The hands-free way to steal a credit card
Researcher both reads and decodes an audience member's smart-chip-enabled American Express card without removing it from the wallet.
Update on February 22, 2008, at 3:20 p.m PST: This blog has been updated to include a response from American Express.
WASHINGTON D.C.--Adam Laurie, an RFID security expert, used the Black Hat DC 2008 conference here, to demonstrate a new Python script he's working on to read the contents of smart-chip-enabled credit cards.
As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer's wallet, Laurie both read and displayed its contents on the presentation screen--the person's name, account number, and expiration clearly visible.
Demonstrations like that show the potential misuse of RFID technology in the near future. Without touching someone, a thief could sniff the contents of an RFID-enabled credit card just in passing. The same is true for embedded RFID chips in the human body, work access badges, some public transit cards, and even the new passports in use in more than 45 countries.
As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer's card. Laurie said that American Express told him: "We are comfortable with the security of our product." Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing.
"The alias number on American Express' ExpressPay cannot be used for online transactions," said Molly Faust, American Express' Public Affairs representative, in an e-mail to CNET News.com. "ExpressPay has multiple security mechanisms. As the payment host, American Express would not verify/authorize an online transaction using just the alias account number. There are several other security mechanisms that would be required in order for payment authorization to take place."
The credit card industry has argued that use of the RFID-enabled cards will save customers time when processing payments.
An extreme example can be found in Spain. Laurie said a public beach there encourages visitors to have RFID tags injected into their bodies. The point? Merchants along the beach scan your wrist to obtain a unique ID from which they can debit your account. The advantage? You won't have to go to the beach with your wallet, which might get stolen.
Laurie, who has an injected RFID-tag, showed how easy it was not only to read the tag, but also to re-write the tag. During his demo, he used the coding sequence reserved for animal tagging to have his RFID chip declare him an animal.
On his RFIDiot Web site, Laurie offers the Python scripts free of charge and also sells the hardware necessary to read and write to RFID tags and cards.