RFID's make passport forging easier.

[zerojunkie]

At least in the UK, but There's plenty of reason to be wary of their implementation here. Although I'm sure there can be methods devised to keep unauthorized parties from viewing the data, but I think more processing power will be required on them for that to happen.

http://www.dailymail.co.uk/pages/liv...n_page_id=1770

[e-brake]

All RFID chips are super super easy to read and spoof. Same with all the new credit cards that have chips in them have been hacked as well. With $15 of parts and a laptop running Linux you can scan all the credit card information from 20 feet away without ever seeing the actual card. You dont want anything with RFID in your wallet, there is just no way to secure it short of carrying it around in a lead lined case.

[St. Stalin the Apathetic]

Should that happen there's no way in hell I'd pay for fraudulent charges to my account and there is a substantial likelihood that either the credit company or the entity that was to receive payment for the charges are going to be left holding the bag. If merchants frequently are left holding the bag for say Visa you can bet they'll quit accepting Visa....so why are CC co.s putting them out there if they are so easily hacked?

[e-brake]

Quote:

Originally Posted by xian

Should that happen there's no way in hell I'd pay for fraudulent charges to my account and there is a substantial likelihood that either the credit company or the entity that was to receive payment for the charges are going to be left holding the bag. If merchants frequently are left holding the bag for say Visa you can bet they'll quit accepting Visa....so why are CC co.s putting them out there if they are so easily hacked?

You wouldnt have to pay those charges any more than if your CC was stolen using any other means. In the 90's the big thing was the hand held magnetic swipers that bar tenders or waiters could use to steal info by swipoing your card...the CC companies didnt stop using magnetic swipe technology they just absorbed the fraud as a cost of doing business. Same thing they are doing now, when a card gets hijacked by RFID they just write it off as a loss.

Here is an article from over a year ago about the problem:
http://www.engadget.com/2006/10/23/r...-big-surprise/

RFID has been riddled with so many problems, it's amazing that anyone even has a shred of confidence in this technology at all. Our latest security problem du jour is that credit card companies are apparently issuing plastic that relays your digits wirelessly; as you might have guessed, security researchers are checking into this, and in a demonstration for The New York Times, easily hacked a University of Massachusetts computer science professor's newfangled RFID credit card. In short order (and with his permission), a researcher working with RSA Labs was able to steal the professor's name and credit card number that was being transmitted in cleartext -- thereby poking massive holes in Visa, MasterCard and American Express' claims that these card include "the highest level of encryption allowed by the U.S. government." Predictably, the credit card companies have already dismissed claims that the populus will be greatly affected by this hack. Brian Triplett, senior vice president for emerging-product development for Visa, told the Gray Lady: "This is an interesting technical exercise, but as a real threat to a consumer - that threat really doesn't exist." Well, Brian, care to put your plastic where your mouth is?

[St. Stalin the Apathetic]

Quote:

Originally Posted by e-brake

You wouldnt have to pay those charges any more than if your CC was stolen using any other means. In the 90's the big thing was the hand held magnetic swipers that bat tenders or waiters could use to steal info by swipoing your card...the CC companies didnt stop using magnetic swipe technology they just absorbed the fraud as a cost of doing business. Same thing they are doing now, when a card gets hijacked by RFID they just write it off as a loss.

Here is an article from over a year ago about the problem:
http://www.engadget.com/2006/10/23/r...-big-surprise/

RFID has been riddled with so many problems, it's amazing that anyone even has a shred of confidence in this technology at all. Our latest security problem du jour is that credit card companies are apparently issuing plastic that relays your digits wirelessly; as you might have guessed, security researchers are checking into this, and in a demonstration for The New York Times, easily hacked a University of Massachusetts computer science professor's newfangled RFID credit card. In short order (and with his permission), a researcher working with RSA Labs was able to steal the professor's name and credit card number that was being transmitted in cleartext -- thereby poking massive holes in Visa, MasterCard and American Express' claims that these card include "the highest level of encryption allowed by the U.S. government." Predictably, the credit card companies have already dismissed claims that the populus will be greatly affected by this hack. Brian Triplett, senior vice president for emerging-product development for Visa, told the Gray Lady: "This is an interesting technical exercise, but as a real threat to a consumer - that threat really doesn't exist." Well, Brian, care to put your plastic where your mouth is?

so the short answer is that the CC co has decided that the convenience of the RFID is ofset but the cost of absorbing the fraud?

[e-brake]

Quote:

Originally Posted by xian

so the short answer is that the CC co has decided that the convenience of the RFID is ofset but the cost of absorbing the fraud?

Yep, in fact there is a quote from one of the Visa executives who pretty much said that the cost and time to intigrate additional security is higher than the losses that result from stolen accounts. They are spending more money setting up user profiles to detect unusual account activity instead of working on security for the cards themselves.

[Nyteshade]

You can also jam RFID signals with about $10 worth of parts from Radio Shack. We had a demonstration in MOS school on how easy it was to scramble military GPS signals.

[zerojunkie]

Quote:

Originally Posted by e-brake

Yep, in fact there is a quote from one of the Visa executives who pretty much said that the cost and time to intigrate additional security is higher than the losses that result from stolen accounts. They are spending more money setting up user profiles to detect unusual account activity instead of working on security for the cards themselves.

I can't wait for the first fully automated rfid skimmer to come out. CC# theft on a massive scale.

[e-brake]

Quote:

Originally Posted by zerojunkie

I can't wait for the first fully automated rfid skimmer to come out. CC# theft on a massive scale.

They were showing one off at the blackhat developers confrence last month. They made an application that would run in any build of Linux with a RFID scanner from a 7-11 gas pump credit card scanner and a generic wi-fi card. when they activated the application it immediately scanned and recorded the information from over 100 credit cards inside the tradeshow hall instantly. They also found that it picked up data from RFID door keys and some European passports at the same time.

Luckily the guys who did it work for a data security firm that was just trying to make a point. But the fact is if they can do it so can someone else.

Stolen credit cards are one thing but a stolen passport is another. If someone jacks a passport with one of these things I dont think we are prepared to absorb the security risk the same way banks are ready to absorb fraud from CC abuse.

[zerojunkie]

Quote:

Originally Posted by e-brake

They were showing one off at the blackhat developers confrence last month. They made an application that would run in any build of Linux with a RFID scanner from a 7-11 gas pump credit card scanner and a generic wi-fi card. when they activated the application it immediately scanned and recorded the information from over 100 credit cards inside the tradeshow hall instantly. They also found that it picked up data from RFID door keys and some European passports at the same time.

Luckily the guys who did it work for a data security firm that was just trying to make a point. But the fact is if they can do it so can someone else.

haha, had a feeling it'd already been done. Don't they have readers that can work at a distance too? Rfid's a pretty interesting technology, but as is so often the case it's all about how it's implemented.

Quote:

Originally Posted by e-brake

Stolen credit cards are one thing but a stolen passport is another. If someone jacks a passport with one of these things I dont think we are prepared to absorb the security risk the same way banks are ready to absorb fraud from CC abuse.

Yeah, i hope our government doesn't implement this too hurriedly.

[Kaliente]

Quote:

Originally Posted by e-brake

They were showing one off at the blackhat developers confrence last month. They made an application that would run in any build of Linux with a RFID scanner from a 7-11 gas pump credit card scanner and a generic wi-fi card. when they activated the application it immediately scanned and recorded the information from over 100 credit cards inside the tradeshow hall instantly. They also found that it picked up data from RFID door keys and some European passports at the same time.

Luckily the guys who did it work for a data security firm that was just trying to make a point. But the fact is if they can do it so can someone else.

Stolen credit cards are one thing but a stolen passport is another. If someone jacks a passport with one of these things I dont think we are prepared to absorb the security risk the same way banks are ready to absorb fraud from CC abuse.

I honestly think it's a useless technology. The cons definitely outweigh the pros. I don't think it's ever going to be possible to hack proof these things. The power required to make them function is a definite limiting factor.

[zerojunkie]

Quote:

Originally Posted by Kaliente

The cons definitely outweigh the pros.

No way! The fact you can checkout at a grocery store by simply walking through a reader on your way out is good enough for me...not to mention plans for 'smart refrigerators' to be able to read the same rfid's and generate all kinds of things with that data like automatically reordering something when it senses you're getting low, making your shopping list for you, and alerting you of expired food. Hot stuff...and that's just a couple applications.

Quote:

Originally Posted by Kaliente

The power required to make them function is a definite limiting factor.

huh? the power's transmitted to the chip by the reader when it gets close, that's what's made them such a break through.