Skimming RFID Credit Cards

It's easy to skim personal information off an RFID credit card.

From The New York Times:

They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked.

And from The Register:

The attack uses off-the-shelf radio and card reader equipment that could cost as little as $150. Although the attack fails to yield verification codes normally needed to make online purchases, it would still be potentially possible for crooks to use the data to order goods and services from online stores that don't request this information.

Despite assurances by the issuing companies that data contained on RFID-based credit cards would be encrypted, the researchers found that the majority of cards they tested did not use encryption or other data protection technology.

And from the RFID Journal:

I don't think the exposing of potential vulnerabilities of these cards is a huge black eye for the credit-card industry or for the RFID industry. Millions of people won't suddenly have their credit-card numbers exposed to thieves the way they do when someone hacks a bank's database or an employee loses a laptop with the card numbers on it. But it is likely that these vulnerabilities will need to be addressed as the technology becomes more mature and criminals start figuring out ways to abuse it.

Posted on November 7, 2006 at 12:49 PM • 30 Comments

Comments

Chris • November 7, 2006 2:13 PM

Could you comment on this phrase from the NY Times article?

...and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

I wasn't aware that the US had any laws regulating encryption, except perhaps those related to its export to designated "terrorist" nations. So is the marketing copy described here simply lying, or are they admitting that their encryption is weak enough to share with the nation's top enemies?

Civil Disobedient • November 7, 2006 2:18 PM

I'm waiting for a small mass-produced device that I can buy that will respond as if it were a huge cloud of valid (active or passive) RFID devices, each filled with random (or programmed) data. Or perhaps an online service through which I can trade thousands of RFID chips with others to get a random assortment that I can carry with me to confuse readers.

Erik V. Olson • November 7, 2006 2:34 PM

I'm waiting for a device that, upon receiving the trigger pulse that activates the RFID device, responds with a 1 to 10 watt pulse.

Let's see if the front end on the reader can cope with a signal some four to six orders of magnitude stronger than it expected.

Nicholas Weaver • November 7, 2006 2:38 PM

What's most galling is that you gain almost nothing. Ohh, you don't have to take your card out of your wallet (but you still have to take your wallet out of your pocket), ohhh, what a timesaver....

OTOH, it's the credit card companies who will have to eat the loss.

Daisy Duck • November 7, 2006 3:09 PM

It would be interesting to attach one of those readers to a turnstile at Walt Disney World.

Daniel • November 7, 2006 3:18 PM

If you don't have to take the credit card out of your wallet how do they know which one to charge? Once this rolls out and you have more than one of these it's saving only the last couple of inches of today's "swipe" action.

I'm sorry, I've never felt so burdened by the exertion that I'm willing to accept the greatly increased risks.

parity • November 7, 2006 3:39 PM

What's interesting to me about this is that the usual tool of credit card fraud investigation -- data mining -- will be much less useful since large-scale skimming attacks could occur at various places "in the wild", as opposed to only at a point-of-sale.

Filias Cupio • November 7, 2006 6:04 PM

c1996:
Microsoft: "Look at these neat features!"
Security experts: "You're creating a security nightmare. Fix it now, or you'll regret it."
Microsoft: "I don't think the exposing of potential vulnerabilities of Windows is a huge black eye for Microsoft. Millions of people won't suddenly have their computers cracked and infected with keyloggers and botnet software. But it is likely that these vulnerabilities will need to be addressed as the technology becomes more mature and criminals start figuring out ways to abuse it. Did we remember to tell you about the neat features?"

2006:
Microsoft: "We're sorry that Windows gets compromised in less time than it takes to download the patches. We're spending billions working on a fix - any year now. We can't just close the holes, because too many people are using those features."

Credit card companies: "Look at these neat features!"

You can figure out the rest yourself.

-ac- • November 7, 2006 8:35 PM

@Erik V. Olson
We're thinking alike :)
@Daniel
Great point about multiple credit cards in your wallet
Add crowded subways. I predict personal security devices to protect your RFID tags. Including Erik's suggestion. :D

ferret • November 7, 2006 9:22 PM

re: I'm waiting for a small mass-produced device that I can buy that will respond as if it were a huge cloud of valid (active or passive) RFID devices, each filled with random (or programmed) data.

see http://www.rfidguardian.org/ for a prototype that goes beyond that: it monitors, logs, proxies and can selectively jam RFID activity.

Tweek • November 7, 2006 10:39 PM

I truly feel that having a credit card that has a RFID chip is really a bad idea. Even if the information is encrypted there is still the possibility of having that information get into the wrong hands. I think I’ll wait to see if the technology is sound or not.

JeffD • November 7, 2006 11:20 PM

@Nic
No, but tinfoil in your wallet (or better yet, a Faraday cage embedded in it) would do the trick. Let the spooks watch a bunch of black holes getting on and off the subway... your tax dollars at play?

brainfart • November 8, 2006 4:44 AM

Once more the US leads the world...

> I truly feel that having a credit card that has a RFID chip is really a bad idea.

I truly feel that having a credit card, with or without RFID chip, is really a bad idea. I don't own a credit card and I don't miss it. But then again I don't live in the US.
Cash is king. I don't comprehend why people need credit cards. Credit cards make things complicated and more expensive for ALL consumers, even those who refuse to use one.

Steve • November 8, 2006 5:17 AM

@brainfart:

I have found it difficult to use cash online - I can cram it into the slot on the front of my PC, but apparently it doesn't fit properly down the network of tubes. Even if it did, I understand that US routers would have difficulty with British currency, so my cash might not reach amazon.com.

More seriously - credit cards don't make things all that much more expensive. The cost overhead for businesses to handle cash is probably more than you think, so credit cards are more competitive than their huge merchant charges make them look.

JakeS • November 8, 2006 8:16 AM

MasterCard and Visa cards with RFID chips are already being issued. You may have one already.

For transactions under $25 there's no verification - just wave the card and go. Thus, all the crooks need is a way to spoof a RFID response with the details from your credit card. Then they sell it to kids who use it to get into venues, buy drinks, etc. - anything under $25 - and you're left with having to deal with your card company and prove that the transactions weren't yours. Wonderful.

http://www.mastercard.com/us/merchant/solutions_resources/paypass/
http://usa.visa.com/personal/cards/contactless/

Clive Robinson • November 8, 2006 9:12 AM

@Daniel


"how do they know which one to charge?"

A simple thought, the average person cannot remember one (let alone multiple) pin numbers. So they have a habit of changing them...

What is the betting/odds that the same PIN works for all the cards in a person's wallet?

supersnail • November 8, 2006 10:47 AM

It's weird, why is it that people with no technical knowledge are such technophiles?
e.g. Bank executives, prime ministers, election officials.

There are many simple ways to reduce credit card fraud (like sticking a photo on it!, or cutting off retailers who regularly accept stolen or skimmed cards) which are not used because of tiny amounts of extra administration involved. But present them with a tech system that involves massive rollout and retooling costs for little or no improvement and they cannot wait to approve the megabudget.

Jeremy Brayton • November 8, 2006 3:09 PM

"Millions of people won't suddenly have their credit-card numbers exposed to thieves the way they do when someone hacks a bank's database or an employee loses a laptop with the card numbers on it."
No, it won't happen suddenly but apparently it will happen EVENTUALLY.

So instead of just worrying about hackers, we have to worry about people in proximity with a RFID reader. They may not exist now but create enough "demand" and it's pretty much guaranteed.

This is possibly the worst idea of the century. I guess whoever the hell thought of it wanted to get it out of the way early? R-tards.

Al • November 8, 2006 7:36 PM

This type of identity theft is interesting but they tell us that it is less than 30% of the problem. Your Dr. Lic., Gov. Security #, Health Care Card, and your personal character is a much greater nightmare when it comes to its harm on you. Gov. seems to be even slower than the financial world to do anything constructive to stop it.

Anonymous • November 9, 2006 4:44 AM

@Jeremy Brayton:

"This is possibly the worst idea of the century."

So far, maybe, but it's early days yet. I have faith that in 90 years time we'll be capable of much dumber things than this.

Steve S. in Jamaica, NY • November 13, 2006 2:53 AM

This move toward emplacing all-too-easily-hackable RFID-chips into our credit cards (and into other such info-cards that we may carry, such as medical i.d. cards, healthcare-insurance cards, national-identification cards, even our passports) is just the beginning.

The next likely step -- already having been implemented in at least one (if not more) Mexican government agency and several US businesses, as well as voluntarily by some posh overseas resorts/nightclubs for its "elite" members, to name a few such instances -- is the implantation of RFID-readable identity-&-information chips into humans.

And the speculation is that, like it or not, the time may not be far off when such implantations may be required -- by Governments or corporations -- on a massive scale.

If the push is cleverly handled, many people -- in the same way as the above-mentioned nightclub-elite -- may be persuaded to eagerly desire such implantations because of the perceived perks that having those implanted chips may bring. But ahh, the concomitant dangers? Shhh! Not to be discussed!

But if the push toward universal implantation is Governmentally-mandated (much as various vaccinations in American children have been mandated, even over parental objections) -- perhaps with the excuse being offered that this is a necessary way to guard against terrorism or the spread of the Bird Flu, etcetera -- then what will come of us?

What will come of us if not only our Government -- with whatever its conglomeration of motives -- thus gains access to all our most personal data wherever we go and whatever we do? What if, also, other clandestine forces -- whether other regimes or corporate entities or terrorists or crime-syndicates or anyone else with the appropriate technology -- gain access to this same personal data?

In a world fraught with (so we are told) the rapidly spreading/increasing threats, on a broadening almost-global scale, of unstoppable terror-attacks, and of the unfettered -- and the quasi-legal and also illegal expansion/application of espionage-technologies so as to clandestinely wrest from us every formerly-private detail of our personal lives -- the bigger question is: where is all this headed?

And who, and with what wisdom -- or lack thereof -- and with what motives, and with what level of power, will be in charge?

For example: Look at the Credit Card Law that the Bush Administration pushed through Congress about a year or so ago: it gave the card companies and the banks huge additional powers, and tore away from all other Americans various vital previously-existing financial rights, such that while corporations could still easily declare bankruptcy and thus basically get off scot-free from having to follow-through on any previous financial responsibilities to their average American creditor, the law also now put the average American card-holder on the hook, making a declaration of individual bankruptcy next to impossible, even in the harshest and most cruel of circumstances. Become seriously ill, get screwed by your medical insurance plan (if you're fortunate enough to have one, and there are millions of Americans who cannot afford even that!), and you could lose everything through no fault of your own -- and still the card-companies will now have the right to come down on you like a ton of bricks and take anything you have left, even if doing so takes away any straggling coins that you may need for a bottle of life-giving medicine. At least that's my understanding of the situation.

Or, for a more simple case, just consider the many cases -- some of which you can easily Google-search, and many of which are never publicized by the affected companies -- in which purportedly encrypted, hacker-safe, intensely-guarded, private data from customer- and business- databases have been stolen or "inadvertently" been transmitted to the wrong parties. Hundreds of thousands of records, of social security numbers, other such extremely personal information -- hacked, lost, stolen, publicized. And that's been WITH "safeguards".

Now take any of these scenarios as a real-life parallel to what could just as well happen to our data in our new and rapidly-progressing RFID-technology world.

Against even the possibility of that sort of backdrop coming into view, who among us can feel at ease with how this RFID-technology -- promising and important as it certainly may be in many instances (such as in tracking transport-vehicles and cargo-containers to enhance business operations or guard against criminal/terrorist activity) -- is being implemented to our potential detriment?

Where are the safeguards? Where is the Congressional (and international) oversight?

Where is our (e.g., the People's) voice?

Perhaps now is an excellent time to write and fax and phone our Members of Congress, in both Houses, and urge them to design & submit & pass legislation that would require (a) the implementation of truly adequate (not cosmetic) limitations on the applications of RFID technologies and (b) the implementation of truly adequate (not cosmetic) protections for whatever data RFID-chips/technologies are supposed to handle, before those technologies/chips will be permitted to be used in any context that might involve any of our personal data.

I propose too that other international agencies be pressed to develop such safeguards as well. Perhaps the United Nations, for instance, would be a good start. And the European Union. This is, after all, a global phenomenon -- and it's just getting started. Now is the time to do something about it.

While there is still time.

-- SS.

GAO Tek Inc. • November 20, 2006 9:45 AM

For their study, researchers bought a $200 commercial RFID reader to simulate a "skimming" attack. Security experts warn that this technology is increasingly available to identity thieves and others who could scan people’s cards through their pockets, wallets and purses undetected.

http://www.gaorfid.com

Kent Betts • July 12, 2008 3:12 AM

I will give the CC companies the benefit of the doubt. It is simple to implement strong encryption using a public key system. I am not aware of a concrete example of anyone with a RFID scanner who has made a purchase with the info obtained.

"Thus, all the crooks need is a way to spoof a RFID response"

Which involves using an algorithm and a key code, which you don't have.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.