I recently exchanged posts with security consultant Chris Paget on PBS Newshour's Web site (see Radio Frequency Identification Tags: Identity Theft Danger or Modern Aid?). The back and forth is long, and included the security of RFID-enabled credit cards. Paget wrote, "RFID tags in credit cards have made our credit card infrastructure less secure, and have significantly complicated the problems of how to detect and prevent credit card fraud. While the tags themselves have the capability to operate in a very secure manner, the architecture of the system is fatally flawed and introduces several additional attack vectors into a legacy technology that is horribly broken."
I can't believe the credit-card companies would introduce technology that makes fraud more likely, so to get the facts, I spoke with Elvira Swanson, a spokesperson for Visa, and Randy Vanderhoof, the executive director of the Smart Card Alliance. Both stated categorically that RFID-enabled credit cards are more secure than cards with data stored on magnetic stripes. One reason is that during the transaction, the card never leaves a consumer's hand. In many cases, you have to hand over a magstripe card to a waiter or gas station attendant to swipe, thereby providing an opportunity for that individual to swipe the card through a device that can capture all of the card's information, and potentially photocopy the back so that the signature can be forged.
According to Swanson, a magstripe card contains the card holder's name, a 16-digit credit card number, an expiration date and a credit verification value (CVV)—a three- or four-digit number used in transactions in which the card is not present and the signature cannot be verified (mainly, online purchases). With this information, the card can then be cloned and the new card would be indistinguishable from the original. A criminal could also conduct transactions online without a problem.
RFID-enabled cards retain their magnetic stripe, so they can be used with existing point-of-sale terminals. Therefore, the information is still vulnerable. But the chip in the RFID transponder has additional security features that credit-card companies say make it more secure. Each time the card is used for a legitimate transaction, the chip generates a new CVV—which is different from the one printed on the card—and communicates that CVV to the network, which uses it to validate the next transaction. If someone were to skim information off the card, that person could not clone the card since the CVV is only good for a single transaction.
The electronic CVV is invalid for online transactions. So if a criminal skimmed a credit card and obtained the electronic CVV, and then tried to use it to buy something at a Web site that conducted a CVV check, the transaction would be rejected. The only way a skimmed card could be used online would be to purchase something at a site that doesn't check either the cardholder's name or the printed CVV. One benefit of RFID-enabled cards is that you are not handing over your card to a waiter or gas station attendant, who can then write down your credit-card number and the printed CVV, and use the card for online purchases.
In addition, Vanderhoof says, newer contactless cards host a key that creates a dynamic cryptogram—usually a three-digit security code—that is sent to the back-end system to uniquely identify each contactless transaction. The key used to create the cryptogram from the credit-card number, expiration date and so forth is never broadcast, so it cannot be skimmed using an RFID reader. Thus, there is no way to utilize a cloned card to execute a transaction at a store that accepts contactless payments.
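The per-transaction code described above can be modeled in a few lines. This is an added example, not code from Visa, the Smart Card Alliance or any payment network: the HMAC-SHA256 construction, the transaction counter, the `Card` and `Issuer` classes and the sample card number and key are all assumptions chosen to show why a skimmed code fails when replayed and why a clone without the key cannot produce the next one.

```python
import hashlib
import hmac

def dynamic_code(key: bytes, pan: str, expiry: str, counter: int) -> str:
    """Three-digit code for one transaction; the key is never transmitted."""
    msg = f"{pan}|{expiry}|{counter}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    """Hypothetical chip: holds the key and a counter, emits only the code."""
    def __init__(self, key: bytes, pan: str, expiry: str):
        self._key, self.pan, self.expiry, self._counter = key, pan, expiry, 0

    def tap(self) -> dict:
        self._counter += 1
        code = dynamic_code(self._key, self.pan, self.expiry, self._counter)
        return {"pan": self.pan, "expiry": self.expiry,
                "counter": self._counter, "code": code}

class Issuer:
    """Hypothetical back end: shares the key, remembers the last counter."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last[pan] = key, 0

    def authorize(self, m: dict) -> bool:
        key = self._keys.get(m["pan"])
        if key is None or m["counter"] <= self._last[m["pan"]]:
            return False  # unknown card, or a counter that was already used
        good = dynamic_code(key, m["pan"], m["expiry"], m["counter"])
        if not hmac.compare_digest(good, m["code"]):
            return False  # code was not derived from the card's key
        self._last[m["pan"]] = m["counter"]
        return True

def demo() -> dict:
    key, pan, exp = bytes(range(16)), "4000000000000002", "1212"  # constructed
    card, issuer = Card(key, pan, exp), Issuer()
    issuer.enroll(pan, key)
    skimmed = card.tap()  # what a reader in range would observe
    out = {"genuine": issuer.authorize(skimmed),
           "replay": issuer.authorize(dict(skimmed))}
    # A clone lacks the key, so for a fresh counter it cannot compute the
    # right code; model that with a value guaranteed to differ from it.
    wrong = f"{(int(dynamic_code(key, pan, exp, 2)) + 1) % 1000:03d}"
    out["forged"] = issuer.authorize(dict(skimmed, counter=2, code=wrong))
    out["next_genuine"] = issuer.authorize(card.tap())
    return out
```
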
READERS' COMMENTS
Managing Director ARN (SB) Pte Ltd
Stick Paget high up on the RFID misconception wall, and ask him for his mag stripe credit cards so we can clone a free meal at his expense.
Posted By: Ian Shelley 9/15/10 at 11:32 PM
Ever heard of relay attacks?
http://www.rfidblog.org.uk/hancke-rfidrelay.pdf
Posted By: 9/17/10 at 4:26 PM
Re Relay attacks
I was not aware of this paper. Thank you for sharing. This certainly seems like an issue that the credit card industry needs to address. But I'm not sure that it's a huge concern at the moment to people with RFID enabled credit cards. First, you need a lot more technical expertise than just buying a reader off of eBay, which is what some people have said is all you need to "hack" an RFID-enabled card. Second, I'm not sure that it would be very easy to pull this kind of attack off in the real world. And third, if you are a criminal and you have the money and sophistication to do this, you would be far better off putting your resources toward hacking a Web site database to steal thousands of cards, rather than trying to intercept one transmission at a time, so you could make one Web purchase at a time. I welcome additional comments on relay and other attacks.
Posted By: Mark Roberti 9/20/10 at 8:52 AM
Relay attacks are not limited to web purchases.
...but it works best at unattended vendors. Example: You place your card emulator next to the RFID antenna on a railroad ticket vending machine. You walk around with your reader emulator (with a large antenna, say 20") in a briefcase. The two emulators communicate with an RF link. Each time you find an RFID credit card, you buy the maximum value ticket ($100?), possibly many of them. The CC card holder has no idea his CC is paying for this. You can have the strongest encryption in the world, it's not going to protect you....
Posted By: Reader 9/22/10 at 12:23 PM
We just demonstrated the attack again
Identity Stronghold just demonstrated once again in front of onlookers skimming the data off a credit card in a back pocket (with the owner's permission) and then proceeding to place a purchase with only the skimmed data over the phone shipped to someone else's address with a made up name without a 3 digit code. The product shipped no problem. But even if we had end to end encryption of the cc number in our backend systems the relay attack would work flawlessly as the dynamic cvv and cryptogram would be valid. Why don't the credit card issuers just ship secure sleeves to protect them? They are simple, inexpensive, and effective. The US Government even uses them.
Posted By: Walt Augustinowicz 9/25/10 at 10:08 AM
I would love to see this
I would love to see a video of someone successfully stealing credit cards to buy rail tickets or skimming a credit card and making a purchase online. I volunteer my time, services and credit card. Let's do a video and I will post the video and a news story on RFID Journal. If it's really this easy, we should show the capturing of data and the transaction. I am particularly interested to see how the relay attack would work in real life. You find a card with your antenna in the briefcase, relay the data to what? How is the transaction executed? Where is the emulator and link placed? And is this easier than hacking databases or paying an insider for a password?
Posted By: Mark Roberti 9/27/10 at 6:26 AM
@Mark Roberti: why don't you read the pdf first?
http://www.rfidblog.org.uk/hancke-rfidrelay.pdf or this one: http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html CC's are ISO14443....
Posted By: Reader 9/27/10 at 12:58 PM
There's the lab and then there is reality
I read the first PDF on relay attacks and now I have read the one you provide. You seem to assume that because someone did something in the lab, that means it can and will be done in the real world. I don't necessarily assume that. First, pulling off a relay attack in the real world is likely to be difficult. I've offered to film such an attack and post it on our site. Second, for a relay attack to become a threat to consumers, it has to be hard to detect. It probably would be today, but if it became a common tactic, it would be easy to detect the signals from the relay and arrest the perpetrator. Third, this method of stealing credit card numbers needs to be cheaper, easier or more efficient than other methods. This seems to fail miserably on this count. It seems to me it would be much easier to hack a database and get 10,000 cards than to set up a relay and steal a few hundred dollars worth of travel tickets. So, I don't see relay attacks as a huge threat to credit cards any time soon. That said, the credit card industry should address this.
Posted By: Mark Roberti 9/28/10 at 7:19 AM
CC RFID
Hi, I am assuming that no one has taken you up on your offer to steal your RFID CC info and then being able to use it. If they have where can I find information on the outcome?
Posted By: 3/20/11 at 2:48 PM
No takers
You are correct. No one took me up on the offer. I am thinking of trying it on my own, perhaps after our event, I will invest some time and video tape it.
Posted By: Mark Roberti 3/21/11 at 12:41 PM
What about this?
Hi, What do you think about this video http://www.youtube.com/watch?v=lLAFhTjsQHw&feature=player_embedded#at=148 ? True or false?
Posted By: Lukasz Janczarek 4/6/11 at 10:56 PM