News RFID credit-card attack demonstrated

[CardJoe]

http://www.bit-tech.net/news/2008/02...ttack_demoed/1

Hacker Adam Laurie has demonstrated a contactless attack on an RFID-equipped American Express card at the Black Hat DC conference.

[Shielder]

But...

But...

But...

The banks say that the security in these credit cards is hacker proof!

Seriously though, I don't want anything like this in my credit card. It took me long enough to accept a home wireless network, without having a "contactless" credit card in my wallet. If I do get sent one, it's going straight back.

"If you can't scratch glass with it, I don't accept it" - Zanywoop, HHGTTG.

Andy

[mmorgue]

Yeh, this is pretty bad. If the Ccard industries say, "We happy our products are safe and not susceptable to hacking", and you get hacked as shown, how can you argue against the £5000 purchase of neon pink crotchless knickers from Thailand?

[Arkanrais]

time to start manufacturing foil lined (or silver lined) wallets. I think I could make a few $ off this

[cjoyce1980]

dont the london oyster underground system us something like this....... and i think barclays have just release a card with similiar technology to londoners

[chicorasia]

“We are comfortable with the security of our product.”

How couldn't they be? They've probably spent a couple hundred bucks developing it!

How about setting up a scanner near an American Express office, picking up the account numbers of all the employees and executives and sending the data back to them and to the press at the same time? Let's see how comfortable that will feel...

[theevilelephant]

Quote:

Originally Posted by cjoyce1980

dont the london oyster underground system use something like this.......

yes

why would you want a wireless credit card anyway. Who is so lazy they cant b bothered to swipe it or stick it a card reader..... I can understand using it for less important data, but come on my bank account? dont think so....

[eek]

I use the aforementioned Barclay card... haven't really made much use of the pay wave feature as not many places accept it. I'm certainly lazy enough to use it where I can however!!

Having the Oyster card built in is good though, cuts down on the number cards I have to carry around

[naokaji]

Quote:

Laurie has spoken to American Express in the past and voiced his concerns over his ability to read card details remotely. The company's response? “We are comfortable with the security of our product.”

WTF? they are comfortable with that?

how can they be comfortable with that? do they have an internal guideline that no employee should use their own products or why do their employees not care? or is it just a marketing stunt to downplay the problem? (the second theory actually sounds more plausible).

[Bluephoenix]

Cold hard cash and checks are the way to go IMHO

I only use a visa when I have to. and none of this fancy RFID ****.

though the best wallet lining wouldn't be foil, but brass mesh. Faraday cages cheesecake!!!!!

[johnnyboy700]

I would have thought copper mesh would be better.

Serously though, is anyone really surprised that the big companies are about ten steps behind the determined hackers with this? The irritating thing is that with passports, you don't have a choice, you have to accept one with this technology, at least with a credit card you can opt to use one without it.

I can see a nice little aftermarket sideline opeing up here, wallets, credit card holders and passport wallets that are guaranteed to be RF shielded until you open it.

[waltaugust]

Lining with aluminum foil is effective but kind of a pain to maintain. Identity Stronghold makes a real simple shielded card sleeve you can keep your contactless credit cards or ePassports in. You can buy them online at www.idstronghold.com . If you are in the UK you could buy the skimstopper sleeves at www.smartcardfocus.com under accessories/cardholders.

This is the simplest solution around and the credit card companies should be shipping these with the cards so you don't have to buy them.

[waltaugust]

Lining with aluminum foil is effective but kind of a pain to maintain. Identity Stronghold makes a real simple shielded card sleeve you can keep your contactless credit cards or ePassports in. You can buy them online at www.idstronghold.com . If you are in the UK you could buy the skimstopper sleeves at www.smartcardfocus.com under accessories/cardholders.

This is the simplest solution around and the credit card companies should be shipping these with the cards so you don't have to buy them.

[waltaugust]

Lining with aluminum foil is effective but kind of a pain to maintain. Identity Stronghold makes a real simple shielded card sleeve you can keep your contactless credit cards or ePassports in. You can buy them online at www.idstronghold.com . If you are in the UK you could buy the skimstopper sleeves at www.smartcardfocus.com under accessories/cardholders.

This is the simplest solution around and the credit card companies should be shipping these with the cards so you don't have to buy them.

[sotu1]

if AMEX have said that they are not concerned with the security of their cards, yet it has been proven that their cards can be hacked, doesn't that make them open for a law suit because they're not paying maximum attention to keeping our details/money safe?

[LoneArchon]

Well thinkgeek.com has the RFID Blocking Wallet (http://www.thinkgeek.com/gadgets/security/8cdd/) and Passport Wallet (http://www.thinkgeek.com/gadgets/security/910f/). I am not Planning to get one of these Wave and Pay cards anytime soon I would rather swipe the card. This is a major security hole for those types of cards than need to be fix.

[Anakha]

My father (A London bus driver) has one of these RFID cards, and already knows about the "Dangers" of such a system.

An interesting anecdote for you.

When London Transport was originally trialling the Oyster pre-pay system, they were intending to put the "Reader" around the entrance doorway, so it'd read the card (And debit the card) as you got on without you having to do anything. However, in initial runs the sensitivity was a little high, so everytime an Oyster-equipped bus passed a queue of people, it would subtract a fare automatically from their cards as it drove past.

For "Staff only" areas of LT buildings, they are using "Around-the-door" detectors to tell just how long staff are taking on breaks and the like. However, my father found a neat solution to that. He uses a stainless steel business card holder (a couple of quid), which is the perfect size for storing credit-cards, and when closed, forms a perfect faraday cage around the card, blocking all signals out. So why bother with these pesky "RFID Blocking wallets" when a simple business card holder does the job just as well?

[leexgx]

even with protecting it on your self will not do as you have to remove it at some point to use it its likey its going to be read when you pull it out to use it (places that use it ID RFID) thats an bigger problem as now any one with an bag at an airport can get So much info by just getting some food (an long walk with the bag and the device to get food and ever one you walk past you get id stuff whats very poor idea )

first thing to do i guess is destroy the RFID device in the passport or card at least with the Chip and pin idea thay need to have the card at least

[DXR_13KE]

bloody idiots....

edit: not the people that hacked the thing, i am referring to the people creating and using the thing and shoving into other peoples asses....

[Fused]

Quote:

Originally Posted by leexgx

first thing to do i guess is destroy the RFID device in the passport or card at least with the Chip and pin idea thay need to have the card at least

I don't know if you mean it litteraly or not, but tampering with the rfid in your passport might just make those people at immigration just a tiny bit suspicious..

I see chip and pin as more of a convienence than anything meaningful in terms of security. In the end nothing will stop a determined thief!