Entries Tagged "skimmers"


Skimming RFID Credit Cards

It’s easy to skim personal information off an RFID credit card.

From The New York Times:

They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. ‘Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?’ Mr. Heydt-Benjamin, a graduate student, asked.

And from The Register:

The attack uses off-the-shelf radio and card reader equipment that could cost as little as $150. Although the attack fails to yield verification codes normally needed to make online purchases, it would still be potentially possible for crooks to use the data to order goods and services from online stores that don’t request this information.

Despite assurances by the issuing companies that data contained on RFID-based credit cards would be encrypted, the researchers found that the majority of cards they tested did not use encryption or other data protection technology.

And from the RFID Journal:

I don’t think the exposing of potential vulnerabilities of these cards is a huge black eye for the credit-card industry or for the RFID industry. Millions of people won’t suddenly have their credit-card numbers exposed to thieves the way they do when someone hacks a bank’s database or an employee loses a laptop with the card numbers on it. But it is likely that these vulnerabilities will need to be addressed as the technology becomes more mature and criminals start figuring out ways to abuse it.

Posted on November 7, 2006 at 12:49 PM

RFID Passport Security Revisited

I’ve written previously (including this op ed in the International Herald Tribune) about RFID chips in passports. An article in today’s USA Today (the paper version has a really good graphic) summarizes the latest State Department proposal, and it looks pretty good. They’re addressing privacy concerns, and they’re doing it right.

The most important feature they’ve included is an access-control system for the RFID chip. The data on the chip is encrypted, and the key is printed on the passport. The officer swipes the passport through an optical reader to get the key, and then the RFID reader uses the key to communicate with the RFID chip. This means that the passport-holder can control who has access to the information on the chip; someone cannot skim information from the passport without first opening it up and reading the information inside. Good security.

The new design also includes a thin radio shield in the cover, protecting the chip when the passport is closed. More good security.

Assuming that the RFID passport works as advertised (a big “if,” I grant you), then I am no longer opposed to the idea. And, more importantly, we have an example of an RFID identification system with good privacy safeguards. We should demand that any other RFID identification cards have similar privacy safeguards.

EDITED TO ADD: There’s more information in a Wired story:

The 64-KB chips store a copy of the information from a passport’s data page, including name, date of birth and a digitized version of the passport photo. To prevent counterfeiting or alterations, the chips are digitally signed….

“We are seriously considering the adoption of basic access control,” [Frank] Moss [the State Department’s deputy assistant secretary for passport services] said, referring to a process where chips remain locked until a code on the data page is first read by an optical scanner. The chip would then also transmit only encrypted data in order to prevent eavesdropping.

So it sounds like this access-control mechanism is not definite. In any case, I believe the system described in the USA Today article is a good one.
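
As an added example (not from the original post), this is how the basic access control scheme in ICAO Doc 9303 turns the data printed in the passport's machine-readable zone into the keys the reader needs, which is why the optical scan has to come first. It assumes the passport follows ICAO 9303 BAC; the document number and dates are the specimen values from that standard's worked example, and the function names are illustrative.

```python
import hashlib

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated across the field

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: digits as-is, '<' = 0, A-Z = 10..35."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10
        total += value * WEIGHTS[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Concatenate the three printed fields, each followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")  # short numbers are padded with '<'
    return (doc_number + check_digit(doc_number)
            + birth + check_digit(birth)
            + expiry + check_digit(expiry))

def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every byte has odd parity (DES keys)."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)

def derive_key(k_seed: bytes, counter: int) -> bytes:
    """Two-key 3DES key: first 16 bytes of SHA-1(K_seed || 32-bit counter)."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(digest[:16])

def bac_keys(doc_number: str, birth: str, expiry: str):
    """Return (K_enc, K_mac) derived only from data printed inside the passport."""
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    return derive_key(k_seed, 1), derive_key(k_seed, 2)

if __name__ == "__main__":
    # Specimen document from the ICAO 9303 worked example, not a real passport.
    k_enc, k_mac = bac_keys("L898902C<", "690806", "940623")
    print("K_enc:", k_enc.hex())
    print("K_mac:", k_mac.hex())
```

A reader that has not seen the data page cannot compute either key, so the chip refuses to release its contents to it.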

Posted on August 9, 2005 at 1:27 PM
