RFID Journal Blog
Where the RFID Community Shares Ideas

Yes, Contactless Payments Are Safe

By Mark Roberti

Reuters ran an article a few weeks ago entitled "Mobile phone payments 'pose huge fraud risk'." The story quoted Greg Day, an analyst at security specialist McAfee, as saying near-field communications (NFC) used for phone payments represent an opportunity for sophisticated criminals to steal a lot of money.

Day doesn't point to any significant flaw in the technology, but is quoted as saying, "The mobile space is fraudsters' biggest opportunity for the future, largely because many people still see their phone as a communication device, rather than something that they have to keep secure."

In fact, a group of hackers at a conference recently claimed they can break into NFC phones. Even if that's true, however, it doesn't mean NFC phones "pose the greatest future threat to the security of consumers' financial details."

Day says thieves could steal small amounts of money often to reap huge sums. But the industry is already responding to potential fraudulent transactions. One protection is the Card Verification Value code (CVV, also known as CVC). Each credit-card number is associated with a three- or four-digit code, located on the back of the physical card. It's static on all mag-stripe cards, but it's dynamic on an NFC phone. So each time a legitimate NFC phone is used, a new CVV is assigned. If a bogus phone is then used, it will present the old CVV, which is now wrong, and the transaction won't go through.
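To make the dynamic-CVV argument concrete, here is an added illustration (not part of the original post, and not how any particular payment network actually derives its codes): the issuer and the phone share a per-card key, the phone derives a fresh 3-digit code from a transaction counter on every tap, and the issuer refuses any counter it has already consumed. The HMAC-based derivation, the counter window and the sample card number are constructed assumptions for this example.

```python
import hmac
import hashlib

def dynamic_cvv(card_key: bytes, counter: int) -> str:
    """Derive a 3-digit code from the card key and tap counter (constructed scheme)."""
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

class Issuer:
    """Issuer-side state: per card, the shared key and the highest counter approved."""
    def __init__(self, window: int = 5):
        self.window = window   # how far the counter may run ahead (missed/offline taps)
        self.cards = {}

    def enroll(self, pan: str, card_key: bytes) -> None:
        self.cards[pan] = {"key": card_key, "last": 0}

    def authorize(self, pan: str, counter: int, cvv: str) -> str:
        rec = self.cards[pan]
        if counter <= rec["last"]:          # already spent: a replay or a cloned snapshot
            return "DECLINE: counter already used (replay or clone)"
        if counter > rec["last"] + self.window:
            return "DECLINE: counter too far ahead"
        if not hmac.compare_digest(cvv, dynamic_cvv(rec["key"], counter)):
            return "DECLINE: bad dynamic CVV"
        rec["last"] = counter               # a legitimate tap moves the card forward
        return "APPROVE"

class Phone:
    """The legitimate NFC phone: holds the key and increments the counter per tap."""
    def __init__(self, pan: str, card_key: bytes):
        self.pan, self.key, self.counter = pan, card_key, 0

    def tap(self):
        self.counter += 1
        return self.pan, self.counter, dynamic_cvv(self.key, self.counter)

def demo():
    issuer = Issuer()
    key = b"constructed-per-card-key"          # constructed, not a real key
    phone = Phone("TEST-PAN-0001", key)         # constructed placeholder card number
    issuer.enroll(phone.pan, key)
    first = phone.tap()
    skimmed = first   # a skimmer sees only what this tap transmitted: PAN, counter, code
    results = [issuer.authorize(*first)]          # legitimate purchase
    results.append(issuer.authorize(*skimmed))    # same data replayed from a bogus device
    results.append(issuer.authorize(*phone.tap()))  # legitimate phone has moved on
    results.append(issuer.authorize(*skimmed))    # skimmed code is now permanently stale
    return results
```

The skimmed data is only useful in the gap between being captured and the legitimate tap being authorized; with a static mag-stripe CVV the same replay would succeed indefinitely.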

The NFC industry is also working on an Over the Air (OTA) method of transferring data to a mobile device for personalization and security applets. Currently, if a hacker finds a way to break into the secure area of an NFC chip, the chip itself would have to be replaced. With OTA, if there is a breach, you could just send out a security patch to the phone and fix the security issue dynamically.

Another option being discussed is a digital receipt. Here's how it would work: If someone somehow were to clone your NFC phone's payment capability and purchase a handbag or pack of cigarettes, you would receive a text message on your phone—a receipt, stating the item, time of purchase, price and retailer. You could then immediately call your credit card company and inform them of the problem.

Compare that to a mag-stripe card. You would pay your dinner bill with a credit card, and the waiter would clone your card. The waiter's friends would use the card to make several purchases during the next three weeks, and you wouldn't learn about the fraudulent charges until you got your monthly statement.

Here are two other things to remember. Credit-card companies have software that analyzes transactions in an effort to detect fraud. When unusual activity occurs, a block is put on the card until the cardholder can be contacted. The same is true of phones used to make credit-card payments.

What's more, credit-card companies often protect consumers from fraudulent use of their cards. When a fake transaction occurs, it is voided and the merchant is often the party that takes the hit. So security experts can try to scare people, but the truth is, consumers don't appear to have much to be concerned about at this point.


4 Comments

Fairness
Yes, it is true that consumers have much to be concerned about and it is true that the cost of NFC fraud would be passed on to them. It's equally true that when credit card numbers are stolen from databases and when mag stripe cards are cloned, consumers pay the price for that too. I was wrong to generalize. All security experts aren't trying to scare people. But Day's comments were grossly irresponsible and potentially very damaging to the NFC industry and to consumers who could benefit from the technology should it take off.

Posted By: Mark Roberti 6/17/08 at 3:31 AM
Consumers Always Have Much To Be Concerned With
While it is indeed true that credit card companies reimburse victims of fraud, and they pass this on to merchants, this does not mean the consumer does not suffer. The merchant must recoup these losses to stay in business. He may be able to "eat" some of these losses, if infrequent, but more than a few chargebacks will eventually lead to higher prices, or cost cutting (usually customer service), or his going out of business. All of these should be of great concern to consumers.

If you feel that Greg Day is out of line, it is certainly your prerogative to say so. It is not fair, however, to characterize security experts as a group of people who are trying to scare people. This is no less egregious than groups who attack environmentalists and scientists who discuss global warming, dismissing anyone who believes the evidence indicates a cause for concern.

Some of us are really trying to help.

Posted By: Mike Ahmadi 6/16/08 at 9:15 AM
Backroom security patching won't help either
The security discussion surrounding NFC technology has started much too late and virtually all current installations use cryptographically weak Mifare Classic chips.

Whether NFC will become a target of extensive fraud as Greg predicts will depend on whether effective security measures can be developed and deployed quickly.
All the measures you are suggesting appear to have their own drawbacks and are circumventable in one way or another. The credit card CVV -- dynamic or not -- can be skimmed off a card just like the credit card number. Updating a phone over the air will only work until malware on the phone deactivates the update functionality. And the added security of RFIDs over magstripes is more than compensated by the fact that fraudsters can read your data from a distance.

So while the NFC security discussion has led to many proposals, the potential solutions must be discussed more openly to allow for extensive peer review. The NFC Forum has so far rejected such review and even claims that NFC should have no security built in.

I can't think of anybody better suited to helping to understand the threats to NFC than Greg, a virus scanner professional, who maintains products that constantly adapt to the evolving threats that fraudsters pose.

Posted By: Karsten Nohl 6/14/08 at 11:39 AM
Improved Security?
"They'll just send out a security patch." As soon as you make the software accessible, you will have hackers sending viruses or trojans to intercept and steal the customer security details. Sounds less secure, not more.

Posted By: JonM 6/13/08 at 12:28 AM