Stealing RFID Credit Card Data Is Easy!


Remember when someone actually needed to have your card before they could steal your data? With RFID, or radio frequency identification, all they need is to be near your card with an $8 RFID reader to get your information. If you watch this episode of Boing Boing TV, you can see an $8 reader pull a card’s details without the person operating it ever holding the card. What can you get? Card name, cardholder’s name, and expiration date (probably more, since you can transmit about 2 kB of data), or essentially everything off the face of your card.

If you remember back to physics class, electricity and magnetism are interrelated. A magnetic field around a conductive material will generate an electric charge. If you want to get really nostalgic, remember the right-hand rule? 🙂 Anyway, RFID works off that principle. The reader sends out a magnetic signal that generates a current in the RFID chip. The current powers the chip and gets it to send out a signal that the reader will detect. The signal is encrypted, so that’s not the problem; the problem is that it can be decrypted by the reader, a reader you can buy for $8. The security flaw has nothing to do with RFID technology; the failure is in the implementation by the credit card industry.

The technology expert in the clip, Pablos Holman, does point this out by saying the decryption should happen back at a secure location rather than at the point of sale, and I suspect this is a cost-cutting measure on the credit card industry’s part. By decrypting at the POS, they get to reuse their systems as-is (i.e. use RFID on the cheap) rather than building a mechanism for decrypting the data somewhere down the data stream. I’m 99.9% sure that someone in the industry has thought of the scenario in which someone buys an $8 reader and starts stealing data, but it’s cheaper to fix the fraud than to develop a better system.

As to the concerns that you could walk into a Starbucks and steal everyone’s data with a reader augmented with a powerful antenna: that’s not 100% accurate, because an RFID tag has a read range based on its frequency. Smart cards are said to use high-frequency tags, which have a read range of 3′ or less. So while you could activate every card in the room, you’d have to wander within 3′ of everyone (still easy, just not as easy as turning it on and standing there) to grab the data.

If you want to learn more about RFID, check out the Association for Automatic Identification and Mobility’s FAQ on RFID.


9 Responses to “Stealing RFID Credit Card Data Is Easy!”

  1. Lin says:

    This is interesting. Do you know anything about having a piece of foil in your wallet to prevent this? My husband read it somewhere, so he does it. Does it work?

  2. jim says:

    It should work because it will disrupt the magnetic signal.

  3. Saving Freak says:

    I have heard the same thing and the logic does stand up. I am not particularly fond of the technology. Early adopters of such things tend to get burned until the kinks get worked out of the system. If our cards were as secure as those in Europe I would love it.

  4. mitchell says:

    as a computer engineer who’s done work with RFID stuff, i can only say “duh”.

    i don’t use credit cards with the EZ Pay stuff in it, and i was a vocal opponent (wrote my elected officials) to the RFID tags in passports push.

    none of the RFID-based options are secure, even if they’re encrypted. encrypt the card data and all someone needs to do is read the encrypted data and re-write it back onto a new blank RFID chip. and now you have a cloned version of the card — you don’t need to know the number or the expiration date if you can find something that will let you simply scan the card and walk away (some fast food restaurants, some gas stations).

  5. Thank you for posting about this, scary stuff!

  6. Lo says:

    Oh no! I’ve tried to understand your summary as much as I could, so I apologize if I’m asking a stupid question. What’s the best way to prevent this (aside from foil in the wallet or a stainless steel wallet)? Just not use RFID-cards at all?

  7. That’s just scary… I used to think it was scary-easy to create copies of credit cards, but this doesn’t even require someone to get their hands on my card :-/

  8. thomas says:

    As long as there is technology, there will be someone, somewhere trying to work the angle, and there will be an angle.

    Remember the big scare was waiters scanning your card with their hidden reader tucked in their jacket to secure your numbers? This is no different. A scam is a scam.

    I’m more worried about my wallet being lost/stolen than technology bandits.

  9. Anonymous says:

    Makes me think about this guy talking to me a bit too close, or when another guy was standing talking to the cashier for the entire time I was in the store, standing right next to where people and myself had to walk in.

Advertising Disclosure: Bargaineering may be compensated in exchange for featured placement of certain sponsored products and services, or your clicking on links posted on this website.