Feb 23rd, 2008, 6:49 pm
The Black Hat security conferences are always good for a crowd-pleasing demonstration or two, and security researcher Adam Laurie was happy to oblige at the latest DC-based event. In a 'look no hands' fashion, he was able to pull up account data including name, account number and expiration date from an AMEX credit card and display it on the big screen to the attending masses, without actually removing the card from the wallet of the man who owned it.

Yet this was no trick, but rather a demonstration to get a debate started on the potential security weakness of the RFID smart-chip-enabled technology implemented on some credit cards these days. Laurie combined some simple hardware with a Python-based script to perform his magic. The impact was lessened a little by the fact that the account number shown on-screen was not the one embossed on the card itself and cannot actually be used to make an online transaction. Indeed, American Express has confirmed that this 'alias' number alone would not be accepted as transactionally valid, and numerous other security mechanisms would need to kick in to authenticate the payment authorisation. As such, all that was demonstrated here was the potential ease with which data can be read from smart-cards using RFID scanning techniques, without any actual physical contact.

With close on 50 countries around the world using RFID-enabled passports, and many places also opting for RFID-enabled public transit cards and so on, the security implications are still worrying. In Spain, there are apparently even some operations where users can get an RFID tag implanted under the skin. One such application is a beach resort which allows bars and shops to scan your wrist for payment, so you can enjoy the beach and sea without requiring a wallet.

As always, though, convenience needs to be balanced with confidentiality, and as the Black Hat demo proves, perhaps this particular angle of the RFID transaction is not being given as much serious thought as it should.
This blog entry was written by Bill Andad, staff writer aka newsguy. It was promoted to featured status Feb 23rd, 2008.

Comments (Newest First)
waltaugust | Newbie Poster | Feb 26th, 2008
I can do this on my Chase blink card too. On the Chase card it is the same number as on the front of the card.

This can be blocked by keeping the card in one of the Identity Stronghold sleeves that he shows on his website rfidiot.org

Why don't the credit card companies just send out the sleeve with their cards?

You can buy them at www.idstronghold.com or in the UK www.smartcardfocus.com/skimstopper