RFID Credit Card Skimming

Re: RFID Credit Card Skimming

Attacking cookie-based and other authentication that happen over http using wireless connections in places like Starbucks was like this, too. It did not become mainstream until there was a product (firesheep) that visually conveyed the process in such a way that a camera crew could take still pictures, or video, and write up a story about it.

As I mentioned before, during Defcon 5, Hobbit and Mudge provided a presentation on cracking passwords used by windows and during that presentation, they explained this issue with the media and news. Paraphrased, "we made a tool to grab passwords and crack them from a shell and notified the media, but they were not interested, so we slapped on a GUI and suddenly, they were interested!"

DIFR Wear has published videos demonstrating reading RFID from wallets, and passports, and then showing how their product helps to protect RFID from remote reading unless their wallet/passport-holder is open, but the CBS video you reference (assuming it is the one I saw) is a much better advertisement for the DIFRwear or in this case, idstronghold products, and just in time for Christmas. (Savvy promotion if you ask me, and this is not a sarcastic comment.)

As for stuff that has been covered in the public, but not widely:
* Chris Paget: Practical Cellphone Spying which has been covered forbes, wired, DarkReading. However, a discussion on the ramification of this and how it could be used to harm consumers could go to national news. They will more likely focus on "emergency response" and use risk of death, fire, and failure to response to medical emergencies requested by cell phone to sensationalize the story, but if it helps to push cell phone vendors and telecommunications to use encryption, then consumers benefit.
* Risks to DNS and cache poisoning, even though certificates, signing, and encryption exists to decrease this risk, but only when validation is used. There was an online article about how only a small percent of domains is actually using protection, but I don't remember where I read it.
* BGP and highjacking internet networks, though covered in 2008 (Anton Kapela & Alex Pilosov: Stealing The Internet - A Routed, Wide-area, Man in the Middle Attack) and discussed in the news when China accidentally "stole the internet for 15 minutes", the implications for us consumers and users of the Internet has not really been broadcast in a way that the general public found interesting or relevant to their lives.
* Attacks into networks by trojaned USB devices. This appeared in the short-run Court TV show, one of four episodes of, "Tiger Team." It has been discussed online, and there have been a few stories, but I don't remember it being picked up by national broadcast media. Here is an example 2006 article from slashdot. This is still an issue today. This vector was cited in discussions about Stuxnet.

The way i see it, is previous discussions on these topics have failed to yield supportable solutions to be created, made available, and then installed/upgraded into a majority of places it is used. As a result, these issues have either been judged as not important enough to spend resources for a fix, or not explained in such a way that people demand fixes and upgrades, and express their desire and willingness to pay for it.

This is just my first pass on this. If I have time, I will try to think of more things that have been discussed but not really fixed or widely discussed in national media.

Re: RFID Credit Card Skimming

Awesome examples.

I'm still surprised at how many WEP networks I run into. Also, the recent news about Gawker and some interactions with a terrible company that maintains a piece of software I have to use for work has me thinking a lot about password storage policies.

Re: RFID Credit Card Skimming

I've been having great success lately with the privacy conferences and educating them about these sorts of things.

One point I make is the hacker community tends to be 2-5 years ahead of the community. Keeping an eye on the abstracts from conferences and not marginalizing our contributions would go a long way to keeping things secure. If there's something on our radar, you can bet that it'll be an issue in 2-5 years, so why not get a jump on things.

DECT sniffing and good old analog radio (headsets) have been a great source of entertainment for me lately. In addition, the sheer amount of facebook traffic (non-firesheep) that I see is terrifying. Mix that with EXIF GPS data and you have quite a terrifying amount of risk that these guys never had a clue.

I'll think more about it. The obvious one if the stupidity at airports, but that's a whole topic on it's own.

Re: RFID Credit Card Skimming

And here is another pass at this with 4 more:
(I don't want to grab all of the ideas people might want to post about. These ideas are mostly from looking over the past 3 Defcon listings of presentations, and then finding presentations or topics related to these topics from earlier presentations.)



1) TMI (Too Much Information)

The dangers of "TMI" (Too Much Information) with respect to "social networking" has been a recurring issue, but people still freely give up "too much information" online.
Consider some recent of the high profile "hacks" with VP Candidate Pailin email. (Please no politically charged comments about the person, party or political complaints.)
"As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search."
This is not unusual. It has happened before with other people that leave "private" information used as secrets to authenticate themselves, but share these secrets with other people.
This same problem manifests itself with con games over the telephone, where people give up information about themselves, and telephones existed before the Internet and its social networks. It is a recurring problem in two spaces:
* Who do you trust and how is trust established?
* What information do you keep secret from which people?
It also came up in another form with the publicized website:
http://pleaserobme.com/ that attempted to determine what people were not home based on information they broadcast through social networking, leaving an empty house to rob while they were away.



2) Portable Devices

The topic of exploits against portable electronic devices (like phones, and bluetooth-enabled devices) is often a recurring theme with new issues announced, but seldom ever fixed:
* Kevin Mahaffey, John Hering, Anthony Lineberry: Is your Iphone Pwned? Auditing, Attacking and Defending Mobile Devices
* Collin Mulliner: Advanced Attacks Against PocketPC Phones From Defcon 14.
* JP Dunning: Breaking Bluetooth By Being Bored Defcon 18
* Dominic Spill, Michael Ossmann, Mark Steward: Bluetooth, Smells Like Chicken Defcon 17



3) The police are not your friends

Something that even the brightest people trip over:
"The Police are not your Friends"
Their job is not to prevent crime, but document crimes as or after they are committed and then do their best to provide sufficient evidence to ensure that district attorneys prosecution of people for committing crimes is successful. Said more simply: "law enforcement." Some police are lazy, and some work hard. The ones that are lazy may choose the shortest path, and if you are their destination, bad news for you. The ones that are overworked may not have the time or resources to give each case the time each one deserves, and if you "seem" like the best candidate (so far) then bad news for you.
Because our laws are mostly about protecting property, life, and attributing penalties for violating our freedom/choice, the argument is often posed as follows: since police enforce these laws, and laws are designed to protect property, life and penalize violations of freedom and choice, they serve the public good and/or safety.
However, this attribute is provided as a result of logical conclusion, not by direct description of their responsibilities.
Understand, I am not saying, "do not help the police, " or, "fuck the police." No. I am only saying they are not your personal friend looking out for your personal interest. Sometimes it is in your interest to help the police, and sometimes it is not, but they are not your friends.
Where am I going?
* Jim Rennie: So You Got Arrested in Vegas... (mostly humorous review of what kinds of laws might be broken, and what might happen.)
* I think I remember Jennifer Granick provided a presentation at a past Defcon, where she asked the audience to repeat after her, "I want to talk to my lawyer," and in this presentation, she gives some examples of how saying anything to the police can be twisted and turned against you. (I am having trouble locating that presentation -- I hope it was not just from my imagination.)
If you really want to provide help to the police, pass your help through your lawyer.
(I am not a lawyer; this is not legal advice.)



4) ATM Skimming..

* Robert Morris: ATM Network Vulnerabilities: Defcon 13, 5 years ago, this was about "ATM Skimming", as well as the introduction of "fake" ATM where all of the hardware is configured to steal copies of mag stripe data and PIN, and shoulder surfing. (Low-tech: "shoulder surfing"+"theft of physical card or receipt", fork-lift and carry ATM away,
* Slashdot: "Cybergang Compromises Every ATM In Russian City": Specially designed malware designed to compromise ATM in Russia.
* Crooks Hack Music Players For ATM Skimmers which cites a 1992 Phrack document.
* I think there was another Defcon presentation where the presenter showed slides of some examples of false attachments to ATM designed to copy mag stripe data and a camera to copy finger motions for entry of PIN with the card that was inserted, but I was not able to find it.

You can find more stories like this, including articles in 2600, if you want. The point here? It is still an issue and still has not been solved and will come up again.

Re: RFID Credit Card Skimming

Thanks, Cot, for all the input and thoughts. Some of this stuff are the same things I've thought of, but it's nice to have it confirmed. I did think of looking over the DC topics, but hadn't gotten to it.

Thanks too, to Renderman and chrono.

As to the rest of you, come on! You know you've got some thoughts on the subject. Let's hear them!

Re: RFID Credit Card Skimming

This came up recently at a friend's house for a party, wireless video baby monitors. With our 2nd arriving and people wanting to get stuff, it was a common question asked, even assumed that we would want one.

Of course I went into the generic, 2.4GHz...unencrypted...no authorization necessary...strangers watching your kids...blah blah blah. People were genuinely surprised with that.

Re: RFID Credit Card Skimming

Have you seen the 2.4ghz after market backup cameras they sell for vans and such? Guess what their little display can pick up while driving around? :)

Re: RFID Credit Card Skimming

I have not seen those, even better!

"Don't back up Sam, there's a crib there!"

Re: RFID Credit Card Skimming

It's even more disturbing when the one in your van picks up someone else's backup camera in a parking lot.

I've considered modifying the display that I have to maybe put an external antenna on it.

Re: RFID Credit Card Skimming

Very much so. I am always baffled because hackers are almost always portrayed in a negative light, okay so what black (and grey) hats do may not be completely legit., but it's thanks to hacking (obviously amongst other reasons) that modern technology is as advanced as it is today, and is still advancing at a quick pace.

As for this topic, there is a show on television here in the UK and Ireland were the presenters show how to prevent being 'hustled' by a scams carried out on a regular basis by scam artists and hacker... They show how to prevent it by actually scamming 'random, everyday people' off the street (and then obviously giving them their money back)... But one 'scam' I saw was were they rigged an ATM with a card reader by putting a shell over the ATM...

Here is the video:
http://www.youtube.com/watch?v=OOiCufYGH9I

Re: RFID Credit Card Skimming

Simple. This is summarized in an old quote:

[Don't] "Kill the messenger."

It is the nature of many people to blame any person that conveys bad news as though that will solve the problem or deny its existence. Related to this is another quote, "stick your head in the sand," which like killing the messenger, can be another source of denial that a problem even exists; it is like a passive form of killing a messenger: pretending they and the bad news does not exist.

Re: RFID Credit Card Skimming

Okay. One more:
* Security by obscurity or maybe just poor choice or "proprietary [ciphers &] algorithms"
(Link to story from tweet by WeldPond retweeting a tweet from daveaitel.)

Re: RFID Credit Card Skimming

a more specific example for me would be the user-rekeyable locks that Kwikset and now Schlage have produced. i still see these appearing in commercial spaces and mixed up with all sorts of swooning chatter about how wonderful they are, when they actually offer less security against a dedicated, specialized attacker.

these are great for rental units or places with high turnover and generally low security needs (read: brute force or street criminal threat only, no sensitive IP or techy info valuables inside that would ever be targeted by high-end thieves or corporate infiltrators)

these locks are totally the wrong solution for almost all "business" spaces that i can think of, save for maybe a Hot Dog Cart.

Re: RFID Credit Card Skimming

"What things do you see as worrisome as a vulnerability in information security that can affect the general populace, yet the public is generally clueless about?"

Hmmm... well lets see...
Surely some of these things the public knows about on a lil level..
BumpKeys, RFID Skimming, Man In the Middle Attacks, Fake Honeypots, Car Imobilizer Encryption (cracked) mentioned already , OptiCom Strobe technology (CHROME BOX) and if ya pack on a IR filter only a camera will see that strobe , Scanners (CHIPCON CC1010) programmable chip could be used to sit there from 0mhz to 1ghz and scan, WEP (everyone knows of WEP's flaws), elf EMP, rootkits, wireless video camera jammers, wireless video sniffers, cell phone jammers .. ill list more as they come to me.. problem is this.. even though you sit and tell the public about all sorts of security problems, they still dont listen. How much malware is reported on the internet and yet, people still click click on everything, they still fall for scams... Its funny and sad.. They want the Laissez-faire attitude yet, cry to govt for help when stuff goes wrong... Damned if you do damned if you dont... Theyll prob hate ya just for going public with non public information. Which is where the media comes into play.. Good luck Thorn... Educate the Masses!