Modern Payment Security – RFID Credit Cards
Written by Daniel Gualtieri
Wednesday, 15 August 2012 15:47
RFID (Radio-Frequency Identification) credit cards, or contactless credit cards, are currently in the wallets of over 75 million Americans. It has been suggested that RFID cards could bridge the gap between traditional magnetic stripe credit cards and EMV credit cards, which are popular across Europe but have been adopted at a slower pace in the United States.
RFID credit cards feature advanced encryption capabilities that serve as an extra layer of protection for the cardholder’s sensitive personal and account information. However, because the RFID chips are always active, these cards have their share of security weaknesses.
Anatomy of the RFID Card Hack
At the Def Con conference in Las Vegas, Eddie Lee (Security Researcher for Blackwing Intelligence) demonstrated how to “skim,” or steal, credit card information from RFID credit cards using a rooted, NFC-enabled Android phone.
NFC technology is usually used to broadcast data from the phone. For example, when you make a payment at an NFC-enabled terminal, waving or tapping an RFID-enabled card broadcasts the payment information to the reader as if you swiped your card. Using software available online, hackers can turn their NFC-enabled phone into a card reader.
Thus, hackers can steal account information from an RFID credit card by tapping the card with these phones that have been modified into card readers, or even by putting the phones in close proximity to the RFID card. The stolen account information can then be used by the hacker to make a purchase by tapping the phone at a standard NFC-equipped payment terminal.
As with Charlie Miller’s hack, which we analyzed in a previous post focusing on NFC-enabled mobile device security, Mr. Lee’s hack has its own complications:
In contrast to Mr. Miller’s NFC hack, Mr. Lee’s RFID hack is straightforward, easy to execute and leaves cardholders vulnerable. Mobile wallet apps like Google Wallet and ISIS require the user to unlock their phone before the NFC signal is activated. As we mentioned, RFID cards do not have a lock feature and can always be scanned, making them easier prey for hackers. I recently spoke with Mr. Lee via email and he reiterated that RFID cards have greater security issues than NFC payment methods: