bit-tech.net

RFID credit-card attack demo'd

RFID credit-card attack demo'd

The attack can be carried out with off-the-shelf hardware and freely available Python scripts.

Paranoiacs of the world unite: they really are out to get you. Python hacker and Adam Laurie took the stand at the Black Hat DC 2008 conference to demonstrate major security failings in the radio frequency identification tags used in modern credit cards and passports.

Asking for a volunteer from the audience who had a smart-card on or about his person, hacker Laurie waved his magic RFID reader at the suddenly famous attendee and suceeded in popping their name along with the account number and expiration date for their RFID-enabled American Express credit card up on the big screen – without ever touching the man in question or even removing the card from his wallet.

Laurie has spoken to American Express in the past and voiced his concerns over his ability to read card details remotely. The company's response? “We are comfortable with the security of our product.” I wonder if their customers are quite as comfortable right now.

In mitigation, the company issued a statement that the account number visible from this magic-wand attack isn't the same as the one on the front of the card, but Laurie has countered with reports that the account number is still valid for on-line transactions. Which isn't very reassuring.

RFID tags – tiny chips which use the power gained from a radio field of a particular frequency to broadcast stored information – are popping up pretty much everywhere these days from pets (stores a unique identifier so lost pets can be returned to their owners) to clothes (allows for efficient tracking of stock levels and for theft protection), but the worrying trend is for rather more valuable items to come equipped. Anyone who has renewed their passport here in the UK in recent years will be familiar with the sight of an RFID chip attached to a full-page size antenna which contains the full details of the passport – including a digital photograph of the owner. The sort of information, in fact, which would be of interest to identity thieves who must be rubbing their hands with glee at the thought of being able to harvest personal details from anyone who walks within a ten meter radius of a scanner.

Laurie makes the tools he used to carry out the attack available to interested parties on his website. Until such a time as companies start taking the security of contactless data transfer more seriously, I would recommend lining your wallets with tinfoil: it's not just for blocking out the alien mind-rays, y'know.

What's your take on this: a plausible attack that could take the place of traditional mugging – hey, at least it's violence-free – or just a curiosity with no real risk attached? Share your thoughts over in the forums.

21 Comments

Discuss in the forums Reply
Shielder 22nd February 2008, 09:52 Quote
But...

But...

But...

The banks say that the security in these credit cards is hacker proof!

Seriously though, I don't want anything like this in my credit card. It took me long enough to accept a home wireless network, without having a "contactless" credit card in my wallet. If I do get sent one, it's going straight back.

"If you can't scratch glass with it, I don't accept it" - Zanywoop, HHGTTG.

Andy
mmorgue 22nd February 2008, 10:14 Quote
Yeh, this is pretty bad. If the Ccard industries say, "We happy our products are safe and not susceptable to hacking", and you get hacked as shown, how can you argue against the £5000 purchase of neon pink crotchless knickers from Thailand?
Arkanrais 22nd February 2008, 10:41 Quote
time to start manufacturing foil lined (or silver lined) wallets. I think I could make a few $ off this
cjoyce1980 22nd February 2008, 11:22 Quote
dont the london oyster underground system us something like this....... and i think barclays have just release a card with similiar technology to londoners
chicorasia 22nd February 2008, 11:37 Quote
“We are comfortable with the security of our product.”

How couldn't they be? They've probably spent a couple hundred bucks developing it! :D

How about setting up a scanner near an American Express office, picking up the account numbers of all the employees and executives and sending the data back to them and to the press at the same time? Let's see how comfortable that will feel...
theevilelephant 22nd February 2008, 12:32 Quote
Quote:
Originally Posted by cjoyce1980
dont the london oyster underground system use something like this.......
yes

why would you want a wireless credit card anyway. Who is so lazy they cant b bothered to swipe it or stick it a card reader..... I can understand using it for less important data, but come on my bank account? dont think so....
eek 22nd February 2008, 13:07 Quote
I use the aforementioned Barclay card... haven't really made much use of the pay wave feature as not many places accept it. I'm certainly lazy enough to use it where I can however!!

Having the Oyster card built in is good though, cuts down on the number cards I have to carry around :)
naokaji 22nd February 2008, 13:31 Quote
Quote:
Laurie has spoken to American Express in the past and voiced his concerns over his ability to read card details remotely. The company's response? “We are comfortable with the security of our product.”

WTF? they are comfortable with that?

how can they be comfortable with that? do they have an internal guideline that no employee should use their own products or why do their employees not care? or is it just a marketing stunt to downplay the problem? (the second theory actually sounds more plausible).
Bluephoenix 22nd February 2008, 14:12 Quote
Cold hard cash and checks are the way to go IMHO

I only use a visa when I have to. and none of this fancy RFID ****.

though the best wallet lining wouldn't be foil, but brass mesh. Faraday cages FTW!!!!!
johnnyboy700 22nd February 2008, 15:16 Quote
I would have thought copper mesh would be better.

Serously though, is anyone really surprised that the big companies are about ten steps behind the determined hackers with this? The irritating thing is that with passports, you don't have a choice, you have to accept one with this technology, at least with a credit card you can opt to use one without it.

I can see a nice little aftermarket sideline opeing up here, wallets, credit card holders and passport wallets that are guaranteed to be RF shielded until you open it.
waltaugust 22nd February 2008, 16:02 Quote
Lining with aluminum foil is effective but kind of a pain to maintain. Identity Stronghold makes a real simple shielded card sleeve you can keep your contactless credit cards or ePassports in. You can buy them online at www.idstronghold.com . If you are in the UK you could buy the skimstopper sleeves at www.smartcardfocus.com under accessories/cardholders.

This is the simplest solution around and the credit card companies should be shipping these with the cards so you don't have to buy them.
waltaugust 22nd February 2008, 16:03 Quote
Lining with aluminum foil is effective but kind of a pain to maintain. Identity Stronghold makes a real simple shielded card sleeve you can keep your contactless credit cards or ePassports in. You can buy them online at www.idstronghold.com . If you are in the UK you could buy the skimstopper sleeves at www.smartcardfocus.com under accessories/cardholders.

This is the simplest solution around and the credit card companies should be shipping these with the cards so you don't have to buy them.
waltaugust 22nd February 2008, 16:03 Quote
Lining with aluminum foil is effective but kind of a pain to maintain. Identity Stronghold makes a real simple shielded card sleeve you can keep your contactless credit cards or ePassports in. You can buy them online at www.idstronghold.com . If you are in the UK you could buy the skimstopper sleeves at www.smartcardfocus.com under accessories/cardholders.

This is the simplest solution around and the credit card companies should be shipping these with the cards so you don't have to buy them.
sotu1 22nd February 2008, 16:09 Quote
if AMEX have said that they are not concerned with the security of their cards, yet it has been proven that their cards can be hacked, doesn't that make them open for a law suit because they're not paying maximum attention to keeping our details/money safe?
LoneArchon 22nd February 2008, 16:38 Quote
Well thinkgeek.com has the RFID Blocking Wallet (http://www.thinkgeek.com/gadgets/security/8cdd/) and Passport Wallet (http://www.thinkgeek.com/gadgets/security/910f/). I am not Planning to get one of these Wave and Pay cards anytime soon I would rather swipe the card. This is a major security hole for those types of cards than need to be fix.
Anakha 22nd February 2008, 16:57 Quote
My father (A London bus driver) has one of these RFID cards, and already knows about the "Dangers" of such a system.

An interesting anecdote for you.

When London Transport was originally trialling the Oyster pre-pay system, they were intending to put the "Reader" around the entrance doorway, so it'd read the card (And debit the card) as you got on without you having to do anything. However, in initial runs the sensitivity was a little high, so everytime an Oyster-equipped bus passed a queue of people, it would subtract a fare automatically from their cards as it drove past.

For "Staff only" areas of LT buildings, they are using "Around-the-door" detectors to tell just how long staff are taking on breaks and the like. However, my father found a neat solution to that. He uses a stainless steel business card holder (a couple of quid), which is the perfect size for storing credit-cards, and when closed, forms a perfect faraday cage around the card, blocking all signals out. So why bother with these pesky "RFID Blocking wallets" when a simple business card holder does the job just as well? :)
leexgx 22nd February 2008, 23:08 Quote
even with protecting it on your self will not do as you have to remove it at some point to use it its likey its going to be read when you pull it out to use it (places that use it ID RFID) thats an bigger problem as now any one with an bag at an airport can get So much info by just getting some food (an long walk with the bag and the device to get food and ever one you walk past you get id stuff whats very poor idea )

first thing to do i guess is destroy the RFID device in the passport or card at least with the Chip and pin idea thay need to have the card at least
DXR_13KE 22nd February 2008, 23:35 Quote
bloody idiots....

edit: not the people that hacked the thing, i am referring to the people creating and using the thing and shoving into other peoples asses....
Fused 22nd February 2008, 23:57 Quote
Quote:
Originally Posted by leexgx

first thing to do i guess is destroy the RFID device in the passport or card at least with the Chip and pin idea thay need to have the card at least

I don't know if you mean it litteraly or not, but tampering with the rfid in your passport might just make those people at immigration just a tiny bit suspicious..

I see chip and pin as more of a convienence than anything meaningful in terms of security. In the end nothing will stop a determined thief!
Xir 25th February 2008, 08:55 Quote
Quote:
Originally Posted by leexgx
first thing to do i guess is destroy the RFID device in the passport or card

So, how to go about this? 2 Sec's in the microwave?

:D
DarkReaper 25th February 2008, 23:23 Quote
Time to rebuild my Duct Tape Wallet with a shiny crinkly lining!
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums