Would You Trust RFID-Enabled ATM Cards?

race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?

race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.

Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
  • Disable the RFID (Score:5, Interesting)

    by Ice Wewe ( 936718 ) on Wednesday December 06, 2006 @07:52AM (#17127008)
    Just wrap the card in Tin foil. You can keep the magnetic strip (assuming it still has one) uncovered so that you can still check-out the old way. That's the only non-destructive way I'm aware of for disabling an RFID chip.
    • Nuke it (Score:5, Insightful)

      by brunes69 ( 86786 ) <slashdot.keirstead@org> on Wednesday December 06, 2006 @08:08AM (#17127132) Homepage
      An RFID chip will fry in seconds in a microwave. It takes much longer than that to affect the plastic. And the magnetic stripe will not be affected at all, until the plastic starts to melt.

      Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don't cost anything.

      • Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
        IMO, a microwave isn't terribly passive.

        Now a hammer...

        /if you beat the shit out of the RFID, you'll either break the antenna or crush the ID chip.
        //works on mag strips too (like your driver's license)
      • by Wolfger ( 96957 )
        You are assuming that these items (ATM card, passport, etc) continue to function or be valid with a disabled chip. I sincerely doubt that is the case. These things are being put there for more than cosmetic reasons.
        • by nasor ( 690345 )
          How many cashiers today bat an eye at a card whose magnetic strip is damaged/erased?
          • by Wolfger ( 96957 )
            You give your ATM card to cashiers? I put mine into an ATM. It does care very strongly about the magnetic strip. I'm sure it will care about the RFID when that takes over. You have a valid point that cards won't become completely useless... Just like I'm sure I could leave the USA with a passport that has a disabled RFID, but I'm not so confident I would be able to return. Certain venues will ignore the RFID, while others will absolutely require it.
      • Re: (Score:2, Informative)

        by loki_2525 ( 173281 )
        Chase was pushing hard on the RFID ATM card, until I told them I would cancel my account :)

        Since I had a junk Chase RFID ATM, I wanted to try the whole microwave thing, here are the results:

        Used a microwave on low for 3 sec, POP went the RFID chip. Leaving the rest of the card looking/working fine.
        Wanting to push the limit of the ATM card, 15 sec on low starts melting process, after 35 sec the ATM card becomes a small glob of goo.

        We don't need RFID chips in ATM/credit cards, really how hard is it to pull y
    • Re:Disable the RFID (Score:5, Interesting)

      by value_added ( 719364 ) on Wednesday December 06, 2006 @08:33AM (#17127300)
      Just wrap the card in Tin foil.

      Funny ha ha, yes, but has anyone noticed that many science-fiction movies of recent years have included as a plot device one of the characters embedded with some sort of implant (in the brain, under the skin, etc.) or added to some common item (clothing, watch, pen, etc.) that was carried around? I recently watched Jonathan Demme's The Manchurian Candidate on cable and it occurred to me that such a scenario doesn't have to involve a conspiracy of the highest order to be successful or involve a high-concept goal; unwitting or passive acceptance would work just fine, and the goal can be mundane but similarly insidious.

      My guess is that monitoring technologies in various forms will increasingly become part of our daily lives. RFID chips, for example, seem destined to be everywhere, and while it's up to each of us to be as vigilant as the article's poster, the future will play out as a constant game of catch-up and workarounds for the select few in the know. Computers are part of our daily lives but knowledge of them is superficial at best. Should we expect the average person to have an inkling of how other technologies that come in smaller packages work?

      Have you scanned yourself, lately?
      • by msobkow ( 48369 )

        I don't see RFID itself as a problem, but my understanding is that the security of the currently deployed RFID chips has already been cracked. Therefore, I would not want it used for bank cards.

        The idea of an encrypted wireless short-range link instead of a mag-stripe swipe doesn't seem too outre to me. But using a technology that is known to be insecure is foolish.

      • Re: (Score:3, Interesting)

        by couchslug ( 175151 )
        "constant game of catch-up and workarounds for the select few in the know"

        This has fascinating potential for spoofing.
        If, in the future, we can expect to be tracked as a "package" of our worn and carried emitters, we can have a pre-built alternate package ready for use.

        While "my" emitters could be providing an alibi, a throwaway set could mask my actions elsewhere.
    • Re:Disable the RFID (Score:5, Informative)

      by michaelaiello ( 841620 ) on Wednesday December 06, 2006 @10:11AM (#17128414) Homepage
      Even better, you can get the real deal. RFID Blocking Wallets and passport cases.
    • Re:Disable the RFID (Score:4, Informative)

      by StressedEd ( 308123 ) <(ej.grace) (at) (> on Wednesday December 06, 2006 @10:34AM (#17128798) Homepage
      More stylish than tin foil, a Muji Aluminium card holder. I use one as my wallet, storing everything but coins. It has the added benefit that you absolutely cannot squeeze that one last thing in to your wallet - so it doesn't end up looking like a sphere.

      Of course it means I have to take my Oyster card out in order to use it, rather than wave the wallet at the reader - but that's the point!

    • Re: (Score:2, Insightful)

      by race_k2 ( 820208 )
      Ha, and a tinfoil hat for me to wear in the checkout line as an accessory. I seriously doubt that wrapping a card in foil is a 'practical', not to mention durable, day to day solution to this issue. I can imagine the skeptical look of cashiers everywhere when they see my foil wrapped card. I wonder how long it would take before someone was accused of possible identity theft or similar mis-deeds using this method
    • Re: (Score:3, Insightful)

      by gsfprez ( 27403 )
      how about a read button?

      If you are pressing the button, the circuit closes and your card will enable a reader.

      If you are not pressing the button, the circuit is open, and disables the RFID on the chip?

      I mean, even my MacBook has a power button.
  • by arivanov ( 12034 ) on Wednesday December 06, 2006 @07:55AM (#17127026) Homepage
    Not surprised about HSBC. In fact surprising about some sense from Chase.

    HSBC recently forced me to subscribe to the Verified by Visa marketing pseudosecurity garbageshiteware gimmick (the only one of cards I have that actually forced me to do so). During the subscription process I found out that the idiotic subscription interface does not maintain state with most non-mainstream browsers. In fact if you use Konqueror (or play around with your browser a bit) you can cruise through it with flying colours without it asking for verification information, passwords and the like. I was seriously tempted to go all the way and register a few cards for entertainment purposes, but end of the day decided not to.

    So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", nor could provide a contact. Still better than Amex though. Under similar circumstances 4 years ago when I tried to contact the Amex security dept with a similar bug they subscribed me to a mandatory 60 days of phone marketing and email marketing for good measure.

    Frankly - they have no clue. Banking security at its best. Understanding is not required, BS and ISO numbers are.
    • by Bazman ( 4849 ) on Wednesday December 06, 2006 @08:14AM (#17127162) Journal
      Talk to a financial journalist. Not only will they have contacts at the bank, but the bank will fear them more than they fear you...

    • by canesfan ( 607211 ) on Wednesday December 06, 2006 @09:01AM (#17127538)
      "pseudosecurity garbageshiteware"

      Henceforth all software found wanting shall be referred to as "pseudosecurity garbageshiteware". Man law???

      • Re: (Score:2, Funny)

        by Anonymous Coward
        Man Law

        he proclaimed from his parent's basement
    • by Anonymous Coward on Wednesday December 06, 2006 @09:20AM (#17127748)
      been made your problem by way of the 'identity theft' myth. There's no such thing as identity theft. When someone gives your money or loans their money to the wrong person, thinking it's you, THEY ARE AT FAULT.

      Effing brainwashed sheep have bought into the identity theft ruse hook, line, sinker, and hummer to the fisherman.
    • by EatHam ( 597465 ) on Wednesday December 06, 2006 @10:27AM (#17128670)
      So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", nor could provide a contact.
      Careful doing that. I've heard of *ahem* someone *ahem* doing the same thing with a bank, and having to spend several weeks giving depositions to the police, talking to the FBI, and basically being treated like a criminal. Moral of the story, switch your account and shut up about it, or it could easily become a giant hassle for you.
    • by plover ( 150551 ) *
      I wouldn't say you were "forced" to do anything. You're perfectly free to cancel any accounts with them and open a different card at a different bank. Not that anyone at HSBC will shed a tear to see you leave; after all, you're just a "privacy kook" in their eyes.

      But maybe someday us "privacy kooks" will leave in statistically significant numbers, and eventually someone might notice.

  • No can do, I wouldn't trust RFID for anything that requires a password or requires any sort of security.

    I'd use it for inventory management etc. like was the big hype when it first came out but I'd keep it out of ATM cards, passports... PEOPLE.

  • Absolutely not (Score:5, Informative)

    by techmuse ( 160085 ) on Wednesday December 06, 2006 @08:03AM (#17127080)
    As a security expert who has done studies on RFID security, I would have to say absolutely not. I would switch banks.
    • Re: (Score:3, Insightful)

      by jambarama ( 784670 )
      Would You Trust RFID-Enabled ATM Cards?

      Sure why the heck not? We've got RFID passports and government IDs, RFID in our cars (toll passes), and RFID boarding passes just on the horizon. I mean, we've even got RFID in our TIRES making it possible to TRACK OUR CARS!!

      Would /. trust rfid atm cards? No. Will the general public? If it is either pushed on them (see the rfid tires) or if it adds some kind of convenience (see the toll passes) you bet they'll trust it and they'll love it.

      I don't think thi
    • Re:Absolutely not (Score:5, Insightful)

      by nasor ( 690345 ) on Wednesday December 06, 2006 @12:23PM (#17130962)
      If your bank really wants to make it easy for people to rip them off, it's not really your problem is it? I've never understood why people care so much about credit card security. If someone steals your credit card number and uses it to buy something, you just report the charge as fraudulent. No credit card company charges customers for fraudulent charges made on their account.

      Using a credit card seems much safer than cash. If someone steals my cash, I'm out of luck. If someone steals my credit card or uses my account number without my authorization, I don't lose anything except the 10 minutes or so that I have to spend on the phone with the credit card company.
      • If your bank really wants to make it easy for people to rip them off, it's not really your problem is it? [blah blah, waffle waffle, etc...]

        That's absolute crap. As someone who's been on the pointy end of the stick by having their Visa card abused after its details were stolen from a vendor's supposedly-secure (PCI compliance be damned) database I can tell you it is a big problem for the consumer. The bank has nothing to do with it: Visa themselves took every single one of their 45 business days to "inve

      • Using a credit card seems much safer than cash. If someone steals my cash, I'm out of luck. If someone steals my credit card or uses my account number without my authorization, I don't lose anything except the 10 minutes or so that I have to spend on the phone with the credit card company.

        Until you try and buy a house, and find out the mortgage lender won't lend you any money because some asshole in Los Angeles you've never heard of has run up a $5000 unpaid bill in your name.

        Happened to me.

  • by bhima ( 46039 ) <Bhima.Pandava@gmail. c o m> on Wednesday December 06, 2006 @08:05AM (#17127098) Journal
    Not only no but hell no.
  • My answer would depend entirely on who pays if the remotely accessible card data is used to make transactions without my authorisation:

    If I pay, then it is in my interests to worry about the security of the card, and I'll want a card that's unlikely to be used without my authorisation (a PIN I set required, mechanical action needed to start the process etc). I do not want to risk paying for fraudulent transactions, and I will do what I can to minimise that risk.

    If the bank pays, then I can leave the se

    • by bhima ( 46039 ) <Bhima.Pandava@gmail. c o m> on Wednesday December 06, 2006 @08:28AM (#17127258) Journal
      Do you honestly think that banks don't pass every single expense they incur along to the customer?

      No matter who pays at first, in the end we all pay more because of shitty security.
      • by farnz ( 625056 )
        No, but I have the option to switch banks, which keeps the charges under control; if HSBC has to charge me more/pay me less interest than Chase to make the same profit (because HSBC's RFID cards are insecure, and Chase doesn't issue RFID cards), then I'll switch to Chase. Thus, HSBC either has to fix the security issues with their RFID cards, stop issuing RFID cards, or make less money.
        • I thought moving more than X dollars between accounts automagically flagged you as a terrorist? Pretty sweet deal for the bank:

          Me: I've had enough of this shit, I quit
          Bank: If you do, we'll have the government seize all your money
          Me: Hey, let's negotiate!
    • The problem is that, even if it's nominally the bank's responsibility, it will still hurt you. You still have to check on the bank to see if they're not letting any unauthorized transactions slip, you will still be the victim if someone uses your account data (and cleaning up the resulting mess can take years), etc. Also, as another poster pointed out, any costs that the bank incurs will be passed on to you. So, in short, when your bank's security sucks, you lose.
  • by eeyore ( 78059 )
    Your grandfather's old silver cigarette case has just acquired a new lease of life as a Faraday cage.

    What use is an RFID to a bank?



  • um cost? (Score:4, Funny)

    by tomstdenis ( 446163 ) < minus punct> on Wednesday December 06, 2006 @08:29AM (#17127262) Homepage
    Instead of spending that money on putting RFID in, why not just release, oh, I dunno, SMART CARDS!!!

    Oh, no, we're North American, we have to be different *cough* cdma *cough*, no way we can conform with the rest of the fucking world *cough* soccer *cough*...

    Besides, RFID is not meant for privacy or security. It's meant to track inventory. The sooner these "experts" realize that the better. The sooner they realize that RFID readers are common place the even better.
    • American Express released the smart card American Express Blue many years ago. I still have the free smart card reader they gave out with it. It was pretty worthless and not widely adopted. They probably still have chips in them, but no-one cares. I now have an RFID Citi paypass keychain which I find incredibly convenient, and I can't say I lose sleep over the security.
      • The problem with Blue is that they didn't work with others on it. For a smart card system to work all of the banks have to participate.

        And it's not like we don't have the readers here. All of the common retail stores I go to here in Ottawa (that have debit/credit) have a reader built-in (I imagine because the machines are made in one factory and chances are it's good for tourism).

        So really the only problem left is to actually roll out the cards and start enforcing their use.

        The point of the smart card, is
  • My answer is no, as well.

    Despite assurances by the issuing companies that data contained on RFID-based credit cards would be encrypted, the researchers found that the majority of cards they tested did not use encryption or other data protection technology.
  • RFID Detection (Score:4, Interesting)

    by Chaos1 ( 466833 ) on Wednesday December 06, 2006 @08:51AM (#17127424) Homepage
    Does anyone know if there are RFID Detection scanners available? I know there are remote readers, but I was thinking more along the lines of a scanner which simply lights up an LED, beeps or something along those lines when it comes in close proximity to RFID. It seems with all the hidden tagging of clothes, shopping carts, etc. that this might be something handy to have.
  • Check the incentives (Score:5, Informative)

    by inviolet ( 797804 ) on Wednesday December 06, 2006 @08:51AM (#17127432) Journal

    With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.

    With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondary responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.

    It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from ATM fraud are inherently perverse.

    • It's like a config.rc file with the wrong default value: loss-paid-by = customer.

      Wow. You must be the biggest geek on earth.
  • by ClayJar ( 126217 ) on Wednesday December 06, 2006 @09:06AM (#17127590) Homepage
    For several years now, I've been carrying my personal card collection (credit, discount, ID, etc) in an Altoids tin. It's the perfect size for such cards, and it protects them from me. Also, it has the added benefit of being quite the faraday cage. Unlike foil, which can easily tear, an Altoids tin can take *quite* the beating without any significant damage.

    At work, we have RFID security badges. Mine is, obviously, in my Altoids tin. I can hold the tin against the sensor as long as I want; it won't scan. I pop it open (which is really easy to do one-handed once you get used to it), and it'll read from several inches away.

    They also have several designer colors: red peppermint, aqua wintergreen, tan ginger, and my personal favorite -- black liquorice. :)
    • I pop it open (which is really easy to do one-handed once you get used to it)

      One-handed manipulation of electronic devices shouldn't pose much of a problem to the majority of the /. readers...

  • Destroy the tag... (Score:3, Informative)

    by Ghostalker474 ( 1022885 ) <Ghostalker@g m a i l . c om> on Wednesday December 06, 2006 @09:32AM (#17127884)
    I've been researching this for one of my masters classes (I know, I'm a student, but hear me out) and I came across 2 ways of non-destructively stopping the tag. The first is simply blocking the tag with another tag, so that when the RFID reader goes to energize the tag, it gets a garbled response that even error-correcting software can't figure out. The second is to broadcast a kill-code to the tag. The kill code closes the circuit to a specified part of the chip, effectively overwriting the memory. This is the equivalent of removing the CMOS password on a motherboard, close the circuit, and when energized.... game over. The best thing to do would be to (yes) throw it in the microwave for 3-5 seconds [so as not to melt the plastic or the magnetic strip] and then go on using it with the RFID feature disabled. Personally, after all the research I've done on the security of RFID... I doubt the encryption is strong enough to block a dedicated reader. Hell, remember when they said WEP on 802.11b was unbreakable? I'll stick with my small-hometown bank, since they likely won't upgrade for some time.
  • First of all it probably isn't an RFID tag but a contactless smart card. Yes there is a meaningful distinction.

    Second, do you know whether there is any security around it or not? Some implementations have no security at all, others do mutual authentication and create encrypted sessions. You are considerably more secure using the latter of these than your traditional mag stripe.

    Get educated before sticking your head in the sand. Mag stripe is going to go away. Hopefully EMV will come to the US soon and
  • No! Because it is way too easy to compromise the system
  • So, How long until wallets start coming with built in shielding to discourage unauthorized RFID readout?
  • I called Chase for an RFID-less card. They said they would send one. They did not. They sent YA 'blink' card. I called again and was told that if I want one that is still a 'check card' I have to pay a fee. So basically, in order to get the same security I had before I have to *pay* for it, but for free I get a feature I don't want.

    I have already written my senator.
  • A European guy asked me recently why American companies are using unproven RFID technology in their credit cards, when Smart Cards are not only proven, but more easily shown to be secure.

    I think there are several reasons.

    First, when Smart Card technology was first proposed some twenty years ago, the idea got earlier traction in Europe. One reason, if I recall correctly, was that at the time the cost of installing and using phones under many state telecom monopolies made the kind of system we use in the US
  • by Erick Lionheart ( 745320 ) on Wednesday December 06, 2006 @10:33AM (#17128770) Homepage
    Uh... no? If the credit card companies were the ones paying for the fraud done with credit cards, there would BE next to 0 fraud.

    As it is, they make the -merchant- pay for it! And not only do they make us cover the price of the fraudulent transaction, but they ALSO tag an extra $25 -per fraud transaction- !! Heck, at this rate they might actually be MAKING money from fraud!!

    If one customer buys 3 times with same fraudulent cc over a few days (say, for $5 items!), we pay $75 in -addition- to the cc company taking back the $15!!!!!

    With the hundreds of Billions they process every day, do you really think there would be so much fraud if the cc companies were the ones really paying for it?? :/
    • You're quite right. I've been through a PCI audit - the requirements are both unreasonable, non-helpful, wildly unclear, and leave gaping holes in security if you comply with all of it. The requirements document sounds like a college intern went through an event log and came up with requirements based on single vectors from prior events.

      But, all that aside, the real problem is that merchants need to store credit card numbers. This is entirely bogus.

      As a real simple first blush at a solution, you take the
  • by rlp ( 11898 )
    Next question.
  • When you have two or more RFID cards in your wallet, chances are neither of them will work on any given attempt to use them unless you take the card you want to use out of your wallet....

    So what's the benefit?
  • While I carry around a Lead Lined wallet :)
  • Wholely crap NO!!! A question to you is, what the hell is wrong with you that you'd even need to ask this question?
  • Let's be clear what we are talking about here. The risk is that with special equipment someone might be able to read the same information that is printed on the card. RFID credit and debit cards have been around for a while, Speedpass being an example. And while it is possible to read the information passed between the card and reader with enough effort, you probably hand your credit card to the waiter in a restaurant and don't even think about it. That person walks out of your sight and in some cases steals t
  • RFID is getting to be like VoIP: there are a wide variety of applications which fit the acronym but are otherwise unrelated, and people lump them together. These bank cards and inventory tags in clothing have about as much similarity to each other as they have to 802.11. They use radio waves, and they use identification.

    A well-designed smart bank card will use SASL to prove its identity to the bank without revealing information that would allow anybody else to use the identity. So it doesn't matter if peopl
  • Yes! Bring it on, baby. What with all these old ladies doing pilates and such, it's getting too dangerous to snatch purses anymore.
  • A common garage door opener has more security than these RFID ATM cards. At LEAST a garage door opener has a table of codes that gets rotated through, it could take literally thousands of uses before the same code shows up twice. Yet what does an RFID ATM have to protect from cloning? Sad.
  • You know, like on everything else?

    If you aren't pressing the button/leaving the circuit open, zapping the RFID device does nothing.

    If you are pressing the button/closing the circuit, the RFID device will read?

    Why the FSCK am I the only person alive that seems to see RFID as not a problem if you put a power button on it?
  • Aside from the security issue, I don't think most people would care if their ATM card was RFID vs swipe.

    It doesn't save anyone any time, really. At an ATM, I've got my wallet open anyway, to put the cash in. In the grocery checkout, I've got plenty of time to reach briefly into my pocket or purse, while waiting for the checker.

    It's a solution in search of a problem.
  • If you could print your credit card information in X-ray ink, bold face, on the back of your jacket, such that only people with special x-ray spec could read them, would you? We don't do that now, why would we suddenly want to change?

    Of course "we use encryption". So the info on your jacket is encrypted. But we didn't use encryption before, even though we should have been (depending on how good it was).

    By using RFID, companies are trying to trade off the very intuitive insecurities of radio broadcasting wi
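
Several comments above contrast cards that hand over the same data on every read with cards that authenticate per transaction (the mutual-authentication and garage-door rolling-code remarks). The following is an added example, not part of any comment in the thread and not a description of any real bank card: a constructed Python model of an issuer checking both kinds of card, showing that bytes overheard once are accepted again for the static card and rejected for the challenge-response card. All class names, the 8-byte card id and the account string are assumptions made for the illustration.

```python
"""Static card data vs. challenge-response, seen from the verifier (constructed demo)."""
import hashlib
import hmac
import secrets

CARD_ID_LEN = 8  # assumed fixed-length identifier for this demo


class StaticCard:
    """Answers every reader with the same bytes, like data printed on the card."""

    def __init__(self, account: bytes):
        self.account = account

    def respond(self, challenge: bytes) -> bytes:
        return self.account  # the reader's challenge is ignored


class ChallengeResponseCard:
    """Holds a per-card secret key and never transmits it."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        tag = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return self.card_id + tag


class Issuer:
    """Back end that issues cards and decides whether a presented message is valid."""

    def __init__(self):
        self.accounts = set()
        self.keys = {}
        self.open_challenges = set()

    def issue_static(self, account: bytes) -> StaticCard:
        self.accounts.add(account)
        return StaticCard(account)

    def issue_cr(self, card_id: bytes) -> ChallengeResponseCard:
        key = secrets.token_bytes(32)
        self.keys[card_id] = key
        return ChallengeResponseCard(card_id, key)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.open_challenges.add(challenge)
        return challenge

    def verify_static(self, challenge: bytes, message: bytes) -> bool:
        self.open_challenges.discard(challenge)
        return message in self.accounts  # nothing ties the message to this transaction

    def verify_cr(self, challenge: bytes, message: bytes) -> bool:
        if challenge not in self.open_challenges:
            return False  # unknown or already-used challenge
        self.open_challenges.remove(challenge)  # each challenge is single use
        card_id, tag = message[:CARD_ID_LEN], message[CARD_ID_LEN:]
        key = self.keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def replay_experiment() -> dict:
    """Present each card once, then present the same overheard bytes a second time."""
    issuer = Issuer()
    cards = {
        "static": (issuer.issue_static(b"ACCT-0001-CONSTRUCTED"), issuer.verify_static),
        "challenge_response": (issuer.issue_cr(b"CARD0001"), issuer.verify_cr),
    }
    results = {}
    for name, (card, verify) in cards.items():
        first = issuer.new_challenge()
        overheard = card.respond(first)  # what crosses the air in transaction 1
        genuine = verify(first, overheard)
        second = issuer.new_challenge()  # transaction 2 gets a fresh challenge
        replay = verify(second, overheard)  # same bytes, no card present
        results[name] = {"genuine": genuine, "replay": replay}
    return results


if __name__ == "__main__":
    for name, outcome in replay_experiment().items():
        print(name, outcome)
```

The model covers replay only; whether the card also authenticates the reader, and how keys are protected on the chip, are separate questions it does not address.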
