Announcement

**xor** · January 16, 2010, 12:08

Re: Best Buy "TAG"

Originally posted by facon12 View Post

I don’t know if anyone else has seen this but if I were a best buy customer I would honestly be upset about this. A few people I know were sent an e-mail stating that they had been automatically enrolled in the "Tag" program and would be receiving their tag in the mail. Basically what this is, is a sticker with an rfid tag of some kind with their account information in it. The suggestion from Best Buy is to put this sticker on your cell phone so that you can just wave your phone over the reader in their stores to pay for purchases, and that for any purchase under $50 they don’t require a signature. My first reaction to this is that this is just a huge security issue since customers don’t even have a choice about whether or not they can enroll in this program.
The Best Buy page provides the following in their FAQ about security concerns on the Tag website.

"The PayPass™ feature uses special security technology and typically, at the checkout when you tap your tag it must be within an inch or two of the "contactless symbol" on the payment reader"
https://www.rzmctag.com/

To some people security is not a concern and so they sign up for credit cards that come with RFID tags, but it seems to me to violate a customer’s desire for security by simply sending them the tag with no choice. Obviously you can choose not to use the tag, and those who have this concern don’t have to, and can probably destroy the tag. I just think that, especially with a technology such as rfid that has had questions raised before, that a company should be obligated to ask its customers before just signing them up.

I was just wondering if anyone else had seen these and had any thoughts about it. Im mostly curious about how good the "encryption" is on the card that would prevent someone from just scanning the card and making a copy with another rfid tag. I know there are technologies that prevent this, but it just seems like a risk that shouldn't just be pushed onto customers without their permission

RFID chips are what microwave ovens are for.

xor

**Thorn** · January 16, 2010, 14:50

Re: Best Buy "TAG"

Originally posted by facon12 View Post

I was just wondering if anyone else had seen these and had any thoughts about it. Im mostly curious about how good the "encryption" is on the card that would prevent someone from just scanning the card and making a copy with another rfid tag.

Encryption? Surely, you jest. The chips used in these cards are too small and too underpowered to have encryption. http://tv.boingboing.net/2008/03/19/...-an-rfide.html

Originally posted by facon12 View Post

I know there are technologies that prevent this, but it just seems like a risk that shouldn't just be pushed onto customers without their permission

Get used to it. There are a number of cards, including MasterCard and Visa that have this technology, and none use encryption. I carry all my credit and ATM cards in a shielded wallet that blocks RF to specifically prevent this kind of attack. http://www.difrwear.com/product-display.php

**TheCotMan** · January 16, 2010, 15:06

Re: Best Buy "TAG"

Originally posted by Thorn View Post

I carry all my credit and ATM cards in a shielded wallet that blocks RF to specifically prevent this kind of attack. http://www.difrwear.com/product-display.php

I own one of these as a wallet and another for my passport, and gave them to family for traveling abroad as a gift near the end of 2008. You just need to remember to put your wallet and passport holder in the "dish" when walking through the metal detectors in airport security.

People are being provided with a technology that is supposed to make purchasing easier, with fewer moving parts for breakdown with each transaction. (Receipts still involve moving parts.) They put consumer credit scores at risk, and when theft occurs with cloned RFID, the credit card companies will either stop using this technology, change the technology, or push the burden of responsibility for theft of RFID onto the consumer that "allowed the tag to get stolen/copied."

**streaker69** · January 16, 2010, 15:22

Re: Best Buy "TAG"

I just ordered and RFID safe wallet yesterday.

As for Best Buy, I think it's a really bad idea for them to be opting consumers into such a service. I'm sure they're thinking is that they're safe because they'll be including a letter explaining everything, which no one will read.

**AgentDarkApple** · January 16, 2010, 16:25

Re: Best Buy "TAG"

Originally posted by facon12 View Post

I don’t know if anyone else has seen this but if I were a best buy customer I would honestly be upset about this. A few people I know were sent an e-mail stating that they had been automatically enrolled in the "Tag" program and would be receiving their tag in the mail. Basically what this is, is a sticker with an rfid tag of some kind with their account information in it. The suggestion from Best Buy is to put this sticker on your cell phone so that you can just wave your phone over the reader in their stores to pay for purchases, and that for any purchase under $50 they don’t require a signature. My first reaction to this is that this is just a huge security issue since customers don’t even have a choice about whether or not they can enroll in this program.

You are right that this should not be happening without the customer's prior consent. I am surprised this does not violate some law pertaining to use of customer information. I see it as a way of taking advantage of consumer ignorance - most people have no idea about the vulnerabilities associated with RFID. If I get one of those things in the mail, I will promptly destroy it. It would not make things more convenient for me anyway because 1) I am not sticking crap like that on my phone and 2) it's not like I can get out of Best Buy with a purchase of less than $50

**facon12** · January 16, 2010, 19:59

Re: Best Buy "TAG"

Originally posted by Thorn View Post

Encryption? Surely, you jest. The chips used in these cards are too small and too underpowered to have encryption. http://tv.boingboing.net/2008/03/19/...-an-rfide.html

I assumed this was the case and there was no encryption, but I figured it best to at least ask first as I am not the most informed about rfid. The thing that confuses me the most about their decision to do this is that they actually suggest you put this sticker/tag on your cell phone. I am very careful with my wallet and phone, but I am much more likely to set my phone down for a moment where someone might be able to get close to it than my wallet. Also if I lose my phone, I have to get my card info changed adding one more frustrating step to an already annoying situation.

**Thorn** · January 17, 2010, 07:58

Re: Best Buy "TAG"

Originally posted by facon12 View Post

I assumed this was the case and there was no encryption, but I figured it best to at least ask first as I am not the most informed about rfid. The thing that confuses me the most about their decision to do this is that they actually suggest you put this sticker/tag on your cell phone. I am very careful with my wallet and phone, but I am much more likely to set my phone down for a moment where someone might be able to get close to it than my wallet. Also if I lose my phone, I have to get my card info changed adding one more frustrating step to an already annoying situation.

The "encryption" in this case is that there is no customer name and account number on the stick-on card. However, the name and account number coded into the RFID tag is still in cleartext. It has to be, because the card readers that use the MasterCard PayPass® RFID technology only read cleartext.

There has been at least one RFID/credit devices that does use encryption, namely the ExxonMobil Speedpass. However, the tags used in these devices are rather large in comparison to the RFID circuitry used in the cards. Furthermore, the encryption level is only 40-bit, and was broken in 2005 by a research team from Johns Hopkins University.

Best Buy encourage the sticker being placed on the back of the cell phone as a matter of convenience. Look at it this way: A customer is very likely to have their phone with them, it's easier for most people to grab their phone, rather than dig a card out of a wallet, and this use -as with any card- guarantees payment for the merchant. On top of all that, again with most credit cards, the security falls entirely on the customer. What makes this worse is that the customer doesn't understand the technology, and has no concept of how their information is vulnerable.

**xor** · January 17, 2010, 09:56

Re: Best Buy "TAG"

Originally posted by Thorn View Post

Best Buy encourage the sticker being placed on the back of the cell phone as a matter of convenience. Look at it this way: A customer is very likely to have their phone with them, it's easier for most people to grab their phone, rather than dig a card out of a wallet, and this use -as with any card- guarantees payment for the merchant. On top of all that, again with most credit cards, the security falls entirely on the customer. What makes this worse is that the customer doesn't understand the technology, and has no concept of how their information is vulnerable.

Have you seen some womens purses? You could lose and infant in some of those.

xor

**renderman** · January 17, 2010, 15:35

Re: Best Buy "TAG"

Read an interesting article the other day that BB is getting into a pissing match with Mastercard over the contactless payment thing. This may be related.

Also read that if you use the contactless system without a PIN, it costs the retailer less in charges from master card than if you swipe/sign. it's the same on the back end, it just seems like they want to push the less secure solution more.

I'll see if I can find the article again and post it here. Until then, this post is just conjecture.

**renderman** · January 17, 2010, 15:39

Re: Best Buy "TAG"

On a related note, I wonder how these guys would freak out if you waved a proxmark or other RFID cloner past their reader and played back the details of your 'tag'.

That would be worth filming

**barry99705** · January 17, 2010, 17:16

Re: Best Buy "TAG"

Originally posted by renderman View Post

Read an interesting article the other day that BB is getting into a pissing match with Mastercard over the contactless payment thing. This may be related.

Also read that if you use the contactless system without a PIN, it costs the retailer less in charges from master card than if you swipe/sign. it's the same on the back end, it just seems like they want to push the less secure solution more.

I'll see if I can find the article again and post it here. Until then, this post is just conjecture.

Heh, my wife's mastercard debit card won't work as a debit card at best buy. You have to run it as a credit card or the system won't take it.

**beakmyn** · January 18, 2010, 08:45

Re: Best Buy "TAG"

I stopped shopping at BestBuy when I went to kiosk to look-up a part number and the BestBuy said to purchase it through the kiosk and pick it up at the counter. No sooner did the red flag in my head go off and the kiosk's Internet Explorer conviently auto-filled in the entire Name,Address,CC# etc with another customer's data. I did a quick looksy and found that it had auto-saved dozens of customer's personal/payment information. I pointed out the issue and the answer from Best Buy, "Is that a problem?".

My CC used to have a chip, then it met Mr. Microwave and then mr. Scalpel. I know have a hole in my card.

My passport is in a Shmoocon RFID wallet (thanks Bruce!) and I keep it in my hand when I go through the magnetometer. So, far TSA has never questioned me further after I say "It's the RFID blocker in the wallet"

BTW, I've got half a dozen or so RFID sample tags in my bag and a naked Exxon mobile speedpass just for giggles.

Just as planned from 2007: http://www.rfidjournal.com/article/a...view/3422/1/1/

**Deviant Ollam** · January 18, 2010, 09:26

Re: Best Buy "TAG"

Originally posted by beakmyn View Post

I keep [My passport] in my hand when I go through the magnetometer

interstingly... i, too, refuse to surrender my passport at any time and for any reason other than border control. i won't give the passport to local merchants and the like (a common request in other countries, especially when attempting to buy SIM cards or other data services*) and even get irked when security flunkies attempt to make passengers place their passport on the x-ray belt.

i've seen some places where the policy is absolutely vicious... demands shouted over and over and passengers pushed back through the machine and made to hand it over, etc. in many of these airports there have been crowds and the additional ordering around of people has caused even more confusion and amid the bluster people get separated from their bags (no huge risk, hard to walk off with the wrong bag) and sometimes even documents (much scarier risk... at least one time i was claiming my things and a little white dish slid down next to my carry-on with someone else's passport in it. i could have quietly lifted it and strolled off. unknown how far i would have gotten... but still fucking freaky to me)

i now leave my passport in my back pocket at all times. i had one of the very last non-RFID passports (i'm so happy about that, i must say) so the wallet issue doesn't take place with me. but yeah... even taking my passport out in public for anything other than a Border Agent doesn't sit right with me.

* i keep a blurry photocopy for that purpose, which i've tweaked in photoshop to make even more blurry in a few places so they have to ask "uh... how exactly do you spell your name?" and maybe i'll mumble and steer them in a less than ideal direction. there is a whole story behind this from our first trip to Malaysia. ask me later.

Announcement

Best Buy "TAG"

Best Buy "TAG"

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment