funsec mailing list archives
Vulnerabilities in First-Generation RFID-Enabled Credit Cards
From: <rms () bsf-llc com>
Date: Mon, 23 Oct 2006 09:29:45 -0400
Here are all of the technical details. I'm still scratching my head why a RFID credit card doesn't have a little momentary contact switch which must be pushed in order to activate the RFID chip. With this simple addition, cards can't be read on the sly.

Richard

_____

http://www.rfid-cusp.org/blog/blog-23-10-2006.html

Vulnerabilities in First-Generation RFID-Enabled Credit Cards
Monday, October 23, 2006

RFID CUSP scientists have studied the security and privacy of RFID-enabled credit cards. Here Ari Juels gives an overview of the results.

Consumers in the United States today carry some twenty million or so credit cards and debit cards equipped with RFID (Radio-Frequency IDentification) chips. RFID chips communicate transaction data over short distances via radio. They eliminate the need to swipe cards or hand them to merchants. Consumers can instead make payments simply by waving their cards - or even just their wallets - near point-of-sale terminals.

While appealing to both consumers and merchants, the convenience of RFID credit cards has a flip side. What a legitimate merchant terminal can read, a malicious scanning device can also read without a consumer's consent or knowledge. RFID credit cards therefore call for particularly careful security design.

A report released today by a team of scientists in the RFID Consortium for Security and Privacy <http://www.rfid-cusp.org/> (RFID-CUSP) reveals lapses in the security and privacy features of several types of currently deployed RFID credit cards. The report (of which I am a co-author) highlights two basic vulnerabilities in the cards under study:

1. Names in the clear: The RFID credit cards transmit bearer names promiscuously. Any device capable of scanning a card can learn the name imprinted on it - with or without the owner's consent.

2. Payment fraud: In varying degrees, the RFID credit cards are vulnerable to an attack called "skimming." An attacker with an RFID reader can harvest information from a card, create an inexpensive clone device, and make charges against the legitimate card. (Alternatively, an attacker may be able to perform online transactions with harvested credit-card information.) Skimming requires minimal technical expertise and expense.

...

For details on the RFID-CUSP study, visit www.rfid-cusp.org <http://www.rfid-cusp.org/>.

Technical manuscript

Our technical paper is available in draft form: PDF <http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf>

Video demonstration

We have a short video demonstrating some of the attacks from a technical perspective. Please excuse our poor-quality video techniques: 11MB <http://www.rfid-cusp.org.nyud.net:8090/videos/RFID-CC-video-part1.mov> Quicktime (coralized)

Check back next week for Part 2, a non-technical video.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.