Thursday, September 19, 2013

Simulated Attacks Against RFID Credit Cards

Recently a colleague sent me this scary video illustrating an attack against contact-less (RFID) credit cards.  

Sigh.  It is bad.  It is not quite as bad as it sounds and only a little bit worse than it looks.

Watch the film again.  Focus on how close the attacker gets to the target.  Here is why.

The problem is not so much how the information is transferred as that it is transferred in the clear, not so much that the credit card number leaks as that credit card numbers are so easy to exploit. 

Said another way, all uses of credit card numbers in the clear leak;  this includes imprinters, compromised point-of-sale devices, gas pumps, and ATMs.   That would not be a problem if no one would accept a credit card number in the clear from an untrusted source.  

A major problem with the video is that it fails to distinguish between these RFID cards, that rely on the short range of the signal for security, from EMV cards that rely upon encryption, or even chip cards that require contact.

While many US merchants are ready for EMV, the issuers have slipped their schedule to 3Q 2015.  My hope is that by that time PayPal, Google Wallet, Square Wallet, or other (are you listening Apple and Amazon?) mobile computer token-passing systems, will have made them obsolete.  

For the moment, we can treat this as a vulnerability but not a problem;  there are easier ways to get credit card numbers.  The continued use of mag-stripe and PIN dwarfs all other problems in the retail payment system.


  1. good looking blog and very most important information provide RFID 4u

  2. Simulated Attacks Against RFID Credit Cards related information

  3. Interesting blog. This is one of my favorite blog also I want you to update more post like this. Thanks for sharing this article.
    Best Credit Cards Services in Chennai

  4. high risk merchants credit card processing Start accepting credit card payment for your high risk businesses and start making ... questions about high risk merchant accounts and credit card processing.

  5. Penalties for this type of crime should be harsher

  6. This comment has been removed by a blog administrator.

  7. all uses of credit card numbers in the clear leak; this includes imprinters, compromised point-of-sale devices, RFID tags