Slashdot Log In
Would You Trust RFID-Enabled ATM Cards?
Posted by
Cliff
on Wed Dec 06, 2006 06:45 AM
from the bringing-new-meaning-to-'pick-pocketing' dept.
from the bringing-new-meaning-to-'pick-pocketing' dept.
race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?
race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.
Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
Related Stories
[+]
Mobile: Virus Jumps to RFID 109 comments
MrShaggy writes "According to a BBC article, researchers have been able to make the jump between RFID tags and viruses. They found that the mere act of scanning a mere 127 bytes could cause an attack vector that would corrupt databases. From the article;'"This is intended as a wake-up call," said Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work revealing the weaknesses on smart tags.
"We ask the RFID industry to design systems that are secure," he said.'"
[+]
IT: Hackers Clone E-Passport 185 comments
mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"
[+]
IT: RFID Passport Security "Poorly Conceived" 33 comments
tonk writes, "European expert researchers on identity and identity management summarize their findings from an analysis of passports with RFID and biometrics — Machine Readable Travel Documents or MRTDs — and recommend corrective measures that 'need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues... By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international MTRDs which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilizes technologies and standards that are poorly conceived for its purpose.' The European experts therefore come to similar conclusions as the Data Privacy and Integrity Advisory Committee of the US Department of Homeland Security in a draft report, which seems to be delayed."
[+]
IT: Possible Serious Security Flaw In ATMs 167 comments
sfjoe writes "According to a story at MSNBC.com, researchers at Algorithmic Research (ARX) have shown it may be possible for 'someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules'. Using these methods, an attacker could trick the security modules into exposing a PIN. It has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. If PINs can be compromised, the almost 8 billion transactions per year they handle may be in danger. Not to mention all the transaction at retail stores."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Disable the RFID (Score:5, Interesting)
Nuke it (Score:5, Insightful)
Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don't cost anything.
Nuke it from orbit (Score:3, Funny)
Re:Disable the RFID (Score:5, Interesting)
Funny ha ha, yes, but has anyone noticed that many science-fiction movies of recent years have included as a plot device one of the characters embedded with some sort of implant (in the brain, under the skin, etc.) or added to some common item (clothing, watch, pen, etc.) that was carried around? I recently watched Jonathan Demme's The Manchurian Candidate [imdb.com] on cable and it occurred to me that such a scenario doesn't have to involve a conspiracy of the highest order to be successful or involve a high-concept goal; unwitting or passive acceptance would work just fine, and the goal can be mundane but similarly insidious.
My guess is that monitoring technologies in various forms will increasingly become part of our daily lives. RFID chips, for example, seem destined to be everywhere [wikipedia.org], and while it's up to each of us to be as vigilant as the article's poster, the future will play out as a constant game of catch-up and workarounds for the select few in the know. Computers are part of our daily lives but knowledge of them is superficial at best. Should we expect the average person to have an inkling of how other technologies that come in smaller packages work?
Have you scanned yourself, lately?
Re: (Score:3, Interesting)
This has fascinating potential for spoofing.
If, in the future, we can expect to be tracked as a "package" of our worn and carried emitters, we can have a pre-built alternate package
Re:Disable the RFID (Score:5, Informative)
Re:Disable the RFID (Score:4, Informative)
Of course it means I have to take my Oyster card [tfl.gov.uk] out in order to use it, rather than wave the wallet at the reader - but that's the point!
Re: (Score:3, Insightful)
If you are pressing the button, the circuit closes and your card will enable a reader.
If you are not pressing the button, the circuit is open, and disables the RFID on the chip?
I mean, even my MacBook has a power button.
Not suprised about HSBC (Score:5, Interesting)
HSBC recently forced me to subscribe to the Verified by Visa marketing pseudosecurity garbageshiteware gimmick (the only one of cards I have that actually forced me to do so). During the subscription process I found out that the idiotic subscription interface does not maintain state with most non-mainstream browsers. In fact if you use Konqueror (or play around with your browser a bit) you can cruise through it with flying colours without it asking for verification information, passwords and the like. I was seriously tempted to go all the way and register a few cards for entertainment purposes, but end of the day decided not to.
So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", not could provide a contact. Still better then Amex though. Under similar circumstances 4 years ago when I tried to contact the Amex security dept with a similar bug they subscribed me to a mandatory 60 days of phone marketing and email marketing for good measure.
Frankly - they have no clue. Banking security at its best. Understanding is not required, BS and ISO numbers are.
Re:Not suprised about HSBC (Score:5, Insightful)
Re:Not suprised about HSBC (Score:5, Funny)
Hence forth all software found wanting shall be refered to as "pseudosecurity garbageshiteware". Man law???
why should they care abotu security, it's... (Score:4, Insightful)
Effing brainwashed sheep have bought into the identity theft ruse hook, line, sinker, and hummer to the fisherman.
Re:why should they care abotu security, it's... (Score:4, Insightful)
They may be at fault, but you are the one who is screwed.
Re:Not suprised about HSBC (Score:5, Interesting)
Nope for anything that needs security (Score:2, Interesting)
I'd use it for inventory management etc. like was the big hype when it first came out but I'd keep it out of ATM cards, passports... PEOPLE.
Absolutely not (Score:5, Informative)
Re: (Score:3, Insightful)
Sure why the heck not? We've got rfid passports and government IDs, rfid in our cars (toll passes), and rfid boarding passes just on the horizon. I mean, we've even got rfid in our TIRES making is possible to TRAC
Re:Absolutely not (Score:5, Insightful)
Using a credit card seems much safer than cash. If someone steals my cash, I'm out of luck. If someone steals my credit card or uses my account number without my authorization, I don't lose anything except the 10 minutes or so that I have to spend on the phone with the credit card company.
Not only no (Score:3)
Liability for unauthorised transactions? (Score:2)
My answer would depend entirely on who pays if the remotely accessible card data is used to make transactions without my authorisation:
If I pay, then it is in my interests to worry about the security of the card, and I'll want a card that's unlikely to
Re:Liability for unauthorised transactions? (Score:5, Insightful)
No matter who pays at first, in the end we all pay more because of shitty security.
Re: (Score:2)
Re: (Score:2)
Me: I've had enough of this shit, I quit
Bank: If you do, we'll have the government sieze all your money
Me: Hey, let's negot
Re: (Score:2)
New fashion accessory (Score:2, Interesting)
What use is an RFID to a bank?
--
E
um cost? (Score:4, Funny)
Oh, no, we're north american, we have to be different *cough* cdma *cough*, no way we can conform with the rest of the fucking world *cough* soccer *cough*...
Besides, RFID is not meant for privacy or security. It's meant to track inventory. The sooner these "experts" realize that the better. The sooner they realize that RFID readers are common place the even better.
Re: (Score:2)
Speaking as a guy that does RFID for a living... (Score:3, Informative)
I'd say that no, it isn't ready yet for handling security-sensitive tasks like credit card or debit card transactions. It's happening anyways, but I don't think it's mature enough to trust our bank accounts to them.
Just for a tiny bit of reassurance, RF
An article you may want to read. (Score:2)
RFID Detection (Score:4, Interesting)
Check the incentives (Score:5, Informative)
With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.
With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondarily responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.
It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from atm fraud are inherently perverse.
Another solution? How about Altoids tins? (Score:5, Interesting)
At work, we have RFID security badges. Mine is, obviously, in my Altoids tin. I can hold the tin against the sensor as long as I want; it won't scan. I pop it open (which is really easy to do one-handed once you get used to it), and it'll read from several inches away.
They also have several designer colors: red peppermint, aqua wintergreen, tan ginger, and my personal favorite -- black liquorice.
Destroy the tag... (Score:3, Informative)
Re: Check the incentive (Score:5, Insightful)
As it is, they make the -merchant- pay for it! And not only do they make us cover the price of the fraudulent transaction, but they ALSO tag an extra $25 -per fraud transaction- !! Heck, at this rate they might actually be MAKING money from fraud!!
If one customer buys 3 times with same fraudulent cc over a few days (say, for $5 items!), we pay $75 in -addition- to the cc company taking back the $15!!!!!
With the hundreds of Billions they process every day, do you really think there would be so much fraud if the cc companies were the ones really paying for it??
Re:Yes but..... (Score:5, Interesting)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
If you put a power switch on them, they wouldn't send back a signal even if you were getting RF energy.
That would pretty much end the ability for someone to sniff out your RFID tags in your credit cards and pa
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Re:Yes but..... (Score:5, Insightful)
Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.
-Charlie
Willing to stand by your statement? Are you sure you still don't have a problem with other people having access to your card data?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Not really, no. For Debit cards, yes. But you can just use them as a "Credit" card, and all you have to do is sign your name. You can also make online purchases without a pin.
Re: (Score:3, Informative)
Source: I work in e-Commerce for a catalog company.
Re: (Score:2)
Step 1: Higher up finds he's got all this money, but it's tied up in the company and he wants to sneak it out into my own pocket.
Step 2: Contract out with a friend for a zany new technological upg
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Not true. I don't want to use a system I know to be insecure, no matter if it has been exploited many times or never at all.