November 14th, 2006 - Adventures in Engineering — LiveJournal
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2006-11-14 13:33
  Subject:   [Digg] Frank Abagnale (Catch Me If You Can) on identity theft.

He says it's even easier these days:

"It was all on paper," he said. "Now it's all done online. Electronic records just make it easier."

To illustrate, he pulled up a copy of a mortgage document he obtained electronically about Porter Goss, the former director of the Central Intelligence Agency and U.S. representative from Florida. The Social Security numbers of Goss and his wife were part of the document, though they were crossed out on the PowerPoint screen onstage.

"Technology breeds crime," said Abagnale, who designed the birth certificate form now used in Florida. There are "no con men anymore because the victim will never see them. They can be a thousand miles away." While banks and companies lose laptops and other records containing sensitive personal information, kids with cellphones secretly shoot pictures of checks being written in checkout lines of grocery stores. They can blow up the images on a computer and get all the information they need to commit bank fraud.

"Fraud has just gotten easier," he said. "I never in my life saw a simpler crime."


Ben Cantrick
  Date: 2006-11-14 23:10
  Subject:   Current gen RFID credit cards majorly insecure...

...nobody with a data security background even slightly surprised.

what the RFID-CUSP report highlights most significantly is the new physical dimension of vulnerability that RFID credit cards introduce. Without even removing their cards from wallets or pockets, consumers can potentially see their privacy and security compromised. A scanner in a crowded subway station might surreptitiously harvest credit-card data from passersby. Or consider what the RFID-CUSP research team has dubbed a "Johnny Carson" attack. In the comedian’s Carnac the Magnificent act, he divined the contents of sealed envelopes held against his forehead. Likewise, an attacker can quickly skim data from RFID credit cards in sealed envelopes while they are in transit or sitting in mailboxes.

Slightly stronger data protections and cryptography could largely prevent Johnny Carson attacks and most of the other vulnerabilities illustrated in the RFID-CUSP study. Given that RFID as a broad technology is already a flashpoint for consumer fears, the choice of credit-card associations not to confer stronger protections on RFID-enabled cards is somewhat surprising. Numerous media reports have drawn attention to consumer concerns about RFID privacy and security, and various government bodies are mulling over RFID-privacy regulations. In early 2005, a team of researchers (including some in RFID-CUSP) demonstrated skimming attacks against ExxonMobil SpeedPass, another RFID payment device used by millions of Americans for some number of years. (It should be noted, however, that unlike RFID credit cards, SpeedPass does not reveal personally identifying information.)




Apparently some of these RFID credit cards transmit your name, card number and expiration date in plaintext with no authentication to any radio signal that cares to ask. Nice.
