Would You Trust RFID-Enabled ATM Cards?
race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?
race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.
Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
Absolutely not (Score:5, Informative)
RFID Hacking kits available here. (Score:1, Informative)
Buy your RFID Readers http://froogle.google.co.uk/froogle?q=RFID+reader
Buy your RFID Tag/Chips http://www.gaotek.com/index.php?main_page=index&c
Buy your blank credit sized cards http://www.smartcardsupply.com/Content/Cards/card
What was the question again? "Would You Trust RFID Enabled ATM Cards?" Mmm, let me ponder that: NOOOOO.
Personally I have little or no hope for our open/free society, mainly after talking to friends, people on the train, anyone who understands RFID, and most people that I have talked/chatted to really do believe that RFID is a good thing; when questioned about some basic fact they just do not get it but follow on blind F^^KING FAITH.
RFID good for packages and tracking your stuff you ordered, useful for the company and client.
RFID good for making people believe that if a dick fits up your arse then it is compatible and you should adopt, even if it is not comfortable or useful, no questions just sit on it and smile.
Check the incentives (Score:5, Informative)
With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.
With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondary responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.
It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from ATM fraud are inherently perverse.
Re:Benefits? (Score:2, Informative)
Re:Yes but..... (Score:3, Informative)
Destroy the tag... (Score:3, Informative)
Re:Metal wallet (Score:2, Informative)
Or, much easier, find someplace with an RFID reader at the cash register and find someplace to hide a high-gain directional antenna. Let the legitimate reader do the work of powering the tag on the card, and then log the data being broadcast by the tag with the antenna.
RFID tags broadcast omni-directionally. So the reader doesn't have to be in a specific spot. It just has to be close enough to the tag. RFID tags' usable range (distance between tag and reader) is limited by two factors:
1) The tag has to be in a "strong enough" EM field to run.
2) The reader has to have a sensitive enough antenna to be able to receive the data being transmitted by the tag.
Re:Disable the RFID (Score:5, Informative)
Re:Disable the RFID (Score:4, Informative)
Of course it means I have to take my Oyster card [tfl.gov.uk] out in order to use it, rather than wave the wallet at the reader - but that's the point!
Re:I'll speak slowly for you (Score:2, Informative)
Account Number
Expiration Date
Amount to charge
That's it. No PIN, no 3 digit code from the back, no name, and no address required. It's a little frightening that you don't even need a name.
Speaking as a guy that does RFID for a living... (Score:3, Informative)
I'd say that no, it isn't ready yet for handling security-sensitive tasks like credit card or debit card transactions. It's happening anyways, but I don't think it's mature enough to trust our bank accounts to them.
Just for a tiny bit of reassurance, RFID tags and readers used in credit card/debit card applications (I know because I help make these readers, though I'm still new to the business) include cryptography features such as encrypted data transfer and authentication. In other words, if you don't have the correct crypto keys in the RFID tag and the RFID reader, they will refuse to speak to each other, and anyone trying to listen to the signals will get nothing but encrypted data.
That helps to ensure that random Joe Scumbag can't get himself a handheld reader, wave it a few feet from people's wallets and electronically pick pockets in the simple case. We're assuming that crypto keys are kept secure, so that only authorized card readers have the crypto keys required to authenticate themselves to the cards, and only authorized people have the keys required to encode the cards in such a way that they'll authenticate to the readers, and that the readers have secure connections to the credit card networks. Unfortunately, that's a big assumption to make.
Personally, the scenario of electronic pickpocketing does concern me. I've seen RFID tags read from 30 feet away (though you need a reader with a relatively powerful transceiver, which isn't as portable.) Handheld readers are more likely to have ranges between a few inches and a few feet, depending on the power level of the reader's signal, the type of tag, the phase of the moon, and the number of RF gremlins present. If the authentication can be circumvented, it probably will be, since there is significant money involved.
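An added illustration of the authentication idea in the comment above (not code from the thread or from any card vendor): a minimal mutual challenge-response in which tag and reader each prove knowledge of a shared key over fresh nonces, so a recorded exchange cannot be reused. The HMAC-SHA256 construction, the class and function names and the sample keys are assumptions for illustration; real payment cards use their own protocols, and the data encryption the comment mentions is not modelled.

```python
import hashlib, hmac, secrets

def mac(key, role, *nonces):
    """Proof of key knowledge over a role label and both nonces (assumed HMAC-SHA256)."""
    return hmac.new(key, role + b"".join(nonces), hashlib.sha256).digest()

class Tag:
    def __init__(self, key):
        self._key, self._nt = key, None

    def hello(self):
        self._nt = secrets.token_bytes(16)        # fresh tag nonce per session
        return self._nt

    def answer(self, nr, reader_proof):
        nt, self._nt = self._nt, None             # each tag nonce is single-use
        if nt is None or not hmac.compare_digest(
                mac(self._key, b"reader", nt, nr), reader_proof):
            return None                           # reader lacks the key: stay silent
        return mac(self._key, b"tag", nr, nt)

class Reader:
    def __init__(self, key):
        self._key = key

    def challenge(self, nt):
        self._nt, self._nr = nt, secrets.token_bytes(16)   # fresh reader nonce
        return self._nr, mac(self._key, b"reader", nt, self._nr)

    def accept(self, tag_proof):
        expected = mac(self._key, b"tag", self._nr, self._nt)
        return tag_proof is not None and hmac.compare_digest(expected, tag_proof)

def run_session(tag, reader):
    """Return (accepted, transcript); the transcript is all a listener sees."""
    nt = tag.hello()
    nr, reader_proof = reader.challenge(nt)
    tag_proof = tag.answer(nr, reader_proof)
    return reader.accept(tag_proof), (nt, nr, reader_proof, tag_proof)

def replay_to_reader(reader, transcript):
    reader.challenge(transcript[0])               # reader picks a new nonce
    return reader.accept(transcript[3])           # recorded tag proof no longer matches

def replay_to_tag(tag, transcript):
    tag.hello()                                   # tag picks a new nonce
    return tag.answer(transcript[1], transcript[2])   # recorded reader proof is refused
```

Fresh nonces make a recorded transcript useless for replay, but everything rests on the key-secrecy assumption the comment itself flags. They also do not address the relay attack in the Kfir and Wool paper linked elsewhere in the thread, where a live card answers the forwarded challenge.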
Re:I'll speak slowly for you (Score:3, Informative)
Source: I work in e-Commerce for a catalog company.
Re:Nuke it (Score:1, Informative)
Make sure you go slow to get the most enjoyment out of it.
In the top left hand corner of the front of card there is a small square indentation. Aim there.
Re:Nuke it (Score:2, Informative)
Since I had a junk Chase RFID ATM, I wanted to try the whole microwave thing, here are the results:
Used a microwave on low for 3 sec, POP went the RFID chip. Leaving the rest of the card looking/working fine.
Wanting to push the limit of the ATM card, 15 sec on low starts melting process, after 35 sec the ATM card becomes a small glob of goo.
We don't need RFID chips in ATM/credit cards, really how hard is it to pull your wallet out and swipe the card through a reader?
PS -- I still request paper statements as well.
Re:Yes but..... (Score:3, Informative)
Anyone stating "max distance" for RF is creating limits where none exist. With a correctly-sized transmitter, a sensitive enough receiver, and a large enough antenna, there's nothing preventing reading over much greater distances.
The "hacker" world distance record for reading RFID tags (not necessarily the same technology that's in these credit cards) was set at Defcon in August 2005. It was 69 feet, or over 21 meters. You can see the Make Photo Blog [makezine.com] pictures of the gear used. While the kit may look bulky, 69 feet would allow you to have it in a van parked outside a store shooting in through the windows.
Regarding the correctly sized antenna, the WiFi shootout [wifi-shootout.com] that year scored a record 125 miles for an unamplified 802.11 link. 125 miles from a pair of hundred-milliwatt transceivers chatting at 11 Mbps.
And don't assume it's not worth the trouble, either. You don't know what dollar values may be transacted via RFID, nor what thefts may be possible with the intercepted data.
That's not to say that encryption isn't capable of rendering the data useless to an eavesdropper. We don't know if it is or isn't good encryption, but that's immaterial. Don't rely on distance alone to protect you. It won't.
Re:Disable the RFID (Score:2, Informative)
If you want information from the industry side, go look at: Smart Card Alliance [smartcardalliance.org]. They provide a wealth of information on the subject.
There is also a paper [chi-publishing.com] on "contactless" smartcard security.
From the other side, you can read the paper [iacr.org] on "Relay Attacks" by Kfir and Wool.
There is also a piece [nytimes.com] in the New York Times.
Most credit card companies are going to be coming out with these cards. This is what the MasterCard PayPass commercials are about. The main issues will be with the way the individual banks implement security. They aren't supposed to transmit your name, or provide the number from your card. What you are hearing about are the situations where the security wasn't implemented. I'm not saying there aren't concerns.
My question is what is going to happen when we have three of these cards in our wallet and we go to pay. Do we get prompted for which one to use? On a further note, it looks like they want to put the chip in your cell phone and you would be able to select your method of payment from your phone.
Re:Yes but..... (Score:3, Informative)
My assumption in this case is that the RFID technology will be of some standard similar to those stated in my parent post (ISO 15693, 14443 or other HF standards). In this case, the tags are inductively coupled [com.com] with the reader antenna primarily through the magnetic field produced by the current through the antenna wire. This field loses strength very quickly as you move from the source, which means a VERY limited read range. The technologies mentioned (UHF and WiFi) interact with the electromagnetic field, which propagates nicely through the air and thus gives longer range. (We can, of course, try to discuss all the lovely physics if needed, but this is my attempt at simplification.)
Basically, my point is that while I concede it is possible to hack into RFID credit cards, it is NOT as easy as many like to believe, and I don't feel nearly as threatened as some would suggest I should feel. Also, RFID is NOT one technology. It is a mishmash of all kinds of different standards comprising multiple frequencies and technologies and so should not be lumped together as the one evil tech it is commonly identified as.
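An added worked example (not part of the original comment) of the near-field falloff described above, using the standard on-axis field formula for a circular loop antenna and the 1.5 A/m minimum operating field from ISO/IEC 14443-2. The antenna radius and ampere-turn figures are constructed sample values, and the function names are this example's own.

```python
import math

H_MIN_14443 = 1.5                       # A/m rms, minimum operating field (ISO/IEC 14443-2)
WAVELENGTH_M = 299_792_458 / 13.56e6    # about 22.1 m at the 13.56 MHz HF carrier

def h_on_axis(ampere_turns, radius_m, x_m):
    """Field strength (A/m) at distance x on the axis of a circular loop antenna."""
    return ampere_turns * radius_m**2 / (2 * (radius_m**2 + x_m**2) ** 1.5)

def powering_range(ampere_turns, radius_m, h_min=H_MIN_14443):
    """Distance (m) where the on-axis field drops to h_min; 0.0 if never reached."""
    s = (ampere_turns * radius_m**2 / (2 * h_min)) ** (2 / 3) - radius_m**2
    return math.sqrt(s) if s > 0 else 0.0

def falloff_db_per_doubling(radius_m, x_m):
    """Field loss in dB when distance goes from x to 2x (a 1/r far field loses about 6 dB)."""
    return 20 * math.log10(h_on_axis(1, radius_m, x_m) / h_on_axis(1, radius_m, 2 * x_m))

def near_field_limit():
    """lambda / (2*pi): the inductive-coupling model only holds well inside this."""
    return WAVELENGTH_M / (2 * math.pi)

if __name__ == "__main__":
    radius = 0.05                       # constructed sample: 5 cm loop radius
    for at in (1, 8, 64):               # constructed sample ampere-turn values
        print(f"{at:3d} A-turns -> tag powered out to {powering_range(at, radius) * 100:5.1f} cm")
    print(f"loss per doubling at 50 cm: {falloff_db_per_doubling(radius, 0.5):.1f} dB")
    print(f"near-field model valid well below {near_field_limit():.2f} m")
```

This models only the first of the two limits listed earlier in the thread, the field needed to power the tag; the distance at which an already-powered tag's reply can be received is a separate limit and is not computed here.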
Re:Disable the RFID (Score:2, Informative)