Thursday, August 06, 2009
Saturday, August 01, 2009
RFID in Credit Cards
I believe that we are hearing and seeing enough about hacking and information theft from so many sources that I cannot succeed in conveying anything useful unless I limit my posts to small bits of the whole that are most likely to have an effect on the average person. Today that topic will be the addition of the "convenience" of having an RFID microchip embedded in their credit card.
When one of my credit card companies sent me a shiny new card out of sequence (that is, my old one was two years away from expiring) I did what I usually do in such situations. I became suspicious. Why did they do this? I doubted that it was for my benefit or totally in my best interest. OK, what was different? There was a new word printed on the back and the note that I could now just wave my card near a store's card reader rather than sliding it through the reader itself. How does this help me, I asked myself? As far as I could tell, it didn't help at all. Who did it help, then? Must be "them". Credit card companies use many safeguards including predictive analytics, identity theft countermeasures, data mining, encryption, and others to protect themselves (as well as the consumer) from theft or loss of data. I looked at the card extremely closely and discovered a very slightly thicker square located above and between the word blink and the radio wave icon. The photo is of the upper right quadrant of the card, below the magnetic strip. If you can't see it in the picture below, try looking at your monitor screen at an angle so that the shadows make it clearer.
This is not a great macro photo of the chip, but if you see it, it serves its purpose.
So why is he at it again about this privacy craziness? Because the magnetic strip on a presently "normal" credit card is coded and cannot be read at a distance. The information can be stolen in a number of other ways, but not read at a distance.
Now I want to scare you. RFID hacking is not new (see this 2003 article from Wired) and is rather simple, as this procedure, the Mifare Hack, as demonstrated by Engadget, left many cities' public transportation systems and other RFID users in peril. Here is a Creative Commons interview via Boing Boing showing the basics of remote RFID hacking (be sure to read the comments). An excellent but easily read article, "RFID Credit Cards and Theft: Tech Clinic", was published in 2007 by Popular Mechanics. Presently, RFID experimentation kits are being sold as toys at Think Geek for just under $100 (USD), while companies such as DIFRwear offer radio shielded wallets and passport cases for sale. If you read only one of these links, I would suggest this one as being the most general and inclusive of the good and bad uses of RFID.
If you will excuse me now, I think I'm done for a while. I must go line my wallet with copper screening to function as a Faraday Cage and make little tinfoil hats for my credit cards.
Copyright © 2009, Thomas A. Blood, Ph.D.
"The world of RFID is like the Internet in its early stages. Nobody thought about building security features into the Internet in advance, and now we're paying for it in viruses and other attacks. We're likely to see the same thing with RFIDs." - Ari Juels, research manager at the high tech security firm RSA Labs.