Re: Credit Cards and RF Chips

Why not make one?

On a sepreate not does anyone realize how sad it is that we're making it so you don't even have to pull out your credit card. We're elimating money, now were eliminating the need to open wallets. Some day I'm going be talking to my grandkids, (hopefully maybe great grand kids) they're going to see a dollar bill stuck on my wall, or in a book somewhere and I'm going to have expain what currency is. The kids are going to be a surprised and ask if they can bring it in for show and tell.

It just sprung into my mind, what happens if you've got more than one credit card in your wallet and you flash it over the RFID reader? Does it pop up all your credit cards and let you select the one you want to send the purchase to?

(p.s. If your a grammer nazi stick it in your ear, I did my best.)

Re: Credit Cards and RF Chips

Outstanding !! Now I feel great for having purchased a Passport holder from the site Thorn provided ! My new passport is expected in the next 30 days. Seems I need it to go to Canada and back.

Re: Credit Cards and RF Chips

/me Shits a brick in excitement

Re: Credit Cards and RF Chips

don't know if it was about this specific hack or not, but Major was called away from a little mini-session he was giving today at HackCon in order to be part of a radio interview about something recent in the UK. i think this may have been it.

speaking of recent activities from everyone's favorite british agent, after his talk (a terrific distillation of past IrDA/MagSripe/RFID talks) Major did a small workshop which consisted of a lot of scanning tests, many of which involved international passports.

some lessons we learned...

1) some nations do not even properly conform to the US-imposed standards (the USA is among the offenders)

2) it is of course possible to shield a passport using tin foil (and con attendees are the type to do such a thing)...


3) with no preparation and just on-the-fly code modification, Major was able to dump the entire contents of a USA passport, including the digital photograph...


4) the new RIFD enabled US passport does incorporate shielding in its enclosure (which is more than some nations' passports) but when laid at rest on a surface, the manner in wich the document slightly spreads open is enough to compromise the faraday cage...


5) norway is a terrific nation and everyone should visit here at least once.

Re: Credit Cards and RF Chips

Just an addendum to those shielded wallets:

I took a quick plane trip this past weekend. As a matter of course I put my wallet into the bin thing for the X-ray (ID was in my hand) and went through the usual process.

Security was pretty much empty at that time, so I asked the guy with the wand to scan my wallet and it freaked out.

So as a note, the RF shielded wallets are not metal detector friendly (or at least not friendly to you if you walk through with one)

Re: Credit Cards and RF Chips

http://news.com.com/U.K.+researchers...3-6156601.html

http://www.lightbluetouchpaper.org/2...relay-attacks/

Interesting article, Very imaginative attack, I liked it. It's all the rage on the news sites at the moment.

I found the best credit/debit card system in the world. I get SMS's Of Who, what, where and how much, I get a text often before I even leave sight of the terminal. Fraud insurance is amazing also, I don't want to rave about how awesome it is, as no one wants a sales pitch. Even IF it is the greatest, mwahahaha.

I also had a joke to share... I was watching Law and Order SVU as I often to, I don't know why because they are so easy to solve. Anyway, There is a love triangle between two couples, Wife 1 gets murdered, Wife 2 falls sick in the hospital. Blah Blah, *Bob Saget plays husband of Wife 2, He is a sec engineer, professor, yadda yadda, He specializes in RFID Chips. He suspects his wife is cheating with her boss, so drugs her and puts a chip in her arm, then installs chip readers as check points, at her work, her bosses house, (husband 1 ) the corner store, etc. When he goes home at night the logs sync with his PDA and he knows where she has been. So he kills the other guys wife. His wife is now sick and dying they find the chip and how it caused an infection and the husband needs to confess in order to get out of jail and save her life by donating a kidney or something....blah blah. So the IT guy is explaining all this to our detectives and explaining how RFID Works and when he is done.
The Detective says..."So he invented a HOE-Jack"

I've not laughed that hard from prime time television in years. The term Hoe-jack is now standard vocabulary in my household. The first thing I said to Neil was I HAVE to remember to post that in the forums. Law and Order is funny, They sometimes show stuff we have known about forever, and it's funny to watch them explain it to the layman as if its alien technology and so damn advanced.

* Yes, It was actually Bob Saget, whom I am recently obsessed with over how cool he is.

Re: Credit Cards and RF Chips

Thorn,
There is an old saying that says "If you aren't a little paranoid then you haven't been paying attention". I think of a shielded wallet as being proactive.

Re: Credit Cards and RF Chips

Actually, it was given to me. They were on sale in the vendor area at HOPE 6, and I was impressed with the demonstration. It was able to block an RFID card at a read distance of zero. My bank is now issuing ATM/debit cards with "Pay'n'Go" RFID embedded chips, and Render and I had just finished RFID Security, so the timing was perfect

I had intended to purchase one, but before I had a chance, the vendor was kind enough to present one to Renderman, Dragorn and myself following our panel discussion "The Future of Wireless Pen Testing." One of the things we'd talked about was RFID.

Here you go. Now you can be paranoid, too.
http://www.difrwear.com/index.shtml

Re: Credit Cards and RF Chips

[QUOTE=Like most security issues, making a public announcement about a given vulnerability is a double-edged sword. Yes, you may inform some dishonest people who were ignorant of a given technique. However, the premise behind such announcements is that the cons already know, but that the people who are vulnerable do not. This is generally true. Those who would use illegal means for gain usually know those means far in advance of the victims. Usually most victims find out about a given attack only after the fact when they are victims. By making a public announcement about techniques, you are informing the potential victims and increasing public awareness. This (hopefully) forces both the potential victims and the manufacturers to take notice and rectify the situation.[/QUOTE]

Good point. Perhapse this will all work out for the publics benefit.

I believe this topic deserves more research, GOOGLE HERE I COME!

Re: Credit Cards and RF Chips

Now that is what I call paranoid.

Is this something you purchased somewhere or designed and fabricated yourself.

Re: Credit Cards and RF Chips

It's been done, and it is relatively easy to accomplish. Depending on the frequency and several other factors, it is possible to have read ranges over tens of feet.

Being professionally paranoid about such things, I already carry all my cards in a wallet that has shielding against RFID readers.

Like most security issues, making a public announcement about a given vulnerability is a double-edged sword. Yes, you may inform some dishonest people who were ignorant of a given technique. However, the premise behind such announcements is that the cons already know, but that the people who are vulnerable do not. This is generally true. Those who would use illegal means for gain usually know those means far in advance of the victims. Usually most victims find out about a given attack only after the fact when they are victims. By making a public announcement about techniques, you are informing the potential victims and increasing public awareness. This (hopefully) forces both the potential victims and the manufacturers to take notice and rectify the situation.

Re: Credit Cards and RF Chips

I wonder if you could modify one of these card reader machines to have a longer range perhapse up to a range of one foot? If that were possible a person could walk into a store with a "loaded" back pack and walk out with dozens of names/card numbers.

Anyway, I think the only thing the news did by further publicising this issue was bringing it to the attention of various cons that didn't know about it. Soon they're going to just make a bigger deal about it and next thing you know people are gonna stop losing money.

Re: Credit Cards and RF Chips

VisaNet (a Front End Processor that takes card authorization) has data format documents in "Public Domain". In said document, you will find information on "smart cards" and how they interface with the host systems at the CC companies.

Re: Credit Cards and RF Chips

Though it does not help to protect your privacy, I usually see a statement on the application to get one of these devices that states a signature and/or a card swipe is reqired for purchases over $25, but not always...

I think last week there was some csi (miami I think) episode that had found a "chip" placed on a womans body that gets scanned by the club to allow entry, age verification/ drivers license info and had credit card / spending limit info all because women did not want to carry purses and had nowhere to hold a credit card, though they managed to still have keys and cell phones. What I don't know is if these are really being used, how much info the chip really would hold... it apperaed to have good photos of the person... I suppose it could also be done by linking the number scanned to a "local" on premise database but I think it was mentioned that they would go bar hopping with them so perhaps a vendor db... the size of the device was about the size of a tick.

By the way Deviant Ollam, if you really want a plaque for your door, I would be glad to make you one, after all, I am a signcarver. I'll even carve a picture of a bowl of petunias though it may not be falling.

Re: Credit Cards and RF Chips

Now you can use more convienant method's to get CC info instead of copying magnetic info with a serial reader.

I liked the serial A/N generator's people used on ATM's like the one you seen in T2(also used on mag-card lock's.) That was before they updated validation system's, and forced people to modify POS slots into portable cloner solution's. Now people gotta go thru the hard labor of running card's thru PPC attached reader's which is actually a faster payout than physiclly interfacing to an ATM via serial to magnetic trunk setup's, and running brute force attacks on the banks database(obsolete.)