
Vulnerabilities in First-Generation RFID-enabled Credit Cards

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4886)


RFID-enabled credit cards are widely deployed in the United States and other countries, but no public study has thoroughly analyzed the mechanisms that provide both security and privacy. Using samples from a variety of RFID-enabled credit cards, our study observes that (1) the cardholder’s name and often credit card number and expiration are leaked in plaintext to unauthenticated readers, (2) our homemade device costing around $150 effectively clones one type of skimmed card, thus providing a proof-of-concept implementation for the RF replay attack, (3) information revealed by the RFID transmission cross-contaminates the security of RFID and non-RFID payment contexts, and (4) RFID-enabled credit cards are susceptible in various degrees to a range of other traditional RFID attacks such as skimming and relaying.


  • RFID
  • credit cards
  • contactless
  • vulnerabilities

The full version of this paper appears as UMass Amherst CS TR-2006-055. See for the latest version.

The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-540-77366-5_37





Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Heydt-Benjamin, T.S., Bailey, D.V., Fu, K., Juels, A., O’Hare, T. (2007). Vulnerabilities in First-Generation RFID-enabled Credit Cards. In: Dietrich, S., Dhamija, R. (eds) Financial Cryptography and Data Security. FC 2007. Lecture Notes in Computer Science, vol 4886. Springer, Berlin, Heidelberg.


  • DOI:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77365-8

  • Online ISBN: 978-3-540-77366-5

  • eBook Packages: Computer Science, Computer Science (R0)