Bear in mind the ticket system uses RFID chips, and in my experience the Black Hats leave a trick or two up their sleeve, so it's probably worse than one might think.
You probably have time to read this before you just check your Amex account, and yes, I could just walk through Wall St during lunch and pluck a few hundred Amex cards out of the air, rather than the pockets of those I pass.
Amex - give me a call and I'll show you how to use any model mobile phone as a secure card without the dumb chip and the same to any other folks with 'smart' ideas.
Washington, 20th Feb 2008.
Hacker tool skims credit card account ID data off magnetic strips, RFID chips including Amex
Well known rocket scientist Adam Laurie demonstrated and released a tool he developed for hacking credit-card mag strips, as well as RFID chips implanted in some cards, at Black Hat 2008 (the hackers conference) in Washington DC.
Laurie previously released the Rfidiot Kit for hacking many RFID devices (credit cards, building passes, animal ID tags, passports, and more, with its extendable scripted kit). He used his newly released Chapy tool to read name, account, etc. data from an Amex credit card. The kit Laurie made uses Python (a scripting language) and, combined with a card reader, allows you to scan and clone the data stored on the credit card.
“I had been wondering what was on my credit card,” says Laurie, whose released tool will for now only work with Personal Computer/Smart Card (PCSC)-based technology.
Chapy reads the account identification information:
:- primary account number,
:- expiration date, and
:- the card owner’s name.
Just what you need to buy something off the web or easily clone the credit card.
The tool can also hack cards with RFID tags, such as American Express cards, which he demonstrated here. “I didn’t need any authentication or PIN number,” he said as he demonstrated hacking an Amex 'smart' credit card. “And I’ve been told you can use this account number for online transactions.”
Laurie says American Express denied that the card stores the name of the cardholder; however, in the live demo Chapy did display the account holder’s name.
Laurie said Chapy is still “very much a work-in-progress,” and it will be available on the Rfidiots site today.
Hackers have previously shown how to scan cards at a great distance using a foil-lined tube as a directional antenna. Looks like we'll all need foil-lined pockets. Talk about dumb cards. I know your card supplier will be quick to try and reassure you that theirs is 100% safe; try telling that to Amex. Before you listen to the pitch about the new 'improved' card they can upgrade you with, think back to what they told you about this one.
It's just a matter of time before all those new-fangled gizmos are out with the rubbish. Consumers have said time and time again that privacy is paramount - where's the privacy in this? Anonymous and secure transactions are what is required to keep the data where it belongs - inside the bank.
If you think it's hard securing PC networks, the chip is somewhat mentally impaired compared to a PC; how are they supposed to protect themselves? The methodology is flawed from the start and no amount of technology is going to make up for that. Best go and modify that risk assessment and have a second thought about committing vast sums of money to what is obviously a failed technology.