No-Swipe Credit Card No Problem For Thieves

Radio-frequency enabled credit cards allow consumers to complete transactions with a flick of the wrist, but new research shows that it’s not just consumers and merchants who will find the new system easier.

Thieves, equipped with a device about the size of a pack of gum and costing less than $50 in readily available electronic parts, can intercept the credit cards.

Equipped with such a device, a fraudster could walk through a crowd of people, harvesting cards into a portable reader. An unauthorized reader could be placed behind a legitimate reader and transmit the numbers back to the thieves’ lair. Or a reader could be embedded in an innocuous-looking package and placed in mailboxes, culling and transmitting numbers on newly issued credit cards.

Until these security vulnerabilities are addressed, hold off on getting a credit card wand. Their most breath-taking magic may be how swiftly they’re used to rack up a mountain of jewels, embossed leather jackets, and spinning hubcaps, all in your good name.

Researchers See Privacy Pitfalls in No-Swipe Credit Cards” [NYT]
Vulnerabilities in First-Generation RFID-enabled Credit Cards (pdf)
RFID Payment Card Vulnerabilities Technical Report (pdf)

Comments

Edit Your Comment

  1. So I tell my friend, about two months ago, “Robert, those new RFID credit cards, they may be a boon to ease of use and really handy, but boy-oh-boy, talk about a security risk!” Robert, whom I might add is in the process of getting the 3.27 billion certifications he requires to make it in the IT field, and is generally my go-to guy when it comes to electronic security, says to me, he says, “Aron, I don’t think thieves would go for those. It just isn’t worth it.” Well, Rob, looks like I told you so.

    EEEP! I just realized that I gave away 1/3 of the identity of the great super hero Captain Lumpy Dog!!! Everyone who’s read this, would you please forget part of the fifth line. There you go.

    Captain Lumpy Dog, Away!

  2. The_Truth says:

    ” and transmit the numbers back to the thieves’ lair.”

    Shouldent that read

    ” and transmit the numbers back to the thieves’ house.”

    Im tired of the villification of thieves and their supposed living in lairs. They live in houses like you and me, only they steal things, which I never do.

  3. nweaver says:

    Whats really ridiculous is you can make them far better, using a challenge/response protocol (a’la speedpass). But even then, you have to get the crypto right.

    Is it worth all the security holes not to have to take your credit card out of your wallett? It takes what, 3 seconds?

  4. Brian D. says:

    nweaver said: “Is it worth all the security holes not to have to take your credit card out of your wallett? It takes what, 3 seconds?”

    I’d like to second that question.

  5. Incidentally, the first “sentence” of this story has an incomplete clause. “Radio-frequency enabled credit cards that allow consumers to complete transactions with a flick of the wrist,” is not a complete statement – it’s one big subject. Which means that your next clause, which begins with “But” doesn’t relate to the initial. Also, you might want to lower-case-ize that “But.”

    Sorry, I always wanted to be an English teacher, but got stuck in the glamorous world of pornography.

  6. LeopardSeal says:

    This is bad, but not as bad as those new RFID Passports and Identity Cards currently being issued in the US. They’re just as vulnerable, but instead of some guy walking off with your credit card number he just as easily take your entire identity. And the worst part is that the US government doesn’t really consider that to be a problem. If you’ve got that little symbol on the front of your passport that indicates it has the RFID chip, be very careful where your wave it around.

  7. Mike_ says:

    It helps to know your rights and obligations as a cardholder. Briefly:

    For credit cards, your maximum liability is $50 per card. If the loss involves theft of your card number (e.g. by RFID sniffing or other means), but not the card itself, you have no liability.

    For debit & ATM cards, simply keep an eye on your bank statements. If your card number (but not the card itself) is stolen, and you report the fraudulent transactions within 60 days, you have no liability. (If you don’t report a stolen card, or you’re too lazy to look at your bank statements, you could get hosed.)

    Stop spreading fear about financial liability. Consumers are fairly well-protected.

    The bigger threat is to our privacy. You’re carrying a device that identifies you to anyone with a reader and the ability to get close enough to scan it.

  8. etinterrapax says:

    I still would like to commend the use of the colorful term “lair.” If thieves just operate out of a house like the rest of us schlubs, it becomes more difficult to vilify them and attract the attention of our local superheroes.

  9. emjsea says:

    I’m curious as to what’s going to happen when everyone has a bunch of these suckers on their keychain… how is the machine going to be able to tell which one you mean to use? They’ll all be so close together anyone of them could be read.

  10. Is it worth all the security holes not to have to take your credit card out of your wallett? It takes what, 3 seconds?”

    You bet it’s worth it. Maybe not to you, but to AMEX, VISA, and MC. The less you have to do to spend money that isn’t yours, the better. Unconsciously consumers spend about 15% more by swiping a card than by using cash. And the more they spend, the more likely they are to have a balance.

  11. AcilletaM says:

    It’s time for the aluminum foil wallets and purses.

  12. I’m willing to argue about this… I think as far as security concerns go this is blown out of proportion. While it may be possible to harvest credit card numbers merely by walking through a gauntlet of people with RFID enabled credit cards, it remains merely just theoretical– simply because the power emitted from the credit cards isn’t enough to harvest numbers from just feet away or even within touching proximity in many cases.

    How can you prove this? Leave the credit card in your wallet and try to use the scanner near the cash register. I would be curious to hear people’s experiences in this regard.

  13. TedOnion says:

    What ever happened to three layer security?! It is so simple, yet no one seems willing to do it. If you are confused, thats something you have, something you are, and something you know.

    I would be happy to swipe my card, type in my pin, and scan my fingerprint, or show photo ID. Let’s see a thief steal from that account.

    Oh, and lets get rid of crap like signitures, what a waste.

    Banks and merchants are more concerned about selling their latest “easy to use” features than security. It is time we focus on security, but as long as people run out to buy the latest thing with no regard for how it will screw them in the future, we are stuck with crap like RFID as the only thing protecting us.

    And AcilletaM, you are more right than you know.

  14. emjsea:

    I’m curious as to what’s going to happen when everyone has a bunch of these suckers on their keychain… how is the machine going to be able to tell which one you mean to use? They’ll all be so close together anyone of them could be read.

    I think in a way you are illustrating my point. People have this mental image of the RFID chips in credit cards as being super-powered devices like a bluetooth device but they simply are not. They need to be within close proximity, and when I say close, I mean within two inches without anything blocking the way.

  15. FLConsumer says:

    AcilletaM’s not all that far off on this one. I’ve not seen an RFID credit card yet, but have seen the machines.

    In theory, one could build a higher-power RFID reader and just walk in public places and pick up RFID info without the victims having to take their cards out of their wallets/purses. I’m imagining that the RFID credit cards aren’t all that much different than the proximity access control cards many buildings use, which can have a pretty good range on them.

  16. tz says:

    I actually have what looks like a small cigarette case but is credit-card sized, so that is where I keep them.

    For RFID elsewhere, I wonder how they would react to one of those million volt stun-guns…

    These things can so easily be spoofed. I wonder if Walmart will like them when people substitute the 8oz size chip for the 32oz and no one notices.

    This technology cannot be made secure (at least not without making it a real pain to use). When they become common, someone will come out with a repeater antenna that will amplify the chirp and response until the closest person with one has it repeated.

  17. DeeJayQueue says:

    I have and use the RFID cards. you have to pretty much touch the card to the reader in order for it to work. If a thief can get close enough to you to steal your number with a fancy-schmancy RFID reader, they’re good enough to pull the whole wallet.
    The process is pretty much the same as using the card for debit, only there’s no pin involved. You still have to have the physical card to use it, and you don’t have to worry about the stripe wearing out or breaking.
    Plus if theives are high-tech enough to be able to construct RFID sniffers, and the machines that can put the stolen codes onto new cards and tags, they’ve got better and more important things to do than steal my credit card.

  18. aka Cat says:

    Time for eel-skin wallets to make a comeback!

    (I forget — did Mythbusters prove that one, or disprove it?)

  19. jacques says:

    I have to wonder…
    In the Chicago area, one of our Supermarkets uses “pay by fingerprint”, where they take down your payment info and tie it to your fingerprint (does Albertsons do this nationwide?). Wouldn’t that be a more secure method, providing that the fingerprint readers are more sensitive to heat, copies, etc than lower-end readers?

    Also, the Chicago mass transit system uses a radio-chipped card for passes. The signal strength on those is horrid.

  20. AcilletaM says:

    That’s not entirely true s_a. Standard passive rfid tags can have a range from a few inches to a few yards based on design.

    For a fun read about this, http://en.wikipedia.org/wiki/RFID is a decent but no where near thorough start.

  21. Trai_Dep says:

    “Lair” is awesome. Nuff said.

    Dueling quotes from NYT article:

    “This is an interesting technical exercise,” said Brian Triplett, SVP for emerging-product development for Visa, “but as a real threat to a consumer – [it] really doesn’t exist.”

    “Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?”

    I think the latter one takes the match.

    The point is, what benefit does this serve? Saving 5secs of having a clerk swipe a card doesn’t seem to be enough.

    I can see techs boosting the reading range of readers, of marketing keychain sized off-the-shelf units for under $100 for technically inept thieves, of some credit card mfrs making noobie mistakes increasing vulnerability, and dozens of other ways to increase the risk.

    Gawd don’t even get me started about US Passports.

    This is a solution in search of a problem, that opens consumers to additional risk. HATE the idea of it.

  22. AcilletaM: You make a good point, but I’m certain that they aren’t designing passive RFID in credit cards to be read a few yards away. Proximity is important, and I’ll give you an example why:

    You’re buying a piece of merchandise and you are standing in the front of a line with five people behind you. You don’t have an RFID credit card, but the person behind you does and she’s got hers out because she’s ready to pay for her merchandise. If you presume that the card can transmit meters away, then it’s likely that the person standing behind her will have her card “read” during the transaction. Uhh.. why would credit card companies make a system like that, something that would HARM them significantly?

    Loyal consumerist readers know that credit card companies are often good about eating the cost of stolen cards so why would they make it easier for people to steal them? These companies are experts at negotiating cost versus benefit, it’s technically what they do for a living and for them to release a system where they are pushing widescale fraud and allowing for the chaos of people paying for the wrong goods is patently ridiculous.

  23. acambras says:

    Seriously, is any company marketing passport holders or wallets to protect the contents from unauthorized scanning?

    Kind of like the tinfoil hat I wear to keep the extraterrestrial invaders from reading my thoughts?

  24. CatMoran,

    Mythbusters proved it was busted. They couldn’t get the credit card stripe erased.

  25. AcilletaM says:

    s_a, I don’t deny what you’re saying or your example. I don’t think they are creating cc’s with rfids with a 2 yard range. But I know someone at a credit card company and from what she has told me, it’s all about the rush to get something, anything, out there. Driven by marketing and sales people, who in my experience are mostly like they are portrayed in Dilbert (sorry if that seems insulting but fuck me I’m not redesigning something hundreds of other customers like because you might get a sale). I’m not willing to put that much faith into the planning and preparation of people behind a moving deadline. Especially ones who’s previous security experience was adding a strip on the back to allow for a signature and most recently printing a check digit like thing on the back of the card.

  26. Ben Popken says:

    I’m no RFID expert, but wouldn’t it be possible to build an RFID snagger that’s more sensitive and thereby extend the range the signal could be picked up?

  27. FLConsumer says:

    Keep in mind that the RFID credit cards are passive devices, that is, they require an external power source (RF energy) to make them come alive. (1) Therefore, the transmitter is far more involved with range than the card itself is.

    For example, there’s the HID iCLASS proximity access cards out there, very standard fare, many readers here probably have them for work. These work at 13.56Mhz, exactly the same frequency used by the RFID credit cards in the NYTimes article. (2) Well, HID makes a long-range reader which works up to 18-24″ away from the card. (3) So, there you go. Chances are that Visa/Mastercard put very weak transmitters/readers in their terminals to prevent cross-talk between readers where multiple terminals are clustered close together, such as at mall kiosks & retail store checkout lanes. Just because they used weak ones doesn’t meant criminals/hacker types are limited to those same weak transmitters.

    References:
    1)http://www.nytimes.com/packages/pdf/business/20061023_CARD/fc2007-submission.pdf
    2)http://www.hidcorp.com/pdfs/products/irg_us.pdf
    3)http://www.hidcorp.com/prod_detail.php?prod_id=74

  28. Daytonna says:

    That is correct Ben. There is an anual “hacker” convention in Vegas called “Def-con”, a group of hackers demonstrated the ability to read RFID’s from almost 70 feet away.

    “A group of twentysomethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet. That’s important because the tags have been proposed for such things as U.S. passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling U.S. citizens out of a crowd.

    RFID companies had said the signals didn’t reach more than 20 feet, said John Hering, one of the founders of Flexilis, the company that conducted the experiment.

    “Our goal is to raise awareness,” said Hering, 22. “Our hope is to spawn other research so that people will move to secure this technology before it becomes a problem.”

    http://www.usatoday.com/tech/conventions/2005-08-01-hacker

  29. pete says:

    For all you thinking otherwise, distance is not an issue with these. Garden-variety passive RFID tags, like the ones used in speedpass and credit cards, have been read from 69 feet away, and this was done in 2005.
    http://www.makezine.com/blog/archive/2005/07/_defcon_rfid_
    Yes the equipment was pretty big, but I’m sure it can be and has been refined.

    What does it mean to the average joe? Not much.
    I’m sure it’s better odds that you’re hit by lightning than your RFID ez-pay card is randomly snarfed. If you’re uber-paranoid (like me) just cut the liner of your wallet open and insert tinfoil, seriously, it works.

    What’s more troubling is RFID US passports. US passports are worth big money overseas. It won’t be long before we see devices used to not necessarily read the contents of the passports, but merely to dectect their presence. A nice steal-me, mug-me, or blow-me-up beacon that I don’t want to be carrying.

  30. pete says:

    dam you Daytona for being faster than me :P

  31. Can someone provide details as to exactly what kind of RFID chips were used in the defcon experiments? According to the data in wikipedia it would seem to support the idea that their hacker-built RFID readers were meant for “Active” RFID– which doesn’t apply to the passports and the credit cards which are passive.

    In which case, reading the Active RFID at 70 feet is more of a publicity stunt, like when an antenna was built for WiFi signals over a kilometer away. You’re just building a fancy shmancy receiver, so who gives a shit? If you want to read passive RFID it needs to supply induction to the passive RFID chip itself.

    Another person gave the example of a smart tag: Smart tag’s are active RFID which means they are actually transmitting from a power supply. Again, credit cards and passports are passive RFID– no built in power. The process used to transmit power back to the receiver is by backscattering the original signal which would make it hard for a passive RFID “sniffer” since it’s highly directional based and based on the presumption of the amount of power being sent back out from the passive device.

  32. masterhibb says:

    CatMoran,

    I used an eelskin wallet for years, and the RFID badge readers at work had no trouble reading my badge through the wallet. In fact, if I was feeling particularly lazy, I could just bump up against the reader without even removing the wallet from my pocket. So eelskin is not going to keep your RFID gear from being snooped.

    However, LifeHacker’s got plans for a DIY RFID-blocking wallet. I’ve got no personal experience to go from, but if you search for “RFID blocking wallet,” you’ll find this is pretty popular (on the Internet, at least).

    If, on the other hand, you’re concerned about style, and you don’t feel that a duct tape wallet fits well within yours, there are professionally available models out there designed specficially to keep your data to yourself.

    Or for a more permanent solution, you could simply fry the sucker.

  33. pete says:

    It was a passive tag at Defcon -
    “DefCon 13 also was notable for being the location where two new world records were set — both involved shooting certain electronic signals unprecedented distances. Los Angeles-based Flexilis set the world record for transmitting data to and from a “passive” radio frequency identification (RFID) card — covering a distance of more than 69 feet.

    http://blog.washingtonpost.com/securityfix/2005/08/leaving

  34. Daytonna says:

    Amazing,

    “RFID companies had said the signals didn’t reach more than 20 feet, said John Hering, one of the founders of Flexilis, the company that conducted the experiment.”

    Definately an active RFID. Good catch. But the point is still valid that hackers able to read the signal 50 feet further than the manufacturer said was possible.

  35. Daytonna says:

    Wow, my turn to be slow on the post Pete.
    ATTN: all please disregard my last post. :)

  36. thrillhouse says:

    “Stop spreading fear about financial liability. Consumers are fairly well-protected.”

    Its not so much a matter of financial loss, but more the time it takes to put your life back together after a real identity theft.

  37. Ben Popken says:

    Mike_ re: liability… I would rather be protected before the fact rather than trying to wrest my money back after.

  38. FLConsumer says:

    Does anyone know how much one of these prox reader terminals for Visa/Mastercard cost the merchant? Also, how are Visa/MC handling the access fees? I’d hope/assume they’re charging the “swiped” rate rather than “manual/telephone” rate for this service.

  39. SpamFighterLoy says:

    FLConsumer: given how much V/MC want these used, they’re probably offering an even or better percentage. Consider that MC recently gave away 5,000 pre-loaded $25 cards for people to try out.

    Just noticed something interesting … with this new tech, V/MC is only requiring a signature for purchases of $25 or more. Could that be why Wegmans is no longer asking for my sig for under $25 when other stores still require it? I know I don’t have RFID, but maybe they do and figure it’s just easier to do it that way for everyone. Or maybe I’m wrong.

    On the passports, the most interesting experiment I saw was a couple of geeks that rigged a trash barrel to explode when an American (and only an American) passport passed by. The passport was open about 1/8 of an inch. That’s enough.

    Time for tinfoil to go mainstream :)

  40. Grrrrrrr, now with two buns made of bacon. says:

    Well, that’s certainly going to reduce the market for old-fashioned pickpockets. Yet another case of technology putting (dis)honest working people out of business.

  41. FLConsumer says:

    I believe it was Visa who started the no sig for purchases under $25, in an effort to get people to use their CC for everything, but I’m not 100% sure on how this works as I’ve seen many places which still require a signature no matter how small the charge.

    As far as the passport issue, I usually leave mine at the friend’s house where I’m staying and carry a photocopy of it with me. Far less chance of it getting knicked that way, and no exploding trash cans to worry ’bout. :)