Would You Trust RFID-Enabled ATM Cards?
race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?
race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.
Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
Disable the RFID (Score:5, Interesting)
Nuke it (Score:5, Insightful)
Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don't cost anything.
Nuke it from orbit (Score:3, Funny)
Re: (Score:2)
Now a hammer...
/if you beat the shit out of the RFID, you'll either break the antenna or crush the ID chip.
//works on mag strips too (like your driver's license)
Re: (Score:2, Informative)
Since I had a junk Chase RFID ATM, I wanted to try the whole microwave thing; here are the results:
Used a microwave on low for 3 sec, POP went the RFID chip. Leaving the rest of the card looking/working fine.
Wanting to push the limit of the ATM card, 15 sec on low starts the melting process; after 35 sec the ATM card becomes a small glob of goo.
We don't need RFID chips in ATM/credit cards, really how hard is it to pull y
Re:Disable the RFID (Score:5, Interesting)
Funny ha ha, yes, but has anyone noticed that many science-fiction movies of recent years have included as a plot device one of the characters embedded with some sort of implant (in the brain, under the skin, etc.) or added to some common item (clothing, watch, pen, etc.) that was carried around? I recently watched Jonathan Demme's The Manchurian Candidate [imdb.com] on cable and it occurred to me that such a scenario doesn't have to involve a conspiracy of the highest order to be successful or involve a high-concept goal; unwitting or passive acceptance would work just fine, and the goal can be mundane but similarly insidious.
My guess is that monitoring technologies in various forms will increasingly become part of our daily lives. RFID chips, for example, seem destined to be everywhere [wikipedia.org], and while it's up to each of us to be as vigilant as the article's poster, the future will play out as a constant game of catch-up and workarounds for the select few in the know. Computers are part of our daily lives but knowledge of them is superficial at best. Should we expect the average person to have an inkling of how other technologies that come in smaller packages work?
Have you scanned yourself, lately?
Re: (Score:2)
I don't see RFID itself as a problem, but my understanding is that the security of the currently deployed RFID chips has already been cracked. Therefore, I would not want it used for bank cards.
The idea of an encrypted wireless short-range link instead of a mag-stripe swipe doesn't seem too outre to me. But using a technology that is known to be insecure is foolish.
Re: (Score:3, Interesting)
This has fascinating potential for spoofing.
If, in the future, we can expect to be tracked as a "package" of our worn and carried emitters, we can have a pre-built alternate package ready for use.
While "my" emitters could be providing an alibi, a throwaway set could mask my actions elsewhere.
Re:Disable the RFID (Score:4, Informative)
Of course it means I have to take my Oyster card [tfl.gov.uk] out in order to use it, rather than wave the wallet at the reader - but that's the point!
Re: (Score:3, Insightful)
If you are pressing the button, the circuit closes and your card will enable a reader.
If you are not pressing the button, the circuit is open, and disables the RFID on the chip?
I mean, even my MacBook has a power button.
Not surprised about HSBC (Score:5, Interesting)
HSBC recently forced me to subscribe to the Verified by Visa marketing pseudosecurity garbageshiteware gimmick (the only one of the cards I have that actually forced me to do so). During the subscription process I found out that the idiotic subscription interface does not maintain state with most non-mainstream browsers. In fact if you use Konqueror (or play around with your browser a bit) you can cruise through it with flying colours without it asking for verification information, passwords and the like. I was seriously tempted to go all the way and register a few cards for entertainment purposes, but at the end of the day decided not to.
So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", nor could provide a contact. Still better than Amex though. Under similar circumstances 4 years ago when I tried to contact the Amex security dept with a similar bug they subscribed me to a mandatory 60 days of phone marketing and email marketing for good measure.
Frankly - they have no clue. Banking security at its best. Understanding is not required, BS and ISO numbers are.
Re:Not surprised about HSBC (Score:5, Funny)
Henceforth all software found wanting shall be referred to as "pseudosecurity garbageshiteware". Man law???
Re: (Score:2, Funny)
he proclaimed from his parents' basement
why should they care about security, it's... (Score:4, Insightful)
Effing brainwashed sheep have bought into the identity theft ruse hook, line, sinker, and hummer to the fisherman.
Re:why should they care about security, it's... (Score:4, Insightful)
They may be at fault, but you are the one who is screwed.
Re:Not surprised about HSBC (Score:5, Interesting)
Re: (Score:2)
But maybe someday us "privacy kooks" will leave in statistically significant numbers, and eventually someone might notice.
Nope for anything that needs security (Score:2, Interesting)
I'd use it for inventory management etc. like was the big hype when it first came out but I'd keep it out of ATM cards, passports... PEOPLE.
Absolutely not (Score:5, Informative)
Re: (Score:3, Insightful)
Sure why the heck not? We've got rfid passports and government IDs, rfid in our cars (toll passes), and rfid boarding passes just on the horizon. I mean, we've even got rfid in our TIRES making it possible to TRACK OUR CARS!!
Would
I don't think thi
Re:Absolutely not (Score:5, Insightful)
Using a credit card seems much safer than cash. If someone steals my cash, I'm out of luck. If someone steals my credit card or uses my account number without my authorization, I don't lose anything except the 10 minutes or so that I have to spend on the phone with the credit card company.
Re: (Score:2)
That's absolute crap. As someone who's been on the pointy end of the stick by having their Visa card abused after its details were stolen from a vendor's supposedly-secure (PCI compliance be damned) database I can tell you it is a big problem for the consumer. The bank has nothing to do with it: Visa themselves took every single one of their 45 business days to "inve
Re: (Score:2)
Until you try and buy a house, and find out the mortgage lender won't lend you any money because some asshole in Los Angeles you've never heard of has run up a $5000 unpaid bill in your name.
Happened to me.
Not only no (Score:3)
Liability for unauthorised transactions? (Score:2)
My answer would depend entirely on who pays if the remotely accessible card data is used to make transactions without my authorisation:
If I pay, then it is in my interests to worry about the security of the card, and I'll want a card that's unlikely to be used without my authorisation (a PIN I set required, mechanical action needed to start the process etc). I do not want to risk paying for fraudulent transactions, and I will do what I can to minimise that risk.
If the bank pays, then I can leave the se
Re:Liability for unauthorised transactions? (Score:5, Insightful)
No matter who pays at first, in the end we all pay more because of shitty security.
Re: (Score:2)
Me: I've had enough of this shit, I quit
Bank: If you do, we'll have the government seize all your money
Me: Hey, let's negotiate!
Re: (Score:2)
I check out my online banking at least once a week - and usually more often - so I'll be aware of any odd transactions (and I include 'the £/$10 here or there' in that statement) pretty much as soon as they've happened.
If you've got access to online banking, I don't get why you wouldn't use it for that kind of thing, and keeping a fairly regular check on your account(s) that way.
New fashion accessory (Score:2, Interesting)
What use is an RFID to a bank?
--
E
um cost? (Score:4, Funny)
Oh, no, we're North American, we have to be different *cough* cdma *cough*, no way we can conform with the rest of the fucking world *cough* soccer *cough*...
Besides, RFID is not meant for privacy or security. It's meant to track inventory. The sooner these "experts" realize that the better. The sooner they realize that RFID readers are commonplace, the better.
Re: (Score:2)
And it's not like we don't have the readers here. All of the common retail stores I go to here in Ottawa (that have debit/credit) have a reader built-in (I imagine because the machines are made in one factory and chances are it's good for tourism).
So really the only problem left is to actually roll out the cards and start enforcing their use.
The point of the smart card, is
Speaking as a guy that does RFID for a living... (Score:3, Informative)
I'd say that no, it isn't ready yet for handling security-sensitive tasks like credit card or debit card transactions. It's happening anyways, but I don't think it's mature enough to trust our bank accounts to them.
Just for a tiny bit of reassurance, RFID tags and readers used in credit card/debit card applications (I know because I help make these readers, though I'm still new to the business) include cryptography features such as encrypted data transfer and authentication. In other words, if you don't
An article you may want to read. (Score:2)
RFID Detection (Score:4, Interesting)
Check the incentives (Score:5, Informative)
With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.
With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondary responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.
It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from ATM fraud are inherently perverse.
Re: (Score:2)
Wow. You must be the biggest geek on earth.
Another solution? How about Altoids tins? (Score:5, Interesting)
At work, we have RFID security badges. Mine is, obviously, in my Altoids tin. I can hold the tin against the sensor as long as I want; it won't scan. I pop it open (which is really easy to do one-handed once you get used to it), and it'll read from several inches away.
They also have several designer colors: red peppermint, aqua wintergreen, tan ginger, and my personal favorite -- black liquorice.
Re: (Score:2)
I pop it open (which is really easy to do one-handed once you get used to it)
One-handed manipulation of electronic devices shouldn't pose much of a problem to the majority of the /. readers...
Destroy the tag... (Score:3, Informative)
Re: (Score:2)
Just like the Sharpie on "protected CDs"
Course I was thinking that an X-Acto knife could extract the chip. I don't care if the antenna is still in there.
oh hell (Score:2)
Second, do you know whether there is any security around it or not? Some implementations have no security at all, others do mutual authentication and create encrypted sessions. You are considerably more secure using the latter of these than your traditional mag stripe.
Get educated before sticking your head in the sand. Mag stripe is going to go away. Hopefully EMV will come to the US soon and
Survey says..... (Score:2)
How Long? (Score:2)
I was lied to by Chase (Score:2)
I have already written my senator.
What is this mania with RFID about? (Score:2)
I think there are several reasons.
First, when Smart Card technology was first proposed some twenty years ago, the idea got earlier traction in Europe. One reason, if I recall correctly, was that at the time the cost of installing and using phones under many state telecom monopolies made the kind of system we use in the US
Re: Check the incentive (Score:5, Insightful)
As it is, they make the -merchant- pay for it! And not only do they make us cover the price of the fraudulent transaction, but they ALSO tag an extra $25 -per fraud transaction- !! Heck, at this rate they might actually be MAKING money from fraud!!
If one customer buys 3 times with same fraudulent cc over a few days (say, for $5 items!), we pay $75 in -addition- to the cc company taking back the $15!!!!!
With the hundreds of Billions they process every day, do you really think there would be so much fraud if the cc companies were the ones really paying for it??
Re: (Score:2)
But, all that aside, the real problem is that merchants need to store credit card numbers. This is entirely bogus.
As a real simple first blush at a solution, you take the
No (Score:2)
RFID is already dead for this application. (Score:2)
So what's the benefit?
My Glutes Will Gain Strength (Score:2)
NO! (Score:2)
Not New and Not That Scary (Score:2)
RFID is irrelevant here (Score:2)
A well-designed smart bank card will use SASL to prove its identity to the bank without revealing information that would allow anybody else to use the identity. So it doesn't matter if peopl
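Added example, not part of the thread: the difference the comments above draw between a tag with "no security at all" and a card that proves its identity without revealing anything reusable. It uses a generic HMAC challenge-response, not SASL itself and not any bank's or card scheme's actual protocol; all class and function names and the sample identifier are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets


class StaticTag:
    """Tag with no security: every query gets the same stored identifier."""

    def __init__(self, card_id: bytes):
        self.card_id = card_id

    def respond(self, challenge: bytes) -> bytes:
        return self.card_id  # the challenge is ignored


class ChallengeResponseCard:
    """Card that keeps a secret key and only ever emits HMAC(key, challenge)."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Replayer:
    """Stands in for anyone who recorded one earlier response and plays it back."""

    def __init__(self, recorded: bytes):
        self.recorded = recorded

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded


def verify_static(device, expected_id: bytes) -> bool:
    """Reader-side check for a static tag: compare the identifier it sends."""
    return hmac.compare_digest(device.respond(secrets.token_bytes(16)), expected_id)


def verify_challenge_response(device, key: bytes, challenge=None) -> bool:
    """Reader-side check: send a nonce, expect HMAC(key, nonce) back.

    A fresh random nonce is used unless one is passed in; passing one in
    models a badly built reader that reuses its challenge.
    """
    if challenge is None:
        challenge = secrets.token_bytes(16)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(device.respond(challenge), expected)


def demo() -> dict:
    card_id = b"CONSTRUCTED-ID-0001"      # constructed sample identifier
    key = secrets.token_bytes(32)         # per-card secret shared with the issuer
    static_tag = StaticTag(card_id)
    card = ChallengeResponseCard(key)

    # One earlier exchange with each device is assumed to have been recorded.
    old_challenge = secrets.token_bytes(16)
    recorded_static = static_tag.respond(old_challenge)
    recorded_cr = card.respond(old_challenge)

    return {
        "static_genuine": verify_static(static_tag, card_id),
        "static_replayed": verify_static(Replayer(recorded_static), card_id),
        "cr_genuine": verify_challenge_response(card, key),
        "cr_replayed_fresh_nonce": verify_challenge_response(Replayer(recorded_cr), key),
        "cr_replayed_reused_nonce": verify_challenge_response(
            Replayer(recorded_cr), key, challenge=old_challenge),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The last case is the caveat: the scheme only resists replay if the reader's challenge is fresh and unpredictable every time.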
Yes, yes, a thousand times yes!!! (Score:2)
What's really sad is... (Score:2)
How about an on/off button? (Score:2)
If you aren't pressing the button/leaving the circuit open, zapping the RFID device does nothing.
If you are pressing the button/closing the circuit, the RFID device will read?
Why the FSCK am I the only person alive that seems to see RFID as not a problem if you put a power button on it?
Solution in Search of a Problem (Score:2)
It doesn't save anyone any time, really. At an ATM, I've got my wallet open anyway, to put the cash in. In the grocery checkout, I've got plenty of time to reach briefly into my pocket or purse, while waiting for the checker.
It's a solution in search of a problem.
an analogy (Score:2)
Of course "we use encryption". So the info on your jacket is encrypted. But we didn't use encryption before, even though we should have been (depending on how good it was).
By using RFID, companies are trying to trade off the very intuitive insecurities of radio broadcasting wi
Re:Yes but..... (Score:5, Interesting)
Re: (Score:3, Insightful)
If you put a power switch on them, they wouldn't send back a signal even if you were getting RF energy.
That would pretty much end the ability for someone to sniff out your RFID tags in your credit cards and passports until you pressed the button - closing the circuit between the antenna receiving the RF power signal and the part that generates and broadcasts the signal back.
How it would work in the real world is - you'd pull out your credit card at the store, s
Re: (Score:2)
I don't know if this is the case. Everyone seems to assume you can "intercept" the RFID information from many meters away. I guess I'm not sure which technology is used in credit cards, but if it's anything like ISO 14443 [wikipedia.org] standard or even ISO 15693, the max distance is only going to be 1.5 meters or less.
In the end, it's always the path of least resistance. It's easier just to steal a credit card or dig up s
Re: (Score:2, Interesting)
A standard dictates how something should work but has nothing to do with how it does work. It is entirely possible to follow the standard to the letter and still have the card readable at over 1.5 m.
Shit we buried an ethernet cable to the building next door for a project. Yes that was the easiest way at the time. The run was much longer than the standard dictated. The cable worke
Re: (Score:2)
See Alien technology [alientechnology.com] for examples of UHF tags.
Re: (Score:3, Informative)
Anyone stating "max distance" for RF is creating limits where none exist. With a correctly-sized transmitter, a sensitive enough receiver, and a large enough antenna, there's nothing preventing reading o
Re: (Score:3, Informative)
My assumption in this case is that the RFID technology will be of some standard similar to those stated in my parent post (ISO 15693, 14443 or other HF stand
Re:Yes but..... (Score:5, Insightful)
Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.
-Charlie
Willing to stand by your statement? Are you sure you still don't have a problem with other people having access to your card data?
Re: (Score:2)
Cannot read all = might read some. It's the contrapositive, see?
Cannot read any = can read none.
The GP was stating that if you are so uncaring about your details, you might as well post them here. It'd be just as safe as walking around the mall wit
Re: (Score:2)
Not really, no. For Debit cards, yes. But you can just use them as a "Credit" card, and all you have to do is sign your name. You can also make online purchases without a pin.
Re: (Score:2, Informative)
Account Number
Expiration Date
Amount to charge
That's it. No PIN, no 3 digit code from the back, no name, and no address required. It's a little frightening that you don't even need a name.
Re: (Score:3, Informative)
Source: I work in e-Commerce for a catalog company.
Re: (Score:2)
Step 1: Higher up finds he's got all this money, but it's tied up in the company and he wants to sneak it out into my own pocket.
Step 2: Contract out with a friend for a zany new technological upgrade that does nothing for the business or its customers. Overspend like it's going out of style.
Step 3: Split profit
Re: (Score:2)
Also, for the Amex, "no pre-set limit" doesn't mean "no limit".
Re: (Score:2)
I've only had credit in the USA for 9 years. I currently have a card with a credit limit that was over $16,000 last time I looked. I didn't at any stage ask for it to be increased, either.
Pay off your bills for a few months and banks will throw credit at you, to try and tempt you.
Re: (Score:2)
But thanks for being a prick about it. Karma I suppose.
Re: (Score:2)
Not true. I don't want to use a system I know to be insecure, no matter if it has been exploited many times or never at all.
Re: (Score:2, Informative)
Or, much easier, find someplace with an RFID reader at the cash register and find someplace to hide a high-gain directional antenna. Let the legitimate reader do the work of powering the tag on the card, and then log the data being broadcast by the tag with the antenna.
RFID tags broadcast omn
Re: (Score:2)
The costs to the banks in other parts of the world are huge, but essentially the investments are being supported in one way or another by the governments enforcing the adoption.
In the U.S., this isn't happening at all. American regulators will be asking the banks, "What are you doing to protect and secure customer information? Is our
Re: (Score:2)
As an aside, 5 million Londoners have an Oyster card in their pocket. Mine currently has about 80 quid of pre-pay on it. I am not in the slightest bit worried that someone will be able to steal this, and I haven't heard of this happening to anyone. This is basically the same contactless smartcard implementation that will
Re: (Score:2)
Debit card? What the heck are you using something like that for anyway? You give it to a waiter in a restaurant and they can take all your money with no recourse.
Credit card? Dispute the charge. Period. No liability. Not even the $50 that they claim might be your maximum liability. I've never heard of anyone losing anything on a credit card dispute when it is filed within the time limit.
Do you think the card has your locker combination at the gym on it? Or maybe it has y