Blog article
See all stories »

An article relating to this blog post on Finextra:

NY commuters to trial contactless payments on buses and trains

MasterCard is working with transport operators in New York on a contactless payments trial that will enable customers to use devices such as cards, key fobs and mobile phones to pay fares on buses and...


See article

Hacker shows all - RFID ticket system for NYC, DC bad idea?

Bear in mind the ticket system uses RFID chips and in my experience the Black Hat's leave a trick or two up their sleeve so it's probably worse than one might think.
You probably have time to read this before you just check your Amex account, and yes I could just walk through Wall St during lunch and pluck a few hundred Amex cards out of the air, rather than the pockets of those I pass.

Amex - give me a call and I'll show you how to use any model mobile phone as a secure card without the dumb chip and the same to any other folks with 'smart' ideas.

Washington, 20th Feb 2008.

Hacker tool skims credit card account ID data off magnetic strips, RFID chips including Amex

Well known rocket scientist Adam Laurie  demonstrated and released a tool he developed for hacking credit-card mag strips as well as RFID chips implanted in some cards at Black Hat 2008  (the hackers conference) in Washingtion DC.

Laurie previously released Rfidiot Kit for hacking many RFID (credit cards, building passes, animal ID tags, passports, and more with it's extendable scripted kit) He used his newly released Chapy tool to read name and account, etc. data from an Amex credit card. The kit Laurie made uses Python (a script language) and, combined with a card reader, allows you to scan and clone the data stored on the credit card.

“I had been wondering what was on my credit card,” says Laurie, whose released tool will for now only works with Personal Computer/Smart Card (PCSC)-based technology.

Chapy reads the account identification information:-

:- primary account number,

:-expiration date, and

:-the card owner’s name.

Just what you need to buy something off the web or easily clone the credit card.

The tool also can hack cards with RFID tags, such as American Express cards, which he demonstrated here. “I didn’t need any authentication or PIN number,” he said as he demonstrated hacking an Amex 'smart' credit card, “And I’ve been told you can use this account number for online transactions,”

Laurie says American Express denied that the card store the name of the cardholder, however in the live demo Chapy did display the account holder’s name.

Laurie said Chapy is still “very much a work-in-progress,” and will it be available on the Rfidiots site today.

Hackers have previously shown how to scan cards at a great distance using a foil lined tube as a directional antenna. Looks like we'll all need foil lined pockets. Talk about dumb cards. I know your card supplier will be quick to try and reassure you that theirs is 100% safe, try telling that to Amex. Before you listen to the pitch about the new 'improved' card they can upgrade you with, think back to what they told you about this one.

It's just a matter of time before all those new-fangled gizmo's are out with the rubbish. Consumers have said time and time again that privacy is paramount - where's the privacy in this? Anonymous and secure transactions are what is required to keep the data where it belongs - inside the bank.

If you think it's hard securing PC networks, the chip is somewhat mentally impaired compared to a PC, how are they supposed to protect themselves? The methodology is flawed from the start and no amount of technology is going to make up for that. Best go and modify that risk assessment and have a second thought about committing vast sums of money to what is obviously a failed technology.


7369

Comments: (3)

Sriram Natarajan
Sriram Natarajan - Credit Risk Fraud Cards Professional - Gurgaon 23 February, 2008, 05:05Be the first to give this comment the thumbs up 0 likes Well, this isn't surprising. RFID technology has always been sneered at for cards. But MasterCard is merrily promoting PayPass and Visa has VisaWave; Amex offers ExpressPay. Does this mean that all these offerings are 'hackable'?
Paul Penrose
Paul Penrose - Finextra - London 25 February, 2008, 11:57Be the first to give this comment the thumbs up 0 likes Bad news also for Verichip, which manufactures RFID tags for body implants - a technology which has been used at a beach resort in Spain to enable sun-lovers to pay for treats on the beach without having to take their wallets out.  At the Black Hat magic show, Laurie, who has an injected RFID-tag, showed how easy it was not only to read the tag, but also to re-write the tag. During his demo, he used the coding sequence reserved for animal tagging to have his RFID chip declare him an animal.
A Finextra member
A Finextra member 25 February, 2008, 18:30Be the first to give this comment the thumbs up 0 likes

I can't say whether all cards have been hacked, and whether they are all 'hackable' today, but historically......

The methodology is flawed and the incentive to do so is there so in truth the answer must be yes. Any system which relies on a 'dumb' card to protect itself is doomed to failure.

Oyster kits have been on sale since before they were deployed in large numbers and there are no doubt many bright young things enjoying free travel from London to Hong Kong.

Current methodology will will always be susceptible - for instance - service station attendants can easily make extra money by simply inserting a dongle in the eftpos terminal connection. There are groups going around offering cash payments for doing just that. 

Of course the odds aren't all that great it'll happen to you yet, however perception is everything in the mind of the consumer and any quick quiz at a dinner party reveals the problem may be bigger than reported.

I suppose that's what Citi thought before their ATM cards were devastated. Amex is probably still in denial, and no doubt hard disk encryption sellers were very confident too before those nice gentlemen at Princeton revealed what some of us already knew.

Consumers are seeking, and no doubt will be soon demanding  - solutions which offer more privacy, with less personal data exposed in transactions.

4 rules for success with consumers -

Rule 1 - give them what they want. 

Rule 2 - give them what they want. 

Rule 3 -  tell them you'll give them what they want.

Rule 4 - give them what they want before someone else does.

Just ask any politician. 

The low risk answer for banks is probably - get together and give them what they want. Just remember - no amount of technology can make a flawed methodoloy into anything more than a flawed 'solution'. Wasn't there an old saying about the sow's ear?