Mastercard and RFID

2008-01-24

in Daily updates, Law, Security

I got a replacement Mastercard in the mail today and was slightly surprised to learn that it has an embedded radio frequency identification (RFID) tag in it. The idea is that it will let merchants bill you card by having you put it near a reader, rather than swipe it though a magnetic strip reader. The existence of the RFID tag does raise a couple of issues, however.

First, it has been shown that such tags can be activated using inexpensive directional transmitters from relatively long ranges. The way they work is by using the energy in the incoming radio signal to power the circuitry that produces a response. I don’t know if the tag in my card simply has a unique identifier, or whether it actually performs a challenge-response authentication. Either way, it is likely that the presence of the card, and the fact that it is a Mastercard, can be determined at a distance of several tens of metres at least, using information and equipment fairly easily acquired.

Secondly, I don’t know about the liability associated with such cards. I know that if I lose my Mastercard and report it promptly, I am only liable or $50 at the most. I am not sure about a situation where somebody clones the RFID tag and uses it to make purchases.

Overall, I see little value in contact-free payment systems. I would rather have a traditional card without new features and vulnerabilities. Unfotunately, Mastercard says that RFID-free cards are no longer available.

More on RFID:

Report a typo or inaccuracy

{ 16 comments… read them below or add one }

Neal January 24, 2008 at 8:43 pm

This strikes me as both an invasion of privacy and a security risk. Are there even real applications for it yet? I would cancel my card, assuming that there are other cards out there that are not introducing RFID tags. Failing that, some kind of shielded wallet would seem to be the only answer.

Anonymous January 24, 2008 at 9:33 pm
Anonymous January 24, 2008 at 9:34 pm

Protect your brain from RF (radio-frequency) pollution with this handsome baseball style hat!

Anonymous January 24, 2008 at 9:35 pm

RFID Blocking WALLET

“Prevents Identity Theft”

The RFID tags in identification cards have been shown to be insecure. Attackers are able to read and copy information stored on these tags to create copies they can use themselves! Major RFID enabled credit cards including Visa, MasterCard and American Express have been hacked. These stylish RFID B locking Wallets ensure that cards with RFID tags within the wallet can NOT be read while the wallet is closed. This gives you the ability to control when, how and by whom your cards are accessed. To allow the RFID tag in the card to be read, simply open the wallet and direct it towards the reader. Made of the finest quality leather and built to last. The wallets contain a layer of RF shielding that prevents RFID readers from reading any passive tags stored within. They have a convenient flap to allow easy “flip” access to RFID cards. 2 sizes for your convenience. Patent Pending.

David January 25, 2008 at 2:35 am

there was one proof of concept of a relay attack on an eCredit card, it seems the early ones had pretty loose challenge/response windows such that someone could skim data from your card from a 20cm distance ‘in the street’, then use WiFi to route this to an accomplice who was able to do successfully complete an internet purchase. Talking to eID industry representatives, “they are fully aware of the security problems and are making sure that soon this will not be possible”. The big advantage of the eCredit ePayment card is the “tap & pay” , for instant purchases of newspapers, concert tickets, cups of coffee etcetera. It is likely that the european citizens’ card coming in about 2010 will implement the full range of fac ilities, eID, ePass, eCredit, eHealth entitlement, eEtcetera. I’d say that now you have the card, you’ve bypassed/survived one of the biggest threats which is RFID scanning mailbags – and crims selectively stealing the RFID enabled letters, be they credit cards or electronic passports.
As to the threats that you now face, they are extremely remote – at present, but will likely grow. I have an HP PDA 4700 with added NFC (13.56MHz) RFID, but I wouldn’t be able to use it (for ethical) hacking till I successfully manage to dump WinCE and load Linux. This has Wifi and enough power to do the relay from a short distance, upcoming Software Radio devices may also be programmed as tools, but again, I’d say you probably have a 5 year ‘usual problem’ timespan before any ‘new problem’ attacks become widespread. Hopefully this timespan will be enough for the CC & eID companies to develop better more robust products. Watch for problems if they drop 13.56MHz NFC and head for EPC Global 900MHz ‘supermarket’ RFIDs as they *can* be read at 20 metres. have fun, David

Anon January 25, 2008 at 9:30 am

Kooky as the tinfoil hat community is, a radio-blocking wallet might be a good idea.

Anon January 25, 2008 at 10:32 am

Are there even real applications for it yet?

Mastercard has their PayPass terminals, where you just bring your card near to make payments up to $25, with no need to sign anything.

Secondly, I don’t know about the liability associated with such cards. I know that if I lose my Mastercard and report it promptly, I am only liable or $50 at the most. I am not sure about a situation where somebody clones the RFID tag and uses it to make purchases.
The liability is the same. Your worst-case scenario is having to pay $50.

. March 14, 2008 at 9:51 am

London Tube Smartcard Cracked

Looks like lousy cryptography.

Details here. When will people learn not to invent their own crypto?

Note that this is the same card — maybe a different version — that was used in the Dutch transit system, and was hacked back in January. There’s another hack of that system (press release here, and a video demo), and many companies — and government agencies — are scrambling in the wake of all these revelations.

. March 19, 2008 at 11:30 am

BBtv – How to hack RFID-enabled credit cards for $8
By Xeni Jardin on Video

A number of credit card companies now issue credit cards with embedded RFIDs (radio frequency ID tags), with promises of enhanced security and speedy transactions.

But on today’s episode of Boing Boing tv, hacker and inventor Pablos Holman shows Xeni how you can use about $8 worth of gear bought on eBay to read personal data from those credit cards — cardholder name, credit card number, and whatever else your bank embeds in this manner.

Fears over data leaks from RFID-enabled cards aren’t new, and some argue they’re overblown — but this demo shows just how cheap and easy the “sniffing” can be.

. April 25, 2008 at 10:25 am

HOWTO kill/block an RFID

By Cory Doctorow on Gadgets

Instructables have just published their latest installment in their series of HOWTOs inspired by my forthcoming novel Little Brother, a young adult book about kids who use technology to wrest liberty from the Department of Homeland Security. This week, it’s HOWTO block or kill an RFID chip.

. August 30, 2008 at 12:10 pm

Credit-card companies killed Mythbusters segment on RFID vulnerabilities

By Cory Doctorow on Gadgets

Check out the first two minutes of this clip of Mythbusters’ Adam Savage telling the folks at the HOPE hackercon about how the Discovery Channel was bullied by big credit-card companies out of airing a program about how crappy the security in RFID tags is. Arphid Watch: Mythbusters and RFID

. February 3, 2009 at 11:51 am

US passports can be read and copied from a moving car using a $250 rig

By Cory Doctorow on Gadgets

“Meet Chris Paget, a hacker who believes that people shouldn’t be tagged with RFIDs. He spent a productive day driving around San Francisco, sniffing and cloning mountains of RFID-equipped US passports and driver’s licenses. The equipment to accomplish this feat cost him $250. When we debate the risks associated with RFID-equipped IDs, we usually focus on what happens when the government can follow us around everywhere — but the real risk may be that crooks, marketing creeps and various unaffiliated snoops will do this instead. “

. July 20, 2009 at 1:08 am

Tech.view
Have chip, will travel

Jul 17th 2009
From Economist.com
Why chips in passports and ID cards are a stupid idea

A MONTH of tramping around Europe has given your correspondent a chance to see how effective the new e-passports are at border crossings. Between them, his family holds American, Japanese and British passports, each recently renewed. Unlike previous ones, the e-passports contain biometric data embedded in a radio-frequency identification (RFID) chip, along with the usual mugshot and optical bar-code.

. July 20, 2009 at 1:10 am

“Slightly open passports could leave holders vulnerable to physical attack. Each country encrypts data in a characteristic way that terrorists could use to identify the nationality of the person carrying the chipped passport. To demonstrate the point, a firm called Flexilis used a partially opened American e-passport tucked in the pocket of a dummy to trigger an explosion as it passed a dustbin containing a small charge.”

. June 17, 2011 at 9:49 pm

Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security

A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.

In May 2009, Sanford, Maine based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn. based People’s United Bank. Pacto used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.

. September 14, 2013 at 7:49 pm

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Previous post:

Next post: