Brought to you as a public service of the Open Spectrum Foundation (Stichting Open Spectrum), Amsterdam - Prague


NEWS

New report on RFID credit-card vulnerabilities

From "Vulnerabilities in First-Generation RFID-Enabled Credit Cards," by Prof. Kevin Fu, RFID Consortium for Security and Privacy, 23 October 2006:

"Consumers in the United States today carry some twenty million or so credit cards and debit cards equipped with RFID (Radio-Frequency IDentification) chips. RFID chips communicate transaction data over short distances via radio. They eliminate the need to swipe cards or hand them to merchants. Consumers can instead make payments simply by waving their cards - or even just their wallets - near point-of-sale terminals.

"While appealing to both consumers and merchants, the convenience of RFID credit cards has a flip side. What a legitimate merchant terminal can read, a malicious scanning device can also read without a consumer's consent or knowledge. RFID credit cards therefore call for particularly careful security design.

"A report released today by a team of scientists in the RFID Consortium for Security and Privacy (RFID-CUSP) reveals lapses in the security and privacy features of several types of currently deployed RFID credit cards. The report (of which I am a co-author) highlights two basic vulnerabilities in the cards under study:

  1. Names in the clear: The RFID credit cards transmit bearer names promiscuously. Any device capable of scanning a card can learn the name imprinted on it - with or without the owner's consent.
  2. Payment fraud: In varying degrees, the RFID credit cards are vulnerable to an attack called 'skimming.' An attacker with an RFID reader can harvest information from a card, create an inexpensive clone device, and make charges against the legitimate card. (Alternatively, an attacker may be able to perform online transactions with harvested credit-card information.) Skimming requires minimal technical expertise and expense.

"Credit-card fraud is already widespread in various forms, and financial institutions already address the problem effectively with sophisticated detection and mitigation systems. Despite their flaws, therefore, it is unlikely that RFID credit cards will trigger a large new wave of fraud.

"Rather, what the RFID-CUSP report highlights most significantly is the new physical dimension of vulnerability that RFID credit cards introduce.

"Without even removing their cards from wallets or pockets, consumers can potentially see their privacy and security compromised. A scanner in a crowded subway station might surreptitiously harvest credit-card data from passersby.

"Or consider what the RFID-CUSP research team has dubbed a 'Johnny Carson' attack. In the comedian's Carnac the Magnificent act, he divined the contents of sealed envelopes held against his forehead. Likewise, an attacker can quickly skim data from RFID credit cards in sealed envelopes while they are in transit or sitting in mailboxes.

"Slightly stronger data protections and cryptography could largely prevent Johnny Carson attacks and most of the other vulnerabilities illustrated in the RFID-CUSP study. Given that RFID as a broad technology is already a flashpoint for consumer fears, the choice of credit-card associations not to confer stronger protections on RFID-enabled cards is somewhat surprising.

"Numerous media reports have drawn attention to consumer concerns about RFID privacy and security, and various government bodies are mulling over RFID-privacy regulations. In early 2005, a team of researchers (including some in RFID-CUSP) demonstrated skimming attacks against ExxonMobil SpeedPass, another RFID payment device used by millions of Americans for some number of years. (It should be noted, however, that unlike RFID credit cards, SpeedPass does not reveal personally identifying information.)

"The RFID-CUSP report leaves some open questions. With unclear legal protections in place for scientific exploration, the research team was unable to perform field tests of skimming attacks - even against our own credit cards... Thus, while the report makes definitive claims about certain vulnerabilities, others remain conjectural. Moreover, the research team was unable to ascertain the number of issued cards affected by the security flaws we encountered, and whether newer cards incorporate stronger protections. It is for the credit-card associations to give a precise account of how many vulnerable cards they have issued, should they choose to do so. Finally, there is the vexed question of read ranges. While the nominal read range of the RFID chips in credit cards is on the order of at most a few inches, large antennas and non-standard readers may be able to achieve longer ranges. This remains an open research question.

"The RFID-CUSP report does not explicitly name the card types under study. The vulnerabilities affect several major organizations, and the aim of the report is not to point fingers. (In fact, I should note that my employer, RSA, The Security Division of EMC, contacted credit-card associations with our findings some months ago, and itself declined to initiate any media contact.)

"The RFID-CUSP study is, in effect, a product-safety report. By highlighting weaknesses in a significant, fielded RFID system, the study aims to promote strong accountability and security practices in the RFID industry as a whole.

"RFID has the potential to bring great benefit to our lives. An early underpinning of solid security and privacy can help ensure the swiftest and most complete success for this budding and transformational technology.

"For details on the RFID-CUSP study, visit www.rfid-cusp.org.

Frequently asked questions

"Read our FAQ on RFID-enabled credit cards.

Technical manuscript

"Our technical paper is available in draft form: PDF

Video/print demonstrations

ABC Good Morning America segment, October 24, 2006

New York Times story on no-swipe credit cards, October 23, 2006

We have a short video demonstrating some of the attacks from a technical perspective. Please excuse our poor-quality video techniques: YouTube or the secondary link..."

[: 24 October 2006]
