co4ie Posted January 30, 2012

Hacker's Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets

Pull out your credit card and flip it over. If the back is marked with the words “PayPass,” “Blink,” that triangle of nested arcs that serves as the universal symbol for wireless data, or a few other obscure icons, Kristin Paget says it’s vulnerable to an uber-stealthy form of pickpocketing. As she showed on a Washington D.C. stage Saturday, she can read all the data she needs to make a fraudulent transaction off that card with just a few hundred dollars’ worth of equipment, and do it invisibly through your wallet, purse, or pocket.

At the Shmoocon hacker conference, Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: that RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.)

Paget magnetizing a counterfeit card with a volunteer's wirelessly-stolen credit card data on stage at Shmoocon.

If anyone still doubted that the trick had worked, Paget accidentally flashed the volunteer’s credit card number on a screen in front of an audience of hundreds of hackers and security researchers.
“You were planning on cancelling that card, weren’t you?” she added somewhat sheepishly.

Contactless cards are far more common than they might seem: According to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay. According to a show of hands among Shmoocon’s audience, dozens of the several hundred conference attendees in the room had contactless cards, and about a quarter of those weren’t aware of it until Paget asked them to pull out their cards and check for contactless symbols.

Paget, a well-known security researcher for the consultancy Recursion Ventures who was known as Christopher Paget until a gender change last May, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. (That’s the striped panel pictured above.) In one practical version of the scam, Paget says, a fraudster could simply bump up against his victim with that reader in a coat pocket and invisibly scan the RFID signal through material like a leather wallet or cloth pants. In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card’s information.

The scheme, Paget points out, doesn’t involve any hidden bug in the system, but rather the more fundamental problem that any commercially-available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. “Whatever encryption or other security there might be, it doesn’t matter,” she says. “The reader just spits out the number as if I’m the point-of-sales terminal, which is totally stupid. This is an embarrassingly simple hack, but it works.”

The attack Paget demonstrated is far from new.
The security industry has known since 2006 that contactless credit cards can be read wirelessly without the owner’s knowledge. But in current versions of the cards, the user’s name, PIN and the three-digit CVV on the back of the card aren’t included in the wirelessly-read information, which the industry has argued means the attack isn’t practical.

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction. The reason we think that’s the case is that it’s very difficult to monetize this as a criminal,” says Vanderhoof. “The premise that this is a new threat is absolutely false and isn’t supported by [Paget's] demonstration.”

In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code, or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

“The truth is that consumers should be embracing this technology because it’s making them safer,” says Vanderhoof.
“Efforts to try to discredit the use of chip technology in cards are only making the technology more vulnerable.”

But Paget says that rotating one-time CVV only means a fraudster would need to target multiple victims rather than defraud a single victim repeatedly. The scammer could stand in a crowded train station, for instance, reading the card numbers of many passers-by and sending them to an accomplice who carried out the rest of the scheme in real-time. “Instead of one person seeing many fraudulent transactions on their card, fifty people see one transaction on their statement, and maybe they don’t even notice it,” she says. “The card industry says this isn’t possible, but the information they’re giving you isn’t complete. It needed me to get up on stage and prove it so they would accept that the problems are real.”

And now how to solve those problems? Perhaps the simplest solution, Paget advises, is to kill your card’s RFID chip by frying it in the microwave. But that’s a more delicate task than it might seem. “Three seconds in the microwave will kill the chip,” she says. “Five seconds will set it on fire.”

Paget's GuardBunny, a credit-card-sized RFID jamming device.

Paget’s firm has been working on a more sophisticated fix: a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster. Paget says the device, which remains a prototype and still has no roadmap for commercial sale, blocks RFID signals far more effectively than any currently-available RFID-shielding wallet. Commercially-available RFID blockers simply shield cards or passports with a layer of aluminum or steel. GuardBunny, by contrast, reflects back the reader’s RFID signal with its own chip, effectively jamming the radio signal. That technique means even high-powered RFID readers would likely fail to pick up any credit card signals nearby.
“It doesn’t matter how much power you put into it, it just bounces it back at you,” Paget says.

Better still, when GuardBunny detects an RFID reader’s signal, it emits a high-pitched whining sound and its bunny icon’s eyes glow (as pictured) to warn of possible contactless pickpockets.

Paget admits that certain high-level attacks could get around even the GuardBunny’s protections. “You can defeat this. But it involves building your own reader,” she says. “That’s a lot more to demand of the bad guys than spending $50 on eBay.”
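The processor-side check the article attributes to the card industry (each scan yields a one-time code, each code is honoured once, and codes must arrive in the order they were generated) can be modelled to see why it limits a skimmed card to a single fraudulent charge and why the victim's own next purchase can block a stolen code. The following is an added illustration written for this post; it is not the article's code and not how any real card network implements the check. The one-time CVV is represented as a simple per-card counter (an assumption; real schemes derive the value cryptographically), the card number and the purchase sequences are constructed, and the `IssuerHost`, `Tap` and `run` names are invented for the example.

```python
"""Simplified issuer-side validation of one-time contactless codes.

Added illustration, not the code of any payment network or of the article's
author.  Assumption: the one-time code emitted on each read is a counter that
increases by one per read, so the issuer can check "seen exactly once" and
"arrived in order" by comparing integers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class CardState:
    last_counter: int = 0                      # highest code number accepted so far
    seen: Set[int] = field(default_factory=set)
    blocked: bool = False


@dataclass(frozen=True)
class Tap:
    source: str     # label only, for the reader: "holder" or "counterfeit"
    counter: int    # one-time code number the card emitted when it was read
    amount: float


class IssuerHost:
    """Authorizes a transaction and disables the card on a reused or out-of-order code."""

    def __init__(self) -> None:
        self._cards: Dict[str, CardState] = {}

    def authorize(self, pan: str, counter: int, amount: float) -> Tuple[bool, str]:
        state = self._cards.setdefault(pan, CardState())
        if state.blocked:
            return False, "declined: card already blocked"
        if counter in state.seen:
            # Same code presented twice: the article's "multiple transactions with the same code".
            state.blocked = True
            return False, "declined: one-time code reused, card blocked"
        if counter < state.last_counter:
            # An older code arriving after a newer one: the article's "wrong order" case.
            state.blocked = True
            return False, "declined: code used out of order, card blocked"
        state.seen.add(counter)
        state.last_counter = counter
        return True, f"approved ${amount:.2f}"


def run(taps: List[Tap], pan: str = "CONSTRUCTED-CARD-A") -> List[Tuple[str, bool, str]]:
    """Feed a constructed purchase sequence through a fresh issuer and return (source, approved, reason)."""
    host = IssuerHost()
    return [(t.source, *host.authorize(pan, t.counter, t.amount)) for t in taps]


def approvals(taps: List[Tap]) -> List[bool]:
    return [ok for _, ok, _ in run(taps)]


# Constructed scenarios.  In each one the card is read once by a skimmer between
# the holder's first and second purchases, so that read consumes code 2.
HOLDER_ONLY = [Tap("holder", 1, 4.50), Tap("holder", 2, 12.00), Tap("holder", 3, 3.25)]

# Counterfeit presented before the holder taps again: one fraudulent charge is
# approved, which is the single transaction the article says the scheme yields.
COUNTERFEIT_FIRST = [Tap("holder", 1, 4.50), Tap("counterfeit", 2, 15.00), Tap("holder", 3, 3.25)]

# Holder taps first (code 3), so the stolen code 2 arrives out of order and the
# card is disabled for everyone, including the holder's later purchase.
HOLDER_FIRST = [Tap("holder", 1, 4.50), Tap("holder", 3, 3.25),
                Tap("counterfeit", 2, 15.00), Tap("holder", 4, 9.99)]

# The same stolen code presented twice: the second use is refused and blocks the card.
REPLAY = [Tap("holder", 1, 4.50), Tap("counterfeit", 2, 15.00), Tap("counterfeit", 2, 15.00)]


if __name__ == "__main__":
    for name, taps in [("holder only", HOLDER_ONLY), ("counterfeit first", COUNTERFEIT_FIRST),
                       ("holder first", HOLDER_FIRST), ("replay", REPLAY)]:
        print(f"== {name}")
        for source, _, reason in run(taps):
            print(f"  {source:11s} {reason}")
```

The two middle scenarios are the crux of the disagreement in the article: the check does cap each stolen number at one charge and does disable the card when the holder gets there first, but it cannot tell a counterfeit carrying a fresh, in-order code from the genuine card, which is exactly why Paget's rebuttal shifts the threat from many charges on one card to one charge each on many cards.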