
Shmoocon Demo Shows Easy, Wireless Credit Card Fraud

timothy posted more than 2 years ago | from the now-how-much-would-you-pay dept.

Crime 273

Sparrowvsrevolution writes with this excerpt from a Forbes piece recounting a scary demo at the just-ended Shmoocon: "[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer's credit card onstage and obtained the card's number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer's money with the counterfeit card she'd just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) ... A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses."

273 comments

Is this news? (0)

Anonymous Coward | more than 2 years ago | (#38866469)

I am pretty sure I saw this on NCIS like two months ago... Obviously this crime is possible.

Re:Is this news? (5, Insightful)

Jeng (926980) | more than 2 years ago | (#38866545)

It is news in that this has now been brought up to the credit card companies in a manner which cannot be easily ignored.

Re:Is this news? (2)

tlhIngan (30335) | more than 2 years ago | (#38866595)

It is news in that this has now been brought up to the credit card companies in a manner which cannot be easily ignored.

I remember seeing it on the news - they demonstrated someone with a cheap RFID reader and a laptop can bump into people, grab their cards, and run off. It was impressive enough that my parents got worried and checked their cards for that paypass logo.

Of course, having it more in the news isn't a bad thing. Add in a few elaborations (attackers can read your credit card without having to be close to you!) and you'll find great retraction on this. Especially when considering that it applies to debit cards as well. (Anyone with $50 worth of equipment can drain your bank account!).

And yes, while it's a bit of hyperbole, it makes a nice soundbite to get people to change.

Re:Is this news? (5, Insightful)

Joce640k (829181) | more than 2 years ago | (#38867051)

Why is it "hyperbole" if somebody can drain hundreds of bank accounts wirelessly with a $50 device?

To me that sounds more like "panic stations, block all cards now!!"

Why anybody needs RFID credit cards is beyond me anyway. Is it sooooo hard to swipe a card through a reader?

PS: Why would the CVV number be on the RFID chip? Surely that's the secret only you and the company are supposed to know?

Re:Is this news? (1, Informative)

mosb1000 (710161) | more than 2 years ago | (#38867149)

It's hyperbole because the attacker has to be incredibly close to you. They actually have to bump the device up against your wallet. While it's technically "wireless" that's not what most people have in mind when they hear the word.

Also the CVV number it gives you works for one use only. It's used to authenticate the transaction.

Re:Is this news? (4, Informative)

Rary (566291) | more than 2 years ago | (#38867323)

They actually have to bump the device up against your wallet.

Not according to TFA:

In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card’s information.

There are many situations where we get close enough to random strangers for someone to pull this off.

Re:Is this news? (1)

UnknowingFool (672806) | more than 2 years ago | (#38867379)

So I take it you've never been in a crowded area with lots of people around like rush hour on a subway, at a ball game, etc. If your life is such this situation rarely occurs, then you don't really have to worry. For anyone who lives in congested metropolitan areas, it is a worry.

Re:Is this news? (2, Interesting)

FrankSchwab (675585) | more than 2 years ago | (#38867217)

The CVV used here, I believe, isn't the one printed on the back of the card. I believe that it's a one-time use CVV that changes for the next transaction (think rolling-code garage door opener or http://en.wikipedia.org/wiki/One_time_password)

So, someone who steals one can do a single transaction.

Re:Is this news? (1)

John Bresnahan (638668) | more than 2 years ago | (#38867143)

Anyone with $50 worth of equipment can drain your bank account!

Which is one of several reasons why I only have Credit Cards.

Re:Is this news? (1)

CodeReign (2426810) | more than 2 years ago | (#38867161)

My cell phone has NFC and it is able to scan one of my credit cards for a decent sized payload. I'm not knowledgeable enough to decrypt the payload so I guess that's probably good.

Re:Is this news? (-1, Troll)

OverlordQ (264228) | more than 2 years ago | (#38866627)

Paget’s firm has been working on a more sophisticated fix: a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster.

It's news because s/he's spewing FUD to make a buck.

Re:Is this news? (1)

Anonymous Coward | more than 2 years ago | (#38867209)

Paget’s firm has been working on a more sophisticated fix: a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster.

It's news because s/he's spewing FUD to make a buck.

While that GuardBunny thing did make me suspicious, there is a mitigating factor here. It is not only not available for sale, they don't know when it will be. So even if she is just out to make a buck, she failed spectacularly as anyone now interested in an rfid shielding wallet will have to buy from someone else.

Also, "she" not "s/he". Leave your prejudice at home.

Re:Is this news? (0)

Anonymous Coward | more than 2 years ago | (#38866883)

Yeah, and another newsflash: Abby/Pauley is hot.

Aluminum Foil in the Wallet (5, Funny)

Anonymous Coward | more than 2 years ago | (#38866503)

That is why I have lined my wallet with the aluminum foil that I had left over from making my hat.

Re:Aluminum Foil in the Wallet (0, Interesting)

Anonymous Coward | more than 2 years ago | (#38866637)

They also discussed in the same presentation that most of the foil coverings you can buy to protect your credit card don't work since, unlike Faraday cages, they are not grounded.

Re:Aluminum Foil in the Wallet (1)

Lord Lode (1290856) | more than 2 years ago | (#38866765)

Then what you need is aluminium foil AND a metal tail touching the ground.

Re:Aluminum Foil in the Wallet (1)

tibman (623933) | more than 2 years ago | (#38866881)

I have a copper-like envelope and can't scan the card when it's inside. It came with the card so I have no idea what brand or material.

Re:Aluminum Foil in the Wallet (5, Interesting)

FictionPimp (712802) | more than 2 years ago | (#38866995)

I have a RFID blocking wallet. My security badge for work will not scan when inside the wallet (but it will scan inside all my co-workers' wallets and my old wallet).

Same price as a normal wallet and not a bad investment.

Re:Aluminum Foil in the Wallet (5, Informative)

_0xd0ad (1974778) | more than 2 years ago | (#38867031)

Grounding a Faraday cage accomplishes two things:

1) The cage is made from a conductive material. If a hot wire shorts against it, and you touch the cage, you could be electrocuted. Grounding it is therefore prudent.

2) If anything inside the cage is trying to transmit, it turns the entire planet into its antenna. Your transmission is going to be pretty weak if you're trying to drive a planet-sized antenna with a few milliwatts of power. (Actually, no weaker than normal, but only if you're far enough away from the antenna that it looks like a point-source.)

Note the significant absence of "prevents radio signals from getting into the Faraday cage". It doesn't. Grounding has nothing to do with preventing radio signals from getting into the Faraday cage. The cage's mesh diameter is the only factor that affects which radio signals can get into the cage.

Re:Aluminum Foil in the Wallet (0)

Anonymous Coward | more than 2 years ago | (#38867341)

1) Indeed if you are grounded and touch the Faraday cage, you could be electrocuted. On the other hand, if you are not grounded, or if you are inside the Faraday cage, nothing happens.

2) If anything inside the cage tries to transmit, nothing happens outside. The transmission is bottled up inside. The Faraday cage is a barrier between the outside and inside.

Re:Aluminum Foil in the Wallet (1)

isama (1537121) | more than 2 years ago | (#38867241)

I did that when I made my ducktape wallet, but it doesn't block the RFID cards I use every day :( I think I need a copper mesh or something better..

Mitigating factors (2, Informative)

Annirak (181684) | more than 2 years ago | (#38866563)

Put two of these cards next to each other, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.

There are numerous ways around this problem. It shouldn't stop people from using the technology.

Re:Mitigating factors (4, Insightful)

vlm (69642) | more than 2 years ago | (#38866625)

Put two of these cards next to each other, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.

Stand in line at the convenience store behind victim. Tada, you just got owned.

There are numerous ways around this problem. It shouldn't stop people from using the technology.

It's about as secure as tattooing your social security number on your forehead, then telling people it's safe because you need a telephoto lens from over 100 feet, or you can just wear a ski mask all the time.

Re:Mitigating factors (1)

jasno (124830) | more than 2 years ago | (#38867263)

I think the point everyone is missing is that credit cards are already utterly insecure. If you haven't been a victim yet you've just been lucky - there are a lot of CC's out there and only so many thieves.

The only way to fix it is to block CC companies from writing-off fraud losses while preventing them from passing them onto the consumer. Right now, they perform a cursory 'investigation' only for the purposes of justifying the write-off, effectively passing the costs back onto consumers (taxpayers).

false (4, Interesting)

dutchwhizzman (817898) | more than 2 years ago | (#38867313)

You can read RFID cards in people's wallets at 30 ft with a transponder with higher send signal and a better antenna. The same applied for multiple cards. Some reading devices won't process if there is more than one card in its reach, but that's a software decision. Devices purpose made to leech RFIDs do not play by the rules and legislation set out for "proper" RFID equipment.

Re:Mitigating factors (5, Insightful)

berashith (222128) | more than 2 years ago | (#38866629)

The issue isn't being able to mitigate, the issue is that if the CC companies convince everyone that this isn't possible, then they have an easy path to never having to pay out against fraud. They can just refuse to believe this exists, and tell anyone who had their card info stolen that the cause was their behavior, and then never have to honor a dime of repayment. This is enough to let everyone know that theft can occur this way, and liability remains with the CC companies.

Re:Mitigating factors (1)

John Napkintosh (140126) | more than 2 years ago | (#38866879)

This is the real concern - not how easy or difficult it is to actually perform the actions, but that the credit card companies are awfully mistaken about it being possible at all. With a flawed fundamental understanding of how the technology actually works, who knows what they may attempt to do with it in the future based on this flawed understanding.

Re:Mitigating factors (1)

Tanktalus (794810) | more than 2 years ago | (#38867093)

What I don't understand is how the CC companies can't be employing anyone with any knowledge in the field. Seriously, they don't have anyone on staff that doesn't have a hobby in this area who could have explained it to them? Or are they just putting a banana in their ear and claiming they didn't hear anything?

Then again, tobacco companies seem to have plenty of people on staff to tell them how safe tobacco is, so I guess I shouldn't be quite so surprised.

Re:Mitigating factors (1)

Insightfill (554828) | more than 2 years ago | (#38867349)

The issue isn't being able to mitigate, the issue is that if the CC companies convince everyone that this isn't possible, then they have an easy path to never having to pay out against fraud.

It was posted here several years ago that some insurance companies were using the same line to claim that RFID cars were 'impossible to steal' [slashdot.org] and were refusing to pay out on claims because of it.

Re:Mitigating factors (1)

hardtofindanick (1105361) | more than 2 years ago | (#38866681)

Put them in an aluminium card case, and they won't read.

This is not something people typically do. You can't get the majority to store their cards in Faraday cages just because of this.

Move more than about 5 cm away from the card and it won't read.

People typically carry their wallets in their back pockets and purses, both of which a hacker can get arbitrarily close to. 5cm is way too much.

Put two of these cards next to each other, and they won't read.

Care to point to some resources? Because that would mean the fixed readers at warehouses are pretty much useless.

Re:Mitigating factors (3, Informative)

Joce640k (829181) | more than 2 years ago | (#38867111)

People typically carry their wallets in their back pockets and purses, both of which a hacker can get arbitrarily close to. 5cm is way too much.

Yep, at a Kevin Mitnick conference last year he showed an RFID reader which fit in the palm of your hand (with a wire up the sleeve to the main unit). It worked at more than 5cm, too.

Re:Mitigating factors (1)

Tsingi (870990) | more than 2 years ago | (#38867369)

Put them in an aluminium card case, and they won't read.

This is not something people typically do. You can't get the majority to store their cards in Faraday cages just because of this.

I have one. I know lots of people who have them.

Re:Mitigating factors (2)

Big Smirk (692056) | more than 2 years ago | (#38866929)

The RFID technology used in credit cards is more based on magnetic fields than electric fields. As such, stacking the cards doesn't help. The magnetic ones were somehow assumed to be more secure because they can only be read from a few inches away. Then again, store security systems use magnetic fields as well and they can read at least 4 ft away.

A Faraday cage is one defense.

Or, burn out the chip and just use the magnetic stripe (best defense). I have yet to use one of these no-contact credit card readers and have never even found a need for it. Technology that makes me less safe.... correction, makes my credit card company more expensive/less safe.

Re:Mitigating factors (1)

Joce640k (829181) | more than 2 years ago | (#38867077)

There are numerous ways around this problem. It shouldn't stop people from using the technology.

Remember the security motto: "Attacks always get better..."

FUD (5, Insightful)

OverlordQ (264228) | more than 2 years ago | (#38866579)

In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

You should be more worried about waiters and cashiers than somebody in a crowd grabbing your data.

Re:FUD (-1)

Anonymous Coward | more than 2 years ago | (#38866645)

Easily solved, avoid patronizing any business that employs blacks.

Re:FUD (1)

rgbrenner (317308) | more than 2 years ago | (#38866655)

There are still plenty of online sites that don't require the CVV at all... And if you can use a card-magnetizing tool, then you could use the card at any physical location. Can't remember the last time a cashier looked at my card or asked for the CVV.

Re:FUD (2)

OverlordQ (264228) | more than 2 years ago | (#38866791)

Can't remember the last time a cashier looked at my card or asked for the CVV.

Because that information is on the stripe.

Re:FUD (2)

Dr_Barnowl (709838) | more than 2 years ago | (#38867075)

The CVV1 is on the stripe, the CVV2 code is not on the stripe - it's the second code on the signature strip.

In many countries in Europe, it's mandatory to provide the CVV2 code for authorization of "cardholder not present" transactions. Online retailers that don't ask for it now make me nervous.

Re:FUD (0)

Anonymous Coward | more than 2 years ago | (#38867167)

If some don't ask, then they don't know. And if they can make a transaction anyway, then it is moot... so why have it to begin with?

Re:FUD (1)

arcctgx (607542) | more than 2 years ago | (#38867331)

Modded you down by mistake, posting to undo... Sorry.

Re:FUD (4, Insightful)

Dr_Barnowl (709838) | more than 2 years ago | (#38867019)

Untrue; waiters and cashiers will eventually get busted by data mining - you just need to correlate the transactions that pay for food and note the common location, then go through their time cards.

Whereas with wireless, you could collect the data in a location not covered by security cams, and transmit it, encrypted (how ironic) to avoid detection, to another location where payments are processed. A crowded subway car would be ideal - people are not going to be using their cards, and it's the ultimate in cultured anonymity - everyone goes out of their way not to notice anyone else.

Re:FUD (1)

gandhi_2 (1108023) | more than 2 years ago | (#38867125)

You are more likely to die of heart disease than cancer.

So what?

There may at least be a paper trail when a cashier is involved.

The Obvious Solution* (5, Funny)

nick357 (108909) | more than 2 years ago | (#38866591)

Put her in jail for teaching others how to defraud the public!!!!

* Obvious to the credit card industry

To gitmo! (-1)

Anonymous Coward | more than 2 years ago | (#38866609)

She's obviously a terrorist, where's the TSA when you need them?

Re:To gitmo! (0)

Anonymous Coward | more than 2 years ago | (#38866641)

They don't have the opportunity to molest her, thus the lack of interest.

This is sort of old news. (4, Insightful)

MrCrassic (994046) | more than 2 years ago | (#38866619)

It's been well known that RFID cards are susceptible to this kind of threat. The only reason why jammers and blocks haven't been enforced as much is because there haven't been enough cases of this happening to justify wide-scale enforcement. I really like the convenience of contactless payment systems and hope jammers and guards become ubiquitous enough for banks to provide them along with these cards.

Re:This is sort of old news. (0)

Anonymous Coward | more than 2 years ago | (#38867273)

So how the hell is it more convenient? The only convenience I found was that I don't have to replace it when the mag stripe wears out, except that I do because not all POS terminals I use are RFID. I'm going with the assumption that in bumfuckia I live in there's a negligible risk of skimming it. However, riding the subway or going to a movie would be a beautiful place to give it away. Directional antennas are easy and cheap.

Glossing over one problem... (5, Informative)

Shoten (260439) | more than 2 years ago | (#38866623)

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction. The reason we think that’s the case is that it’s very difficult to monetize this as a criminal,” says Vanderhoof. “The premise that this is a new threat is absolutely false and isn’t supported by [Paget's] demonstration.”

In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.

Re:Glossing over one problem... (1)

RichMan (8097) | more than 2 years ago | (#38866707)

You don't need a big field. You need a high gain directional antenna. Preferably one made by beam forming that could be steered to sweep a room.
High gain directional beam formed steerable antennas and control hardware are mass produced and small enough to go in handheld devices.

An 802.11n basestation is an example of a steerable beam forming device that could suit the purpose.

Re:Glossing over one problem... (1)

Shoten (260439) | more than 2 years ago | (#38866823)

You need a big field. You're confusing reading a signal from a card with energizing the card in the first place. The cards have no internal power source; they start up when they are in an induction field that is generated by the reader. These fields are very weak...so it doesn't take much to power the card, but on the flip side, the cards can't handle much because of the need for them to operate at low power levels. And even if you could shape the field to a beam, it still remains a range issue. You can't energize the card 20 feet away without frying the one that is 3 feet away. Oh, and good luck being subtle while waving a high gain directional antenna around...swinging a YAGI around isn't the pinnacle of being surreptitious.

Re:Glossing over one problem... (0)

Anonymous Coward | more than 2 years ago | (#38867013)

In a crowded area, I'd have no trouble holding a briefcase near enough to dozens of wallets very quickly. I could have a fairly large coil in there and a nice decent yagi if I felt I needed to increase the range some.

Re:Glossing over one problem... (0)

Anonymous Coward | more than 2 years ago | (#38867015)

Also, a yagi is a far field antenna and this type of link (for the credit cards) is only inductive. They do NOT have UHF RFID chips in them. You just are not going to get farther than a 1m reading these cards. The idea of high directionality does not really apply to coils as it does to far-field antennas.

Re:Glossing over one problem... (5, Informative)

Big Smirk (692056) | more than 2 years ago | (#38867045)

Both, wrong... you less so.

The credit cards use an induction form of RFID. The wavelengths in question are very long - would require a big antenna to transmit and an equally big antenna on the card to receive.... well the cards aren't big enough. So you see this spiral pattern (inductive loop) that is the antenna.
YAGI won't do it. You need something more along the lines of the magnetic sensors as you leave a store (EAS - Electronic Article surveillance).

Credit cards are 13.56 MHz RFID. That's a wavelength of ~75ft. Not going to hide that YAGI very well....

Nope, inductive loops. That's why it only works over about a meter because the strengths of the magnetic fields.

Re:Glossing over one problem... (1)

Dr_Barnowl (709838) | more than 2 years ago | (#38867115)

It would be easy enough to swing around a YAGI antenna from the confines of a mesh hide - net curtains would be enough to conceal a distant antenna spook from view without obscuring his view of potential targets.

Combine a YAGI with an invisible laser rangefinder to set the power and you have yourself a range-safe power snooper for RFID cards.

Re:Glossing over one problem... (1)

fahrbot-bot (874524) | more than 2 years ago | (#38866997)

You need a high gain directional antenna. Preferably one ... could be steered to sweep a room.

Say... Is that a high gain directional antenna in your pocket or are you just happy to see me?

Re:Glossing over one problem... (4, Interesting)

barc0001 (173002) | more than 2 years ago | (#38866741)

"with this attack you MUST be the next person to use the card's credentials." "the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base"

Because it's impossible to build a rig that fits in a briefcase or backpack that scans cards within a meter or two of the holder and automatically runs scripted transactions as soon as a card is detected in range, right?

Just because it's not AS bad a picture as the doomsayers are painting as a worst-case scenario doesn't mean it isn't ripe for exploitation.

Re:Glossing over one problem... (4, Insightful)

oneiros27 (46144) | more than 2 years ago | (#38866773)

So we'd have to funnel people through a chokepoint to isolate them ... and it might not work if they had more than one RFID enabled card in their wallet? And then you have to use it quickly, like this was done (while still on stage), rather than waiting for the person to try to make a legit transaction.

I'm guessing that someone standing near the entrance to a subway system could work within those restrictions well enough that even if they got less than 1% success rate per person entering could still turn a nice little "profit" during rush-hour.

Re:Glossing over one problem... (1)

DeadCatX2 (950953) | more than 2 years ago | (#38866811)

with this attack you MUST be the next person to use the card's credentials. If not, the attack fails.

Implicit in this statement is the assumption that the hacker will be unable to discover the sequence of CVV codes based on the one they have right now. Given Sony's epic failure to implement proper encryption on the PS3, are you willing to take the chance that the CVV code generation algorithm will remain a secret forever?

Re:Glossing over one problem... (1)

Princeofcups (150855) | more than 2 years ago | (#38866827)

So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.

You've never been to a train station have you? Or sat outside at a coffee shop? Or sat in a car at a busy mall? Sounds pretty trivial to me. Wait for a good signal to walk by, swipe and swipe. Wait for next good signal. Rinse and repeat.

Re:Glossing over one problem... (1)

realisticradical (969181) | more than 2 years ago | (#38866839)

Still:

It wouldn't be too hard to come up with a scheme to steal a bunch of cards and use the number immediately. You just hook the scanner up to a device that can make purchases at the same time the scan happens. Heck, build it into some sort of anonymous money scheme paypal account where you pay yourself and you could simply steal money. (Quick note, I don't know if or how anyone would actually do this but there must be ways.)

Beyond that it seems a bit to me like the real reasons there aren't recorded instances of stolen credit cards via RFID is that it's pretty technically complicated and thieves (at least the first world variety) and engineers aren't the same people. Also just because it hasn't been found doesn't mean it hasn't happened. How do you tell that the guy who stole your credit card did it with an RFID scan vs that he was your waiter or gas station attendant or something.

Finally, one time use CVV codes is fine but I would think that the 16-digit number and expiration date is enough to at least get some money off the card.

Re:Glossing over one problem... (5, Insightful)

CimmerianX (2478270) | more than 2 years ago | (#38866861)

>> the cards are set to offer up a one-time CVV code with every scan

Wait, I thought RFID only offered up static information. Does this infer that the cards have some sort of logic onboard to generate these 'one-time codes' and have to create a new code on every scan that matches up with its processor? How does this affect an inadvertent scan, do the codes get all out of sync? Is there resync logic as well? How would this be handled through payment processors and 3rd party clearing houses?

Now, someone enlighten me on this if it's true. But this sounds to me like total bullcrap.
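Added example (not part of the thread or of the Forbes article): a simplified Python model of the processor-side rule quoted above, where each one-time code is valid once, codes must arrive in order, and a reused or out-of-order code disables the card. The HMAC-based derivation, the counter travelling with each read, the acceptance of skipped counters after inadvertent scans, and all card numbers and keys are assumptions constructed for illustration; the page does not describe the real algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass


def one_time_code(key: bytes, pan: str, expiry: str, counter: int) -> str:
    """Derive a 3-digit per-read code (assumed construction, not the real scheme)."""
    msg = f"{pan}|{expiry}|{counter}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


@dataclass
class Card:
    key: bytes
    pan: str
    expiry: str
    counter: int = 0

    def scan(self) -> dict:
        """Every read, wanted or not, consumes the next counter value."""
        self.counter += 1
        return {"pan": self.pan, "expiry": self.expiry, "counter": self.counter,
                "code": one_time_code(self.key, self.pan, self.expiry, self.counter)}


class Processor:
    """Tracks the highest counter seen per card and enforces in-order use."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, card: Card) -> None:
        self.accounts[card.pan] = {"key": card.key, "expiry": card.expiry,
                                   "last_counter": 0, "disabled": False}

    def authorize(self, read: dict) -> str:
        acct = self.accounts.get(read["pan"])
        if acct is None or acct["disabled"]:
            return "declined"  # a disabled card blocks every later transaction
        expected = one_time_code(acct["key"], read["pan"], acct["expiry"],
                                 read["counter"])
        if read["expiry"] != acct["expiry"] or \
                not hmac.compare_digest(expected, read["code"]):
            return "declined"  # code does not match this card and counter
        if read["counter"] <= acct["last_counter"]:
            # A valid code that is reused or older than one already seen.
            acct["disabled"] = True
            return "card_disabled"
        # Gaps are tolerated (assumption): unused reads just skip counters.
        acct["last_counter"] = read["counter"]
        return "approved"


def run_scenarios() -> dict:
    """Constructed walk-through of the cases argued about in the thread."""
    proc = Processor()
    results = {}

    # Card A: an unwanted read happens, but the holder pays before it is used.
    card_a = Card(b"constructed-key-A", "4000000000000001", "12/14")
    proc.enroll(card_a)
    stale = card_a.scan()
    results["holder_pays_first"] = proc.authorize(card_a.scan())
    results["stale_read_presented"] = proc.authorize(stale)
    results["holder_after_disable"] = proc.authorize(card_a.scan())

    # Card B: the unwanted read is presented before the holder uses the card.
    card_b = Card(b"constructed-key-B", "4000000000000002", "06/15")
    proc.enroll(card_b)
    first = card_b.scan()
    results["unwanted_read_used_first"] = proc.authorize(first)
    results["same_read_replayed"] = proc.authorize(first)

    # Card C: five reads never reach the processor, then a normal payment.
    card_c = Card(b"constructed-key-C", "4000000000000003", "03/16")
    proc.enroll(card_c)
    for _ in range(5):
        card_c.scan()
    results["after_skipped_counters"] = proc.authorize(card_c.scan())

    # Card C again: right counter, wrong code.
    forged = card_c.scan()
    forged["code"] = f"{(int(forged['code']) + 1) % 1000:03d}"
    results["wrong_code"] = proc.authorize(forged)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The `unwanted_read_used_first` case is the only one the ordering rule cannot catch at authorization time, which is why the thread's argument centres on how quickly a captured code can be presented.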

Re:Glossing over one problem... (1)

Big Smirk (692056) | more than 2 years ago | (#38866951)

A big magnetic field... or a choke point, like a door to the conference center.

Re:Glossing over one problem... (2)

Yakasha (42321) | more than 2 years ago | (#38866961)

> So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails.

Not hard to have a scanner & processor working at the same time.

> It's not quite as bad as they make it out to be here.

Perhaps financially for individual consumers, but it can be a huge problem in other ways. Wouldn't it suck if your RFID enabled credit card & passport were read at the same time and you purchased a 1-way ticket for some terrorist (Does Godwin's law include terrorism references yet?).

Naturally restricting the liability to just a couple (or 1) transactions means individuals will not be out a lot of money. But it can still cause problems for the credit card company if a large number of people are hit. For poor individuals, even $50 1 time just as they get to the supermarket can be devastating.

> Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals.

No, you just stand at a high traffic point and use a weak field to get the cards right next to you: Union Square, public transit, shopping malls, airport.

Re:Glossing over one problem... (1)

Joce640k (829181) | more than 2 years ago | (#38867157)

> Those codes can only be used for one transaction, and have to be used in the order they’re generated.

> So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here.

Ummm....yes it is. Being the next person to use the card isn't very difficult if you can do it via an iPhone. The chances of somebody using their card in the ten minutes after you grab their details is very small.

Re:Glossing over one problem... (0)

Anonymous Coward | more than 2 years ago | (#38867305)

I see you lack the creativity that we see from these scammers on a daily basis. For one, since you are lacking the understanding of how a digital transmission works, scammer A with the RFID scanner captures the card, transmits the data via a cellular network to scammer B, miles across town (state, country, etc) where scammer B replicates the card and uses it, all while the victim is still held. As for the sniffing the entire room, you're probably correct, with the "at once" statement, but substitute "in one sitting" and it's entirely plausible and even easy. Since most people will enter an auditorium through a select number of entrances passing by the sniffer individual. You then have a captive audience for upwards of an hour plus (depending on the lecture). Not many people will be utilizing their cards at this time, thus giving you a large enough window to defraud the entire audience. Is it easy? No. Can it be done? I think that's rather obvious. Are you concerned? I myself don't carry one of these cards, but there are shielding options. If anything I believe this should be like a Checkbook. (i.e., here's our Aluminum shielding sleeve to protect your card, pay more for additional options). Granted I don't trust RFID that far, and don't stand behind it one bit as a platform for anything other than inventory tracking. Just my 2 pennies.

Not the last person (1)

dutchwhizzman (817898) | more than 2 years ago | (#38867383)

That's only if you were to copy the RFID contents. The CCV2 is a one-time thing and isn't copied on the magnetic strip. The blank card she made can be used until it's blocked by the CC company, as long as no CCV1 or PIN are requested by the vendor. Typically, for low amount purchases, that's not the case, so it may take a while before the card gets blocked.

Use a Faraday Cage wallet (5, Interesting)

Woil (25266) | more than 2 years ago | (#38866635)

I've been using a Faraday Cage wallet and passport holder by DIFRwear: http://difrwear.com/ for several years now. I don't work for them, but with the very cheap wallet prices and sturdy construction I've been very pleased with the products. I can testify that they do work as I have an RFID key card and it won't activate the door if in the wallet.

She used Teh iPhone!1!! (0, Flamebait)

Oh Gawwd Peak Oil (1000227) | more than 2 years ago | (#38866657)

Since this is Slashdot, with its misleading sensationalism and all, I'm surprised they didn't title the headline: "iPhone Allows Easy, Wireless Credit Card Fraud."

Re:She used Teh iPhone!1!! (0)

chrish (4714) | more than 2 years ago | (#38867057)

If she'd used a BlackBerry it would've certainly been "BlackBerry Allows Easy, Wireless Credit Card Fraud."

4th Dimension Attack Vector (1)

hantarto (2421914) | more than 2 years ago | (#38866661)

I am think that if RFID-enable credit card is present at known point in spacetime, attacker need only to go to that point in space and then move card reader along fourth dimension axis until card information can be read. The banks should really giving solution to this problem soon I hope so they will.

And in other news... (2)

Darkness404 (1287218) | more than 2 years ago | (#38866665)

And in other news anytime you take your credit card out to do anything and it is out of sight for a moment people could record your number, expiration date and your security code and then use it to buy things using your credit card. But of course we won't worry about that because technology is SCARY!!! Despite the fact that this doesn't work if you:

Have more than 1 credit/debit card with an RFID chip.

Aren't really close to the card.

Store your card in an aluminum wallet.

Sure, it is possible, but we focus so much on the possible technological side while totally neglecting the fact that people could quite easily just record your credit card info when you pay for things.

Re:And in other news... (2)

Baloroth (2370816) | more than 2 years ago | (#38866875)

However, when people record the info when you pay for something, that person becomes directly traceable. I.e. if the police look into the matter, they can almost certainly quickly find out who is responsible. The RFID method is completely 100% anonymous (unless you memorize the faces of everyone you pass on the street, and even then you simply will not be able to trace down the person responsible). This adds a psychological, if not a real, barrier to CC skimming for employees.

The RFID system is quick, anonymous, and can collect potentially hundreds of cards in a matter of hours, just by standing at a subway station with the right equipment.

Such 'demos' should be illegal. (2)

JohnMurtari (829882) | more than 2 years ago | (#38866671)

(sarcasm) Well, the obvious solution is to prosecute Randy for violation of some type of copyright/jail-breaking/illegal use law. If we don't have one yet for this -- we can write one quickly! No need to have people worry about this type of stuff. Our economy is in shambles, we need people to use their cards! You can't grow GDP without breaking a few eggs! (/sarcasm)

Square is the big security fail here... (3, Insightful)

randomlogin (448414) | more than 2 years ago | (#38866701)

The fact that you can make a payment via Square without any form of authentication is the biggest failure here. At least with the RFID payment you've got a cryptographically strong authentication method which is pretty hard to fake. The sooner the credit card companies get rid of the magstripe the better...

Re:Square is the big security fail here... (1)

Anonymous Coward | more than 2 years ago | (#38867121)

The authentication would have worked with any and every terminal in which she would have swiped the card. There is no strong security here.

The objective of the new cards is to transfer all responsibility to the cardholder. Your PIN is being recorded at every store by cameras. You are no longer obliged to sign the transaction. How can you prove that you did not use or authorize the use of the card?

I don't have the energy to repeat this argument. I lowered the limit of my cards to a level which I can pay if I am scammed. I don't trust this system any more than the last.

Real Problem. (1)

JustAnotherIdiot (1980292) | more than 2 years ago | (#38866727)

Clearly the problem is the iPhone and eBay.
Hurry, oh wonderful American government, censor both of these things!

No PayPass? What are your vulnerabilities? (0)

Anonymous Coward | more than 2 years ago | (#38866735)

So without that PayPass or other such similar feature, what other ways might a traditional CC be compromised remotely? For a traditional card to be skimmed, it needs to be put through a false card reader to skim the info off the magnetic strip, correct?

If the name Paget rings a bell... (2, Informative)

Anonymous Coward | more than 2 years ago | (#38866743)

Kristin Paget [twitter.com] used to be Chris Paget [tombom.co.uk], famous GSM hacker. With that out of the way, we return you to this awesome hack.

Re:If the name Paget rings a bell... (-1)

Anonymous Coward | more than 2 years ago | (#38866891)

so she was a dude? hahaha

GuardBunny (1)

guttentag (313541) | more than 2 years ago | (#38866789)

The article also mentions that Paget's company is working on a jamming device called GuardBunny that slips into your wallet, complete with a rabbit head logo and eyes that glow (there's a picture on page two) when it's activated. I'm not sure if this is meant to be a humorous Monty Python [youtube.com] reference? "Run away, High-Tech Pickpocket! Run away!" Or a creepy Donnie Darko [youtube.com] reference? "Why do you wear that stupid bunny suit?" "Why do you wear that stupid smart credit card that broadcasts its credentials?"

That's nothing... (0)

Anonymous Coward | more than 2 years ago | (#38866817)

Takes my buddy 10 seconds to pick-lock open a gas station payment terminal, install a skimmer and connect it to the PCB under the keypads.

Within hours he gets card numbers, zipcodes* and PIN.

*zipcodes were put in place by gas companies to help stop unauthorized charges because the owner of the card knows their billing zip code and the thief... well these can be picked up by keypad skimmers...

Always pay cash at gas stations people... doesn't matter what type of gas station... only 8 different types of keys are used by the industry to open these terminals up (because service techs tend to "lose" them).

Re:That's nothing... (1)

Anonymous Coward | more than 2 years ago | (#38866913)

Who needs to read the zipcode? 90% of them are going to be the same zipcode as the gas station unless you pick a station on a turnpike or something.

Re:That's nothing... (0)

Anonymous Coward | more than 2 years ago | (#38867347)

I like it when visa gets owned by my stolen cc number. It in no way hassles me.

Obvious fraud opportunity (1)

sce7mjm (558058) | more than 2 years ago | (#38866835)

I've been warning everybody who gets a new Barclaycard with this "feature" since I first saw it advertised.

My thoughts were somebody selling newspapers at an underground (subway) station swiping everybody who walks past at rush hour. Going home and cashing in on 1000's of £1 - 10 transactions. Not a bad afternoon's work.

What's the point of these? (4, Interesting)

twotacocombo (1529393) | more than 2 years ago | (#38866859)

What exactly is the advantage to these RFID credit cards? All the readers I've seen still require you to get the card close to it to work. Has the world really grown so lazy that we can no longer be bothered to make a vertical swiping motion? I can see the benefit for payment-enabled cell phones or key fobs, but credit cards? Seems like a solution to a problem that didn't exist.

Re:What's the point of these? (2)

MozeeToby (1163751) | more than 2 years ago | (#38867047)

Ostensibly, they allow for more brains behind the card than is possible with a magstripe. The current solution is simply a one time use CCV code, if a more recent code has been used it rejects all the codes that came before it, meaning that A) A stolen card can only be used once and B) Not even once if the legitimate user makes a purchase in the meantime. To me, with a bit more processing power, it seems like it should be possible to set up an encryption scheme where the person reading the card only ever sees encrypted data that would go stale in a matter of minutes (and yes, that includes stores). You could probably, of course, still clone the information and process a purchase quickly enough to commit fraud, but doing it on a large scale would be all but impossible.
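A simplified model of the counter-based one-time code described in the comment above and in the "Glossing over one problem..." replies, added here as an illustration and not taken from the thread or from any card network's specification. The HMAC derivation, the `max_gap` tolerance, and every name and sample value are assumptions made for the example.

```python
import hashlib
import hmac


def one_time_code(key, pan, expiry, counter):
    """3-digit code bound to one counter value (illustrative derivation)."""
    msg = f"{pan}|{expiry}|{counter}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


class Card:
    """Every scan, intended or not, advances the card's counter."""

    def __init__(self, key, pan, expiry):
        self.key, self.pan, self.expiry, self.counter = key, pan, expiry, 0

    def scan(self):
        self.counter += 1
        code = one_time_code(self.key, self.pan, self.expiry, self.counter)
        return {"pan": self.pan, "expiry": self.expiry,
                "counter": self.counter, "code": code}


class Issuer:
    """Accepts a code only if its counter is newer than the last accepted."""

    def __init__(self, key, max_gap=50):
        self.key, self.max_gap, self.last = key, max_gap, {}

    def authorize(self, txn):
        last = self.last.get(txn["pan"], 0)
        if txn["counter"] <= last:
            return "DECLINE: stale or replayed counter"
        if txn["counter"] - last > self.max_gap:
            return "DECLINE: counter too far ahead"
        want = one_time_code(self.key, txn["pan"], txn["expiry"], txn["counter"])
        if not hmac.compare_digest(want, txn["code"]):
            return "DECLINE: bad code"
        self.last[txn["pan"]] = txn["counter"]   # older codes are now dead
        return "APPROVE"


def demo():
    key = b"constructed-demo-key"                 # constructed, not a real key
    card = Card(key, "4111111111111111", "1412")  # constructed test values
    issuer = Issuer(key)
    out = {"first_purchase": issuer.authorize(card.scan())}    # counter 1
    stray = card.scan()          # counter 2: read by a third party
    card.scan()                  # counter 3: accidental scan, never submitted
    out["purchase_after_gap"] = issuer.authorize(card.scan())  # counter 4
    out["stray_used_late"] = issuer.authorize(stray)           # 2 <= 4
    stray2 = card.scan()         # counter 5: third-party read, submitted first
    out["stray_used_first"] = issuer.authorize(stray2)
    out["stray_replayed"] = issuer.authorize(stray2)
    out["next_purchase"] = issuer.authorize(card.scan())       # counter 6
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

In this model, scans that are never submitted leave gaps in the counter sequence rather than desynchronising the card, and a code read by someone else stops working as soon as the issuer accepts a newer counter.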

Re:What's the point of these? (1)

twotacocombo (1529393) | more than 2 years ago | (#38867399)

Well, all that is encoded in a credit card's 2 tracks is account number, expiration date, and name. What is keeping someone from grabbing this information via RFID, then encoding it into a standard magstripe card and going on the usual spending bender? Seems like a lot of extra work to make a counterfeit RFID card when you can just go the quick and dirty route and make a card that can be used anywhere they take plastic, not just the places with contactless readers.

Re:What's the point of these? (0)

Anonymous Coward | more than 2 years ago | (#38867063)

You already recognized one advantage: The same readers can be used with cellphones and other devices acting as cards. Another advantage is that you no longer need to insert the card into the reader in one specific way (label side this way, this edge first...). RFID cards are also cheaper to make than smart cards with contacts, which is what they're superseding, not magstripe cards. And they last longer (no wear on contact pads). And they're more reliable (no contact pads means no dirty contact pads).

Re:What's the point of these? (1)

xanthos (73578) | more than 2 years ago | (#38867345)

What people fail to notice is the "Analog Hole" part of this demonstration. Paget did not clone the RFID card. She transferred information from a secure environment (RFID) to an insecure environment (mag stripe). As long as the amount of money lost through theft is a fraction of the cost of upgrading the infrastructure to get rid of magstripe, this capability will remain.

FWIW, the who needs RFID cards is definitely an American bias. When I was in Paris last year there were a number of times where not having an RFID card was a real PITA.

-Xanthos

Easy Solution (0)

Anonymous Coward | more than 2 years ago | (#38866939)

I have an easy solution: Just pay cash.

I know it's a foreign concept for the white guys, but it is still accepted.

I wonder (1)

koan (80826) | more than 2 years ago | (#38867023)

If the companies that make these cards and the banks that back them know they have issues like this then why on Earth would they push them? It can't be that much cheaper to use RFID on a card instead of swiping, why does this smell so funny?

Are they making money from this?

gender (1, Insightful)

Sebastopol (189276) | more than 2 years ago | (#38867231)

Probably should be modded as off topic for this, but why did the article feel the need to point out Paget's gender change? Did it make her a better programmer, or design better hardware? Or were there lots of people reading the article who were like "Hey, I knew a guy with the last name Paget that worked there, I wonder if they are related? ... Oh!" /scratches head

Mythbusters (0)

Anonymous Coward | more than 2 years ago | (#38867303)

Mythbusters were going to tackle this, but somebody didn't want them to.
http://www.youtube.com/watch?v=X034R3yzDhw

It's worse than you think.. (1)

cheros (223479) | more than 2 years ago | (#38867371)

The bit not mentioned in the article is the reason why you need to be close to the card to read it: bad aerials in the card terminal.

If you build a better aerial (larger) and ensure the receiver stage has a decent low noise entry you can read those RFIDs from quite a distance..

Mythbusters lost episode (4, Interesting)

speedlaw (878924) | more than 2 years ago | (#38867385)

Wasn't RFID the subject of the Mythbusters episode that was "squelched" by Visa? Adam made a few comments and the issue was clamped down upon by all. The credit card companies (huge advertisers-when you get 29% interest you have lots of money) made it clear that RFID weaknesses were not a subject to be discussed in public to a lay audience.