RFID Cards - WARNING!

dmc

New member
Joined
Oct 28, 2004
Messages
14,275
Points
0
This has concerned me for a while.. I never can understand why they don't encrypt the stuff on the RFID... My last job was in data security and I think it would be easy to do..

I always worried about RFID on items from stores.. Say you go to 5th Avenue and shop at a super high end store where the items are tagged with RFID... I could conceivably stand beside you and scan the contents of your bag and determine whether it's worth it to rob you based upon what's in the bag....
 

wa-loaf

Well-known member
Joined
Jan 7, 2007
Messages
15,109
Points
48
Location
Mordor
Doesn't duct tape block rfid? I saw a thing about shoplifters and they had shopping bags lined with duct tape to foil the rfid readers at the doors.
 

millerm277

Active member
Joined
Nov 18, 2006
Messages
1,797
Points
38
Location
NJ/NH
If your bank/CC company ever tries to give you one of the cards with the thing in it to "tap" to pay for stuff, return it and ask for a non-RFID one, or rip out or destroy the RFID chip in it.
 

Glenn

Active member
Joined
Oct 1, 2008
Messages
7,691
Points
38
Location
CT & VT
There was an invention on "Pitch Men" where a guy made a sleeve to put your CC's in. It blocked anyone/anything from reading the RFID.
 

wa-loaf

Well-known member
Joined
Jan 7, 2007
Messages
15,109
Points
48
Location
Mordor
There was an invention on "Pitch Men" where a guy made a sleeve to put your CC's in. It blocked anyone/anything from reading the RFID.

Wonder if it's the same dude as in the article.
 

roark

New member
Joined
Oct 28, 2005
Messages
2,384
Points
0
Location
Seattle WA
Supposedly aluminum foil is sufficient to block it. Google duct tape wallet.

(insert tin foil hat joke here)
 

ctenidae

Active member
Joined
Nov 11, 2004
Messages
8,959
Points
38
Location
SW Connecticut
This is why I renewed my passport a few years early, to get a new one before they stuck a chip in it. Not hard to make an American-O-Meter to find gringos in a crowd. Not that we're all that hard to spot, generally, as we tend to travel in loud herds.
 

neil

New member
Joined
Oct 10, 2009
Messages
454
Points
0
It's all due to software developers not implementing decent encryption.
 

dmc

New member
Joined
Oct 28, 2004
Messages
14,275
Points
0
It's all due to software developers not implementing decent encryption.

yup - you could put AES256 on it - problem would be rotating the encryption keys unless the user could select his own and type it in at transaction... or maybe use a thumbprint or something as a multi factor authentication..
 

dmc

New member
Joined
Oct 28, 2004
Messages
14,275
Points
0
How nice would this be? Instead of signing, just use your thumb. Or scan the retina.

yeah.. it would be too intrusive for us in the US though.. We don't like to be scanned.. I'm sure the credit card comps are working something..

I made a ton of cash in my last job encrypting credit cards in databases. It's totally doable..
 

Geoff

Well-known member
Joined
Jun 30, 2004
Messages
5,100
Points
48
Location
South Dartmouth, Ma
I need to weigh in on the whole encryption thing. To make it work, you'd have to use different technology. RFID always returns the same information. It doesn't matter whether it's in the clear or encrypted. If it returns the same data every time, it can be broken or the cypher can be compromised. An example elsewhere.... you can't make a DVD that can't be ripped for the same reason. You can either brute force break it or use the compromised cipher key. You really need to use public key encryption technology where you never expose the private keying information embedded in your credit card.

Putting a 2-way transceiver and small microprocessor in a credit card to implement public key encryption is way more expensive than what is done today. For the moment, you need tin foil over your wallet to go with your tin foil hat.
 
Last edited by a moderator:

dmc

New member
Joined
Oct 28, 2004
Messages
14,275
Points
0
I need to weigh in on the whole encryption thing. To make it work, you'd have to use different technology. RFID always returns the same information. It doesn't matter whether it's in the clear or encrypted. If it returns the same data every time, it can be broken or the cypher can be compromised. You really need to use public key encryption technology where you never expose the private keying information embedded in your credit card.

not true...
AES256 has yet to be broken. Hashing SHA can be broken based upon values using "rainbow" tables..
 

bvibert

Moderator
Staff member
Moderator
Joined
Aug 30, 2004
Messages
30,394
Points
38
Location
Torrington, CT
I need to weigh in on the whole encryption thing. To make it work, you'd have to use different technology. RFID always returns the same information. It doesn't matter whether it's in the clear or encrypted. If it returns the same data every time, it can be broken or the cypher can be compromised. An example elsewhere.... you can't make a DVD that can't be ripped for the same reason. You can either brute force break it or use the compromised cipher key. You really need to use public key encryption technology where you never expose the private keying information embedded in your credit card.

Putting a 2-way transceiver and small microprocessor in a credit card to implement public key encryption is way more expensive than what is done today. For the moment, you need tin foil over your wallet to go with your tin foil hat.

I removed the picture you posted. I have to assume that the picture that we ended up seeing isn't what you intended. If it is then please don't do that again!
 

Geoff

Well-known member
Joined
Jun 30, 2004
Messages
5,100
Points
48
Location
South Dartmouth, Ma
not true...
AES256 has yet to be broken. Hashing SHA can be broken based upon values using "rainbow" tables..

It's trivial to decode 256-bit AES if you know the cipher key. If this ever got implemented, it's also trivial to present the RFID results to the credit card system and get them decoded.

I do this stuff for a living, too.
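
Added example, not part of any post in the thread: the replay argument discussed above (a tag that always returns the same bytes versus one that answers a fresh challenge), sketched in Python. It substitutes an HMAC challenge-response with a shared key for the public-key scheme mentioned in the thread, because Python's standard library has no asymmetric signatures; the replay property is the same. All class names, keys and values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; nothing here comes from a real card.
CARD_KEY = secrets.token_bytes(32)  # secret held by the card and the issuer
# Stands in for a fixed encrypted card record the tag emits on every read.
STATIC_BLOB = hashlib.sha256(b"constructed-encrypted-card-record").digest()


class StaticTag:
    """Answers every read with the same bytes, encrypted or not."""
    def read(self, challenge: bytes) -> bytes:
        return STATIC_BLOB


class ChallengeResponseTag:
    """Keeps its key internal and answers each challenge with a MAC over it."""
    def __init__(self, key: bytes):
        self._key = key

    def read(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def issuer_accepts(tag_kind: str, challenge: bytes, response: bytes) -> bool:
    """Issuer-side check for the current transaction's challenge."""
    if tag_kind == "static":
        expected = STATIC_BLOB  # nothing ties the response to this transaction
    else:
        expected = hmac.new(CARD_KEY, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def make_tag(tag_kind: str):
    return StaticTag() if tag_kind == "static" else ChallengeResponseTag(CARD_KEY)


def genuine_accepted(tag_kind: str) -> bool:
    """The real card answering the issuer's current challenge."""
    challenge = secrets.token_bytes(16)
    return issuer_accepts(tag_kind, challenge, make_tag(tag_kind).read(challenge))


def replay_accepted(tag_kind: str) -> bool:
    """A response recorded in one transaction, presented again in the next."""
    recorded = make_tag(tag_kind).read(secrets.token_bytes(16))
    later_challenge = secrets.token_bytes(16)  # issuer picks a fresh value
    return issuer_accepts(tag_kind, later_challenge, recorded)
```

The static tag's recorded response is accepted on the later transaction no matter how strong the cipher that produced it; the challenge-response tag's recorded answer fails because it is bound to a challenge the issuer never reuses.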
 