Information Security News mailing list archives

The hands-free way to steal a credit card


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 22 Feb 2008 05:28:04 -0600 (CST)

http://www.news.com/8301-10789_3-9875961-57.html

By Robert Vamosi
Defense in Depth
February 21, 2008 

WASHINGTON D.C. -- Adam Laurie, an RFID security expert, used the Black 
Hat DC 2008 conference here to demonstrate a new Python script he's 
working on to read the contents of smart-chip-enabled credit cards.

As part of his presentation Wednesday, Laurie asked for someone from the 
audience to volunteer a smart card. Without taking the card out of the 
volunteer's wallet, Laurie both read and displayed its contents on the 
presentation screen--the person's name, account number, and expiration 
clearly visible.

Demonstrations like that show the potential misuse of RFID technology in 
the near future. Without touching someone, a thief could sniff the 
contents of an RFID-enabled credit card just in passing. The same is 
true for embedded RFID chips in the human body, work access badges, some 
public transit cards, and even the new passports in use in more than 45 
countries. 

As a disclaimer, Laurie said he spoke to American Express, the company 
that issued the volunteer's card. Laurie said that American Express told 
him: "We are comfortable with the security of our product." Laurie added 
that the company told him the number he displayed on the presentation 
screen was not the account number printed on the card, which Laurie 
proved by opening the wallet and comparing. However, Laurie noted that 
the captured account number could still be used for online transactions.

The credit card industry has argued that use of the RFID-enabled cards 
will save customers time when processing payments.

An extreme example can be found in Spain. Laurie said a public beach 
there encourages visitors to have RFID tags injected into their bodies. 
The point? Merchants along the beach scan your wrist to obtain a unique 
ID from which they can debit your account. The advantage? You won't have 
to go to the beach with your wallet, which might get stolen.

Laurie, who has an injected RFID tag, showed how easy it was not only to 
read the tag, but also to re-write the tag. During his demo, he used the 
coding sequence reserved for animal tagging to have his RFID chip 
declare him an animal.

On his RFIDiot Web site, Laurie offers the Python scripts free of charge 
and also sells the hardware necessary to read and write to RFID tags and 
cards. 

