RE: [funsec] Vulnerabilities in First-Generation RFID-Enabled CreditCards

Larry Seltzer Larry at larryseltzer.com
Mon Oct 23 09:24:03 CDT 2006


I read the NYT article. It smelled of laziness that could be relatively
easily addressed in gen 2.
 
How about a fingerprint reader on the card that you nave to contact in
order for it to transmit? 
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/ <blocked::http://security.eweek.com/> 
http://blog.eweek.com/blogs/larry%5Fseltzer/
<http://blog.ziffdavis.com/seltzer> 
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com 
 

________________________________

From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org]
On Behalf Of rms at bsf-llc.com
Sent: Monday, October 23, 2006 9:30 AM
To: funsec at linuxbox.org
Subject: [funsec] Vulnerabilities in First-Generation RFID-Enabled
CreditCards


Here are all of the technical details.  I'm still scratching my head why
a RFID credit card doesn't have a little momentary contact switch which
must be pushed in order to activate the RFID chip.  With this simple
addition, cards can't be read on the sly.
 
Richard
 
________________________________

 
http://www.rfid-cusp.org/blog/blog-23-10-2006.html

Vulnerabilities in First-Generation RFID-Enabled Credit Cards


Monday, October 23, 2006 


RFID CUSP scientists have studied the security and privacy of
RFID-enabled credit cards. Here Ari Juels gives an overview of the
results.

Consumers in the United States today carry some twenty million or so
credit cards and debit cards equipped with RFID (Radio-Frequency
IDentification) chips. RFID chips communicate transaction data over
short distances via radio. They eliminate the need to swipe cards or
hand them to merchants. Consumers can instead make payments simply by
waving their cards-or even just their wallets-near point-of-sale
terminals. 

While appealing to both consumers and merchants, the convenience of RFID
credit cards has a flip side. What a legitimate merchant terminal can
read, a malicious scanning device can also read without a consumer's
consent or knowledge. RFID credit cards therefore call for particularly
careful security design.

A report released today by a team of scientists in the RFID Consortium
for Security and Privacy (RFID-CUSP) <http://www.rfid-cusp.org/>
reveals lapses in the security and privacy features of several types of
currently deployed RFID credit cards. The report (of which I am a
co-author) highlights two basic vulnerabilities in the cards under
study:

1.	Names in the clear: The RFID credit cards transmit bearer names
promiscuously. Any device capable of scanning a card can learn the name
imprinted on it-with or without the owner's consent. 

1.	Payment fraud: In varying degrees, the RFID credit cards are
vulnerable to an attack called "skimming." An attacker with an RFID
reader can harvest information from a card, create an inexpensive clone
device, and make charges against the legitimate card. (Alternatively, an
attacker may be able to perform online transactions with harvested
credit-card information.) Skimming requires minimal technical expertise
and expense. 

...

For details on the RFID-CUSP study, visit www.rfid-cusp.org
<http://www.rfid-cusp.org/> .


Technical manuscript 


Our technical paper is available in draft form: PDF
<http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf>  


Video demonstration 


We have a short video demonstrating some of the attacks from a technical
perspective. Please excuse our poor-quality video techniques: 11MB
Quicktime
<http://www.rfid-cusp.org.nyud.net:8090/videos/RFID-CC-video-part1.mov>
(coralized)

Check back next week for Part 2, a non-technical video.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://linuxbox.org/pipermail/funsec/attachments/20061023/903d13a6/attachment.htm


More information about the funsec mailing list