Skimming RFID Credit Cards
It’s easy to skim personal information off an RFID credit card.
From The New York Times:
They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. ‘Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?’ Mr. Heydt-Benjamin, a graduate student, asked.
And from The Register:
The attack uses off-the-shelf radio and card reader equipment that could cost as little as $150. Although the attack fails to yield verification codes normally needed to make online purchases, it would still be potentially possible for crooks to use the data to order goods and services from online stores that don’t request this information.
Despite assurances by the issuing companies that data contained on RFID-based credit cards would be encrypted, the researchers found that the majority of cards they tested did not use encryption or other data protection technology.
And from the RFID Journal:
I don’t think the exposing of potential vulnerabilities of these cards is a huge black eye for the credit-card industry or for the RFID industry. Millions of people won’t suddenly have their credit-card numbers exposed to thieves the way they do when someone hacks a bank’s database or an employee loses a laptop with the card numbers on it. But it is likely that these vulnerabilities will need to be addressed as the technology becomes more mature and criminals start figuring out ways to abuse it.
Pat Cahalan • November 7, 2006 1:08 PM
“Everything under control, situation normal”