- Bargaineering - http://www.bargaineering.com/articles -

Stealing RFID Credit Card Data Is Easy!

Remember when someone actually needed to have your card before they could steal your data? With RFID, or radio frequency identification, all they need to be is near your card, with an $8 RFID reader, to get your information now! If you watch this episode of boing boing TV, you can see a $8 reader pull your card’s details from you without actually having your card. What can you get? Card name, cardholder’s name, and expiration date (probably more, you can transmit about 2 kB of data) – or essentially everything off the face of your card.

If you remember back to physics class, electricity and magnetism are inter-related. A magnetic field around a conductive material will generate an electric charge. If you want to get real nostalgic, remember the right hand rule [3]? 🙂 Anyway, RFID works off that principle. The reader sends out a magnetic signal that generates a current in the RFID chip. The current powers the chip and gets it to send out a signal that the reader will detect. The signal is encrypted, that’s not the problem, the problem is that it can be decrypted by the reader, a reader you can buy for $8. The security flaw has nothing to do with RFID technology, the failure is in the implementation by the credit card industry.

The technology expert in the clip, Pablos Holman, does point this out by saying the decryption should happen back at a secure location rather than at the point of sale and I suspect this is a cost cutting measure on the credit card industry’s part. By decrypting at the POS, they get to reuse their systems (i.e. use RFID on the cheap) as-is rather than building a mechanism for decrypting the data somewhere down the data stream. I’m 99.9% sure that someone in the entire industry has thought of the scenario in which someone buys an $8 reader and starts stealing data but it’s cheaper to fix the fraud than develop a better system.

As to the concerns that you could walk into a Starbucks and steal everyone’s data with a reader augmented with a powerful antennae, that’s not 100% accurate because an RFID tag has a read range based on its frequency. Smart cards are said to use high-frequency tags, which have a read range of 3′ or less. So while you could activate every card in the room, you’d have to wander within 3′ of everyone (still easy, just not as easy as turning it on and standing there) to grab the data.

If you want to learn more about RFID, check out the Association for Automatic Identification and Mobility’s FAQ on RFID [4].