
Hacker shows all - RFID ticket system for NYC, DC bad idea?


Bear in mind the ticket system uses RFID chips, and in my experience the Black Hats leave a trick or two up their sleeve, so it's probably worse than one might think.
You probably have time to read this before you just check your Amex account, and yes I could just walk through Wall St during lunch and pluck a few hundred Amex cards out of the air, rather than the pockets of those I pass.

Amex - give me a call and I'll show you how to use any model mobile phone as a secure card without the dumb chip and the same to any other folks with 'smart' ideas.

Washington, 20th Feb 2008.

Hacker tool skims credit card account ID data off magnetic strips, RFID chips including Amex

Well-known rocket scientist Adam Laurie demonstrated and released a tool he developed for hacking credit-card mag strips, as well as RFID chips implanted in some cards, at Black Hat 2008 (the hackers conference) in Washington DC.

Laurie previously released the Rfidiot Kit for hacking many RFID devices (credit cards, building passes, animal ID tags, passports, and more with its extendable scripted kit). He used his newly released Chapy tool to read name, account and other data from an Amex credit card. The kit Laurie made uses Python (a scripting language) and, combined with a card reader, allows you to scan and clone the data stored on the credit card.

“I had been wondering what was on my credit card,” says Laurie, whose released tool for now only works with Personal Computer/Smart Card (PCSC)-based technology.

Chapy reads the account identification information:

- primary account number,
- expiration date, and
- the card owner’s name.

Just what you need to buy something off the web or easily clone the credit card.

The tool can also hack cards with RFID tags, such as American Express cards, which he demonstrated here. “I didn’t need any authentication or PIN number,” he said as he demonstrated hacking an Amex 'smart' credit card. “And I’ve been told you can use this account number for online transactions.”

Laurie says American Express denied that the card stores the name of the cardholder; however, in the live demo Chapy did display the account holder’s name.

Laurie said Chapy is still “very much a work-in-progress,” and it will be available on the Rfidiots site today.

Hackers have previously shown how to scan cards at a great distance using a foil-lined tube as a directional antenna. Looks like we'll all need foil-lined pockets. Talk about dumb cards. I know your card supplier will be quick to try and reassure you that theirs is 100% safe; try telling that to Amex. Before you listen to the pitch about the new 'improved' card they can upgrade you with, think back to what they told you about this one.

It's just a matter of time before all those new-fangled gizmos are out with the rubbish. Consumers have said time and time again that privacy is paramount - where's the privacy in this? Anonymous and secure transactions are what is required to keep the data where it belongs - inside the bank.

If you think it's hard securing PC networks, the chip is somewhat mentally impaired compared to a PC; how are these chips supposed to protect themselves? The methodology is flawed from the start and no amount of technology is going to make up for that. Best go and modify that risk assessment and have a second thought about committing vast sums of money to what is obviously a failed technology.


External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
