Wednesday, February 1, 2012

RFID-based credit card fraud

This one is nasty, and unlike most credit card fraud, can stick you with the cost of the transaction:
Pull out your credit card and flip it over. If the back is marked with the words “PayPass,” “Blink,” that triangle of nested arcs that serves as the universal symbol for wireless data or a few other obscure icons, Kristin Paget says it’s vulnerable to an uber-stealthy form of pickpocketing. As she showed on a Washington D.C. stage Saturday, she can read all the data she needs to make a fraudulent transaction off that card with just a few hundred dollars worth of equipment, and do it invisibly through your wallet, purse, or pocket.
Paget did a live demo of this at the Shmoocon security conference.  She asked for a volunteer from the audience, read his RFID credit card information remotely using equipment she picked up for a song from eBay, and then used the information to place a $15 online transaction.  She gave the volunteer $20 to keep everything above board.

As far as we know, the range is limited, so the attacker would have to hang out in a crowd to harvest card information.  However, that just means riding the subway or going to the ball game.

And here's the part that I really don't like (quote from the same article):

In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

“The truth is that consumers should be embracing this technology because it’s making them safer,” says Vanderhoof. “Efforts to try to discredit the use of chip technology in cards is only making the technology more vulnerable.”
That's not true.  Today's credit card fraud involves repeated use of a stolen card number, until the fraud detection software picks up that something is wrong and the card number gets frozen.  The cost of this fraud is picked up mostly by the merchant or (infrequently) the card issuer.  With this technology, the card can only be used once.

That is unlikely to trip the fraud detection software, which means that the charge goes on your account.  If you don't pick it up when you go over your bill, you eat the cost of fraud.  In other words, this technology doesn't make the system more secure, it transfers the cost of fraud to you.
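A simplified model of the processor-side rule quoted above, added here as an illustration and not taken from the article or from any card scheme. The HMAC-based code derivation, the counter sent alongside each code, and all names are assumptions made for the sketch.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real card secret


def one_time_code(key: bytes, counter: int) -> str:
    """Stand-in derivation (assumption): 3-digit code from HMAC(key, counter)."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class Processor:
    """Tracks one card: each code is good once, and never after a later one."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seen = -1   # counter of the newest code already used
        self.blocked = False

    def authorize(self, counter: int, code: str) -> str:
        if self.blocked:
            return "declined: card blocked"
        if not hmac.compare_digest(code, one_time_code(self.key, counter)):
            return "declined: bad code"
        if counter <= self.highest_seen:
            # Reused code, or an older code arriving after a newer one.
            self.blocked = True
            return "declined: card blocked"
        self.highest_seen = counter
        return "approved"


def run(events):
    """events: (who, counter) pairs in the order the processor sees them."""
    proc = Processor(KEY)
    results = [(who, proc.authorize(c, one_time_code(KEY, c))) for who, c in events]
    return results, proc.blocked


if __name__ == "__main__":
    # Code 0 was read off the card by a third party; code 1 is the owner's next tap.
    print(run([("skimmed", 0), ("owner", 1)]))    # both approved, nothing flagged
    print(run([("owner", 1), ("skimmed", 0)]))    # older code after newer: blocked
    print(run([("skimmed", 0), ("skimmed", 0)]))  # reuse: blocked
```

In the first run the check sees nothing unusual, which is the case the post is concerned with: the only remaining control is the cardholder reading the statement.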

My recommendation is to stop carrying any credit card that contains an RFID chip.  It's probably OK to use them online, from home.  Or do some cooking:
Perhaps the simplest solution, Paget advises, is to kill your card’s RFID chip by frying it in the microwave. But that’s a more delicate task than it might seem. “Three seconds in the microwave will kill the chip,” she says. “Five seconds will set it on fire.”
If you have a card that you can wave in front of a reader, it has one of these chips.  Here's more on finding out if you have a problem.  Me, I like the E-Z Bake option.

12 comments:

bluesun said...

I could use this as an excuse to get one of those nifty RFID blocking wallets! Of course, since none of my cards have an RFID chip, it doesn't really matter, but still, NEW WALLET!

Bob said...

bluesun beat me to my question: what about those stainless steel RFID-blocking wallets, Ted?

Borepatch said...

I haven't used any of these wallets, but the buzz is that they work.

AnarchAngel said...

My wallet, and my passport wallet are both RFID blocking. I've tested them and they work.

From then on (about three years ago) I have only used RFID blocking wallets.

They used to be hard to find, but now you can get them anywhere. I usually buy mine from Amazon.

The one I'm using right now is a Kena Kai 6 slot bifold with ID flap and double bill compartment. I really like it.

Dave H said...

Instead of a shielded wallet, we need one that detects an intrusion and returns bogus credentials that mark any transaction attempting to use them as fraudulent. Then the card issuer can dispatch the police to apprehend the scammer.

Okay, maybe I stole that idea from William Gibson.

AnarchAngel said...

Actually, it would be trivially easy to do that yourself technically, on the user end.

The problem is the infrastructure to support the backend would run well into the hundreds of millions.

I was the chief architect for the retail division (which included credit cards, and online and electronic banking), for five years.

You wouldn't believe the volume of credit and debit card transactions that are processed every single day in just one major bank.

From just one bank, you are going to have anywhere from a few million, to hundreds of millions; the vast majority concentrated in three, three hour windows each day.

That number is duplicated multiple times inside each bank, as well as between the major banks and clearinghouses, and by each of the merchant account servicing companies and processors.

Each single swipe or entry of a card can generate 7 different SETS of transactions, and SETS of records; each set could have dozens of records, with dozens of datapoints per record.

I can tell you that the annual budget for the staff and infrastructure for all those transactions at one major bank, is something like $800 million.

That bank runs on a 4 year amortization cycle; so you can estimate the total cost of the infrastructure and operations of that set of business units (just the IT part, not the business side) is about $3 BILLION.

Billion, with a B.

And that one bank has only about 5% of the credit card, and about 10% of the debit card market.

Old NFO said...

Sigh... here we go again...

Tacitus said...

Can you DIY a shielded wallet? Metal I got, from tinfoil on up...

Tacitus

SiGraybeard said...

Stainless is a poor conductor compared to copper or aluminum foils. It would be inconvenient to double wrap your cards in aluminum foil, but it would work.

There are envelopes that hold a card or two and keep readers from getting the data. Identity Stronghold is a trusted brand, I hear. Search for "credit card shield" on Amazon, or your favorite e-tailer.

kx59 said...

I keep my cash in my pocket, so three or four layers of aluminum foil in my wallet would shield the whole lot I would think.
Might confuse the TSA at the airport though and make for delay.

Chuck Kuecker said...

One layer of foil is enough to shield RFIDs from reading, as long as it completely and tightly wraps the card. Gaps can spoil the shield effect.

I really like the idea of a spoofer device that would give the thief bogus data and alert you to the attempt. The data just needs to be the same format as a real number, it doesn't have to actually cause any alert for the system.

Thanks for the tip, Dave H - which Gibson story did that come from anyway?

Dave H said...

Chuck: I was thinking of the "black ICE" from Neuromancer, as applied to non-implanted electronics. It's kind of hard to terminate an intruder remotely if he's not jacked in. You have to send someone out.

wv: insesste. "I ssswear, offissser! I didn't know ssshe wasss my sssissster!"