The attack can be carried out with off-the-shelf hardware and freely available Python scripts.
Paranoiacs of the world unite: they really are out to get you. Python hacker Adam Laurie took the stand at the Black Hat DC 2008 conference to demonstrate major security failings in the radio frequency identification tags used in modern credit cards and passports.
Asking for a volunteer from the audience who had a smart-card on or about his person, hacker Laurie waved his magic RFID reader at the suddenly famous attendee and succeeded in popping their name along with the account number and expiration date for their RFID-enabled American Express credit card up on the big screen – without ever touching the man in question or even removing the card from his wallet.
Laurie has spoken to American Express in the past and voiced his concerns over his ability to read card details remotely. The company's response? “We are comfortable with the security of our product.” I wonder if their customers are quite as comfortable right now.
In mitigation, the company issued a statement that the account number visible from this magic-wand attack isn't the same as the one on the front of the card, but Laurie has countered with reports that the account number is still valid for on-line transactions. Which isn't very reassuring.
RFID tags – tiny chips which use the power gained from a radio field of a particular frequency to broadcast stored information – are popping up pretty much everywhere these days from pets (stores a unique identifier so lost pets can be returned to their owners) to clothes (allows for efficient tracking of stock levels and for theft protection), but the worrying trend is for rather more valuable items to come equipped. Anyone who has renewed their passport here in the UK in recent years will be familiar with the sight of an RFID chip attached to a full-page size antenna which contains the full details of the passport – including a digital photograph of the owner. The sort of information, in fact, which would be of interest to identity thieves who must be rubbing their hands with glee at the thought of being able to harvest personal details from anyone who walks within a ten-meter radius of a scanner.
Laurie makes the tools he used to carry out the attack available to interested parties on his website. Until such a time as companies start taking the security of contactless data transfer more seriously, I would recommend lining your wallets with tinfoil: it's not just for blocking out the alien mind-rays, y'know.
What's your take on this: a plausible attack that could take the place of traditional mugging – hey, at least it's violence-free – or just a curiosity with no real risk attached?