Adventures in Engineering
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2006-11-14 23:10
  Subject:   Current gen RFID credit cards majorly insecure...
  Mood:shocker...

...nobody with a data security background even slightly surprised.

What the RFID-CUSP report highlights most significantly is the new physical dimension of vulnerability that RFID credit cards introduce. Without even removing their cards from wallets or pockets, consumers can potentially see their privacy and security compromised. A scanner in a crowded subway station might surreptitiously harvest credit-card data from passersby. Or consider what the RFID-CUSP research team has dubbed a "Johnny Carson" attack. In the comedian’s Carnac the Magnificent act, he divined the contents of sealed envelopes held against his forehead. Likewise, an attacker can quickly skim data from RFID credit cards in sealed envelopes while they are in transit or sitting in mailboxes.

Slightly stronger data protections and cryptography could largely prevent Johnny Carson attacks and most of the other vulnerabilities illustrated in the RFID-CUSP study. Given that RFID as a broad technology is already a flashpoint for consumer fears, the choice of credit-card associations not to confer stronger protections on RFID-enabled cards is somewhat surprising. Numerous media reports have drawn attention to consumer concerns about RFID privacy and security, and various government bodies are mulling over RFID-privacy regulations. In early 2005, a team of researchers (including some in RFID-CUSP) demonstrated skimming attacks against ExxonMobil SpeedPass, another RFID payment device used by millions of Americans for some number of years. (It should be noted, however, that unlike RFID credit cards, SpeedPass does not reveal personally identifying information.)



http://www.rfid-cusp.org/blog/blog-23-10-2006.html

http://www.rfid-cusp.org/blog/RFID-CC-FAQ.pdf

http://www.youtube.com/watch?v=xPkzFETzueQ


Apparently some of these RFID credit cards transmit your name, card number and expiration date in plaintext with no authentication to any radio signal that cares to ask. Nice.

  User: nickhalfasleep
  Date: 2006-11-15 06:14 (UTC)
  Subject:   (no subject)
Faraday wallets will be all the rage this holiday season!



Alex Belits
  User: abelits
  Date: 2006-11-15 06:39 (UTC)
  Subject:   (no subject)
Why would anyone use RADIO SIGNALS for CREDIT CARDS?

The whole point of a credit card is that it requires a specific physical action (swipe == payment) to be used.



Ben Cantrick
  User: mackys
  Date: 2006-11-15 06:58 (UTC)
  Subject:   (no subject)
Why would anyone use RADIO SIGNALS for CREDIT CARDS?

You can bet it was the marketing department's idea... and that they will stare with complete incomprehension at anyone who says the words "replay attack" to them.



  User: nickhalfasleep
  Date: 2006-11-15 07:00 (UTC)
  Subject:   (no subject)
There is an ad on TV from VISA making fun of people who pay cash because it "gums up the beautiful capitalist choreography"..

Makes me want to use cash even more...



Ashfae
  User: ashfae
  Date: 2006-11-15 12:30 (UTC)
  Subject:   (no subject)
Yeah, there's all these ads out here about how cash is inconvenient, and worse, "dirty". I laugh at them.