Advertisement

Vulnerabilities in First-Generation RFID-enabled Credit Cards

  • Thomas S. Heydt-Benjamin
  • Daniel V. Bailey
  • Kevin Fu
  • Ari Juels
  • Tom O’Hare
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4886)

Abstract

RFID-enabled credit cards are widely deployed in the United States and other countries, but no public study has thoroughly analyzed the mechanisms that provide both security and privacy. Using samples from a variety of RFID-enabled credit cards, our study observes that (1) the cardholder’s name and often credit card number and expiration are leaked in plaintext to unauthenticated readers, (2) our homemade device costing around $150 effectively clones one type of skimmed cards thus providing a proof-of-concept implementation for the RF replay attack, (3) information revealed by the RFID transmission cross contaminates the security of RFID and non-RFID payment contexts, and (4) RFID-enabled credit cards are susceptible in various degrees to a range of other traditional RFID attacks such as skimming and relaying.

Keywords

RFID credit cards contactless vulnerabilities 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Adida, B., Bond, M., Clulow, J., Lin, A., Murdoch, S., Anderson, R., Rivest, R.: Phish and chips: Traditional and new recipes for attacking EMV. Technical report, University of Cambridge Computer Laboratory (2006), http://www.cl.cam.ac.uk/~mkb23/research/Phish-and-Chips.pdf
  2. 2.
    Anonymous: Chip and spin (2006), http://www.chipandspin.co.uk/problems.html
  3. 3.
    Associated Press: Wave the card for instant credit. Wired News (2003), http://tinyurl.com/yc45ll
  4. 4.
    Averkamp, J.: ITS Michigan: Wireless technology and telecommunications (2006), http://www.itsmichigan.org/ppt/AM2005/Joe.ppt
  5. 5.
    Bono, S., Green, M., Stubblefield, A., Juels, A., Rubin, A., Szydlo, M.: Security analysis of a cryptographically-enabled RFID device. In: 14th USENIX Security Symposium (2005)Google Scholar
  6. 6.
    Bray, H.: Credit cards with radio tags speed purchases but track customers, too. Boston Globe (August 14, 2006), http://tinyurl.com/lmjt4
  7. 7.
    CardTechnology: Paypass subway trial starts in New York (2006), http://tinyurl.com/uya3k
  8. 8.
    Carey, D.: NFC turns phone into a wallet. EE Times (2006), http://tinyurl.com/yyxk28
  9. 9.
    Chan, S.: Metro briefing | New York: Manhattan: Warning about credit risks. The New York Times (2006), http://www.nytimes.com/2006/12/04/nyregion/04mbrfs-credit.html
  10. 10.
    DIFRWear: Faraday-Caged Apparel. (2006), www.difrwear.com
  11. 11.
    Dougherty, G.: Real-time fraud detection. MIT Applied Security Reading Group (2000), http://pdos.csail.mit.edu/asrg/02-28-2000.html and http://pdos.csail.mit.edu/asrg/02-28-2000.doc
  12. 12.
    EMVCo: EMV Integrated Circuit Card Specifications for Payment Systems (2004), http://tinyurl.com/oo663
  13. 13.
    EPIC: Mock point of entry test findings, p. 48 (2005), http://www.epic.org/privacy/us-visit/foia/mockpoe_res.pdf
  14. 14.
    Ferguson, R.: Schwarzenegger quashes RFID bill. eWeek DATE (2006), http://tinyurl.com/y29z6s
  15. 15.
    Greenemeier, L.: Visa expands contactless card efforts. Information Week (2006), http://tinyurl.com/ykzo4t
  16. 16.
    Hancke, G.P.: A practical relay attack on ISO 14443 proximity cards. Technical report, University of Cambridge Computer Laboratory (2005), http://www.cl.cam.ac.uk/~gh275/relay.pdf
  17. 17.
    Hancke, G.P.: Practical attacks on proximity identification systems (short paper). In: Proceedings of IEEE Symposium on Security and Privacy, pp. 328–333 (2006), http://www.cl.cam.ac.uk/~gh275/SPPractical.pdf
  18. 18.
    Harper, J.: RFID wiggles its way into credit cards? (2005), http://lists.jammed.com/politech/2005/05/0038.html
  19. 19.
    Heydt-Benjamin, T.S., Bailey, D.V., Fu, K., Juels, A., O’Hare, T.: Vulnerabilities in first-generation RFID-enabled credit cards. Technical report, University of Massachusetts Amherst, CS TR-2006-055 (2006)Google Scholar
  20. 20.
    Heydt-Benjamin, T.S., Chae, H.J., Defend, B., Fu, K.: Privacy for public transportation. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, Springer, Heidelberg (2006)CrossRefGoogle Scholar
  21. 21.
    HowStuffWorks, Inc.: How blink works (2006), http://money.howstuffworks.com/blink1.htm
  22. 22.
    ISO: ISO/EIC 14443, proximity cards (PICCs). Technical report, ISO (2006), http://wg8.de/sd1.html
  23. 23.
    Juels, A.: RFID security and privacy: A research survey. IEEE Journal on Selected Areas in Communication 24(2) (2006)Google Scholar
  24. 24.
    Juels, A., Rivest, R.L., Szydlo, M.: The blocker tag: selective blocking of RFID tags for consumer privacy. In: CCS 2003. Proceedings of the 10th ACM conference on Computer and Communications Security, pp. 103–111 (2003)Google Scholar
  25. 25.
    Kfir, Z., Wool, A.: Picking virtual pockets using relay attacks on contactless smartcard systems. In: IEEE/CreateNet SecureComm., IEEE, Los Alamitos (2005), http://eprint.iacr.org/2005/052 Google Scholar
  26. 26.
    Koper, S.: Contactless acceptance made easy for business payment systems. In: BPS 2006 Summer Conference, Las Vegas, NV (2006), http://tinyurl.com/sjte6
  27. 27.
    Molnar, D.: Personal communication (2006)Google Scholar
  28. 28.
    New York City Transit Authority: NYC MetroCard Fares. In: WWW (2006), http://tinyurl.com/y5egfd
  29. 29.
    O’Connor, M.C.: Chase offers contactless cards in a blink. RFID Journal (2005), http://tinyurl.com/yzy9u5
  30. 30.
    O’Connor, M.C.: At McDonald’s, ExpressPay fits the bill. RFID Journal (2006), http://tinyurl.com/yc58sa
  31. 31.
    Rieback, M., Gaydadjiev, G., Crispo, B., Hofman, R., Tanenbaum, A.: A platform for RFID security and privacy administration. In: Proc. USENIX/SAGE Large Installation System Administration conference, Washington, DC, USA, pp. 89–102 (2006), http://www.rfidguardian.org/papers/lisa.06.pdf
  32. 32.
    Schuman, E.: How safe are the new contactless payment systems? (June 20, 2005), http://tinyurl.com/y9a525
  33. 33.
    Selker, E.: Manually-operated switch for enabling and disabling an RFID card. Technical report, MIT, Patent #20030132301 (2003)Google Scholar
  34. 34.
    UK Chip and Pin: Chip and pin (2006), www.chipandpin.com
  35. 35.
    Westhues, J.: Hacking the prox card. In: Garfinkel, S., Rosenberg, B. (eds.) RFID: Applications, Security, and Privacy, pp. 291–300. Addison-Wesley, Reading (2005)Google Scholar
  36. 36.
    Yoshida, J.: Tests reveal e-passport security flaw. EE Times (August 30, 2004), http://tinyurl.com/surgr

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Thomas S. Heydt-Benjamin
    • 1
  • Daniel V. Bailey
    • 2
  • Kevin Fu
    • 1
  • Ari Juels
    • 2
  • Tom O’Hare
    • 3
  1. 1.University of MassachusettsAmherstUSA
  2. 2.RSA LaboratoriesBedfordUSA
  3. 3.Innealta, Inc.SalemUSA

Personalised recommendations