Another RFID Hack – Contactless Credit Cards

Contributed by Joanne Kelleher

Another week and another blog entry about hacking RFID – this time it is contactless credit cards. Unlike the Mifare story which has received lots of international attention (see http://www.securerf.com/RFID-Security-blog/?p=46), so far this story had only been picked up by a few technology blogs. Maybe it is old news just presented in a new way.

IT security expert, hacker and inventor Pablos Holman shows reporter Xeni Jardin of Boing Boing tv, how you can use gear bought on eBay to read personal data such as cardholder name and credit card number from an RFID enabled American Express credit card.
http://tv.boingboing.net/2008/03/19/how-to-hack-an-rfide.html

Pablos has hooked up a ViVOpay 5000 Contactless Payment Reader from ViVOtech to his laptop and uses it to capture the credit card data. He points out that one of the problems is that the decryption of the credit card data is being done by the reader at the countertop rather than at the financial institution’s secure data center. Pablos doesn’t clarify if the reader he purchased is processing this decryption or if he has written a hack for his laptop to handle this. He does show the credit card number and name displayed on the screen.

On the American Express website I found no response to this hack and very little about the security or technical details of their ExpressPay cards. For example, in doing a search on their site for RFID I received zero results (but their search engine spellchecker “helpfully” gave me all the results for REID).

The Smart Card Alliance has posted a Q&A called Contactless Payments Security Questions & Answers because ”recent media reports have raised questions about the security of contactless payment transactions and the risk of fraud to consumers.”

“While it is technically possible for a contactless payment card or device to be read illicitly, this scenario is unlikely. In the event that a criminal did read the information from a contactless payment device, the security features designed into the device, the payment terminal and the payment system (see questions 2 and 4) would prevent the information from being used to create fraudulent contactless transactions.”

http://www.smartcardalliance.org/pages/publications-contactless-payment-security-qa

Pablos plans to continue his work so that the cards can be read from further away. He hasn’t published if he would be able successfully, if illegally, use the credit card data he captured to process transactions.

Trackbacks & Pings

  1. Current trends in cyber attacks on mobile and embedded systems « Embedded Computing Design on 05 Oct 2009 at 5:55 pm

    [...] Joanne Kelleher, “Another RFID Hack – Contactless Credit Cards,” RFID Security, March 25, 2008, http://www.securerf.com/RFID-Security-blog/?p=47 [...]

  2. Current trends in cyber attacks on mobile and embedded systems at RFID Security on 30 Oct 2009 at 4:35 pm

    [...] $250? Cloning Electronic Passport Cards  with the  Not really cloning…  follow up (2/2009) and Another RFID Hack – Contactless Credit Cards  [...]

Comments

  1. rob wrote:

    i am new to RFID enabled card reader. Do all RFID enabled read credit cards? how do you know if my credits have been.

    Posted 20 Sep 2009 at 12:39 am

Post a Comment

Your email is never published nor shared. Required fields are marked *

*

*


«
»