Your security, networking, programming, and application news source.

Wednesday, March 19, 2008

RFID Credit Cards

  RFID is becoming more popular for many things. Credit cards using RFID technology, sporting names like 'EZ Pass', 'quick pass', and 'speed pass', are becoming more common. A recent Boing Boing video netcast episode is re-raising concerns about the security of such cards.
  An older New York Times report, which featured tests on 20 cards from Visa, MasterCard and American Express, showed that the data was being broadcast in plain text. This data frequently includes the card holder's full name, and sometimes even the card number and expiration date.

  A common misconception is that RFID is totally insecure by nature. This isn't true. RFID devices are just a family of inexpensive devices that broadcast via radio frequencies. Other than their price, these devices are most notable for their tiny size and ability to be self-powered. They can capture power from the radio frequency of a requesting device and use it to power themselves and send a radio frequency reply.
  This misconception comes from frequent news headlines about cases where a poor attempt, or no attempt, was made to protect the data or signals an RFID device sends. These signals are easily captured, but encryption techniques can be used to protect this data. Designers frequently don't bother.
  In some cases, like this credit card situation, an ideally secure encryption scheme may require more elaborate equipment for legitimate readers, possibly an expensive central payment system. This could defeat the entire purpose of making transactions fast.

  Some effort should be made, using one of many encryption techniques, to protect this data. Although the card number may be useless without the security code, broadcasting the card holder's name in plain text is surely a bad idea.
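
  As an added illustration (not code from the original post or from any real card scheme), the Python below contrasts a card that hands its static fields in plain text to any reader with one that answers a reader's random challenge using only an opaque identifier, a counter and an HMAC. It uses a keyed MAC challenge-response rather than encryption, and `Card`, `Issuer` and all sample values are hypothetical; only the issuer can check the reply, which is the central payment system cost mentioned above.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not real card data.
HOLDER, PAN, EXPIRY = "J DOE", "4000000000000002", "03/10"


def plaintext_reply() -> bytes:
    """Card as described in the post: static fields sent to any reader."""
    return f"{HOLDER}|{PAN}|{EXPIRY}".encode()


def _mac(key: bytes, nonce: bytes, counter: int) -> bytes:
    return hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()


class Card:
    """Hypothetical card holding only an opaque id and a per-card secret key."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self._key, self._counter = card_id, key, 0

    def reply(self, nonce: bytes):
        self._counter += 1  # every answer differs, even for a repeated nonce
        return self.card_id, self._counter, _mac(self._key, nonce, self._counter)


class Issuer:
    """Hypothetical central payment system: the only party able to map
    card_id to an account and check the MAC. The shop's reader cannot."""

    def __init__(self):
        self._cards = {}  # card_id -> [key, account, last counter accepted]

    def enroll(self, account: str) -> Card:
        card_id, key = secrets.token_bytes(8), secrets.token_bytes(32)
        self._cards[card_id] = [key, account, 0]
        return Card(card_id, key)

    def verify(self, card_id, nonce, counter, tag):
        entry = self._cards.get(card_id)
        if entry is None or counter <= entry[2]:
            return None  # unknown card, or a replayed/old counter
        if not hmac.compare_digest(_mac(entry[0], nonce, counter), tag):
            return None  # tag was not made for this nonce by this card
        entry[2] = counter
        return entry[1]
```

  A captured reply from the second card contains no name or card number and is rejected if presented again. The opaque identifier is still constant, so this design does not stop the card from being recognised as the same card on a later read.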

  A Boing Boing TV video netcast episode claims a suitable RFID reader can be purchased for as little as $8 from eBay. Some lady with her hair dyed till it's falling out, and a dude who has never washed his hair, demonstrate reading a card through your pocket with a similar device. Their demonstration revealed that the full goods may still be broadcast in plain text by these types of cards.
