Mythbusters Gagged: Credit Card Companies Kill Episode Exposing RFID Security Flaws

UPDATE: Mythbusters Host Retracts RFID Censorship Comments

Credit card companies successfully nixed a Mythbusters segment exposing RFID’s security flaws, according to Arbiter of Truth and Mythbusters co-host, Adam Savage.

Despite increasingly widespread use in passports and credit cards, radio-frequency identification is notoriously insecure. Hackers have successfully hijacked RFID-enabled credit cards from almost 70 feet away. Mythbusters had arranged a conference call with Texas Instruments to explore a similarly depressing demonstration.

Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else… They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it’s on Discovery’s radar and they won’t let us go near it.

In related news, here’s a post showing how to steal RFID credit card information with $8 worth of equipment from eBay.

Arphid Watch: Mythbusters and RFID [Wired via BoingBoing and Caveat Emptor]

Comments

  1. Baron Von Crogs says:

    I’m glad rather than fix the flaws they suppress the info.

    Good jorb.

  2. Sandtiger says:

    sure…it’s called security thru obscurity.

  3. Dyscord says:

    wow. I can sorta see where they’re coming from. They don’t want people to know how to do this stuff. But if your security is that flawed, perhaps you should try something else.

  4. SabyneWired says:

    Talk about trying to stop a leaking dam by sticking your finger in it. Instead of using the information to make the system more resistant to hacking, they suppress the information (which you can likely still find by Googling).

    Well done, companies. Hope the hackers don’t take you down too badly.

  5. sgagnon3 says:

    Woah…. Adam is the freakin man…. cool press conference, I deff gained even more respect for him than I previously had…… All was good, till the stupid chick had to ramble on about her STUPID myth busters idea….. why don’t you submit that one to food network…. then go back to your home on whore island

  6. WaywardSoul says:

    Discovery – what a bunch of idiots. Those other companies advertise on TV for the eyes they get so they may threaten, but in the end they’re not going to cut their ads for long because it costs them a lot more than it’d ever cost Discovery. If it didn’t they wouldn’t be spending money on the ads to begin with – and there’s always others willing to step up and buy ads – so it’s not an all or nothing game. Step up to the plate Discovery before it’s too late and your reputation is damaged.

  7. pixiegirl1 says:

    I remember a few years back I read some stuff for school about RFID and how it’s progressing to come into everyday items. How they want to implement it into everything in place of bar codes b/c it would make it so much easier to ship/receive things without having to manually check how many items you got from the vendor. How they were working on making registers where you would just push your cart through and it would be able to pick up all the RFIDs off the items and you’d never have to empty the cart. And how a lot of credit cards started implementing RFID technology. In all honesty it scared me to think how easy it would be to steal someone’s credit card info; all you need is an RFID reader and you’re set. All you gotta do is go somewhere with a lot of people like a mall or down a busy city street with your reader for like 15-30 minutes and you could cause some serious trouble. To my knowledge none of my current credit cards have RFID; I did have 2 before I researched this and I canceled both of them. I guess it’s another reason to use cash lol.

    • TangDrinker says:

      @pixiegirl1: RFID tech is starting to be used for some of this already, especially shipping. I’m sure once it’s rolled out on a larger scale people may stop having so many UPS/USPS/FEDEX lost my iPhone stories.

  8. flipx says:

    I’ll take my chances out on the street with cash.
    If you ain’t got it in cards they can’t spend it.

    • Hawk07 says:

      @flipx:

      But if you lose the wallet, anyone can spend the cash with no recourse on your behalf.

      Unfortunately, there is no perfect method.

  9. Fredex says:

    “Unfortunately, there is no perfect method.”

    Isn’t that just the perfect method for stopping anything being done?

  10. TPK says:

    Yet once again, stupid company man fails to understand that in today’s information age, you cannot suppress information. You must deal with it!

    That means fixing the problems, not hiding them.

    They should start teaching this in the second grade… A, B, C, 1, 2, 3, “people will always find out stuff now”…

    • nursetim says:

      @TPK:
      You can’t stop the signal Mal.

      • Phydeaux says:

        @nursetim:
        This report is maybe a year old. DiscoVisAmEx buried it, and it stayed buried till Adam dug it up. This is what they feared he knew. And they were right to fear because there’s a whole world of folk who are gonna know it, too. They’re gonna see it. Somebody has to speak for these atrocities.

        You all got on this blog for different reasons, but you all come to the same topic. So now I’m asking more of you than I have before. Maybe all. Sure as I know anything I know this, they will threaten to sue again. Maybe another show, maybe on Mythbusters again when they default on all the host’s loans and kick them out of their houses. A year from now, ten, they’ll swing back to the belief that they can have security through obscurity.

        And I do not hold to that. So no more charging. I aim to misbehave.

  11. Way to support the first amendment, Discovery Channel.

    What would your new buddy Ted Koppel say?

  12. nightshade74 says:

    Streisand effect anyone? [en.wikipedia.org]

  13. seawolf2000 says:

    How do we contact Discovery Channel? IMO this seriously damages their reputation.

  14. chrisexv6 says:

    I wonder….is this the “viral hour” episode that was advertised as recently as 10 minutes before it was supposed to air, then it was pulled within those 10 minutes?

    I guess this might be why if it were on that episode.

    • TACP says:

      @chrisexv6: No. In the video, he said the RFID episode never got past the planning stage. The viral video episode is still on for next week. The first two episodes (Moon Landing and Viral Videos) were postponed until after the Olympics, so they would actually get decent ratings.

  15. mathfeel says:

    Great! Now that regular joe sixpacks still have no clue the possible vulnerabilities of his credit cards. So knowledge remains in the hand of few motivated, possibly ill-intentional hackers.

  16. georgi55 says:

    Great job on the speech about more science shows!

    Oh and the woman about “Better Pizza CRUst!”, SHUT up…sounds like you’ve had enough Pizza already!

  17. doctor_cos wants you to remain calm says:

    Well, if we suppress the information, no one will want it, right?

    What happened to Monster House?

  18. guroth says:

    LOL@ that pizza crust lady, she sounded so adamant and passionate about her idea. Too bad it is a shitty idea for mythbusters..

    • TVarmy says:

      @guroth: Agreed. She needs a copy of Cook’s Illustrated. It’s an interesting question, but only to people trying to make good pizza at home. Mythbusters is a show for everyone.

      My guess: She was starstruck by an extended cable personality, and wanted to propose a cool myth but had no ideas.

  19. timmus says:

    Having had a merchant account since 1996 it’s been my experience that the credit card companies absolutely do not care about security except where it is congruent with PR, advertising, and revenue enhancement. A few times in my naive days I’ve come across stolen cards and tried to get the banks (and Visa) to do something about it, only to get the brushoff treatment. The failure here is systemic and the companies are not doing anything because no one wants to pay to rebuild a truly secure credit card system. Citibank’s introduction of disposable credit card numbers is a step in the right direction, though.

    • goodkitty says:

      @timmus: Not to mention that in a disturbingly large amount of cases, the credit card companies aren’t even liable for a single penny of it. The merchant who took the bad/cloned card has to eat it. CC companies and their fees and policies can at times make the whole oil business look like a lemonade stand in terms of pure profit versus expenses. If I didn’t have to pay for my security breaches, why should I care to pay to fix it?

  20. Shadowfire says:

    So, what… if Discovery had not shown the episode, then the credit companies would have pulled advertising? And Discovery would have gone public with the reason for that pulling? And people would have been pissed?

    I fail to see the problem, Discovery! Show the damn episode!

  21. mrosedal says:

    I have always thought…since the beginning that it was a dumb idea to put RFID chips in credit cards. The last thing I wanted was some device capable of picking up my info if it was waved close enough to my ass. In the old days you at least got a little bit of enjoyment out of getting your credit cards stolen. ;-)

  22. sk1d says:

    I’ve had unauthorized charges on my card before. When I called MasterCard about it, I had a new card with a new number and an affidavit to sign in the mail, and refunds for all those charges within 5 minutes of speaking to someone.

    It’s obviously easier and faster for them to refund my money and give me a new card than it is to build a more secure system.

  23. barco says:

    Remember those AT&T “You Will” TV adverts in the early 90’s where Tom Selleck narrated about what future technology holds?

    “checking out of a supermarket, without talking to a cashier? You will!” (kid looks through the RFID checkout scanner)

    We need a revision.

    “Get techno-jacked because nobody actually cares about your security? You will!”

    • dweebster says:

      @barco: Pretty amusing that it was AT&T hinting at their spy program years ahead of the rollout.

    • jamar0303 says:

      @barco: Look over the Pacific to see how they do it. RFID-enabled cellphones in Japan have remote locks as well as PIN locks for the RFID function. It’s secure enough that JAL has been able to deploy a system called QuiC whereby you just wave your frequent flyer card at the reader at security instead of all this current fuss. It makes getting on the plane almost as easy as getting on the bus.

  24. eloj says:

    A colorful presentation of Rubin et al.’s original work against Texas Instruments ‘DST’: [www.math.vu.nl] (3.9MiB)

    Original paper: [www.usenix.org]

    This is probably the sort of thing TI and the rest of the industry they represent don’t want the masses to know about.

  25. dweebster says:

    Excellent job, Mythbusters!!! Adam- you’ve got balls to tell the truth on this.

    You have completely busted the myth that corporate media operates in the public interest. Here’s a proposal for a relatively mild investigation into RFID and the whole thing gets shut down immediately by a gaggle of immoral lawyers working for their paymasters.

    If RFID gets so heavily censored like this, it’s pretty obvious how standard it was to cover up the Republican election stealing in Florida and Ohio, as well as squash investigations into dangerous drugs and national healthcare initiatives – on and on.

    Molly Ivins said, “you gotta dance with the ones that brung ya'” and this is a great illustration of that. No wonder there’s “nothing on TV” – most anything valuable has been censored.

    • TACP says:

      @dweebster: The Republicans really stole the 2006 elections, didn’t they? Enough with the political posts.

      • drjayphd says:

        @TACP: Cat was out of the bag at that point. If there was a conspiracy with Diebold to rig the election for Republicans, no way they could do it in the face of all the news about hacking their voting machines, as well as criticism of the Republican administration. Not saying there was one, but Walden O’Dell’s comments REALLY didn’t help.

        But that’s another episode.

    • Consumerist-Moderator-Roz says:

      @dweebster: You’re completely off topic with the political jibes. Knock it off.

      @Pro-Pain: @jonworld: @crashfrog: Same with the global warming stuff. This article has nothing to do with that.

  26. TVarmy says:

    I’m embarrassed to ask this, but how do I know if my card has RFID in it? I know it’s a violation of my rights to privacy, but it sounds like a violation of my privacy that could save me time. I see the new scanners around, and I am interested to try it, but I don’t want to piss off the clerk by waving around my possibly regular card next to the scanner.

    I have a Wachovia Debit card, if it matters. I prefer to use it as a credit card for the float it gives me. I don’t ride with a low balance, but I try to slow my transactions down just in case I screw up or something goes wrong.

  27. quail says:

    I’ve never requested RFID to be implemented in any of my cards. I knew about the security threat years ago, but now I’m paranoid about my cards. Guess I’ll just take a hammer to all of my cards just to be on the safe side.

  28. AgentTuttle says:

    They did an RFID thing on the show where Kari got one implanted in her arm. That was the question not answered which I wondered when I saw the episode: Did she have it removed?? That was after I was thinking she was an idiot for having it implanted in the first place.

  29. Eric1285 says:

    I got a special wallet with an interior lining made out of stainless steel that won’t allow RFID signals to penetrate. It’s made by a design house called Steward Stand. The only annoyance is that when I travel to Asia where they use RFID for metro passes and such, I have to switch to a different wallet.

  30. Technick says:

    Sweet, I’m going to see if we can play the video and talk about this at Hacking 201 tomorrow at Dragoncon (EFF Track).

  31. jonworld says:

    This is exactly like how the Bush Administration deals with global warming: Hide the problem from people instead of just doing something to fix it.

    • Pro-Pain says:

      @jonworld: Global warming? Are you serious or joking? I got news for you, global warming is a myth. And it needs to be busted. I sure in the hell could care less about global f’n warming when I live paycheck to paycheck. Please purchase a clue at your nearest Walmart store. Thank you.

      • crashfrog says:

        @Pro-Pain: I got news for you, global warming is a myth.

        “Global warming is a myth” is a myth.

        And it needs to be busted.

        When you can present the sound, peer-reviewed science that does, it will be.

  32. scooby2 says:

    They started putting RFID in the new US passport. It sounds like a lot of people just smash the RFID chip until it is unusable. While it is most likely illegal to do, it is a good idea imo, especially on credit cards.

  33. gropil says:

    I agree that this behaviour is obviously unethical, but many posters here have missed the point. The credit card companies are well aware that information on how to hack rfid’s is readily available on the internet – they know there is unlikely to be an increase in rfid crime because of a mythbusters episode. Their main concern is the damage it would do to consumer trust, and they can ill afford this with the current economic climate.

  34. doctor_cos wants you to remain calm says:

    Maybe we should be worried as RFID is in your passport as well…although you can disable that one rather easily.

  35. vastrightwing says:

    Cash is king, except the U.S. treasury prints too much of it, thus devaluing it for all of us.

    Check out the news of MIT exposing the Boston Charlie card hacks. The MBTA stopped the students from exposing the flaws with a court order too.

  36. deadspork says:

    I posted this in the RFID thread and I’ll also post it here; just call your CC company and ask to be opted out of RFID cards. The company I work for can send out replacements sans the chip, and I’d bet most companies can.

  37. dopplerd says:

    A hole punch or quick puncture from a razor blade will make any RFID card non RFID. I did this to an AmEx card with RFID a few years ago and it still works fine as a swipable card. There is a chip and an antenna embedded in the card, just separate the two and you are RFID free.

    Also, maybe Mythbusters should look at moving to PBS. There the public good stands above the advertisers.

  38. hairyseaword says:

    RFID isn’t the mark of the beast, folks, I can’t believe all the fear-mongering going on in this thread!

    It’s a fairly new technology that is frequently used without appropriate safeguards, even when they are available, but that will get worked out as the tech becomes more common place. It’s just like cell phones, which you used to be able to hear with a police scanner, and everyone flipped out.

    Yes there are tons of problems, and the security is more than lackluster. But it’s not permanent. Consumers/folks won’t stand for it for long.

    But jeez… stabbing credit cards with hole punches and microwaving passports… it’s like the Salem Tech Trials conducted by the tin foil hat posse.

  39. uberbucket says:

    It’s not a problem if no one knows about it?

    Pure genius strikes again.

  40. chartrule says:

    I think a better response would be to fix the leaks that the mythbusters exposed and then run the episode after the flaws in security have been closed

  41. Cary says:

    How about taking some responsibility and calling the bank? I did just that with Chase and informed them my new shiny RFID-equipped card had accidentally on-purpose fallen into my shredder.

    Amazing! New non-RFID equipped card showed up 4 days later… with a Slurpee!

  42. Red_Eye says:

    Cue up the music for the Streisand effect.

  43. DashTheHand says:

    It’s sad because the miscreants that already know about this are actively doing it because the info is freely available on the internet, and the people that would find out about it for (possibly) the first time are primarily the ones that need to defend themselves from it.

    Either way, Mythbusters is a show for entertainment and not a “how to do illegal things” show. But since credit companies will never go away, and they are the ones that are putting this pointless, broken technology into credit cards for no good reason, of course it will be gagged.

  44. t0fu says:

    almost sounds like black hat redux

  45. Jesse says:

    AMEX’s RFID tags are slightly more secure since I think it’s a different account number. If you look at the last four digits of the card number on your receipt, they are different on RFID transactions.

  46. hypnotoad says:

    Conspiracy theories notwithstanding, it’s always best practice to fix the problem and THEN publish the flaw.

    For every pro criminal who may have already figured this out, there are probably 100 dumb ones for whom this show would just give them all the info they need.

    The correct sequence of events should be:

    1) Alert people that there is a problem and how to mitigate;
    2) Fix the problem; and
    3) Only then publish details of the flaw.

  47. seancron says:

    In completely unrelated news, it seems that the YouTube video is mysteriously missing. I wonder why…

  48. Janet Altman says:

    The real situation as I see it is not that Discovery aired it but that we must be constantly aware of technological advances in digital security (see: [www.justaskgemalto.com]) and insist from a consumer perspective that the highest standards are met at all times.
