
The Consequences of Convenience

RFID payment devices might mean we'll spend less time in lines, but will they strengthen or weaken our privacy protections? That remains to be seen.
By Mary Catherine O'Connor
It has also become apparent that exploiting a weakness within encryption algorithms is not the only way to compromise an RFID payment device. More than one researcher has discovered a means of essentially fooling an RFID interrogator into thinking an RFID-enabled credit card (or, perhaps, a building access card, or some other type of payment device, such as a Speedpass key fob) is within the required read range, when in actuality, the tag is up to 150 feet away. This type of attack is called a relay, and it involves placing two devices between a tag and an interrogator.

One device, a ghost or proxy, is placed within the read range of a legitimate interrogator deployed in a store. The ghost relays the interrogator's signal to a second device, a leech or mole, held within 4 inches of the credit card's RFID tag. The leech then picks up the tag's responding signal and relays it to the interrogator by means of the ghost. The decryption of the data takes place in an interrogator linked to the POS system, as it would if the tag were being held up to the reader. In other words, this kind of attack compromises an RFID system without actually breaking the encryption.

"With a relay attack, the protocol [between the card and interrogator] is still taking place. All that's changing is the perception of the distance of the tag from the reader," says Ari Juels, manager of applied research at RSA Laboratories. "There are questions around how easy or difficult it would be to launch [a relay attack] on an RFID system in the real world. Once RFID savvy becomes more pervasive, hackers will be able to create the devices needed for the relay systems, but how sophisticated they'll be able to make them is still to be seen."

To be successful, Juels says, a relay attack would also likely require the cooperation of an employee to okay the transaction in the point-of-sale system since the person supposedly purchasing the item would not be able to present an RFID-enabled credit card to the interrogator. For this reason, using the relay attack with an RFID-enabled vending machine would be easier.
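The point that a relay leaves the protocol intact and changes only the apparent distance can be modeled in a few lines. The following is an added example, not code from the article or from RSA Laboratories: HMAC-SHA256 stands in for the card's real protocol, the timing constants are constructed, and the round-trip bound is an assumed reader-side check that the article does not describe.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458            # speed of light, metres per nanosecond
FEET_TO_M = 0.3048
READ_RANGE_M = 4 / 12 * FEET_TO_M   # "within 4 inches" (from the article)
RELAY_RANGE_M = 150 * FEET_TO_M     # "up to 150 feet away" (from the article)
TAG_PROCESSING_NS = 1000.0          # constructed: time the tag needs to reply
RELAY_LATENCY_NS = 2000.0           # constructed: ghost/leech forwarding delay

class Tag:
    """Card-side half of a toy challenge-response (stand-in protocol)."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Channel:
    """Path between interrogator and tag. A relay forwards every byte
    unchanged; it only lengthens the path and adds forwarding latency."""
    def __init__(self, tag: Tag, distance_m: float, extra_latency_ns: float = 0.0):
        self.tag, self.distance_m, self.extra_latency_ns = tag, distance_m, extra_latency_ns

    def exchange(self, challenge: bytes):
        rtt_ns = (2 * self.distance_m / C_M_PER_NS
                  + TAG_PROCESSING_NS + self.extra_latency_ns)
        return self.tag.respond(challenge), rtt_ns

def reader_check(key: bytes, channel: Channel, max_rtt_ns: float):
    """One transaction: returns (crypto_ok, timing_ok, rtt_ns)."""
    challenge = os.urandom(16)
    response, rtt_ns = channel.exchange(challenge)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected), rtt_ns <= max_rtt_ns, rtt_ns

def demo():
    key = os.urandom(32)
    tag = Tag(key)
    # Assumed bound: tag processing + propagation over the read range + 50 ns slack.
    max_rtt_ns = TAG_PROCESSING_NS + 2 * READ_RANGE_M / C_M_PER_NS + 50.0
    direct = Channel(tag, READ_RANGE_M)
    relayed = Channel(tag, RELAY_RANGE_M, RELAY_LATENCY_NS)
    return {"direct": reader_check(key, direct, max_rtt_ns),
            "relayed": reader_check(key, relayed, max_rtt_ns)}

if __name__ == "__main__":
    for path, (crypto_ok, timing_ok, rtt_ns) in demo().items():
        print(f"{path}: crypto_ok={crypto_ok} timing_ok={timing_ok} rtt={rtt_ns:.1f} ns")
```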

Should my mailbox be graced with an RFID-enabled credit card one of these days, I probably would not reject it. Still, I would keep a closer eye on my bill every month, and I might just wrap it in tin foil so that it couldn't be skimmed (read surreptitiously) while inside my wallet. Would this kill all the convenience? I don't think so. It's still easier than using the mag stripe, which sometimes just won't read.
