RFID snakeoil?

Well, snakeoil might be a bit strong as it actually seems to work. The question is whether this is a solution in search of a problem.

Background: The local news radio station here ran a story about the Armadillo Dollar, a metallic flat thingie you wrap your smartcard in to keep it from being scanned by nefarious people. The story has a local angle – the guy lives here – so I could see why the station ran with it. But I wonder how much of a problem it really is?

I work for a major credit card processor and we offer an RFID reader on some of the terminals we have, but I have seen that offer taken up literally a handful of times, less than five in the past two years. I haven’t any smart credit cards, but I do have a door key, identical-looking to one appearing in their videos, for getting in at work. I know from there the card has to be within an inch of the reader for the door to be triggered.

Here is a propaganda piece from the Armadillo Dollar website. Here is a news story they also have. We all know how technically naïve broadcast journalists can be and I can’t help noticing, unlike the first video, how aggressively obtrusive she is to trigger the victim’s card. Notice also in the report’s hallway-brush scenario, there’s no audio so you don’t know if it was successful or not.

It’s hard to tell exactly what’s going on here but it looks like they’re getting a successful trigger at 55 cm. Note: All the videos linked to are on the AD website, but their embedded links work terribly.

So, the question is, can an RFID reader be beefed up enough to trigger your smartcard into spilling its guts at a distance worth worrying about, or is this a $25 solution we can forget about?

There’s a lot of versions of RFID tags made by many different companies. Several of these have been “cracked”, i.e., the encrypted contents can be read remotely. There are also exploits found against some of the readers, i.e., by ginning up a certain fake RFID tag, you can cause database problems with the system, which could in turn be used to do various evil things.

Most RFID tags are quite simple and the most that you could do with them is track them from a modest distance (e.g., 30+ feet). This can have security/privacy problems. Example: a store could place several scanners throughout their store. They could track which aisles you go down (via a tag on a card in your wallet), where you pause, etc. and then link “you” up with your credit card when you pay. That data can and will be sold to all comers. If you have an enemy that knows someone who works for one of the data aggregate companies, a lot of info could be obtained that you might not want certain other people to have.

My library has RFID tags on their books. So someone out on the street in front of the library can scan the codes of the books of people as they come out of the library. It doesn’t take much then to match the codes to books. Again, could be used by someone trying to harm/embarrass someone.

As for RFID tags in credit cards. Ridiculously bad idea. All such systems have been or will be cracked. People will be able to get your credit card info without you even taking your card out of your wallet. Definitely a major step down in security from the credit card companies’ already horrible security.

“Consumer Reports” did an article warning people about RFID tags about last April. I read professional computer journals and the articles are downright scary as to how bad this is going to be.

(I’m an ex-Computer Science prof. Quite familiar with the best encryption schemes and the long history of failed or badly implemented ones. There is no such thing as a flawless encryption scheme. Look at the exploits for supposedly secure WiFi encryption.)

Passive RFID normally only works at ranges up to a couple of feet. The Armadillo Dollar itself is most likely a chunk of laminated fine copper mesh creating a Faraday cage around your cards. So in a nutshell the radio waves will not even penetrate past something wrapped around it because they are absorbed and bled off as heat (nothing you would even be able to feel at this level). Stealth aircraft use similar technologies in their skins to reduce radar return.

That said, to really work well you would have to wrap it around the cards you want to protect or else it would only have a chance to stop it from certain angles.

An attacker would not need to beef up a reader; he can simply put his reader in a backpack or pocket and brush up against people.

If the bad guy stood in a busy place, say an airport terminal or mass transit entrance/exit, he/she could harvest a few hundred to a few thousand cards per hour.

Count me as another IT pro & all-around security guy who says RFID’s waaaay too dangerous to let out into public. Good thing they’re embedding it in all our passports & want to embed it in all our driver’s licenses.

In my opinion, RFID fear is just paranoid bullshit. Your actual data is not encoded on the card, just a serial number that is looked up in someone’s database. Unless you have access to the database, all you get is a bunch of random numbers - and if you have access to the database, you don’t need to be reading people’s smartcards.

Furthermore, so what if someone gets your credit card info? You’re not responsible for charges you didn’t make. How often do you hand your credit card to a waitperson at a restaurant and they take off to do their thing? How do you know they didn’t record every bit of info on the card, including the supersecret 3 digit code on the back, so they could do all the nefarious things being imagined in this thread?

Again, there is a vast difference between theory and practice. People have had their credit cards stolen, reported it, the card is cancelled, and yet their lives are still ruined. One local station did a report on a couple whose card was stolen and reported. Years later they are still being harassed by merchants still trying to get paid for years old fraudulent bills. The CC companies don’t reimburse for legal fees.

Who needs even a minor headache if there is not a single reason for RFID credit cards?

My concern isn’t the card that I use regularly and that we check twice a week for false charges. It’s the ones that go months without use. By the time fake charges are noticed, it’s likely to be a big mess.

Sure, for some systems you need access to a DB to match things up. Nobody who knows anything about computer security thinks that can’t be done. E.g., look at the companies that offer cell phone records for a fee.

Just scare mongering. Your post fails to provide any evidence that RFID poses additional risks above and beyond normal credit card use.

That’s the way it looked to me and that’s exactly why I posted. The risks on the site were looking dubious to me and I wanted to see if any RFID experts could say different. It looks like no.

I have had several lost or stolen wallet situations where charges got run up. Not once, out of dozens of charges per incident, has anyone ever harassed me after the fact. This includes an ugly one involving my business Visa check card. People bought almost $3K worth of stuff from 5 stores, over $1K was from one store, just on 1 card.

Not a peep.

I’d be willing to bet the people in question either did not do the proper follow-up paperwork or for whatever reason Visa rejected their claim.

The lunchroom at work (large financial institution you’ve heard of) takes only cash and American Express ExpressPay. I find the RFID credit card option highly convenient. Swiping a card would take too long and this way I don’t have to get it all the way out of my wallet, so I can do it one-handed.

You must not have had the Capital One “extra hassle” card my wife had stolen in December. We reported it missing and asked for the account to be closed immediately. We went over which charges were ours and which were fraudulent, and the fraud department people agreed with us and said the charges would be removed and the account closed. Except that they weren’t and it wasn’t. Over the past four months, we’ve attempted to close this account and every agent we’ve spoken to has sworn up and down that he or she was closing the account and that we should consider the balance $0, but as recently as Friday, my wife has gotten nasty email claiming that her account is overdue, etc., and every time we call back, we’re told that the account is not closed. Luckily it’s a small amount of money they’re hassling us over ($175ish), but if it was thousands of dollars of phony charges, this would be stressful in the extreme and potentially damaging to us.

Of course, I’ve had my card stolen before and the whole thing was solved without a hitch. My point is that just because you’re in the right doesn’t mean that having your credit card stolen is automatically no big deal.

Somebody has to pay for the stolen merchandise, and it’s most likely going to be the merchant. You think that the merchant isn’t going to raise prices to cover losses to theft and fraud? You’ll certainly be paying more in the long run, even if you don’t pay directly for the stolen merchandise charged to your card.

And no, there is no way to know when sending your card off in the hands of a server that s/he isn’t copying down all of your information (although addresses are not printed on cards and the address generally has to be included for phone/internet orders), other than the social contract I suppose. You can always walk your check up to the register and pay in person, rather than giving your card to the server, although the fraud I see most frequently from restaurants is servers writing in inflated tips so be sure you cross out the “tip” line on your receipt if you don’t tip on the card.

Good! That way the merchant is incentivized to avoid fraudulent transactions by checking ID, signature, etc.

Or he’s “incentivized” to raise prices to make up for the loss. Which do you suppose is easier, to train a staff in proper verification procedures or train them how to set a higher price on the pricing gun?

If it’s so easy to raise prices, why does he need “incentive”?

The challenge with RFID tags is that they are nearing the point where they are about the size of a grain of sand. Finding one embedded in your purchases is nearly impossible without special equipment. A profile of your activities and behavior can be constructed based on what you wear or carry. It may be enough to identify who you are and it may be enough to steal your identity as your data accumulates.

I work with this stuff and I am concerned. It is about privacy and personal security. An RFID tag represents a credible risk.

The smaller the tag, however, the shorter the range. Those tiny ones have ranges in the area of a few inches at best, fine for cashiers, lousy for identity theft. Many people’s paranoias involve things like people being able to scan their house from the street, which is not feasible with passive systems. Penetrating residential walls with enough power to generate a return signal from an RFID tag that could penetrate the walls on the way out ain’t gonna happen.