UPDATE: Mythbusters Host Retracts RFID Censorship Comments
Credit card companies successfully nixed a Mythbusters segment exposing RFID’s security flaws, according to Arbiter of Truth and Mythbusters co-host, Adam Savage.
Despite increasingly widespread use in passports and credit cards, radio-frequency identification is notoriously insecure. Hackers have successfully hijacked RFID-enabled credit cards from almost 70-feet away. Mythbusters had arranged a conference call with Texas Instruments to explore a similarly depressing demonstration.
Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else… They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it’s on Discovery’s radar and they won’t let us go near it.
In related news, here’s a post showing how to steal RFID credit card information with $8 worth of equipment from eBay.
Arphid Watch: Mythbusters and RFID [Wired via BoingBoing and Caveat Emptor]
(Photo: Getty)
More From Consumerist
-
How Do Different Credit & Debit Cards Stack Up In Terms Of Consumer Protection?
-
Ann Taylor Scrambles My Data With My Friend’s, Shrugs
-
Would You Pass Up A Discount On An Item Just To Pay With A Credit Card?
-
Barnes & Noble Warns Of Credit Card Breach At 63 Stores
-
Feds Charge 18 People With Ringing Up $200 Million In Fraudulent Credit Card Charges
Im glad rather than fix the flaws the suppress the info.
Good jorb.
@BaronVonCrogs:
It’s like DeCSS all over again.
@TechnoDestructo:
Exactly. Remember how they outlawed DeCSS and then no one ever cracked the copy protection on DVDs ever again?
@TechnoDestructo: I was thinking the exact same thing.
Similarly, I’ve refused to accept any credit card with RFID. So far every bank I’ve received a credit card from hasn’t had a problem with providing non-RFID cards.
sure…it’s called security thru obscurity.
wow. I can sorta see where they’re coming from. They don’t want people to know how to do this stuff. But if your security is that flawed, perhaps you should try something else.
@Dyscord: because, well, you know, you can’t find that information on the internet.
especially not youtube.
Talk about trying to stop a leaking dam by sticking your finger in it. Instead of using the information to make the system more resistant to hacking, they suppress the information (which you can likely still find by Googling).
Well done, companies. Hope the hackers don’t take you down too badly.
Woah…. Adam is the freakin man…. cool press conference, i deff gained even more respect for him than I previously had…… All was good, till the stupid chick had to ramble on about her STUPID myth busters idea….. why dont you submit that one to food network…. the go back to your home on whore island
@sgagnon3: Ahhhahahahahahaahaha. Ohhhh man.
@sgagnon3: And they mention Smash Lab. BOOOOOOOO. That show blows in such a hard way. You can see they are trying to save it by bringing in Gadget from Monster Garage and Big!. Then they team Gadget up with the hot “scientist”.
@Git Em SteveDave displays attention-grabbing vanity: Agreed. One of my friends and I watched Smash Lab exactly once. It was like watching MythBusters through a very thick stupidity prism.
@Git Em SteveDave is starless:
I watched one episode of Smash Lab. It was so bad I registered an account at Television Without Pity just to bitch about it.
Good to know lots of people agree with me.
Discovery – what a bunch of idiots. Those other companies advertise on TV for the eyes they get so they may threaten, but in the end they’re not going to cut their ads for long because it costs them a lot more than it’d ever cost Discovery. If it didn’t they wouldn’t be spending money on the ads to begin with – and there’s always others willing to step up and buy ads – so it’s not an all or nothing game. Step up to the plate Discovery before it’s too late and your reputation is damaged.
I remember a few years back I read some stuff for school about RFID and how it’s progressing to come into every day items. How they want to implement it into everything in place of bar codes b/c it would make it so much easier to ship/receive things with out having to manually check how many items you got from the vender. How they were working on making registers where you would just push your cart threw and it would be able to pick up all the RFID’s off the items and you’d never have to empty the cart. And how a lot of credit cards started implementing RFID technology. In all honesty it scared me to think how easy it would be to steal someone credit card info all you need is a RFID reader and your set. All you gotta do is go somewhere with a lot of people like a mall or down a busy city street with your reader for like 15-30 minutes and you could cause some serious trouble. To my knowledge none of my current credit cards have RFID I did have 2 before I researched this and I canceled both of them. I guess its another reason to use cash lol.
@pixiegirl1: RFID tech is starting to be used for some of this already, especially shipping. I’m sure once it’s rolled out on a larger scale people may stop having so many UPS/USPS/FEDEX lost my Iphone stories.
I’ll take my chances out on the street with cash.
If you ain’t got it in cards they can’t spend it.
@flipx:
But if you lose the wallet, anyone can spend the cash with no recourse on your behalf.
Unfortunately, there is no perfect method.
“Unfortunately, there is no perfect method.”
Isn’t that just the perfect method for stopping anything being done?
Yet once again, stupid company man fails to understand that in today’s information age, you cannot suppress information. You must deal with it!
That means fixing the problems, not hiding them.
They should start teaching this in the second grade… A, B, C, 1, 2, 3, “people will always find out stuff now”…
@TPK:
You can’t stop the signal Mal.
@nursetim:
This report is maybe a year old. DiscoVisAmEx buried it, and it stayed buried till Adam dug it up. This is what they feared he knew. And they were right to fear because there’s a whole world of folk who are gonna know it, too. They’re gonna see it. Somebody has to speak for these atrocities.
You all got on this blog for different reasons, but you all come to the same topic. So now I’m asking more of you than I have before. Maybe all. Sure as I know anything I know this, they will threaten to sue again. Maybe another show, maybe on Mythbusters again when they default on all the host’s loans and kick them out of their houses. A year from now, ten, they’ll swing back to the belief that they can have security through obscurity.
And I do not hold to that. So no more charging. I aim to misbehave.
Way to support the first amendment, Discovery Channel.
What would your new buddy Ted Koppel say?
Streisand effect anyone? [en.wikipedia.org]
@nightshade74: My first thought was,
“Paging Barbra Streisand, Barbra Streisand to the white courtesy phone.”
@nightshade74:
Exactly what I came here to say. Time for some viral videos…
How do we contact Contact Discovery Channel? IMO this seriously damages their reputation.
I wonder….is this the “viral hour” episode that was advertised as recent as 10 minutes before it was supposed to air, then it was pulled within those 10 minutes?
I guess this might be why if it were on that episode.
@chrisexv6: No. In the video, he said the RFID episode never got past the planning stage. The viral video episode is still on for next week. The first two episodes (Moon Landing and Viral Videos) were postponed until after the Olympics, so they would actually get decent ratings.
Great! Now that regular joe sixpacks still have no clue the possible vulnerabilities of his credit cards. So knowledge remains in the hand of few motivated, possibly ill-intentional hackers.
Great job on the speach about more science shows!
Oh and the women about “Better Pizza CRUst!”, SHUT up…sounds like you’ve had enough Pizza already!
Well, if we supress the information, no one will want it, right?
What happened to Monster House?
LOL@ that pizza crust lady, she sounded so adamant and passionate about her idea. Too bad it is a shitty idea for mythbusters..
@guroth: Agreed. She needs a copy of Cook’s Illustrated. It’s an interesting question, but only to people trying to make good pizza at home. Mythbusters is a show for everyone.
My guess: She was starstruck by an extended cable personality, and wanted to propose a cool myth but had no ideas.
Having had a merchant account since 1996 it’s been my experience that the credit card companies absolutely do not care about security except where it is congruent with PR, advertising, and revenue enhancement. A few times in my naive days I’ve come across stolen cards and tried to get the banks (and Visa) to do something about it, only to get the brushoff treatment. The failure here is systemic and the companies are not doing anything because no one wants to pay to rebuild a truly secure credit card system. Citibank’s introduction of disposable credit card numbers is a step in the right direction, though.
@timmus: Not to mention that in a disturbingly large amount of cases, the credit card companies aren’t even liable for a single penny of it. The merchant who took the bad/cloned card has to eat it. CC companies and their fees and policies can at times make the whole oil business look like a lemonade stand in terms of pure profit versus expenses. If I didn’t have to pay for my security breaches, why should I care to pay to fix it?
So, what… if Discovery had not shown the episode, then the credit companies would have pulled advertising? And Discovery would have gone public with the reason for that pulling? And people would have been pissed?
I fail to see the problem, Discovery! Show the damn episode!
I have always thought…since the beginning that it was a dumb idea to put RFID chips in credit cards. The last thing I wanted was some device capable of picking up my info if it was waved close enough to my ass. In the old days you at least got a little bit of enjoyment out of getting your credit cards stolen.
I’ve had unauthorized charges on my card before. When I called MasterCard about it, I had a new card with a new number and an affidavit to sign in the mail, and refunds for all those charges within 5 minutes of speaking to someone.
It’s obviously easier and faster for them to refund my money and give me a new card than it is to build a more secure system.
Remember those AT&T “You Will” TV adverts in the early 90′s where Tom Selleck narrated about what future technology holds?
“checking out of a supermarket, without talking to a cashier? You will!” (kid looks through the RFID checkout scanner)
We need a revision.
“Get techno-jacked because nobody actually cares about your security? You will!”
@barco: Pretty amusing that it was AT&T hinting at their spy program years ahead of the rollout.
@barco: Look over the Pacific to see how they do it. RFID-enabled cellphones in Japan have remote locks as well as PIN locks for the RFID function. It’s secure enough that JAL has been able to deploy a system called QuiC whereby you just wave your frequent flyer card at the reader at security instead of all this current fuss. It makes getting on the plane almost as easy as getting on the bus.
A colorful presentation of Rubin et.al’s original work against Texas Instruments ‘DST’: [www.math.vu.nl] (3.9MiB)
Original paper: [www.usenix.org]
This is probably the sort of thing TI and the rest of the industry they represent don’t want the masses to know about.
Excellent job, Mythbusters!!! Adam- you’ve got balls to tell the truth on this.
You have completely busted the myth that corporate media operates in the public interest. Here’s a proposal for a relatively mild investigation into RFID and the whole thing gets shut down immediately by a gaggle of immoral lawyers working for their paymasters.
If RFID gets so heavily censored like this, it’s pretty obvious how standard it was to cover up the Republican election stealing in Florida and Ohio, as well as squash investigations into dangerous drugs and national healthcare initiatives – on and on.
Molly Ivans said, “you gotta dance with the ones that brung ya’” and this is a great illustration of that. No wonder there’s “nothing on TV” – most anything valuable has been censored.
@dweebster: The Republicans really stole the 2006 elections, didn’t they? Enough with the political posts.
@TACP: Cat was out of the bag at that point. If there was a conspiracy with Diebold to rig the election for Republicans, no way they could do it in the face of all the news about hacking their voting machines, as well as criticism of the Republican administration. Not saying there was one, but Walden O’Dell’s comments REALLY didn’t help.
But that’s another episode.
@dweebster: You’re completely off topic with the political jibes. Knock it off.
@Pro-Pain: @jonworld: @crashfrog: Same with the global warming stuff. This article has nothing to do with that.
I’m embarassed to ask this, but how do I know if my card has RFID in it? I know it’s a violation of my rights to privacy, but it sounds like a violation of my privacy that could save me time. I see the new scanners around, and I am interested to try it, but I don’t want to piss off the clerk by waving around my possibly regular card next to the scanner.
I have a Wachovia Debit card, if it matters. I prefer to use it as a credit card for the float it gives me. I don’t ride with a low balance, but I try to slow my transactions down just in case I screw up or something goes wrong.
@TVarmy: I had to do a Google image search, but discovered I had an RFID Mastercard with the “blink” logo.
Did find out that microwaving is NOT recommended, which was my first thought:
[www.buzzsurf.com]
I’ve never requested RFID to be implemented in any of my cards. I knew about the security threat years ago, but now I’m paranoid about my cards. Guess I’ll just take a hammer to all of my cards just to be on the safe side.
They did an RFID thing on the show where Kerri got one implanted in her arm. That was the question not answered which I wondered when I saw the episode: Did she have it removed?? That was after I was thinking she was an idiot for having it implanted in the first place.
I got a special wallet with an interior lining made out of stainless steel that won’t allow RFID signals to penetrate. It’s made by a design house called Steward Stand. The only annoyance is that when I travel to Asia where they use RFID for metro passes and such, I have to switch to a different wallet.
Sweet, i’m going to see if we can play the video and talk about this at Hacking 201 tomorrow at Dragoncon (EFF Track).
This is exactly like how the Bush Administration deals with global warming: Hide the problem from people instead of just doing something to fix it.
@jonworld: Global warming? Are you serious or joking? I got news for you, global warming is a myth. And it needs to be busted. I sure in the hell could care less about global f’n warming when I live paycheck to paycheck. Please purchase a clue and your nearest Walmart store. Thank you.
@Pro-Pain: I got news for you, global warming is a myth.
“Global warming is a myth” is a myth.
And it needs to be busted.
When you can present the sound, peer-reviewed science that does, it will be.
They started putting RFID in the new US passport. It sounds like a lot of people just smash the RFID chip until it is unusable. While it is most likely illegal to do, it is a good idea imo, especially on credit cards.
@scooby2: RFID Passport Shield
RFID Blocking Wallet
I agree that this behaviour is obviously unethical, but many posters here have missed the point. The credit card companies are well aware that information on how to hack rfid’s is readily available on the internet – they know there is unlikely to be a increase in rfid crime because of a mythbusters episode. Their main concern is the damage it would do to consumer trust, and they can ill afford this with the current economic climate.
Maybe we should be worried as RFID is in your passport as well…although you can disable that one rather easily.
Cash is king, except the U.S. treasury prints too much of it, thus devaluing it for all of us.
Check out the news of MIT exposing the Boston Charlie card hacks. The MBTA stopped the students from exposing the flaws with a court order too.
I posted this in the RFID thread and I’ll also post it here; just call your CC company and ask to be opted out of RFID cards. The company I work for can send out replacements sans the chip, and I’d bet most companies can.
A hole punch or quick puncture from a razor blade will make any RFID card non RFID. I did this to an AmEx card with RFID a few years ago and it still works fine as swipable card. There is a chip and an antenna embedded in the card, just seperate the two and you are RFID free.
Also, maybe Mythbusters should look at moving to PBS. There the public good stands above the advertisers.
RFID isn’t the mark of the beast, folks, I can’t believe all the fear-mongering going on in this thread!
It’s a fairly new technology that is frequently used without appropriate safeguards, even when they are available, but that will get worked out as the tech becomes more common place. It’s just like cell phones, which you used to be able to hear with a police scanner, and everyone flipped out.
Yes there are tons of problems, and the security is more than lackluster. But it’s not permanent. Consumers/folks won’t stand for it for long.
But jeez… stabbing credit cards with hole punches and microwaving passports… it’s like the Salem Tech Trials conducted by the tin foil hat posse.
It’s not a problem if no one knows about?
Pure genius strikes again.
i think a better response would be to fix the leaks that the mythbusters exposed and then run the episode after the flaws in security have been closed
How about taking some responsibility and calling the bank? I did jut that with Chase and informed them my new shiny RFID-equipped card had accidentally on-purpose fallen into my shredder.
Amazing! New non-RFID equipped card showed up 4 days later… with a Slurpee!
Queue up the music for the Streisand effect.
Its sad because the miscreants that already know about this are actively doing it because the info is freely available on the internet, and the people that would find out about it for (possibly) the first time are the primarily the ones that need to defend themselves from it.
Either way, Mythbusters is a show for entertainment and not a “how to do illegal things” show. But since credit companies will never go away, and they are the ones that are putting this pointless, broken technology into credit cards for no good reason, of course it will be gagged.
almost sounds like black hat redux
AMEX’s RFID tags are slightly more secure since I think its a different account number. If you look at the last four digits of the card number on your receipt, they are different on RFID transactions.
Conspiracy theories notwithstanding, it’s always best practice to fix the problem and THEN publish the flaw.
For every pro criminal who may have already figured this out, there are probably 100 dumb ones for whom this show would just give them all the info they need.
The correct sequence of events should be:
1) Alert people that there is a problem and how to mitigate;
2) Fix the problem; and
3) Only then publish details of the flaw.
@hypnotoad: I don’t know if anybody has said this (i should read all comments before adding mine) but they would probably not give the entire secret away. Like when they don’t tell us all of the ingredients for stuff (explosives and the like)
@hypnotoad: but if they (the companies) know about the flaw, and refuse to fix the flaw, make it known.
then they’ll be forced to fix it.
In completely unrelated news, it seems that the YouTube video is mysteriously missing. I wonder why…
The real situation as I see it is not that Discovery aired it but that we must be constantly aware of technological advances in digital security (see: [www.justaskgemalto.com]) and insist from a consumer perspective that the highest standards are met at all times.
have read a few of the articles on your website now, and I really like your style of blogging. I added it to my favorites blog site list and will be checking back soon. Please check out my site as well and let me know what you think.http://www.acceptourcard.com