from a Forbes piece recounting a scary demo at the just-ended Shmoocon: "[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer's credit card onstage and obtained the card's number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer's money with the counterfeit card she'd just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) ... A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses."
That is why I have lined my wallet with the aluminum foil that I had left over from making my hat.
It is news in that this has now been brought up to the credit card companies in a manner which cannot be easily ignored.
Don't know something? Look it up. Still don't know? Then ask.
Put two of these cards next to each other, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.
There are numerous ways around this problem. It shouldn't stop people from using the technology.
You should be more worried about waiters and cashiers than somebody in a crowd grabbing your data.
Your hair look like poop, Bob! - Wanker.
Put her in jail for teaching others how to defraud the public!!!!
* Obvious to the credit card industry
Word game?
I remember seeing it on the news - they demonstrated someone with a cheap RFID reader and a laptop can bump into people, grab their cards, and run off. It was impressive enough that my parents got worried and checked their cards for that paypass logo.
Of course, having it more in the news isn't a bad thing. Add in a few elaborations (attackers can read your credit card without having to be close to you!) and you'll find great retraction on this. Especially when considering that it applies to debit cards as well. (Anyone with $50 worth of equipment can drain your bank account!).
And yes, while it's a bit of hyperbole, it makes a nice soundbite to get people to change.
It's been well known that RFID cards are susceptible to this kind of threat. The only reason why jammers and blocks haven't been enforced as much is because there haven't been enough cases of this happening to justify wide-scale enforcement. I really like the convenience of contactless payment systems and hope jammers and guards become ubiquitous enough for banks to provide them along with these cards.
So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.
For your security, this post has been encrypted with ROT-13, twice.
I've been using a Faraday Cage wallet and passport holder by DIFRwear: http://difrwear.com/ for several years now. I don't work for them, but with the very cheap wallet prices and sturdy construction I've been very pleased with the products. I can testify that they do work as I have an RFID key card and it won't activate the door if in the wallet.
And in other news anytime you take your credit card out to do anything and it is out of sight for a moment people could record your number, expiration date and your security code and then use it to buy things using your credit card. But of course we won't worry about that because technology is SCARY!!! Despite the fact that this doesn't work if you:
Have more than 1 credit/debit card with an RFID chip.
Aren't really close to the card.
Store your card in an aluminum wallet.
Sure, it is possible, but we focus so much on the possible technological side while totally neglecting the fact that people could quite easily just record your credit card info when you pay for things.
Taxation is legalized theft, no more, no less.
(sarcasm) Well, the obvious solution is to prosecute Randy for violation of some type of copyright/jail-breaking/illegal use law. If we don't have one yet for this -- we can write one quickly! No need to have people worry about this type of stuff. Our economy is in shambles, we need people to use their cards! You can't grow GDP without breaking a few eggs! (/sarcasm)
The fact that you can make a payment via Square without any form of authentication is the biggest failure here. At least with the RFID payment you've got a cryptographically strong authentication method which is pretty hard to fake. The sooner the credit card companies get rid of the magstripe the better...
Clearly the problem is the iPhone and eBay.
Hurry, oh wonderful American government, censor both of these things!
What do I know, I'm just an idiot, right?
Kristin Paget used to be Chris Paget, famous GSM hacker. With that out of the way, we return you to this awesome hack.
The article also mentions that Paget's company is working on a jamming device called GuardBunny that slips into your wallet, complete with a rabbit head logo and eyes that glow (there's a picture on page two) when it's activated. I'm not sure if this is meant to be a humorous Monty Python reference? "Run away, High-Tech Pickpocket! Run away!" Or a creepy Donnie Darko reference? "Why do you wear that stupid bunny suit?" "Why do you wear that stupid smart credit card that broadcasts its credentials?"
I've been warning everybody who gets a new Barclaycard with this "feature" since I first saw it advertised.
My thoughts were somebody selling newspapers at an underground (subway) station swiping everybody who walks past at rush hour. Going home and cashing in on 1000's of £1 - 10 transactions. Not a bad afternoon's work.
What exactly is the advantage to these RFID credit cards? All the readers I've seen still require you to get the card close to it to work. Has the world really grown so lazy that we can no longer be bothered to make a vertical swiping motion? I can see the benefit for payment-enabled cell phones or key fobs, but credit cards? Seems like a solution to a problem that didn't exist.
Who needs to read the zipcode? 90% of them are going to be the same zipcode as the gas station unless you pick a station on a turnpike or something.
If the companies that make these cards and the banks that back them know they have issues like this then why on Earth would they push them? It can't be that much cheaper to use RFID on a card instead of swiping, why does this smell so funny?
Are they making money from this?
"If any question why we died, Tell them because our fathers lied."
Why is it "hyperbole" if somebody can drain hundreds of bank accounts wirelessly with a $50 device?
To me that sounds more like "panic stations, block all cards now!!"
Why anybody needs RFID credit cards is beyond me anyway. Is it sooooo hard to swipe a card through a reader?
PS: Why would the CVV number be on the RFID chip? Surely that's the secret only you and the company are supposed to know?
No sig today...
Anyone with $50 worth of equipment can drain your bank account!
Which is one of several reasons why I only have Credit Cards.
It's hyperbole because the attacker has to be incredibly close to you. They actually have to bump the device up against your wallet. While it's technically "wireless" that's not what most people have in mind when they hear the word.
Also the CVV number it gives you works for one use only. It's used to authenticate the transaction.
My cell phone has NFC and it is able to scan one of my credit cards for a decent sized payload. I'm not knowledgeable enough to decrypt the payload so I guess that's probably good.
Would this protect the card?
http://www.thinkgeek.com/homeoffice/gear/9964/
UNIX/Linux Consulting
It's news because s/he's spewing FUD to make a buck.
While that GuardBunny thing did make me suspicious, there is a mitigating factor here. It is not only not available for sale, they don't know when it will be. So even if she is just out to make a buck, she failed spectacularly as anyone now interested in an rfid shielding wallet will have to buy from someone else.
Also, "she" not "s/he". Leave your prejudice at home.
The CVV used here, I believe, isn't the one printed on the back of the card. I believe that it's a one-time use CVV that changes for the next transaction (think rolling-code garage door opener or http://en.wikipedia.org/wiki/One_time_password)
So, someone who steals one can do a single transaction.
And the worms ate into his brain.
Probably should be modded as off topic for this, but why did the article feel the need to point out Paget's gender change? Did it make her a better programmer, or design better hardware? Or were there lots of people reading the article who were like "Hey, I knew a guy with the last name Paget that worked there, I wonder if they are related? ... Oh!" /scratches head
https://www.accountkiller.com/removal-requested
You can read RFID cards in people's wallets at 30 ft with a transponder with higher send signal and a better antenna. The same applies for multiple cards. Some reading devices won't process if there is more than one card in its reach, but that's a software decision. Devices purpose made to leech RFIDs do not play by the rules and legislation set out for "proper" RFID equipment.
I was promised a flying car. Where is my flying car?
They actually have to bump the device up against your wallet.
Not according to TFA:
In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card’s information.
There are many situations where we get close enough to random strangers for someone to pull this off.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
The bit not mentioned in the article is the reason why you need to be close to the card to read it: bad aerials in the card terminal.
If you build a better aerial (larger) and ensure the receiver stage has a decent low noise entry you can read those RFIDs from quite a distance.
So I take it you've never been in a crowded area with lots of people around like rush hour on a subway, at a ball game, etc. If your life is such this situation rarely occurs, then you don't really have to worry. For anyone who lives in congested metropolitan areas, it is a worry.
Well, there's spam egg sausage and spam, that's not got much spam in it.
that's only if you were to copy the RFID contents. The CCV2 is a one-time thing and isn't copied on the magnetic strip. The blank card she made can be used until it's blocked by the CC company, as long as no CCV1 or PIN are requested by the vendor. Typically, for low amount purchases, that's not the case, so it may take a while before the card gets blocked.
I was promised a flying car. Where is my flying car?
Wasn't RFID the subject of the Mythbusters episode that was "squelched" by Visa ? Adam made a few comments and the issue was clamped down upon by all. The credit card companies (huge advertisers-when you get 29% interest you have lots of money) made it clear that RFID weaknesses were not a subject to be discussed in public to a lay audience.
http://www.radio-canada.ca/emissions/la_facture/2011-2012/Reportage.asp?idDoc=194638 (video)
As a non-idiot I knew this was possible. I fight Chase regularly on this, they send a new card with the stupid chip, I call and roast em, they mail me a new one without the chip. But they tell me at the time that it is a one time only deal and sure enough they send another later in the year on a different card. Yes, because of mergermania I now have three credit cards but they are all Chase. They simply refuse to allow you to permanently opt out of this madness.
Same with wanting to move me to a debit card instead of an ATM card. The ATM card requires a PIN for all transactions and has other safeguards which work in my favor. The debit cards can be used in all sorts of places without a PIN and since it isn't a credit card (despite the Visa logo) the stolen money is gone from your account and you are getting to pay NSF fees all over the place while you fight over it. So I just keep cutting those cards every time they send a new one out and keep using my ancient ATM card. When it stops working I'm out of there.
Democrat delenda est
That was a rerun, it was over a year ago. This is the next part where people get to see that it wasn't one of those things that can only happen in television land.
You can steal it for one transaction. However, you can read a card multiple times and if they haven't used the paypass since, you can replay those transactions in order and use it multiple times.
And I would guess he has to make the transaction before the card is next used or the one time CVV will be out of step with the server.
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
If you have an unusually thin wallet, that may work. But the attacker isn't going to get closer and closer to you until it works. That would be pretty silly, and rather conspicuous. They are going to bump up against you.
I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.
And that claim is hyperbolic because when you hear the claim, it's easy to imagine (as you did) that there can actually be a significant distance between you and the attacker. In reality, the reader has to be incredibly close to the card. You need to know where the card is on the person, and put the reader right next to it.
Also, I am not claiming the card is secure. I am only pointing out that the claims in the article are exaggerated for dramatic effect.
Walk through Grand Central during rush hour. You can say excuse me if you like, but everyone might think you're weird.
For the cost of one subway fare you can rack up a few hundred credit cards.
If you put a RECCO chip on your wallet I bet it would foil (ha ha) an RFID reader. The RECCO is basically a radio signal reflector. It works in reverse, a RECCO scanner will hit off of key FOBs, cellphones and other integrated boards. If you don't know; RECCO is a search and rescue tool used in avalanche rescue. You buy the chips in two packs and apply them to your boots or helmet. They are also integrated into some mountain outerwear.
They come in the dark, only in the darkest.
Cannot assume distance. Just because the card and a reader in a shop have to be close, does not mean someone could not make a much better antenna and work from safe distance. Witness the people getting tens of kilometers out of wifi using special antennas. Not a stretch to use similar gear to scarf credit cards at a hundred meters or so.
For the same reason, bluetooth is vulnerable. Maybe it only works 20 feet for you but somebody three blocks away with the right antenna can snarf just fine. You'd never even see them.
You just watch how easy it is for them to ignore it.
Are there banks that really allow that? Because I've never worried about my debit card because my bank has always covered any BS. They are so good about it I've been using it to buy parts for the shop for years since I don't have to worry about any fees or interest. Once in a while I'll get some merchant that double dips then I just walk in and tell one of the gals and voila! It takes less than 10 minutes and it's all back to normal.
Maybe this should be a lesson not to use shitty megabanks that suck. Use the little Co-Ops and small state banks that still treat you like a customer and not a wallet with feet. When the housing market cratered my bank was bragging on their little opening jingle how they didn't throw money around at crazy housing schemes and therefore had tons of money to loan to local businesses. They made out like bandits as all the local businesses ended up going to them, the last jingle of theirs I heard said they were never doing better and were ready to loan to local folks so come on in. I guess that's what happens when you treat folks decently, your business grows. All I know is they get even the tiniest whiff of fraud they call you and give you a new card as SOP, I'm waiting for a new card right now as a matter of fact, should be here tomorrow. One of the places I shop at had a minor breach and even though I wasn't affected they said "better safe than sorry" and sent me a new card. I like that, nice to see a bank say "better safe than sorry" and be proactive on security.
ACs don't waste your time replying, your posts are never seen by me.
"Where the wired things are".
The costumes are as practical as they are scary!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.
Researchers seem to be able to do it from several feet away...just google for "rfid maximum distance" (or something similar).
No sig today...
As a non-idiot I knew this was possible. I fight Chase regularly on this, they send a new card with the stupid chip, I call and roast em, they mail me a new one without the chip. But they tell me at the time that it is a one time only deal and sure enough they send another later in the year on a different card. Yes, because of mergermania I now have three credit cards but they are all Chase. They simply refuse to allow you to permanently opt out of this madness.
Stop! Hammer time!
If you have an unusually thin wallet, that may work. But the attacker isn't going to get closer and closer to you until it works. That would be pretty silly, and rather conspicuous. They are going to bump up against you.
In a crowded commuter train or bus an attacker can inconspicuously bump his RFID reader containing backpack against 100 people without arousing suspicion while pushing his way from one end of the train to the other. On a less crowded train, he can put his reader under the seat in front of him (many transit agencies use thin fiberglass or plastic seats) and get it to within 1/4 inch of the seated passenger's back pocket wallet.
I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.
My RFID card key works 3 or 4 centimeters from the reader. Like you I usually slap it against the reader, but I'm not worried about making the reader suspicious about why I'm touching it. I've seen people who keep the card in their wallet do a butt touch on the reader and the card works fine through their wallet and clothes. If RFID card keys are any indication, then it would be trivial for a thief to get close enough to read the card without actually touching you - after all, pickpockets are already able to slip a wallet from a pocket undetected, so I think they can manage to get a card reader a few cm from your wallet without touching you.
I'm not sure how Credit Card RFID chips differ from the RFID chips used in passports, but Passport RFID readers with high gain antennas have been used to read a passport RFID chip from hundreds of feet away.
I get that close to hundreds of strangers each week on the train to and from work. This is also a situation where people will most likely be able to figure out where my wallet is, because I just pulled it out when I swiped my transit card.
There are multiple CVV numbers assigned to a single card. The first is present on the magstripe. The second one is what we know as the security code and is printed, not embossed, on the signature panel on the back of the card. For chip cards and contactless cards you get other schemes such as these single-use CVV numbers produced by the card.
Also, a card can only be blocked if it is presented to the reader for long enough to download a couple of scripts from the issuing institution. A paypass card's offline wallet is fair game for anyone who picks up the card.
obviously it is much more complicated than the space/time available here
Nowhere in the poster that you replied to does he/she refer to this as an area wide instantaneous wireless attack. The only time distance is brought up is by you which you used to dismiss the potential impact as hyperbole. Even if distance is a factor in this attack, what you are still missing is the point that the ease of the exploit makes it so that many people can be exploited. Anyone can brush up against hundreds of people a day in crowded metropolitan areas.
Well, there's spam egg sausage and spam, that's not got much spam in it.
There's a reason we don't have chip+PIN in the US, and it's the same reason the RFID cards are all the rage with banks -- the risk of fraudulent transactions is already calculated into the rates the banks charge merchants, and they know through direct studies that they make more money if they make it faster to charge.
Case in point -- a merchant can be fined by Visa if they make a customer sign a receipt for a sub-$25 purchase. Big retailers know it, which is why you don't get asked at them, but smaller retailers haven't always gotten the message.
This is exactly the same thing. The risk of theft is already known and managed, they just want you to tap your card as much as you can.
A "hot wire?" What is a "hot wire?" Are you talking about AC mains voltage? The same concept would apply to vehicles, building doors, household appliances, etc. This has nothing to do with RF.
I never said it did, moron. Yes, one of the reasons it is a good idea to ground a Faraday cage is exactly the "same concept" as why it is good to ground household appliances, etc.
Umm, NO. The idea of a Faraday cage is that you create an RF short as the cage is larger than lambda/2.
You're confusing signals getting into a Faraday cage with signals getting out of one. If the cage's mesh is larger than lambda/2, the signal will penetrate it. If it's not, the signal will not.
The earth does NOT become an antenna. You merely increase the VSWR at the transmitter.
If a charge is placed inside an ungrounded Faraday cage, the internal face of the cage will be charged (in the same manner described for an external charge) to prevent the existence of a field inside the body of the cage. However, this charging of the inner face would re-distribute the charges in the body of the cage. This charges the outer face of the cage with a charge equal in sign and magnitude to the one placed inside the cage. Since the internal charge and the inner face cancel each other out, the spread of charges on the outer face is not affected by the position of the internal charge inside the cage. So for all intents and purposes, the cage will generate the same electric field it would generate if it was simply charged by the charge placed inside.
I.e. the Faraday cage becomes the antenna. You're welcome.
I tried to disable this 'feature' with bank and they say that Visa is basically forcing them to have wireless thing on the card. So I was thinking - would it be possible to disable this thing yourself? I'd assume that antenna is run on the perimeter of the card, so a hole in the right place would do the trick. Has anybody tried this? Does this work? Will merchants accept card with a hole in it?
Apparently Visa does cover fraudulent purchases.
Also, "she" not "s/he". Leave your prejudice at home.
while i agree with the sentiment, i think it's very likely they never left home. spewing your prejudices anonymously onto the world from the safety and comfort of your chair is what the internet is for.
insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
No, it is not conspicuous. Stop saying that, because it isn't even remotely true. People stand within touching distance of strangers every single day, with no exceptions. Ever stand in an elevator? On a subway? In an airplane? In line at a bank? Ever go to a grocery store? Ever walk past someone on the street?
I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work.
Mine works from 3 inches away. At a regional office, there's a reader that is twice as large on the wall, and just walking near it with my wallet in my pocket opens the door. It's not the card that determines distance; it's the reader. So maybe the crooks don't buy the $50 reader, maybe they go for the $2000 reader that works from two feet away, and set up shop in a van parked next to a busy sidewalk.
This is why you put your cards in a SmartCard GUARD. I bought 12 of them, am using only 3. The others I hand to friends and relations when I think to check their credit cards for the RFID logo.
BTW, fraud isn't the only problem with being able to read these cards from a distance. The info could also be used for surveillance.
An anisotropic radiator? THE FUCK does directionality have to do with anything?
An "electrostatic charge" is just an electric charge that isn't moving, by the way. Move an electric charge with an AC current and you get... wait for it... EM radiation.
An antenna radiates EM energy by moving charges around. The radiated energy from an antenna, in turn, induces movement of electrons in other conductors. The Faraday cage is a conductor, so the radiated energy causes electrons to move in it. That movement of electrons also radiates energy, as if the Faraday cage were itself an antenna. Hence the Faraday cage might as well be pinned directly (electrically shorted) to the antenna of the transmitter inside it.
I think you're using big words about concepts you don't really understand.
I think if I get it within 2 or three millimeters of the reader it will work.
The distance to read a card is a function of the reader which provides the wireless power signal much more than it's a function of the card you're using. So your work reader is configured to be lower power and have your familiar slap the wallet functionality, while anyone wanting to read your card buys a different reader that works fine from several feet away (or more, but it just gets noisy when you activate 100 cards at once).
//TODO: signature
Never had an issue with such refunds. Perhaps if you weren't such a prick with the people you call, you'd get more from them.
Learn to love Alaska
It can, and will be easily ignored. Did you know that when you hand the server at your local restaurant your credit card they can easily write down the card number and other information needed to "steal" the card and make fraudulent purchases? The credit card companies do. They consider this acceptable loss, and factor it in to the costs of doing business. It amazes me to think that people believe that they are telling credit card companies something they don't already know.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Alumawallet has been advertising the fact that it is possible for a couple of years now.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
From the article- more like about $500 worth of equipment. Still, a $500 investment for several million worth of the money of idiots, might be worth it.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
I once worked for Tektronix, back in the 1990s when they were pioneering this technology. As a demonstration, one door on main headquarters had a reader that could read from 12 feet away- the light would go green as you approached that door.
I have *NO* doubt that with a suitable antenna, line of sight, and enough power, you could read an RFID chip from a mile or two away.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
It's hyperbole because the attacker has to be incredibly close to you. They actually have to bump the device up against your wallet. While it's technically "wireless" that's not what most people have in mind when they hear the word.
I was at Kristin's talk. The range with a standard cheap-ass reader is a few cm. With your own higher-power add-on (13.56MHz is right next to the 14MHz amateur band for which you can get off-the-shelf gear), it's tens of feet.
Also the CVV number it gives you works for one use only.
So you perform multiple reads and get one CVV per read.
"That would be pretty silly, and rather conspicuous. They are going to bump up against you."
Never used public transportation, I see.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I take it you've never ridden a subway during rush hour?
If you wanted a long range unit, you would just have to pump more power into it (IIRC RFID chips power themselves from the EM waves output by the reader device so sending more power out gets a stronger signal back). You could probably put out enough power that you might even damage cards that you make contact with (not like a criminal cares about breaking FCC restrictions) but it would let you pick up info from cards a reasonable distance away.
Bottles.
Actually, that was the END of my contracting there- when Danaher bought them out, cut the employment in Beaverton from 20,000 to 500, and started renting out 3/4ths of the campus.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
The CCV doesn't change until it has been used. So you would need to scan the card, use the information for a transaction before the cardholder uses it, then scan it again to get the next CCV. Realistically, you would only get a single use out of each card. But that would be fine, since the idea would be to harvest many cards.
This is curious to me... how does the card know there has been a transaction? Is it just the act of sending the card information that triggers the change to the CCV? And then it stands to reason that there is a pre-programmed sequence of CCVs that the card and the central bank shares?
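The counter-based one-time code that several posts above describe, as an added example (not code from the thread, the talk or any card scheme): it models the code as an HOTP-style value over a shared key and a per-card counter, and shows the issuer-side check that declines stale, replayed or wrong codes. The key, the class names, the counter window and the assumption that the counter travels with the code are illustrative; real contactless cards use their own algorithms.

```python
import hashlib
import hmac


def one_time_code(key: bytes, counter: int, digits: int = 3) -> str:
    """HOTP-style (RFC 4226) code over a shared key and a counter.

    Assumption: this stands in for the card's dynamic CVV; it is a model,
    not the algorithm any payment network actually uses.
    """
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Card:
    """Hypothetical card: every read advances its counter (assumption)."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def read(self):
        self._counter += 1
        return self._counter, one_time_code(self._key, self._counter)


class Issuer:
    """Hypothetical issuer: accepts a counter only if it moves forward."""

    def __init__(self, key: bytes, window: int = 5):
        self._key = key
        self.last_counter = 0   # highest counter already approved
        self.window = window    # how far ahead a counter may jump

    def authorize(self, counter: int, code: str) -> str:
        if counter <= self.last_counter:
            return "declined: counter stale or replayed"
        if counter > self.last_counter + self.window:
            return "declined: counter too far ahead"
        expected = one_time_code(self._key, counter)
        if not hmac.compare_digest(code, expected):
            return "declined: wrong code"
        self.last_counter = counter
        return "approved"


def demo() -> dict:
    key = b"constructed-demo-key"      # constructed sample key
    card, issuer = Card(key), Issuer(key)

    earlier = card.read()              # a read that is not presented yet
    later = card.read()                # the cardholder's own next tap

    results = {}
    # The later read reaches the issuer first and is accepted.
    results["later_read"] = issuer.authorize(*later)
    # The earlier read is now behind the issuer's counter.
    results["earlier_read_after"] = issuer.authorize(*earlier)
    # Presenting the same read twice fails for the same reason.
    results["replay"] = issuer.authorize(*later)

    # A guessed code for the next counter value does not verify,
    # and the failed attempt does not advance the issuer's counter.
    third = card.read()
    guessed = (third[0], "%03d" % ((int(third[1]) + 1) % 1000))
    results["wrong_code"] = issuer.authorize(*guessed)
    results["genuine_third"] = issuer.authorize(*third)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:20s} {outcome}")
```

In this model the issuer never needs to hear from the card directly: the counter presented with each code is what puts an older read "out of step", as one post above phrases it.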
Or he could just keep enough money in the account.
This is hard to do if the thief doesn't tell you how much he plans to attempt to steal from you beforehand. The lack of the use of your money is the biggest reason (in my mind) to use a credit card instead of a debit card.
The idea of contactless credit card payments was that the reduced costs due to increase in transaction speed would more than make up for any increases in fraud.
I thought that one of the goals was to reduce the potential for fraud by making it more difficult to duplicate the card?
I am think that if RFID-enable credit card is present at known point in spacetime, attacker need only to go to that point in space and then move card reader along fourth dimension axis until card information can be read. The banks should really giving solution to this problem soon I hope so they will.
You just described a dude sitting on the sidewalk (moving through time) until cards come to him.
So the Royal Bank believes in security through obscurity, and then tries to destroy said obscurity through ad campaigns. Real clever.
Those "printed" codes are getting closer and closer to embossed. A recent card I received (technically it's tied to my FSA) has a CVV number that I can read from the front with the correct angle of a light source. I'm sure a photograph of that same card could be processed with GIMP to make it readable as well.
Yet my RFID-enabled work badge seems to work within 2-3 inches (5-8 cm for the rest of you) of the reader; now, in a crowded elevator, that would easily be within range.
Time to offend someone
Why is it "hyperbole" if somebody can drain hundreds of bank accounts wirelessly with a $50 device?
To me that sounds more like "panic stations, block all cards now!!"
Just because Paypass/wave is limited to A$35 per transaction doesn't mean one can't do a lot of damage. That money, at least in Australia, must be returned to the rightful owner in the case of fraud; this means that the money comes out of the bank's bottom line, which must be made up in the only way a bank knows how: higher fees. So there is a net cost to everyone when it comes to fraud.
With a lot of online stores all you need is the card number and expiration date (no CVV), there is no $35 limit here.
Also, I am confident this will only be the first of such exploits. There's a lot of money in it so the research will be there. Eventually they'll be forced to put in a form of user authentication on there.
Why anybody needs RFID credit cards is beyond me anyway. Is it sooooo hard to swipe a card through a reader?
They need them because Visa and Mastercard can charge a higher merchant fee for Paypass/wave than they can for an ordinary transaction.
Merchant fees are how credit cards make money for their owners (the banks, not you). Merchant fees are invisible to the average card user as they have to be built into the price of goods. The higher the fees for the merchant, the more goods cost for you.
Calling someone a "hater" only means you can not rationally rebut their argument.
If the antenna can't receive, it also can't transmit. The system (where "system" is an antenna wrapped in aluminum foil, or inside of a Faraday cage, or whatever) does not behave as an antenna, because it can't do either thing. The system therefore is not an antenna, although it may contain one.
(In other news, a resistor or capacitor or inductor or whatever with a wire shorting it no longer behaves as a resistor or capacitor or inductor or whatever, and mules are neither donkeys nor horses although they're made from one of each.)
Meanwhile, here's what happens to RF energy as it attempts to pass through a Faraday cage: All of it, to the limit of the efficiency of the cage itself (which itself is ultimately limited by the conductivity of the material), is eventually converted to heat. Whether it is converted to heat rather directly (in a manner just like any other short circuit), or somewhat indirectly (nobody said a Faraday cage does not have reflectance: things can/do bounce inside/off of it), it still turns into heat.
As to microwave ovens in particular, some of the energy is absorbed by the interior surfaces and the Faraday cage itself and converted to heat. Much of it finds its way back to the magnetron and associated kit, where it also gets converted to heat. (And obviously nothing is lost, because nothing can be lost. It's the law.)
Yes, this can be hard on things, and yes, microwave ovens tend to survive it OK anyway.
(This, incidentally, is why it's a good idea to have a bit of water in the microwave when doing fun things like making plasma balls, nuking light bulbs, punishing CDs, and otherwise playing with things that deal with 2.4GHz RF inefficiently: The water helps convert and store excess energy in the form of heat, which saves the guts of the microwave the pain and suffering of doing that itself.)
It's not complicated -- it's just a simple, passive component called a Faraday cage.
Kid-proof tablet..
False. I've built my own reader, sat at the front of the bus and was able to glean 90% of the people who had cards with this. Both cc and bus fare cards.
In our institute the higher powered readers will read your card from more than 50cm away. Pack the bulky equipment in your backpack, get in the tube during rush-hour and that's it.
Enough for what? I've bought two cars on credit cards (paid off first month, no interest, but lots of bonus miles). You are saying that I should keep an extra $100,000 in my checking account on the off chance that the bank gives away two cars and asserts it was my money they gave away?
Learn to love Alaska
Are you deliberately misreading me? I said that slowly approaching you until they read the card successfully would be conspicuous. I was specifically saying that bumping up against you would be the way to go, because it would not be conspicuous.