Credit Cards and RF Chips

  • Credit Cards and RF Chips

    Just saw something on CNN (or the local network... not sure which) about how the New York Times did a story on those new Credit Cards that you don't have to swipe... to make a long story short the CC companies say that the data is transmitted encrypted however with some COTS stuff the Times was able to pick up the data and get names and other infos in clear text... the CC companies' response was to the tune of "This was a technical Exercise and therefore there is no real threat"

    Laughing my arse off at that one! No real threat my hide (assuming that the Times report was "kosher" and all... don't want to say that they lied or anything based on incorrect info and what not.)

    Discuss

    **EDIT**

    I found the original article from the Times http://www.nytimes.com/2006/10/23/bu...rssnyt&emc=rss

  • #2
    Re: Credit Cards and RF Chips

    Credit card companies, and companies providing the transaction services for these companies can make money with the sale of new hardware.

    A conspiracy "nut" could suggest that these new technologies are purposefully created to leak information, so that upgrades are necessary, and the industry can continue to sell new machines, and upgrades to existing machines to businesses wishing to offer better security for their customers.

    A realist might suggest that there is probably not a conspiracy, only a rush to get technology to market, at the cost of security, and a rush to provide the greatest number of bullets on the features chart in the shortest time at the lowest cost, and that you get what you pay for.

    The whale (consumer) might wonder why this planetary sized object is moving towards them very quickly, and while falling, wonder if it will be their friend.

    Meanwhile the potted plant (security professional) might only say, "Not again," or "Why me?"

    (Shouldn't need citation, but those last two are parody with The Hitchhiker's guide to the Galaxy.)

    • #3
      Re: Credit Cards and RF Chips

      Originally posted by TheCotMan

      The whale (consumer) might wonder why this planetary sized object is moving towards them very quickly, and while falling, wonder if it will be their friend.

      Meanwhile the potted plant (security professional) might only say, "Not again," or "Why me?"

      (Shouldn't need citation, but those last two are parody with The Hitchhiker's guide to the Galaxy.)
      I very much needed that giggle and I thank you so so so much for it. Also, Props for a job well done, that was a perfect perfect answer/example.
      "Haters, gonna hate"

      • #4
        Re: Credit Cards and RF Chips

        hah. now i want a door plaque on my office that reads "bowl of petunias" as my title.
        "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
        - Trent Reznor

        • #5
          Re: Credit Cards and RF Chips

          Now you can use more convenient methods to get CC info instead of copying magnetic info with a serial reader.

          I liked the serial A/N generators people used on ATMs like the one you saw in T2 (also used on mag-card locks). That was before they updated validation systems, and forced people to modify POS slots into portable cloner solutions. Now people gotta go thru the hard labor of running cards thru PPC attached readers which is actually a faster payout than physically interfacing to an ATM via serial to magnetic trunk setups, and running brute force attacks on the bank's database (obsolete).

          • #6
            Re: Credit Cards and RF Chips

            Though it does not help to protect your privacy, I usually see a statement on the application to get one of these devices that states a signature and/or a card swipe is required for purchases over $25, but not always...

            I think last week there was some CSI (Miami I think) episode that had found a "chip" placed on a woman's body that gets scanned by the club to allow entry, age verification/ driver's license info and had credit card / spending limit info all because women did not want to carry purses and had nowhere to hold a credit card, though they managed to still have keys and cell phones. What I don't know is if these are really being used, how much info the chip really would hold... it appeared to have good photos of the person... I suppose it could also be done by linking the number scanned to a "local" on premise database but I think it was mentioned that they would go bar hopping with them so perhaps a vendor db... the size of the device was about the size of a tick.

            By the way Deviant Ollam, if you really want a plaque for your door, I would be glad to make you one, after all, I am a signcarver. I'll even carve a picture of a bowl of petunias though it may not be falling.

            • #7
              Re: Credit Cards and RF Chips

              VisaNet (a Front End Processor that takes card authorization) has data format documents in "Public Domain". In said document, you will find information on "smart cards" and how they interface with the host systems at the CC companies.
              "Never Underestimate the Power of Stupid People in Large Groups"

              • #8
                Re: Credit Cards and RF Chips

                I wonder if you could modify one of these card reader machines to have a longer range perhaps up to a range of one foot? If that were possible a person could walk into a store with a "loaded" back pack and walk out with dozens of names/card numbers.

                Anyway, I think the only thing the news did by further publicising this issue was bringing it to the attention of various cons that didn't know about it. Soon they're going to just make a bigger deal about it and next thing you know people are gonna stop losing money.
                Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench. (Gene Spafford)

                • #9
                  Re: Credit Cards and RF Chips

                  Originally posted by patsprou
                  I wonder if you could modify one of these card reader machines to have a longer range perhaps up to a range of one foot? If that were possible a person could walk into a store with a "loaded" back pack and walk out with dozens of names/card numbers.
                  It's been done, and it is relatively easy to accomplish. Depending on the frequency and several other factors, it is possible to have read ranges over tens of feet.

                  Being professionally paranoid about such things, I already carry all my cards in a wallet that has shielding against RFID readers.

                  Originally posted by patsprou
                  Anyway, I think the only thing the news did by further publicising this issue was bringing it to the attention of various cons that didn't know about it. Soon they're going to just make a bigger deal about it and next thing you know people are gonna stop losing money.
                  Like most security issues, making a public announcement about a given vulnerability is a double-edged sword. Yes, you may inform some dishonest people who were ignorant of a given technique. However, the premise behind such announcements is that the cons already know, but that the people who are vulnerable do not. This is generally true. Those who would use illegal means for gain usually know those means far in advance of the victims. Usually most victims find out about a given attack only after the fact when they are victims. By making a public announcement about techniques, you are informing the potential victims and increasing public awareness. This (hopefully) forces both the potential victims and the manufacturers to take notice and rectify the situation.
                  Thorn
                  "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

                  • #10
                    Re: Credit Cards and RF Chips

                    Originally posted by Thorn

                    Being professionally paranoid about such things, I already carry all my cards in a wallet that has shielding against RFID readers.
                    Now that is what I call paranoid.

                    Is this something you purchased somewhere or designed and fabricated yourself?
                    DaKahuna
                    ___________________
                    Will Hack for Bandwidth

                    • #11
                      Re: Credit Cards and RF Chips

                      Originally posted by Thorn
                      Like most security issues, making a public announcement about a given vulnerability is a double-edged sword. Yes, you may inform some dishonest people who were ignorant of a given technique. However, the premise behind such announcements is that the cons already know, but that the people who are vulnerable do not. This is generally true. Those who would use illegal means for gain usually know those means far in advance of the victims. Usually most victims find out about a given attack only after the fact when they are victims. By making a public announcement about techniques, you are informing the potential victims and increasing public awareness. This (hopefully) forces both the potential victims and the manufacturers to take notice and rectify the situation.

                      Good point. Perhaps this will all work out for the public's benefit.

                      I believe this topic deserves more research, GOOGLE HERE I COME!
                      Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench. (Gene Spafford)

                      • #12
                        Re: Credit Cards and RF Chips

                        Originally posted by DaKahuna
                        Now that is what I call paranoid.

                        Is this something you purchased somewhere or designed and fabricated yourself?
                        Actually, it was given to me. They were on sale in the vendor area at HOPE 6, and I was impressed with the demonstration. It was able to block an RFID card at a read distance of zero. My bank is now issuing ATM/debit cards with "Pay'n'Go" RFID embedded chips, and Render and I had just finished RFID Security, so the timing was perfect.

                        I had intended to purchase one, but before I had a chance, the vendor was kind enough to present one to Renderman, Dragorn and myself following our panel discussion "The Future of Wireless Pen Testing." One of the things we'd talked about was RFID.

                        Here you go. Now you can be paranoid, too.
                        http://www.difrwear.com/index.shtml
                        Thorn
                        "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

                        • #13
                          Re: Credit Cards and RF Chips

                          Thorn,
                          There is an old saying that says "If you aren't a little paranoid then you haven't been paying attention". I think of a shielded wallet as being proactive.

                          • #14
                            Re: Credit Cards and RF Chips

                            http://news.com.com/U.K.+researchers...3-6156601.html

                            http://www.lightbluetouchpaper.org/2...relay-attacks/

                            Interesting article, Very imaginative attack, I liked it. It's all the rage on the news sites at the moment.

                            I found the best credit/debit card system in the world. I get SMS's Of Who, what, where and how much, I get a text often before I even leave sight of the terminal. Fraud insurance is amazing also, I don't want to rave about how awesome it is, as no one wants a sales pitch. Even IF it is the greatest, mwahahaha.

                            I also had a joke to share... I was watching Law and Order SVU as I often do, I don't know why because they are so easy to solve. Anyway, there is a love triangle between two couples, Wife 1 gets murdered, Wife 2 falls sick in the hospital. Blah Blah, *Bob Saget plays husband of Wife 2, he is a sec engineer, professor, yadda yadda, he specializes in RFID chips. He suspects his wife is cheating with her boss, so drugs her and puts a chip in her arm, then installs chip readers as check points, at her work, her boss's house, (husband 1) the corner store, etc. When he goes home at night the logs sync with his PDA and he knows where she has been. So he kills the other guy's wife. His wife is now sick and dying, they find the chip and how it caused an infection and the husband needs to confess in order to get out of jail and save her life by donating a kidney or something....blah blah. So the IT guy is explaining all this to our detectives and explaining how RFID works and when he is done.
                            The Detective says..."So he invented a HOE-Jack"

                            I've not laughed that hard from prime time television in years. The term Hoe-jack is now standard vocabulary in my household. The first thing I said to Neil was I HAVE to remember to post that in the forums. Law and Order is funny, they sometimes show stuff we have known about forever, and it's funny to watch them explain it to the layman as if it's alien technology and so damn advanced.

                            * Yes, It was actually Bob Saget, whom I am recently obsessed with over how cool he is.
                            "Haters, gonna hate"

                            • #15
                              Re: Credit Cards and RF Chips

                              Originally posted by Thorn
                              Actually, it was given to me. They were on sale in the vendor area at HOPE 6, and I was impressed with the demonstration. It was able to block an RFID card at a read distance of zero. My bank is now issuing ATM/debit cards with "Pay'n'Go" RFID embedded chips, and Render and I had just finished RFID Security, so the timing was perfect.

                              I had intended to purchase one, but before I had a chance, the vendor was kind enough to present one to Renderman, Dragorn and myself following our panel discussion "The Future of Wireless Pen Testing." One of the things we'd talked about was RFID.

                              Here you go. Now you can be paranoid, too.
                              http://www.difrwear.com/index.shtml
                              Just an addendum to those shielded wallets:

                              I took a quick plane trip this past weekend. As a matter of course I put my wallet into the bin thing for the X-ray (ID was in my hand) and went through the usual process.

                              Security was pretty much empty at that time, so I asked the guy with the wand to scan my wallet and it freaked out.

                              So as a note, the RF shielded wallets are not metal detector friendly (or at least not friendly to you if you walk through with one).
                              Never drink anything larger than your head!




