Would You Trust RFID-Enabled ATM Cards?

Posted by Cliff on Wed Dec 06, 2006 07:45 AM
from the bringing-new-meaning-to-'pick-pocketing' dept.
race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?


race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.

Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"

Related Stories

[+] Mobile: Virus Jumps to RFID 109 comments
MrShaggy writes "According to a BBC article, researchers have been able to make the jump between RFID tags and viruses. They found that the mere act of scanning a mere 127 bytes could cause an attack vector that would corrupt databases. From the article: '"This is intended as a wake-up call," said Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work revealing the weaknesses on smart tags. "We ask the RFID industry to design systems that are secure," he said.'"
[+] IT: Hackers Clone E-Passport 185 comments
mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"
[+] IT: RFID Passport Security "Poorly Conceived" 33 comments
tonk writes, "European expert researchers on identity and identity management summarize their findings from an analysis of passports with RFID and biometrics — Machine Readable Travel Documents or MRTDs — and recommend corrective measures that 'need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues... By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international MRTDs which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilizes technologies and standards that are poorly conceived for its purpose.' The European experts therefore come to similar conclusions as the Data Privacy and Integrity Advisory Committee of the US Department of Homeland Security in a draft report, which seems to be delayed."
[+] News: Possible Serious Security Flaw In ATMs 167 comments
sfjoe writes "According to a story at MSNBC.com, researchers at Algorithmic Research (ARX) have shown it may be possible for 'someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules'. Using these methods, an attacker could trick the security modules into exposing a PIN. It has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. If PINs can be compromised, the almost 8 billion transactions per year they handle may be in danger. Not to mention all the transactions at retail stores."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Disable the RFID (Score:5, Interesting)

    by Ice Wewe (936718) on Wednesday December 06 2006, @07:52AM (#17127008)
    Just wrap the card in Tin foil. You can keep the magnetic strip (assuming it still has one) uncovered so that you can still check-out the old way. That's the only non-destructive way I'm aware of for disabling an RFID chip.
    • Nuke it (Score:5, Insightful)

      by brunes69 (86786) <slashdot@NoSpam.keirstead.org> on Wednesday December 06 2006, @08:08AM (#17127132) Homepage
      An RFID chip will fry in seconds in a microwave. It takes much longer than that to affect the plastic. And the magnetic stripe will not be affected at all, until the plastic starts to melt.

      Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don't cost anything.

    • Re:Disable the RFID (Score:5, Interesting)

      by value_added (719364) on Wednesday December 06 2006, @08:33AM (#17127300)
      Just wrap the card in Tin foil.

      Funny ha ha, yes, but has anyone noticed that many science-fiction movies of recent years have included as a plot device one of the characters embedded with some sort of implant (in the brain, under the skin, etc.) or added to some common item (clothing, watch, pen, etc.) that was carried around? I recently watched Jonathan Demme's The Manchurian Candidate [imdb.com] on cable and it occurred to me that such a scenario doesn't have to involve a conspiracy of the highest order to be successful or involve a high-concept goal; unwitting or passive acceptance would work just fine, and the goal can be mundane but similarly insidious.

      My guess is that monitoring technologies in various forms will increasingly become part of our daily lives. RFID chips, for example, seem destined to be everywhere [wikipedia.org], and while it's up to each of us to be as vigilant as the article's poster, the future will play out as a constant game of catch-up and workarounds for the select few in the know. Computers are part of our daily lives but knowledge of them is superficial at best. Should we expect the average person to have an inkling of how other technologies that come in smaller packages work?

      Have you scanned yourself, lately?
    • Re:Disable the RFID (Score:5, Informative)

      by michaelaiello (841620) on Wednesday December 06 2006, @10:11AM (#17128414) Homepage
      Even better, you can get the real deal. RFID Blocking Wallets and passport cases http://www.difrwear.com/ [difrwear.com].
    • Re:Disable the RFID (Score:4, Informative)

      by StressedEd (308123) <ej.graceNO@SPAMimperial.ac.uk> on Wednesday December 06 2006, @10:34AM (#17128798) Homepage
      More stylish than tin foil, a Muji Aluminium card holder [mujionline.co.uk]. I use one as my wallet, storing everything but coins. It has the added benefit that you absolutely cannot squeeze that one last thing in to your wallet - so it doesn't end up looking like a sphere.

      Of course it means I have to take my Oyster card [tfl.gov.uk] out in order to use it, rather than wave the wallet at the reader - but that's the point!

  • by arivanov (12034) on Wednesday December 06 2006, @07:55AM (#17127026) Homepage
    Not surprised about HSBC. In fact, surprised about some sense from Chase.

    HSBC recently forced me to subscribe to the Verified by Visa marketing pseudosecurity garbageshiteware gimmick (the only one of cards I have that actually forced me to do so). During the subscription process I found out that the idiotic subscription interface does not maintain state with most non-mainstream browsers. In fact if you use Konqueror (or play around with your browser a bit) you can cruise through it with flying colours without it asking for verification information, passwords and the like. I was seriously tempted to go all the way and register a few cards for entertainment purposes, but end of the day decided not to.

    So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", nor could provide a contact. Still better than Amex though. Under similar circumstances 4 years ago when I tried to contact the Amex security dept with a similar bug they subscribed me to a mandatory 60 days of phone marketing and email marketing for good measure.

    Frankly - they have no clue. Banking security at its best. Understanding is not required, BS and ISO numbers are.
    • by Bazman (4849) on Wednesday December 06 2006, @08:14AM (#17127162) Journal
      Talk to a financial journalist. Not only will they have contacts at the bank, but the bank will fear them more than they fear you...

    • by canesfan (607211) on Wednesday December 06 2006, @09:01AM (#17127538)
      "pseudosecurity garbageshiteware"

      Henceforth all software found wanting shall be referred to as "pseudosecurity garbageshiteware". Man law???

    • by Anonymous Coward on Wednesday December 06 2006, @09:20AM (#17127748)
      been made your problem by way of the 'identity theft' myth. There's no such thing as identity theft. When someone gives your money or loans their money to the wrong person, thinking it's you, THEY ARE AT FAULT.

      Effing brainwashed sheep have bought into the identity theft ruse hook, line, sinker, and hummer to the fisherman.
    • by EatHam (597465) on Wednesday December 06 2006, @10:27AM (#17128670)
      So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", nor could provide a contact.
      Careful doing that. I've heard of *ahem* someone *ahem* doing the same thing with a bank, and having to spend several weeks giving depositions to the police, talking to the fbi, and basically being treated like a criminal. Moral of the story, switch your account and shut up about it, or it could easily become a giant hassle for you.
  • Absolutely not (Score:5, Informative)

    by techmuse (160085) on Wednesday December 06 2006, @08:03AM (#17127080)
    As a security expert who has done studies on RFID security, I would have to say absolutely not. I would switch banks.
    • Re:Absolutely not (Score:5, Insightful)

      by nasor (690345) on Wednesday December 06 2006, @12:23PM (#17130962)
      If your bank really wants to make it easy for people to rip them off, it's not really your problem is it? I've never understood why people care so much about credit card security. If someone steals your credit card number and uses it to buy something, you just report the charge as fraudulent. No credit card company charges customers for fraudulent charges made on their account.

      Using a credit card seems much safer than cash. If someone steals my cash, I'm out of luck. If someone steals my credit card or uses my account number without my authorization, I don't lose anything except the 10 minutes or so that I have to spend on the phone with the credit card company.
  • by bhima (46039) <Bhima DOT Pandava AT gmail DOT com> on Wednesday December 06 2006, @08:05AM (#17127098) Journal
    Not only no but hell no.
  • um cost? (Score:4, Funny)

    by tomstdenis (446163) <`moc.liamg' `ta' `sinedtsmot'> on Wednesday December 06 2006, @08:29AM (#17127262) Homepage
    Instead of spending that money on putting RFID in, why not just release, oh, I dunno, SMART CARDS!!!

    Oh, no, we're north american, we have to be different *cough* cdma *cough*, no way we can conform with the rest of the fucking world *cough* soccer *cough*...

    Besides, RFID is not meant for privacy or security. It's meant to track inventory. The sooner these "experts" realize that the better. The sooner they realize that RFID readers are commonplace, the even better.
  • RFID Detection (Score:4, Interesting)

    by Chaos1 (466833) on Wednesday December 06 2006, @08:51AM (#17127424) Homepage
    Does anyone know if there are RFID Detection scanners available? I know there are remote readers, but I was thinking more along the lines of a scanner which simply lights up an LED, beeps or something along those lines when it comes in close proximity to RFID. It seems with all the hidden tagging of clothes, shopping carts, etc. that this might be something handy to have.
  • Check the incentives (Score:5, Informative)

    by inviolet (797804) <pineminderNO@SPAMyahoo.com> on Wednesday December 06 2006, @08:51AM (#17127432) Journal

    With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.

    With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondary responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.

    It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from ATM fraud are inherently perverse.

  • by ClayJar (126217) on Wednesday December 06 2006, @09:06AM (#17127590) Homepage
    For several years now, I've been carrying my personal card collection (credit, discount, ID, etc) in an Altoids tin. It's the perfect size for such cards, and it protects them from me. Also, it has the added benefit of being quite the faraday cage. Unlike foil, which can easily tear, an Altoids tin can take *quite* the beating without any significant damage.

    At work, we have RFID security badges. Mine is, obviously, in my Altoids tin. I can hold the tin against the sensor as long as I want; it won't scan. I pop it open (which is really easy to do one-handed once you get used to it), and it'll read from several inches away.

    They also have several designer colors: red peppermint, aqua wintergreen, tan ginger, and my personal favorite -- black liquorice. :)
  • Destroy the tag... (Score:3, Informative)

    by Ghostalker474 (1022885) <Ghostalker AT gmail DOT com> on Wednesday December 06 2006, @09:32AM (#17127884)
    I've been researching this for one of my master's classes (I know, I'm a student, but hear me out) and I came across 2 ways of non-destructively stopping the tag. The first is simply blocking the tag with another tag, so that when the RFID reader goes to energize the tag, it gets a garbled response that even error-correcting software can't figure out. The second is to broadcast a kill-code to the tag. The kill code closes the circuit to a specified part of the chip, effectively overwriting the memory. This is the equivalent of removing the CMOS password on a motherboard, close the circuit, and when energized.... game over. The best thing to do would be to (yes) throw it in the microwave for 3-5 seconds [so as not to melt the plastic or the magnetic strip] and then go on using it with the RFID feature disabled. Personally, after all the research I've done on the security of RFID... I doubt the encryption is strong enough to block a dedicated reader. Hell, remember when they said WEP on 802.11b was unbreakable? I'll stick with my small-hometown bank, since they likely won't upgrade for some time.
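The tag-blocking idea mentioned in the comment above, as an added example that is not part of the original thread: a simplified model of binary tree-walking singulation in which a blocker tag answers both bit values inside a protected ID prefix, so the reader cannot tell real IDs from phantom ones. The protocol model, the function names and the tag IDs are assumptions made for illustration and do not describe any specific card standard.

```python
# Added illustration (not from the thread): simplified binary tree-walking
# singulation. Tag IDs are constructed bit strings, not real card data.

def heard_bits(prefix, tags, blocker_zone):
    """Next-bit values the reader hears after broadcasting `prefix`."""
    n = len(prefix)
    heard = {t[n] for t in tags if t.startswith(prefix)}
    if blocker_zone is not None:
        if prefix.startswith(blocker_zone):
            # Inside the protected zone the blocker answers 0 and 1 at once,
            # so the reader sees a collision at every node.
            heard |= {"0", "1"}
        elif blocker_zone.startswith(prefix):
            # On the way to the zone it behaves like one ordinary tag.
            heard.add(blocker_zone[n])
    return heard


def singulate(tags, id_bits, blocker_zone=None, max_queries=1000):
    """Depth-first tree walk. Returns (ids_seen, queries_used, completed)."""
    seen, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == id_bits:
            seen.append(prefix)      # reader believes this ID is present
            continue
        if queries >= max_queries:
            return seen, queries, False   # reader gives up
        queries += 1
        for bit in sorted(heard_bits(prefix, tags, blocker_zone), reverse=True):
            stack.append(prefix + bit)
    return seen, queries, True


REAL_TAGS = ["0010", "0111", "1010"]   # constructed 4-bit IDs

if __name__ == "__main__":
    print(singulate(REAL_TAGS, 4))                    # no blocker: exact read
    print(singulate(REAL_TAGS, 4, blocker_zone="1"))  # zone "1" hides 1010
    print(singulate(REAL_TAGS, 4, blocker_zone="")[1:])
    # With realistic ID widths the walk cannot finish at all.
    wide = [format(x, "064b") for x in (0x1234, 0xBEEF)]
    print(singulate(wide, 64, blocker_zone="")[1:])
```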
  • by Erick Lionheart (745320) on Wednesday December 06 2006, @10:33AM (#17128770) Homepage
    Uh... no? If the credit card companies were the ones paying for the fraud done with credit cards, there would BE next to 0 fraud.

    As it is, they make the -merchant- pay for it! And not only do they make us cover the price of the fraudulent transaction, but they ALSO tag an extra $25 -per fraud transaction- !! Heck, at this rate they might actually be MAKING money from fraud!!

    If one customer buys 3 times with same fraudulent cc over a few days (say, for $5 items!), we pay $75 in -addition- to the cc company taking back the $15!!!!!

    With the hundreds of Billions they process every day, do you really think there would be so much fraud if the cc companies were the ones really paying for it?? :/
    • Re:Yes but..... (Score:5, Interesting)

      by flyboy974 (624054) on Wednesday December 06 2006, @08:03AM (#17127082)
      The reality is that by forcing a "swipe" of a card through a reader, this enforces the act of choosing to provide the information. With RFID, you can read it from across the room given a good transmitter and a sensitive receiver. Why should we need to add a new layer when the old physical layer works just fine? The new RFID does NOT save time. You can't just wave your wallet or purse over the weak reader (which is far weaker than a hacker would be using) if you had multiple cards. How would it tell them apart? You still end up having to take the card out. The difference is Mag Stripe (physical contact.. almost), or RFID, Radio Broadcast. I'll take the Mag Stripe or the Smart Card chip (which required physical contact).
        • These are non-powered RFID tags. There is no "on/off" for them. If you wanted powered RFID, you'd have to include a battery, making the new card larger and bulkier than the old cards.
    • Re:Yes but..... (Score:5, Insightful)

      by tttonyyy (726776) on Wednesday December 06 2006, @08:07AM (#17127122) Homepage Journal

      I would, but everyone seems to forget that you can have RFID and a PIN or other second form of ID. I would have no problem as long as there was an OPTION for a second method of authentication to be applied.

      Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.

      -Charlie
      Tell you what, why not post your card details here (including the three digits on the reverse), but NOT THE PIN, and we'll see how many of us can buy something with it.

      Willing to stand by your statement? Are you sure you still don't have a problem with other people having access to your card data?