RFID (Radio-Frequency Identification) credit cards, or contactless credit cards, are currently in the wallets of over 75 million Americans. It has been suggested that RFID cards could bridge the gap between traditional magnetic stripe credit cards and EMV credit cards, which are popular across Europe but have been adopted at a slower pace in the United States.
RFID credit cards feature advanced encryption capabilities that serve as an extra layer of protection for the cardholder’s sensitive personal and account information. However, because the RFID chips are always active, these cards have their share of security weaknesses.
Anatomy of the RFID Card Hack
At the Def Con conference in Las Vegas, Eddie Lee (Security Researcher for Blackwing Intelligence) displayed how to “skim” or steal credit card information off of RFID credit cards using a rooted, NFC-enabled Android phone.
NFC technology is usually used to broadcast data from the phone. For example, when you make a payment at an NFC-enabled terminal, waving or tapping an RFID-enabled card broadcasts the payment information to the reader as if you swiped your card. Using software available online, hackers can turn their NFC-enabled phone into a card reader.
Thus, hackers can steal account information from an RFID credit card by tapping the card with these phones that have been modified into card readers, or even by putting the phones in close proximity to the RFID card. The stolen account information can then be used by the hacker to make a purchase by tapping the phone at a standard NFC-equipped payment terminal.
As with Charlie Miller’s hack, which we analyzed in a previous post focusing on NFC-enabled mobile device security, Mr. Lee’s hack has its own complications:
- The hacker’s phone must be running a specific version of a modified Android OS.
- After it is set as a reader, the hacker’s phone must come very close to the victim’s RFID credit card.
- Even at a close distance, it may take multiple attempts to grab the information from the RFID credit card.
In contrast to Mr. Miller’s NFC hack, Mr. Lee’s RFID hack is straightforward, easy to execute and leaves cardholders vulnerable. Mobile wallet apps like Google Wallet and ISIS need the user to unlock their phone before the NFC signal is activated. As we mentioned, RFID cards do not have a lock feature and can always be scanned, making them easier prey for hackers. I recently spoke with Mr. Lee via email and he reiterated that RFID cards have greater security issues than NFC payment methods:
“I would say my work contributes to reasons why using NFC for payments is probably safer than using traditional RFID-enabled credit cards. Since NFC-enabled payment devices can be turned off and apps like Google Wallet require a PIN, it actually makes NFC-based payments more secure because it’s much more difficult to walk by someone and skim their account information.”
There are a number of security measures which can be taken to safeguard your RFID-enabled credit card. The simplest is to purchase an RFID card sleeve, which blocks your card’s RFID signal and so prevents a hacker from stealing your card information with their phone. Fortunately for cardholders, RFID cards also contain encryption that can only be used once. Thus, if card information is stolen and the encryption is used twice (as in making two transactions), this will raise a red flag and the fraud department will be alerted.
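The single-use check described above, sketched from the issuer's side as an added example (not code from the original post, Mr. Lee, or any card network). It assumes the card derives a short code from a per-card key and a transaction counter; HMAC-SHA256 stands in for the card's real algorithm, and the names `one_time_code` and `Issuer`, the card number and the key are all hypothetical, constructed values.

```python
import hashlib
import hmac


def one_time_code(card_key: bytes, counter: int) -> str:
    """Card side: 3-digit code bound to the card's transaction counter."""
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class Issuer:
    """Issuer side: verifies the code, then refuses any counter already seen."""

    def __init__(self):
        self.keys = {}          # card number -> per-card secret key
        self.last_counter = {}  # card number -> highest counter accepted

    def enroll(self, pan: str, card_key: bytes) -> None:
        self.keys[pan] = card_key

    def authorize(self, pan: str, counter: int, code: str) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE_UNKNOWN_CARD"
        if not hmac.compare_digest(one_time_code(key, counter), code):
            return "DECLINE_BAD_CODE"
        if counter <= self.last_counter.get(pan, -1):
            return "FRAUD_ALERT_REPLAY"  # same or older code presented again
        self.last_counter[pan] = counter
        return "APPROVE"


def demo():
    pan, key = "4000000000000002", b"constructed-demo-key"  # constructed values
    issuer = Issuer()
    issuer.enroll(pan, key)
    tap = (pan, 41, one_time_code(key, 41))   # what one card read yields
    return [
        issuer.authorize(*tap),               # first use of the code
        issuer.authorize(*tap),               # same code used a second time
        issuer.authorize(pan, 42, one_time_code(key, 42)),  # card's next tap
        issuer.authorize(*tap),               # old code after a newer one
    ]


if __name__ == "__main__":
    print(demo())
```

The second and fourth calls are the "red flag" case: the code itself is valid, but its counter has already been consumed, so the issuer can route the card to the fraud department instead of approving.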