RFID Credit Card Skimming

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • RFID Credit Card Skimming

    Yesterday, I was talking to a producer for the CBS Evening News regarding credit and ATM/bank cards with embedded RFID chips being vulnerable to wireless skimming. CBS is currently working on a story about this, due to a CBS affiliate station's story:
    http://www.wreg.com/videobeta/?watch...a-1884ec348310

    CBS News' take on this is that the skimming is great TV, but it's probably only a small portion of things that can be skimmed or otherwise attacked by the populace, and they are interested in expanding the story. Our discussion went on for a while, and we talked about similar vulnerabilities pertaining to RFID including passports, EZPay, etc.

    In the middle of all this, the producer remarked that while this vulnerability was "brand new" to the public, my reactions were making it seem like this was old news to the infosec community. My response was that the touch-less credit card issue had been known and demonstrated going back at least 6 years, if not more. He said that the same type of reaction had occurred last April, when CBS had run the story about the copier imaging on hard drives. The public was aghast, but the infosec people they'd contacted all remarked "what took you so long?"

    DC discussion about copier HDs: https://forum.defcon.org/showthread.php?t=11313

    This in turn got us talking about known vulnerabilities in information security, and what types of things the infosec community might be worried about, but that the public is generally clueless about. The upshot is that CBS is interested in learning more, and talking publicly about these "publicly unknown" vulnerabilities. I said I'd give it some thought and get back to them.

    I've got my own list in my head, but I'm only one guy, so I'm throwing the question out to the community. Let me be clear, this probably won't garner attention for any individual, and it being TV news, it's almost guaranteed to have some level of FUD associated with it. However, I see this as a possible positive opportunity to point out some of those things we're always talking (and bitching) about, but that the public doesn't know exist. So I say to you: What things do you see as worrisome as a vulnerability in information security that can affect the general populace, yet the public is generally clueless about?
    Last edited by Thorn; December 14, 2010, 17:37. Reason: Fixed typo
    Thorn
    "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

  • #2
    Re: RFID Credit Card Skimming

    Attacking cookie-based and other authentication that happens over HTTP using wireless connections in places like Starbucks was like this, too. It did not become mainstream until there was a product (Firesheep) that visually conveyed the process in such a way that a camera crew could take still pictures, or video, and write up a story about it.

    As I mentioned before, during Defcon 5, Hobbit and Mudge provided a presentation on cracking passwords used by Windows, and during that presentation they explained this issue with the media and news. Paraphrased, "we made a tool to grab passwords and crack them from a shell and notified the media, but they were not interested, so we slapped on a GUI and suddenly, they were interested!"

    DIFR Wear has published videos demonstrating reading RFID from wallets, and passports, and then showing how their product helps to protect RFID from remote reading unless their wallet/passport-holder is open, but the CBS video you reference (assuming it is the one I saw) is a much better advertisement for the DIFRwear or in this case, idstronghold products, and just in time for Christmas. (Savvy promotion if you ask me, and this is not a sarcastic comment.)

    As for stuff that has been covered in the public, but not widely:
    * Chris Paget: Practical Cellphone Spying, which has been covered by Forbes, Wired, and DarkReading. However, a discussion on the ramifications of this and how it could be used to harm consumers could go to national news. They will more likely focus on "emergency response" and use risk of death, fire, and failure to respond to medical emergencies requested by cell phone to sensationalize the story, but if it helps to push cell phone vendors and telecommunications to use encryption, then consumers benefit.
    * Risks to DNS and cache poisoning, even though certificates, signing, and encryption exist to decrease this risk, but only when validation is used. There was an online article about how only a small percentage of domains are actually using protection, but I don't remember where I read it.
    * BGP and hijacking Internet networks. Though covered in 2008 (Anton Kapela & Alex Pilosov: Stealing The Internet - A Routed, Wide-area, Man in the Middle Attack) and discussed in the news when China accidentally "stole the internet for 15 minutes", the implications for us consumers and users of the Internet have not really been broadcast in a way that the general public found interesting or relevant to their lives.
    * Attacks into networks by trojaned USB devices. This appeared in one of the four episodes of the short-run Court TV show "Tiger Team." It has been discussed online, and there have been a few stories, but I don't remember it being picked up by national broadcast media. Here is an example 2006 article from Slashdot. This is still an issue today. This vector was cited in discussions about Stuxnet.

    The way I see it, previous discussions on these topics have failed to yield supportable solutions that get created, made available, and then installed/upgraded into a majority of the places they are used. As a result, these issues have either been judged as not important enough to spend resources for a fix, or not explained in such a way that people demand fixes and upgrades, and express their desire and willingness to pay for it.

    This is just my first pass on this. If I have time, I will try to think of more things that have been discussed but not really fixed or widely discussed in national media.
    Last edited by TheCotMan; December 14, 2010, 11:19.

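The Firesheep class of problem described above (a session cookie sent over plain HTTP on a shared wireless network) is fixed on the server side by marking cookies Secure and HttpOnly and by sending an HSTS header. The audit script below is an added example written for this thread, not code from any poster or product; the two header sets it checks are constructed samples, and the cookie names and the HSTS age threshold are assumptions.

```python
"""Audit a server's response headers for the cookie/transport flags that stop
sessions from being captured over plain HTTP (added example; sample headers
are constructed, not captured from any real site)."""

from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    problems: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attributes are keyed by lowercase name; bare flags such as Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_cookie(header_value):
    """Return a CookieFinding listing each missing protection for one cookie."""
    name, _, attrs = parse_set_cookie(header_value)
    finding = CookieFinding(name)
    if "secure" not in attrs:
        finding.problems.append(
            "missing Secure: sent over plain HTTP, so anyone on the same network can copy it")
    if "httponly" not in attrs:
        finding.problems.append("missing HttpOnly: readable by script, so XSS can steal it")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        finding.problems.append("missing SameSite=Lax/Strict: sent on cross-site requests")
    return finding


def hsts_ok(header_value, min_age=15552000):
    """True if Strict-Transport-Security carries a max-age of at least min_age
    seconds (180 days here, an assumed policy threshold)."""
    for directive in header_value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val) >= min_age
    return False


def audit_response(headers):
    """headers: list of (name, value) pairs as the server sent them.

    Returns {"cookies": {cookie_name: [problem, ...]}, "hsts": bool}.
    """
    report = {"cookies": {}, "hsts": False}
    for hname, hval in headers:
        lname = hname.lower()
        if lname == "set-cookie":
            finding = audit_cookie(hval)
            report["cookies"][finding.name] = finding.problems
        elif lname == "strict-transport-security":
            report["hsts"] = hsts_ok(hval)
    return report


# Constructed samples: the weak set is what Firesheep-era sites typically sent,
# the hardened set is the corrected configuration.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c7e; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=3f9a1c7e; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        report = audit_response(hdrs)
        print(f"[{label}] HSTS ok: {report['hsts']}")
        for cookie, problems in report["cookies"].items():
            print(f"  {cookie}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the headers a real site returns (for example the pairs from `response.raw_headers` or a saved curl trace) and treat any finding on a session cookie as a must-fix; the `theme` cookie in the hardened set is deliberately left without HttpOnly to show that non-session cookies still get flagged and the policy decision is yours.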
    • #3
      Re: RFID Credit Card Skimming

      Awesome examples.

      I'm still surprised at how many WEP networks I run into. Also, the recent news about Gawker and some interactions with a terrible company that maintains a piece of software I have to use for work has me thinking a lot about password storage policies.

      • #4
        Re: RFID Credit Card Skimming

        I've been having great success lately with the privacy conferences and educating them about these sorts of things.

        One point I make is the hacker community tends to be 2-5 years ahead of the community. Keeping an eye on the abstracts from conferences and not marginalizing our contributions would go a long way to keeping things secure. If there's something on our radar, you can bet that it'll be an issue in 2-5 years, so why not get a jump on things.

        DECT sniffing and good old analog radio (headsets) have been a great source of entertainment for me lately. In addition, the sheer amount of Facebook traffic (non-Firesheep) that I see is terrifying. Mix that with EXIF GPS data and you have quite a terrifying amount of risk that these guys never had a clue about.

        I'll think more about it. The obvious one is the stupidity at airports, but that's a whole topic on its own.
        Never drink anything larger than your head!

        • #5
          Re: RFID Credit Card Skimming

          And here is another pass at this with 4 more:
          (I don't want to grab all of the ideas people might want to post about. These ideas are mostly from looking over the past 3 Defcon listings of presentations, and then finding presentations or topics related to these topics from earlier presentations.)



          1) TMI (Too Much Information)

          The dangers of "TMI" (Too Much Information) with respect to "social networking" have been a recurring issue, but people still freely give up "too much information" online.
          Consider one of the recent high-profile "hacks": VP candidate Palin's email. (Please no politically charged comments about the person, party or political complaints.)
          "As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search."
          This is not unusual. It has happened before with other people that leave "private" information used as secrets to authenticate themselves, but share these secrets with other people.
          This same problem manifests itself with con games over the telephone, where people give up information about themselves, and telephones existed before the Internet and its social networks. It is a recurring problem in two spaces:
          * Who do you trust and how is trust established?
          * What information do you keep secret from which people?
          It also came up in another form with the publicized website:
          http://pleaserobme.com/, which attempted to determine which people were not home based on information they broadcast through social networking, leaving an empty house to rob while they were away.



          2) Portable Devices

          The topic of exploits against portable electronic devices (like phones and Bluetooth-enabled devices) is a recurring theme, with new issues announced but seldom ever fixed:
          * Kevin Mahaffey, John Hering, Anthony Lineberry: Is your Iphone Pwned? Auditing, Attacking and Defending Mobile Devices
          * Collin Mulliner: Advanced Attacks Against PocketPC Phones From Defcon 14.
          * JP Dunning: Breaking Bluetooth By Being Bored Defcon 18
          * Dominic Spill, Michael Ossmann, Mark Steward: Bluetooth, Smells Like Chicken Defcon 17



          3) The police are not your friends

          Something that even the brightest people trip over:
          "The Police are not your Friends"
          Their job is not to prevent crime, but to document crimes as or after they are committed and then do their best to provide sufficient evidence to ensure that district attorneys' prosecution of people for committing crimes is successful. Said more simply: "law enforcement." Some police are lazy, and some work hard. The ones that are lazy may choose the shortest path, and if you are their destination, bad news for you. The ones that are overworked may not have the time or resources to give each case the time it deserves, and if you "seem" like the best candidate (so far), then bad news for you.
          Because our laws are mostly about protecting property, life, and attributing penalties for violating our freedom/choice, the argument is often posed as follows: since police enforce these laws, and laws are designed to protect property, life and penalize violations of freedom and choice, they serve the public good and/or safety.
          However, this attribute is provided as a result of logical conclusion, not by direct description of their responsibilities.
          Understand, I am not saying, "do not help the police, " or, "fuck the police." No. I am only saying they are not your personal friend looking out for your personal interest. Sometimes it is in your interest to help the police, and sometimes it is not, but they are not your friends.
          Where am I going?
          * Jim Rennie: So You Got Arrested in Vegas... (mostly humorous review of what kinds of laws might be broken, and what might happen.)
          * I think I remember Jennifer Granick provided a presentation at a past Defcon, where she asked the audience to repeat after her, "I want to talk to my lawyer," and in this presentation, she gives some examples of how saying anything to the police can be twisted and turned against you. (I am having trouble locating that presentation -- I hope it was not just from my imagination.)
          If you really want to provide help to the police, pass your help through your lawyer.
          (I am not a lawyer; this is not legal advice.)



          4) ATM Skimming..

          * Robert Morris: ATM Network Vulnerabilities, Defcon 13, 5 years ago. This was about "ATM Skimming", as well as the introduction of "fake" ATMs where all of the hardware is configured to steal copies of mag stripe data and PINs, and shoulder surfing. (Low-tech: "shoulder surfing" + "theft of physical card or receipt", fork-lift and carry ATM away,
          * Slashdot: "Cybergang Compromises Every ATM In Russian City": specially designed malware to compromise ATMs in Russia.
          * Crooks Hack Music Players For ATM Skimmers which cites a 1992 Phrack document.
          * I think there was another Defcon presentation where the presenter showed slides of some examples of false attachments to ATMs designed to copy mag stripe data, and a camera to record finger motions during entry of the PIN for the card that was inserted, but I was not able to find it.

          You can find more stories like this, including articles in 2600, if you want. The point here? It is still an issue and still has not been solved and will come up again.
          Last edited by TheCotMan; December 15, 2010, 10:04.

          • #6
            Re: RFID Credit Card Skimming

            Thanks, Cot, for all the input and thoughts. Some of this stuff is the same as things I've thought of, but it's nice to have it confirmed. I did think of looking over the DC topics, but hadn't gotten to it.

            Thanks too, to Renderman and chrono.

            As to the rest of you, come on! You know you've got some thoughts on the subject. Let's hear them!
            Thorn
            "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

            • #7
              Re: RFID Credit Card Skimming

              This came up recently at a friend's house for a party, wireless video baby monitors. With our 2nd arriving and people wanting to get stuff, it was a common question asked, even assumed that we would want one.

              Of course I went into the generic, 2.4GHz...unencrypted...no authorization necessary...strangers watching your kids...blah blah blah. People were genuinely surprised with that.
              Aut disce aut discede

              • #8
                Re: RFID Credit Card Skimming

                Originally posted by AlxRogan:
                This came up recently at a friend's house for a party, wireless video baby monitors. With our 2nd arriving and people wanting to get stuff, it was a common question asked, even assumed that we would want one.

                Of course I went into the generic, 2.4GHz...unencrypted...no authorization necessary...strangers watching your kids...blah blah blah. People were genuinely surprised with that.
                Have you seen the 2.4ghz after market backup cameras they sell for vans and such? Guess what their little display can pick up while driving around? :)
                A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                • #9
                  Re: RFID Credit Card Skimming

                  Originally posted by streaker69:
                  Have you seen the 2.4ghz after market backup cameras they sell for vans and such? Guess what their little display can pick up while driving around? :)
                  I have not seen those, even better!

                  "Don't back up Sam, there's a crib there!"
                  Aut disce aut discede

                  • #10
                    Re: RFID Credit Card Skimming

                    Originally posted by AlxRogan:
                    I have not seen those, even better!

                    "Don't back up Sam, there's a crib there!"
                    It's even more disturbing when the one in your van picks up someone else's backup camera in a parking lot.

                    I've considered modifying the display that I have to maybe put an external antenna on it.
                    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                    • #11
                      Re: RFID Credit Card Skimming

                      Originally posted by renderman:
                      One point I make is the hacker community tends to be 2-5 years ahead of the community. Keeping an eye on the abstracts from conferences and not marginalizing our contributions would go a long way to keeping things secure. If there's something on our radar, you can bet that it'll be an issue in 2-5 years, so why not get a jump on things.
                      Very much so. I am always baffled because hackers are almost always portrayed in a negative light. Okay, so what black (and grey) hats do may not be completely legit, but it's thanks to hacking (obviously amongst other reasons) that modern technology is as advanced as it is today, and is still advancing at a quick pace.

                      As for this topic, there is a show on television here in the UK and Ireland where the presenters show how to prevent being 'hustled' by scams carried out on a regular basis by scam artists and hackers... They show how to prevent it by actually scamming 'random, everyday people' off the street (and then obviously giving them their money back)... But one 'scam' I saw was where they rigged an ATM with a card reader by putting a shell over the ATM...

                      Here is the video:
                      http://www.youtube.com/watch?v=OOiCufYGH9I
                      while 1 == 1:
                          print "Help, I've got myself stuck in a loop."

                      • #12
                        Re: RFID Credit Card Skimming

                        Originally posted by DjDamyard:
                        I am always baffled because hackers are almost always portrayed in a negative light...
                        Simple. This is summarized in an old quote:

                        [Don't] "Kill the messenger."

                        It is the nature of many people to blame any person that conveys bad news as though that will solve the problem or deny its existence. Related to this is another quote, "stick your head in the sand," which like killing the messenger, can be another source of denial that a problem even exists; it is like a passive form of killing a messenger: pretending they and the bad news does not exist.

                        • #13
                          Re: RFID Credit Card Skimming

                          Okay. One more:
                          * Security by obscurity, or maybe just poor choice of "proprietary [ciphers &] algorithms"
                          Originally posted by url:
                          Car immobilizers cracked due to crappy proprietary crypto
                          ... proprietary algorithms ...
                          ... Most cars still use either a 40 or 48-bit key ...
                          ... one manufacturer was even found to use the vehicle ID number as the supposedly secret key for this internal network. The VIN, a unique serial number used to identify individual vehicles, is usually printed on the car. "It doesn't get any weaker than that," Nohl says.
                          (Link to story from tweet by WeldPond retweeting a tweet from daveaitel.)

                          • #14
                            Re: RFID Credit Card Skimming

                            A more specific example for me would be the user-rekeyable locks that Kwikset and now Schlage have produced. I still see these appearing in commercial spaces and mixed up with all sorts of swooning chatter about how wonderful they are, when they actually offer less security against a dedicated, specialized attacker.

                            These are great for rental units or places with high turnover and generally low security needs (read: brute force or street criminal threat only, no sensitive IP or techy info valuables inside that would ever be targeted by high-end thieves or corporate infiltrators).

                            These locks are totally the wrong solution for almost all "business" spaces that I can think of, save for maybe a hot dog cart.
                            "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
                            - Trent Reznor

                            • #15
                              Re: RFID Credit Card Skimming

                              "What things do you see as worrisome as a vulnerability in information security that can affect the general populace, yet the public is generally clueless about?"

                              Hmmm... well, let's see...
                              Surely some of these things the public knows about on a lil level..
                              BumpKeys, RFID Skimming, Man In the Middle Attacks, Fake Honeypots, Car Immobilizer Encryption (cracked), mentioned already, OptiCom Strobe technology (CHROME BOX), and if ya pack on an IR filter only a camera will see that strobe, Scanners (CHIPCON CC1010) programmable chip could be used to sit there from 0 MHz to 1 GHz and scan, WEP (everyone knows of WEP's flaws), elf EMP, rootkits, wireless video camera jammers, wireless video sniffers, cell phone jammers... I'll list more as they come to me.. Problem is this.. even though you sit and tell the public about all sorts of security problems, they still don't listen. How much malware is reported on the internet, and yet people still click click on everything, they still fall for scams... It's funny and sad.. They want the laissez-faire attitude yet cry to govt for help when stuff goes wrong... Damned if you do, damned if you don't... They'll prob hate ya just for going public with non-public information. Which is where the media comes into play.. Good luck Thorn... Educate the Masses!
                              Last edited by JMC31337; December 22, 2010, 14:53.
                              Your Life Is Your Crime, It's Punishment Time
