The hands-free way to steal a credit card
Unsecured RFID Technology
WASHINGTON D.C.--Adam Laurie, an RFID security expert, used the Black Hat DC 2008 conference here, to demonstrate a new Python script he's working on to read the contents of smart-chip-enabled credit cards.
As part of his presentation Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer's wallet, Laurie both read and displayed its contents on the presentation screen--the person's name, account number, and expiration clearly visible.
Demonstrations like that show the potential misuse of RFID technology in the near future. Without touching someone, a thief could sniff the contents of an RFID-enabled credit card just in passing. The same is true for embedded RFID chips in the human body, work access badges, some public transit cards, and even the new passports in use in more than 45 countries.
(As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer's card. Laurie said that American Express told him: "We are comfortable with the security of our product." Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing.
"The alias number on American Express' ExpressPay cannot be used for online transactions," said Molly Faust, American Express' Public Affairs representative, in an e-mail to CNET News.com. "ExpressPay has multiple security mechanisms. As the payment host, American Express would not verify/authorize an online transaction using just the alias account number. There are several other security mechanisms that would be required in order for payment authorization to take place.")
The credit card industry has argued that use of the RFID-enabled cards will save customers time when processing payments.
An extreme example can be found in Spain. Laurie said a public beach there encourages visitors to have RFID tags injected into their bodies. The point? Merchants along the beach scan your wrist to obtain a unique ID from which they can debit your account. The advantage? You won't have to go to the beach with your wallet, which might get stolen.
Laurie, who has an injected RFID-tag, showed how easy it was not only to read the tag, but also to re-write the tag. During his demo, he used the coding sequence reserved for animal tagging to have his RFID chip declare him an animal.
On his RFIDiot Web site, Laurie offers the Python scripts free of charge and also sells the hardware necessary to read and write to RFID tags and cards.
See Adam Laurie’s site d3f3nc3 in d3pth at http://news.cnet.com/defense-in-depth/?keyword=Adam+Laurie&tag=mncol;tags
Update from February 22, 2008, at 3:20 p.m PST: This was updated to include a response from American Express.
Xtra Image - http://www.peratech.com/press/RFIDBiometricPassport_SkimStory.jpg
For further enlightenment enter a word or phrase into the search box @ New Illuminati:
or http://newilluminati.blog-city.com (this one only works with Firefox)
The Her(m)etic Hermit - http://hermetic.blog.com
New Illuminati – http://nexusilluminati.blogspot.com
http://newilluminati.blog-city.com (this one only works with Firefox)
New Illuminati on Facebook - http://www.facebook.com/pages/New-Illuminati/320674219559
This material is published under Creative Commons Copyright (unless an individual item is declared otherwise by copyright holder) – reproduction for non-profit use is permitted & encouraged, if you give attribution to the work & author - and please include a (preferably active) link to the original along with this notice. Feel free to make non-commercial hard (printed) or software copies or mirror sites - you never know how long something will stay glued to the web – but remember attribution! If you like what you see, please send a tiny donation or leave a comment – and thanks for reading this far…
From the New Illuminati – http://nexusilluminati.blogspot.com