BajaNomad

Credit Card Chip Fraud DAMNED IMPORTANT YOU SEE THIS

DavidE - 8-29-2013 at 12:28 PM

https://youtube.googleapis.com/v/lLAFhTjsQHw%26sns=em

desertcpl - 8-29-2013 at 12:45 PM

that's just not right

what bird brain invented this

rts551 - 8-29-2013 at 01:11 PM

RFID has been around for a long time. We were using them in military and DoD civilian IDs 20 years ago.

tjsue - 8-29-2013 at 01:21 PM

Exxon had a key ring tag that had RFID on it. All you had to do was hold it up to the card reader, and it would scan the tag.

DavidE - 8-29-2013 at 01:48 PM

I think it important to not have an opportunity to step up to an ATM a thousand miles from home and see the machine report a bank balance of $00.00 "disponible". Having zero money many hundreds of miles from the US border is not my idea of fun.

rts551 - 8-29-2013 at 03:07 PM

I agree. better to put it under your mattress.

durrelllrobert - 8-29-2013 at 04:10 PM

Some states already have the RFID chip in their driver's licenses and CA wants to do the same "to speed up border crossing". With that same hardware crooks can get your home address, and since they know you're not home and won't be back for some time (depending where you are in the world) they can then phone someone to go burglarize your house.

woody with a view - 8-29-2013 at 04:11 PM

pretty cool! none of my cards are those type....

DavidE - 8-29-2013 at 04:31 PM

Piece of cake. Line the credit card sleeve with the packaging microchips and memory comes in. Line your mattress with the packaging if you must.

David K - 8-29-2013 at 04:36 PM

Tin foil to the rescue!

Terry28 - 8-29-2013 at 04:59 PM

Just use the left over tin foil from your hats guys...

elbeau - 8-29-2013 at 06:06 PM

I hate this kind of stuff, but for more reasons than most people. I've been working for an RFID manufacturer for 9 1/2 years now and besides the obvious problems that the credit card companies are creating for consumers, they are also undermining our entire industry.

The company I work for sells RFID tags to track things like servers in data centers, medical equipment in hospitals, and pallets in supply chains. We don't track people and we don't implant our stuff in credit cards, drivers licenses, or other critical stuff. We know our products well enough that our salespeople will be the first to tell you that it can't be reliably used for security but that it is great for automating business processes.

...but then VISA decides to do a stupid implementation that ignores the most obvious vulnerabilities and the next thing you know our whole industry gets headlines for being a threat to people's security. I've been with the company long enough to see this happen over and over in various ways such as RFID in passports, RFID on keychains, Wal-Mart's ridiculous RFID push a few years back, RFID companies announcing implantable devices, etc., etc. It gets people so freaked out about how the technology can be used wrong that they don't consider how it can be used reasonably.

We lose sales because of crap like this and it has nothing to do with us.

durrelllrobert - 8-29-2013 at 07:23 PM

"we don't implant our stuff in credit cards, drivers licenses, or other critical stuff. We know our products well enough that our salespeople will be the first to tell you that it can't be reliably used for security but that it is great for automating business processes."
___________________________________________________
Somebody does. Why not take your complaint about impacting the whole industry up with them?

MMc - 8-29-2013 at 07:29 PM

It is in your Passport card, Sentri card, and your new Passport too.

woody with a view - 8-29-2013 at 07:37 PM

my passport card doesn't contain all of my financial info, does it?:?:

elbeau - 8-29-2013 at 08:22 PM

Quote:
Originally posted by durrelllrobert
"we don't implant our stuff in credit cards, drivers licenses, or other critical stuff. We know our products well enough that our salespeople will be the first to tell you that it can't be reliably used for security but that it is great for automating business processes."
___________________________________________________
Somebody does. Why not take your complaint about impacting the whole industry up with them?


Yep, they do, and there's not a lot we can do about it. Do you think the major credit card companies care enough to listen to reason? Evidently swiping your card is too much of a burden compared to waving it 2" away from where you used to swipe it. It's insane. They are broadcasting out your actual credit card number with no form of encryption or other security.

MMc - 8-30-2013 at 07:14 AM

Woody, the Passport, et al. do have your personal info on them. There is a reason there is a foil envelope they come in. Check this out if you are afraid of people stealing your credit info. The phones are being used today.
http://www.rfidjournal.com/articles/view?1020

OLD NEWS

MrBillM - 8-30-2013 at 07:44 AM

Those who have been just getting the information on RFID fraud haven't been paying attention for quite awhile now.

With news story after story being done for (at least) a couple of years now.

Those Cable-TV and online hucksters along with Walmart and the like have been hustling those ($9.95) Aluminum Credit-Card "Wallets" for at least that long.

chuckie - 8-30-2013 at 07:53 AM

Old news indeed, and yet another thing that we can't do anything about. One of the reasons I don't use credit cards. If it makes you nervous, use cash. BUT these days a lot of people don't have any, that's why they use credit cards...

MitchMan - 8-30-2013 at 08:10 AM

elbeau,
Just how far away from a reader (inches, feet?) can a credit card be read in most cases?

SFandH - 8-30-2013 at 08:26 AM

It would be interesting to know exactly what information is contained on the chips.

I guess I could buy a reader.

UHF Handheld RFID Reader, Order Now!

Bruce R Leech - 8-30-2013 at 08:45 AM

try this
https://www.youtube.com/watch?feature=player_embedded&v=...

Bruce R Leech - 8-30-2013 at 09:35 AM

some readers can work from up to 12 feet away and can write info on your card also

DavidE - 8-30-2013 at 12:47 PM

I'd like to clone Carlos Slim's black American Express card on my hotel room access card. New Bugatti? No problemo! Hire a 175' schooner for an around the world trip? No problemo.

I could rig up a 9 volt thyristor fired pulse that would cause the magic black smoke to rise from any reader, counterfeit or no.

Actually, I had a nice talk with Wells Fargo. They are clued that an attempt to secure 1st class airfare to Damascus for 12, would more than likely not be legit. Same for one ATM withdrawal in Montpelier at 9:00AM and another in Tijuana at 1:00PM. If I purchase something online, it is sent to my PO box in Chula Vista. Otherwise it's all mid-Baja California usage.

elbeau - 8-30-2013 at 01:09 PM

Quote:
Originally posted by MitchMan
elbeau,
Just how far away from a reader (inches, feet?) can a credit card be read in most cases?


That's a trickier question than you may think. RFID chips like those in credit cards do not have any internal power source like a battery. They get powered by an electrical field that is generally produced by the same device that listens for the RFID transmission but there's no reason that the RFID reader can't be decoupled from the device producing the electrical field.

If you are purely interested in the "read range" of the credit card regardless of the electrical field range powering the tag, then very long ranges can be achieved. All you need is a sensitive antenna. When a credit card comes within the electric field produced by an RFID credit card machine it starts broadcasting your credit card information. People assume that only the nearby credit card machine can pick up the signal that is being broadcast but this is not true. All you have to do is point a decent antenna towards a legitimate RFID credit card machine and you will see people's credit card numbers when they use their cards.

So, to answer your question more directly, the power source creating the electric field that powers the RFID chip must be fairly close to the card but the antenna picking up the signal can be far away.

elbeau - 8-30-2013 at 01:32 PM

Quote:
Originally posted by Bruce R Leech
some readers can work from up to 12 feet away and can write info on your card also


It is true that almost all passive RFID chips like the ones in credit cards support 2-way communication and that is what blows my mind about the unencrypted implementations. You could make the whole implementation perfectly safe by doing asymmetric encryption. Let me explain:

Right now your credit card's RFID chip broadcasts your actual credit card number when the RFID reader powers the chip. Instead of doing this the reader should first contact the credit card company and obtain a token piece of text to send to the tag. The tag could then append your credit card number to the random text, encrypt the result, and broadcast the encrypted text instead of broadcasting your credit card number. The reader never needs to see your unencrypted number, it can just pass the encrypted message to the bank. The bank can decrypt the message to get your credit card number, check that the token is valid, and check that the token came from the machine it was initially issued to.

That may sound a little complicated but it's very easy to implement and is commonly used in other applications. The result is that the RFID works just the same for the consumer but your information is never broadcast out unencrypted. The merchant can't even see your credit card number which makes it much more secure than swiping your card.
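Added example, not part of elbeau's post and not any card network's real protocol: a Python sketch of the token exchange described in the post above, showing why a sniffed broadcast is useless for replay. The class and function names, the 0x01 framing byte, the terminal IDs and the card number are constructed for illustration, and a toy RSA key stands in for a real asymmetric scheme so the block runs with the standard library only.

```python
import secrets

# Toy RSA key for the bank, built from two Mersenne primes so the block needs
# no third-party library. NOT secure: a real design would use e.g. RSA-OAEP.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                            # public modulus, stored on every card
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the bank
TOKEN_LEN = 16

class Bank:
    def __init__(self):
        self.issued = {}             # outstanding token -> terminal it was issued to

    def issue_token(self, terminal_id):
        token = secrets.token_bytes(TOKEN_LEN)
        self.issued[token] = terminal_id
        return token

    def authorize(self, terminal_id, ciphertext):
        """Return the card number if the token checks out, else None."""
        m = pow(ciphertext, D, N)
        plain = m.to_bytes((m.bit_length() + 7) // 8, "big")
        if len(plain) <= 1 + TOKEN_LEN or plain[0] != 1:
            return None              # not a well-formed card response
        token, pan = plain[1:1 + TOKEN_LEN], plain[1 + TOKEN_LEN:]
        # pop() makes every token single-use, so a recorded broadcast is worthless
        owner = self.issued.pop(token, None)
        if owner is None or owner != terminal_id:
            return None              # unknown, reused, or issued to another terminal
        return pan.decode("ascii")

def card_respond(token, pan):
    """What the tag broadcasts: Enc_bank(0x01 || token || card number)."""
    m = int.from_bytes(b"\x01" + token + pan.encode("ascii"), "big")
    return pow(m, E, N)

def demo():
    bank, pan = Bank(), "4111111111111111"      # constructed test card number
    token = bank.issue_token("terminal-A")
    broadcast = card_respond(token, pan)        # all an eavesdropper can capture
    first = bank.authorize("terminal-A", broadcast)
    replay = bank.authorize("terminal-A", broadcast)
    second = card_respond(bank.issue_token("terminal-A"), pan)
    wrong_terminal = bank.authorize("terminal-B", second)
    return first, replay, wrong_terminal, broadcast != second

if __name__ == "__main__":
    print(demo())
```

The terminal in this sketch only relays the token and the ciphertext; it never holds the card number, and each broadcast differs because the token is fresh per transaction.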

DavidE - 8-30-2013 at 02:49 PM

When an unauthorized reader queries the chip let an unauthorized transponder reply with a 10 watt full course reply. Enough to fuse their circuitry.

chuckie - 8-30-2013 at 02:55 PM

Do we get the transponder on Ebay, how big is it, does it fit in a wallet?

elbeau - 8-30-2013 at 02:56 PM

Quote:
Originally posted by DavidE
When an unauthorized reader queries the chip let an unauthorized transponder reply with a 10 watt full course reply. Enough to fuse their circuitry.


That's also very true. It doesn't take much effort to fry the chips. It's not uncommon for passive tags to fry randomly with normal use. Intentionally frying them is very easy.

elbeau - 8-30-2013 at 02:58 PM

Quote:
Originally posted by chuckie
Do we get the transponder on Ebay, how big is it, does it fit in a wallet?


Umm...I'm starting to worry about why you want to know :P

MitchMan - 8-30-2013 at 03:00 PM

Thanks, elbeau.

Let me see if I understand. It sounds as though the credit card's RFID chip is capable of being empowered with electromagnetic energy (electromagnetic field) from an external source (such as an RFID reader) and then it, the credit card's RFID chip, then broadcasts electromagnetic energy waves that contain the credit card info.

It sounds like the credit card has to be close enough to the reader to be within the reader's energizing field. Right? Also, once the credit card RFID chip is energized and broadcasting, such broadcasted info can be picked up by an adequately "sensitive" antenna that could be far away, right?

All this, if I am correct, sounds like the RFID reader needs to be close to the credit card, but the antenna picking up the info broadcast by the energized credit card RFID chip can be much farther away from the credit card than the reader, right?

Lastly, it sounds like the RFID reader can be as far away from the RFID credit card as 12 feet.

Man, if I am right about this, that is absolutely and totally unacceptable.

elbeau, the method you described to provide security by employing the "token" text (or "key") coupled with encryption should be the only way this thing is implemented. Seems similar to the way that networks and password routines work.

EBay ?

MrBillM - 8-30-2013 at 03:08 PM

http://www.ebay.com/sch/i.html?_nkw=RFID+reader

Amazon ?

http://www.amazon.com/s?ie=UTF8&page=1&rh=i%3Aaps%2C...

elbeau - 8-30-2013 at 03:09 PM

Quote:
Originally posted by MitchMan
Thanks, elbeau.

Let me see if I understand. It sounds as though the credit card's RFID chip is capable of being empowered with electromagnetic energy (electromagnetic field) from an external source (such as an RFID reader) and then it, the credit card's RFID chip, then broadcasts electromagnetic energy waves that contain the credit card info.

It sounds like the credit card has to be close enough to the reader to be within the reader's energizing field. Right? Also, once the credit card RFID chip is energized and broadcasting, such broadcasted info can be picked up by an adequately "sensitive" antenna that could be far away, right?

All this, if I am correct, sounds like the RFID reader needs to be close to the credit card, but the antenna picking up the info broadcast by the energized credit card RFID chip can be much farther away from the credit card than the reader, right?

Lastly, it sounds like the RFID reader can be as far away from the RFID credit card as 12 feet.

Man, if I am right about this, that is absolutely and totally unacceptable.

elbeau, the method you described to provide security by employing the "token" text (or "key") coupled with encryption should be the only way this thing is implemented. Seems similar to the way that networks and password routines work.


You are correct about how it works, but the reader can be much farther away than 12 feet. The electric field size can't get much larger than that without breaking a lot of EM emission regulations, but the antenna can be much farther away.

Yes, the encryption protocols are commonly used in networking and are not specific to RFID implementations.

elbeau - 8-30-2013 at 03:16 PM

Quote:
Originally posted by elbeau
You are correct about how it works, but the reader can be much farther away than 12 feet. The electric field size can't get much larger than that without breaking a lot of EM emission regulations, but the antenna can be much farther away.


I just re-read what I wrote and need to clarify that the "reader" is the device reading the signal from the antenna, not the device creating the electric field, so the reader/antenna can be much farther away than 12 feet, but the device creating the electric field needs to be within several feet of the RFID tag.

MitchMan - 8-30-2013 at 03:29 PM

Thanks again, elbeau. That last post with clarification was invaluable.

dasubergeek - 9-1-2013 at 10:26 PM

All this tin-foil hat business. Look at your credit card. Find the little radio signal icon. Smash it with a hammer (try not to hit your magnetic strip, because that would be bad).

Done and done.