February 21, 2008 4:49 AM PST

The hands-free way to steal a credit card

by Robert Vamosi

Update on February 22, 2008, at 3:20 p.m. PST: This blog has been updated to include a response from American Express.

WASHINGTON D.C.--Adam Laurie, an RFID security expert, used the Black Hat DC 2008 conference here to demonstrate a new Python script he's working on to read the contents of smart-chip-enabled credit cards.

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer's wallet, Laurie both read and displayed its contents on the presentation screen--the person's name, account number, and expiration clearly visible.

Demonstrations like that show the potential misuse of RFID technology in the near future. Without touching someone, a thief could sniff the contents of an RFID-enabled credit card just in passing. The same is true for embedded RFID chips in the human body, work access badges, some public transit cards, and even the new passports in use in more than 45 countries.

As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer's card. Laurie said that American Express told him: "We are comfortable with the security of our product." Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing.

"The alias number on American Express' ExpressPay cannot be used for online transactions," said Molly Faust, American Express' Public Affairs representative, in an e-mail to CNET News.com. "ExpressPay has multiple security mechanisms. As the payment host, American Express would not verify/authorize an online transaction using just the alias account number. There are several other security mechanisms that would be required in order for payment authorization to take place."

The credit card industry has argued that use of the RFID-enabled cards will save customers time when processing payments.

An extreme example can be found in Spain. Laurie said a public beach there encourages visitors to have RFID tags injected into their bodies. The point? Merchants along the beach scan your wrist to obtain a unique ID from which they can debit your account. The advantage? You won't have to go to the beach with your wallet, which might get stolen.

Laurie, who has an injected RFID tag, showed how easy it was not only to read the tag, but also to rewrite it. During his demo, he used the coding sequence reserved for animal tagging to have his RFID chip declare him an animal.

On his RFIDiot Web site, Laurie offers the Python scripts free of charge and also sells the hardware necessary to read and write to RFID tags and cards.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by schmidty1985 February 21, 2008 8:37 AM PST
Another for the MAN to track you and get into your personal life. Just think if everyone had this inserted into them. HEY close that window, we don't want any more of our rights to fly out it please!!!!!!
rf-enabled credit cards are secure
by vanderhr February 21, 2008 11:11 AM PST
I am sure Mr. Laurie is a knowledgeable RFID expert, but he is not a credit card expert or a passport expert, so he should be cautious in jumping to conclusions about what a thief can do with the data skimmed from an RFID chip in those two examples, as there are other security controls beyond the RFID chip that prevent bad things from happening in this type of attack. The AMEX credit card data can only be used to commit online fraud if the merchant account does not ask for the 3 or 4 digit security code which is not stored inside the chip, only on the card itself. If that unlikely event happens, the customer is not liable, the merchant is. Second thing, regarding passports, these are protected with an additional feature called basic access control, so no personal data stored inside a passport can be skimmed in the manner demonstrated.
intelligence data is intelligence data
by teh_chrizzle February 21, 2008 1:47 PM PST
any data that is broadcast is not secure. any data that is broadcast is intelligence data and intelligence data in the wrong hands is always a bad idea.

with passports and credit cards you don't need to be able to use the data in the manner card or passport issuer intended for the data to be dangerous. data of any kind can be used to identify or target an individual.

just because i can't easily use a credit card number to buy stuff doesn't mean having a person's credit card information is a good thing. you can still cause all manner of havoc with the information, using the card name or type in a scam, or just figuring out who has an American Express card in their possession.

the trouble with RFID passports is that broadcasting your identity and nation of origin is not a good idea in any country, including the United States. being able to scan a crowd for American passports (or Brits, or Israelis) makes targeted kidnapping and bombing much more effective.

anyone with an ounce of security training will tell you that you should do your best to blend in when you are in a foreign country so you will not become a target for terrorism, crime, or espionage. having your credit card and passport broadcasting personally identifiable information via RFID is the opposite of blending in.
Amex should provide a shielded card sleeve.
by WaltAugustinowicz February 26, 2008 12:28 PM PST
as should all the credit card companies and the transportation card companies. They are very inexpensive in bulk. Identity Stronghold sells them on their website. www.idstronghold.com

In the UK you can buy them at www.smartcardfocus.com/skimstopper

This seems a simple solution to a big problem.
Oh come on!
by tienkou February 27, 2008 4:53 AM PST
It sounds to me like Laurie is contributing to the problem not the solution. Everyone wants to find the flaw and become "infamous". No one takes the time to think "What's the cost of cyber-fame?" Ooh, if I come up with this really complex algorithm to prove my point and tell everyone they will have to fix it. How about you find the flaw, tell only the company that needs to know and keep your trap shut. No the entire public can buy you stuff and steal from each other.

I know they work hard and think they are doing the right thing by exposing potential dangers, but guess what most people don't know how to make a bomb until someone tells them step by step.

Expose the threat not the do it yourself!
by dansodouglas July 11, 2008 10:23 AM PDT
how do i really get my credit card with safe
by Goldking78 August 27, 2008 6:56 AM PDT
you have to keep your credit card password safe for others not to see because if they see they may go in to your credit account so you have to get password protection so that people can not use you credit card for any business
by julietroland90 August 30, 2009 10:50 AM PDT
i want to have marster card number free with his code an card number
by julietroland90 August 30, 2009 10:53 AM PDT
and i want u to mail me the number of the card