Slashdot Mirror
Shmoocon Demo Shows Easy, Wireless Credit Card Fraud
Sparrowvsrevolution writes with this excerpt from a Forbes piece recounting a scary demo at the just-ended Shmoocon: "[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer's credit card onstage and obtained the card's number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer's money with the counterfeit card she'd just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) ... A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses."
That is why I have lined my wallet with the aluminum foil that I had left over from making my hat.
It is news in that this has now been brought up to the credit card companies in a manner which cannot be easily ignored.
Don't know something? Look it up. Still don't know? Then ask.
Put two of these cards next to eachother, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.
There are numerous ways around this problem. It shouldn't stop people from using the technology.
You should be more worried about waiters and cashiers then somebody in a crowd grabbing your data.
Your hair look like poop, Bob! - Wanker.
Put her in jail for teaching others how to defraud the public!!!!
* Obvious to the credit card industry
Word game?
I remember seeing it on the news - they demonstrated someone with a cheap RFID reader and a laptop can bump into people, grab their cards, and run off. It was impressive enough that my parents got worried and checked their cards for that paypass logo.
Of course, having it more in the news isn't a bad thing. Add in a few elaborations (attackers can read your credit card without having to be close to you!) and you'll find great retraction on this. Especially when considering that it applies to debit cards as well. (Anyone with $50 worth of equipment can drain your bank account!).
And yes, while it's a bit of hyperbole, it makes a nice soundbite to get people to change.
Its been well known that RFID cards are suspectible to this kind of threat. The only reason why jammers and blocks havent been enforced as much is because there haven't been enough cases of this happening to justify wide-scale enforcement. I really like the convenience of contactless payment systems and hope jammers and guards become ubitquitous enough for banks to provide them along with these cards.
So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.
For your security, this post has been encrypted with ROT-13, twice.
I've been using a Faraday Cage wallet and passport holder by DIFRwear: http://difrwear.com/ for several years now. I don't work for them, but with the very cheap wallet prices and sturdy construction I've been very pleased with the products. I can testify that they do work as I have an RFID key card and it won't activate the door if in the wallet.
And in other news anytime you take your credit card out to do anything and it is out of sight for a moment people could record your number, expiration date and your security code and then use it to buy things using your credit card. But of course we won't worry about that because technology is SCARY!!! Despite the fact that this doesn't work if you:
Have more than 1 credit/debit card with an RFID chip.
Aren't really close to the card.
Store your card in an aluminum wallet.
Sure, it is possible, but we focus so much on the possible technological side while totally neglecting the fact that people could quite easily just record your credit card info when you pay for things.
Taxation is legalized theft, no more, no less.
(sarcasm) Well, the obvious solution is to prosecute Randy for violation of some type of copyright/jail-breaking/illegal use law. If we don't have one yet for this -- we can write one quickly! No need to have people worry about this type of stuff. Our economy is in shambles, we need people to use their cards! You can't grow GDP without breaking a few eggs! (/sarcasm)
The fact that you can make a payment via Square without any form of authentication is the biggest failure here. At least with the RFID payment you've got a cryptographically strong authentication method which is pretty hard to fake. The sooner the credit card companies get rid of the magstripe the better...
Kristin Paget used to be Chris Paget, famous GSM hacker. With that out of the way, we return you to this awesome hack.
What exactly is the advantage to these RFID credit cards? All the readers I've seen still require you to get the card close to it to work. Has the world really grown so lazy that we can no longer be bothered to make a vertical swiping motion? I can see the benefit for payment-enabled cell phones or key fobs, but credit cards? Seems like a solution to a problem that didn't exist.
Why is it "hyperbole" if somebody can drain hundreds of bank accounts wirelessly with a $50 device?
To me that sounds more like "panic stations, block all cards now!!"
Why anybody needs RFID credit cards is beyond me anyway. Is it sooooo hard to swipe a card through a reader?
PS: Why would the CVV number be on the RFID chip? Surely that's the secret only you and the company are supposed to know?
No sig today...
The CVV used here, I believe, isn't the one printed on the back of the card. I believe that it's a one-time use CVV that changes for the next transaction (think rolling-code garage door opener or http://en.wikipedia.org/wiki/One_time_password)
So, someone who steals one can do a single transaction.
And the worms ate into his brain.
You can read RFID cards in peoples wallets at 30 ft with a transponder with higher send signal and a better antenna. The same applied for multiple cards. Some reading devices won't process if there is more than one card in it's reach, but that's a software decision. Devices purpose made to leech RFIDs do not play by the rules and legislation set out for "proper" RFID equipment.
I was promised a flying car. Where is my flying car?
They actually have to bump the device up against your wallet.
Not according to TFA:
In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card’s information.
There are many situations where we get close enough to random strangers for someone to pull this off.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
Wasn't RFID the subject of the Mythbusters episode that was "squelched" by Visa ? Adam made a few comments and the issue was clamped down upon by all. The credit card companies (huge advertisers-when you get 29% interest you have lots of money) made it clear that RFID weaknesses were not a subject to be discussed in public to a lay audience.
As a non-idiot I knew this was possible. I fight Chase regularly on this, they send a new card with the stupid chip, I call and roast em, they mail me a new one without the chip. But they tell me at the time that it is a one time only deal and sure enough they send another later in the year on a different card. Yes, because of mergermania I now have three credit cards but they are all Chase. They simply refuse to allow you to permanently opt out of this madness.
Same with wanting to move me to a debit card instead of an ATM card. The ATM card requires a PIN for all transactions and has other safeguards which work in my favor. The debit cards can be used in all sorts of places without a PIN and since it isn't a credit card (despite the Visa logo) the stolen money is gone from your account and you are getting to pay NSF fees all over the place while you fight over it. So I just keep cutting those cards every time they send a new one out and keep using my ancient ATM card. When it stops working I'm out of there.
Democrat delenda est
You can steal it for one transaction. However, you can read a card multiple times and if they haven't used the paypass since, you can replay those transactions in order and use it multiple times.
I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.
Researchers seem to be able to do it from several feet away...just google for "rfid maximum distance" (or something similar).
No sig today...
As a non-idiot I knew this was possible. I fight Chase regularly on this, they send a new card with the stupid chip, I call and roast em, they mail me a new one without the chip. But they tell me at the time that it is a one time only deal and sure enough they send another later in the year on a different card. Yes, because of mergermania I now have three credit cards but they are all Chase. They simply refuse to allow you to permanently opt out of this madness.
Stop! Hammer time!
If you have an unusually thin wallet, that may work. But the attacker isn't going to get closer and closer to you until it works. That would be pretty silly, and rather conspicuous. They are going to bump up against you.
In a crowded commuter train or bus an attacker can inconspicuously bump his RFID reader containing backpack against 100 people without arising suspicion while pusing his way from one end of the train to the other. On a less crowded train, he can put his reader under the seat in front of him (many transit agencies use thin fiberglass or plastic seats) and get it to within 1/4 inch of the seated passenger's back pocket wallet.
I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work. But I never do it that way. I just slap my wallet against the reader. Suggesting that a criminal would do it differently is just silly.
My RFID card key works 3 or 4 centimeters from the reader. Like you I usually slap it against the reader, but I'm not worried about making the reader suspicious about why I'm touching it. I've seen people who keep the card in their wallet do a butt touch on the reader and the card works fine through their wallet and clothes. If RFID card keys are any indication, then it would be trivial for a thief to get close enough to read the card without actually touching you - after all, pickpockets are already able to slip a wallet from a pocket undetected, so I think they can manage to get a card reader a few cm from your wallet without touching you.
I'm not sure how Credit Card RFID chips differ from the RFID chips used in passports, but Passport RFID readers with high gain antennas have been used to read a passport RFID chip from hundreds of feet away.
i get that close to hundreds of strangers each week on the train to and from work. this is also a situation where people will most likely be able to figure out where my wallet is, because i just pulled it out when i swiped my transit card.
There are multiple CVV numbers assigned to a single card. The first is present on the magstripe. The second one is what we know as the security code and is printed, not embossed, on the signature panel on the back of the card. For chip cards and contactless cards you get other schemes such as this single use CVV numbers produced by the card.
Also, a card can only be blocked if it is presented to the reader for long enough to download a couple of scripts feom the issuing institution. A paypass card's offline wallet is fair game for anyone who picks up the card.
obviously it is much more complicated than the space/time available here
A "hot wire?" What is a "hot wire?" Are you talking about AC mains voltage? The same concept would apply to vehicles, building doors, household appliances, etc. This has nothing to do with RF.
I never said it did, moron. Yes, one of the reasons it is a good idea to ground a Faraday cage is exactly the "same concept" as why it is good to ground household appliances, etc.
Umm, NO. The idea of a Faraday cage is that you create an RF short as the cage is larger than lambda/2.
You're confusing signals getting into a Faraday cage with signals getting out of one. If the cage's mesh is larger than lambda/2, the signal will penetrate it. If it's not, the signal will not.
The earth does NOT become an antenna. You merely increase the VSWR at the transmitter.
If a charge is placed inside an ungrounded Faraday cage, the internal face of the cage will be charged (in the same manner described for an external charge) to prevent the existence of a field inside the body of the cage. However, this charging of the inner face would re-distribute the charges in the body of the cage. This charges the outer face of the cage with a charge equal in sign and magnitude to the one placed inside the cage. Since the internal charge and the inner face cancel each other out, the spread of charges on the outer face is not affected by the position of the internal charge inside the cage. So for all intents and purposes, the cage will generate the same electric field it would generate if it was simply charged by the charge placed inside.
I.e. the Faraday cage becomes the antenna. You're welcome.
I have an RFID access key I keep in my wallet. I think if I get it within 2 or three millimeters of the reader it will work.
Mine works from 3 inches away. At a regional office, there's a reader that is twice as large on the wall, and just walking near it with my wallet in my pocket opens the door. It's not the card that determines distance; it's the reader. So maybe the crooks don't buy the $50 reader, maybe they go for the $2000 reader that works from two feet away, and set up shop in a van parked next to a busy sidewalk.
An anisotropic radiator? THE FUCK does directionality have to do with anything?
An "electrostatic charge" is just an electric charge that isn't moving, by the way. Move an electric charge with an AC current and you get... wait for it... EM radiation.
An antenna radiates EM energy by moving charges around. The radiated energy from an antenna, in turn, induces movement of electrons in other conductors. The Faraday cage is a conductor, so the radiated energy causes electrons to move in it. That movement of electrons also radiates energy, as if the Faraday cage were itself an antenna. Hence the Faraday cage might as well be pinned directly (electrically shorted) to the antenna of the transmitter inside it.
I think you're using big words about concepts you don't really understand.
I once worked for Tektronix, back in the 1990s when they were pioneering this technology. As a demonstration, one door on main headquarters had a reader that could read from 12 feet away- the light would go green as you approached that door.
I have *NO* doubt that with a suitable antenna, line of sight, and enough power, you could read an RFID chip from a mile or two away.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
It's hyperbole because the attacker has to be incredibly close to you. They actually have to bump the device up against your wallet. While it's technically "wireless" that's not what most people have in mind when they hear the word.
I was at Kristin's talk. The range with a standard cheap-ass reader is a few cm. With your own higher-power add-on (13.56MHz is right next to the 14MHz amateur band for which you can get off-the-shelf gear), it's tens of feet.
Also the CVV number it gives you works for one use only.
So you perform multiple reads and get one CVV per read.
"That would be pretty silly, and rather conspicuous. They are going to bump up against you."
Never used public transportation, I see.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Yet my RFID enabled work badge seems to work within a 2-3 inches (5-8 cm for the rest of you) of the reader, now in a crowded elevator that would easily within range.
Time to offend someone