Black Hat reveals credit data via RFID insecurity

newsguy 0 Tallied Votes 380 Views Share

The Black Hat security conferences are always good for a crowd pleasing demonstration or two, and security researcher Adam Laurie was happy to oblige at the latest DC based event. In a 'look no hands' fashion, he was able to pull up account data including name, account number and expiration date from an AMEX credit card and display it on the big screen to the attending masses, without actually removing the card from the wallet of the man who owned it.

Yet this was no trick, but rather a demonstration to get a debate started on the potential security weakness of the RFID smart-chip-enabled technology implemented on some credit cards these days. Laurie combined some simple hardware with a Python-based script to performing his magic. The impact was lessened a little by the fact that the account number shown on-screen was not the one embossed on the card itself and cannot actually be used to make an online transaction. Indeed, American Express has confirmed that this 'alias' number alone would not be accepted as transactionally valid and numerous other security mechanisms would need to kick in to authenticate the payment authorisation. As such, all that was demonstrated here was the potential ease with which data can be read from smart-cards using RFID scanning techniques, without any actual physical contact.

With close on 50 countries around the world using RFID enabled passports, many places also opting for RFID enabled public transit cards and so on, the security implications are still worrying. In Spain, there are apparently even some operations where users can get a RFID tag implanted under the skin. One such application being a beach resort which allows bars and shops to scan your wrist for payment, yet you can enjoy the beach and sea without requiring a wallet.

As always though, convenience needs to be balanced with confidentiality and as the Black Hat demo proves perhaps this particular angle of the RFID transaction is not being given as much serious thought as it should.

waltaugust 0 Newbie Poster

I can do this on my Chase blink card too. On the Chase card it is the same number as on the front of the card.

This can be blocked by keeping the card in one of the Identity Stronghold sleeves that he shows on his website

Why don't the credit card companies just send out the sleeve with their cards?


Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.