The hands-free way to steal a credit card

Unsecured RFID Technology

WASHINGTON D.C.--Adam Laurie, an RFID security expert, used the Black Hat DC 2008 conference here, to demonstrate a new Python script he's working on to read the contents of smart-chip-enabled credit cards.

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer's wallet, Laurie both read and displayed its contents on the presentation screen--the person's name, account number, and expiration clearly visible.

Demonstrations like that show the potential misuse of RFID technology in the near future. Without touching someone, a thief could sniff the contents of an RFID-enabled credit card just in passing. The same is true for embedded RFID chips in the human body, work access badges, some public transit cards, and even the new passports in use in more than 45 countries.

(As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer's card. Laurie said that American Express told him: "We are comfortable with the security of our product." Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing.

"The alias number on American Express' ExpressPay cannot be used for online transactions," said Molly Faust, American Express' Public Affairs representative, in an e-mail to CNET News.com. "ExpressPay has multiple security mechanisms. As the payment host, American Express would not verify/authorize an online transaction using just the alias account number. There are several other security mechanisms that would be required in order for payment authorization to take place.")

The credit card industry has argued that use of the RFID-enabled cards will save customers time when processing payments.

An extreme example can be found in Spain. Laurie said a public beach there encourages visitors to have RFID tags injected into their bodies. The point? Merchants along the beach scan your wrist to obtain a unique ID from which they can debit your account. The advantage? You won't have to go to the beach with your wallet, which might get stolen.

Laurie, who has an injected RFID-tag, showed how easy it was not only to read the tag, but also to re-write the tag. During his demo, he used the coding sequence reserved for animal tagging to have his RFID chip declare him an animal.

On his RFIDiot Web site, Laurie offers the Python scripts free of charge and also sells the hardware necessary to read and write to RFID tags and cards.

See Adam Laurie’s site ‘’d3f3nc3 in d3pth at http://news.cnet.com/defense-in-depth/?keyword=Adam+Laurie&tag=mncol;tags

By Robert Vamosi

Update from February 22, 2008, at 3:20 p.m PST: This was updated to include a response from American Express.

- From CNET:  http://news.cnet.com/8301-10789_3-9875961-57.html?tag=headhttp://rfidiot.org/

Xtra Image - http://www.peratech.com/press/RFIDBiometricPassport_SkimStory.jpg

For further enlightenment see –

The Her(m)etic Hermit - http://hermetic.blog.com

The New Illuminati

The Prince of Centraxis

 (These sites have been locked by Today.com and this author no longer has access to his own blogs - Enlightenment Today

Imagine Nation – Artwork & Images )

This material is published under Creative Commons Copyright – reproduction for non-profit use is permitted & encouraged, if you give attribution to the work & author - and please include a (preferably active) link to the original along with this notice. Feel free to make non-commercial hard (printed) or software copies or mirror sites - you never know how long something will stay glued to the web – but remember attribution! If you like what you see, please send a tiny donation or leave a comment – and thanks for reading this far…

From the New Illuminati – http://newilluminati.blog-city.com

tags: rfid  smart  cards  id  identity  theft  radio  frequency  embedded  chips  adam  laurie  robert  vamosi  injected  tag  mark  of  the  beast  

links: digg this    del.icio.us    technorati    reddit