How often do you go to the store on a monthly basis? Maybe you go down to the local Starbucks every morning before work. This is a prime hunting ground for an attacker to steal all of your credit card information without ever touching you, using equipment they got on eBay for under $20. These are the threats that credit card companies and the thieves don’t want you to know about. RFID hacking has been in the news quite a bit lately. There’s a lot of concern as to what it involves, how easy it is, and what exactly RFID is. We will also touch on some of the security practices that are in place for RFID and how effective they are. Before we dive in, what is RFID?
What is RFID?
RFID is short for Radio-Frequency Identification. RFID chips consist of two parts, an integrated circuit for processing data, and an antenna for transmitting and receiving data. There are three types of RFID devices.
Passive:
They have no battery and rely upon an external reader to generate RF that the chip can then modulate and re-transmit. Their range is the shortest.
Battery Assisted Passive:
They are similar to passive chips, but use a battery once they are “awake” to transmit their signal over a greater range.
Active:
They use their battery to transmit over an even greater range than battery assisted passive chips.
Regardless of the type, all RFID chips work on the same basic principle: they receive an RF signal, modulate it through their integrated circuit, and then transmit the modulated signal.
What is RFID used for?
RFID tags are typically used in asset tracking. Farmers use RFID tags clipped to their livestock to keep track of them. Retail outlets are trying to implement RFID chips as a supplement to barcodes to help speed up checkout times. In the United States, toll roads use RFID chips to quickly pay tolls without drivers needing to pull off into a toll booth.
Due to the existing use of RFID chips to uniquely identify whatever they are attached to, some companies have decided to implement them in security-based technologies (think access cards for opening doors) and personal identification technologies (think passports and driver's licenses). This is where the problems begin to happen.
The hacking of RFID chips is typically done through the use of an RFID cloner. It is a device that is able to capture an RFID signal from a distance and then emit the signal whenever the attacker wants. The inherent design of RFID chips is to respond to any reader signal on the chip’s frequency band. This makes regular RFID chips very versatile, but terrible for security. Normal RFID chips don’t include any kind of security measures (mostly due to the processing limitations on the chips) for preventing unwanted reading of the chip. An attacker with a sufficiently powerful reader could sniff the RFID chip in a security door access card while being far enough away that you would never know what they were doing. After they have your ID number, they can come back at their leisure and use a cloner to replicate your ID and gain access to the restricted area, all with you being none the wiser.
Is My Credit Card At Risk?
Imagine you’re standing in line at the store. The guy behind you in line is standing a little closer than you would like. It is uncomfortable but you don’t say anything. He gets a smirk on his face and moves back to a more comfortable distance. He’s just stolen your credit card without ever touching you. American Express and Visa both have RFID-enabled credit cards out on the market. The chip in those cards has everything you would need to make a purchase (name, card number, expiration date, etc.). Both companies offer these cards with the thought of making customers’ lives easier, but in reality they’re making them even more vulnerable to identity theft. It’s not like the equipment is difficult to use or hard to come by either. For under $20, someone lurking around eBay can get all the equipment they would possibly need to build a powerful RFID reader.
Is RFID Hacking A Threat?
Yes, but as with many security and privacy related issues, the real culprit lies in half-baked security algorithms and bottom-line budgets. There are RFID chips that can do proper challenge-response authentication, but they cost significantly more than ones that don’t. There are also the computational performance limitations of passive RFID chips, which make it difficult for them to implement proven encryption ciphers like AES. The computational power of passive RFID chips will no doubt improve as technology improves, and will in turn bring down the cost.
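To make the difference between a plain ID tag and a challenge-response tag concrete, here is an added example (not from the original article) that models both in software and checks what a reader accepts when an earlier response is simply played back. The class names, the 4-byte tag ID and the use of HMAC-SHA256 in place of a tag's on-chip cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ID_LEN = 4  # constructed 4-byte tag ID, for illustration only

class StaticTag:
    """Plain tag: returns the same ID to whoever energises it."""
    def __init__(self, tag_id):
        self.tag_id = tag_id
    def respond(self, challenge):
        return self.tag_id  # the challenge is ignored

class ChallengeResponseTag:
    """Tag holding a secret key; proves knowledge of it per challenge."""
    def __init__(self, tag_id, key):
        self.tag_id, self.key = tag_id, key
    def respond(self, challenge):
        mac = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return self.tag_id + mac

class Replay:
    """Models a cloner: emits one recorded response regardless of challenge."""
    def __init__(self, recorded):
        self.recorded = recorded
    def respond(self, challenge):
        return self.recorded

def static_reader_accepts(tag, allowed_ids):
    return tag.respond(b"") in allowed_ids

def cr_reader_accepts(tag, keys):
    challenge = secrets.token_bytes(16)  # fresh nonce for every read
    resp = tag.respond(challenge)
    key = keys.get(resp[:ID_LEN])
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(resp[ID_LEN:], expected)

def demo():
    tag_id, key = b"\x00\x00\x10\x01", secrets.token_bytes(16)
    plain, strong = StaticTag(tag_id), ChallengeResponseTag(tag_id, key)
    # One earlier exchange with each tag is assumed to have been recorded.
    plain_copy = Replay(plain.respond(b""))
    strong_copy = Replay(strong.respond(secrets.token_bytes(16)))
    return {
        "static_genuine": static_reader_accepts(plain, {tag_id}),
        "static_replay": static_reader_accepts(plain_copy, {tag_id}),
        "cr_genuine": cr_reader_accepts(strong, {tag_id: key}),
        "cr_replay": cr_reader_accepts(strong_copy, {tag_id: key}),
    }
```

Calling demo() shows the static reader accepting both the genuine tag and the replayed copy, while the challenge-response reader accepts only the genuine tag, because the recorded response was computed over a different nonce.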
The bottom line is that you shouldn’t use RFID as the sole identification method in a system, unless it is using a proven encryption method. It should instead be used in conjunction with other types of authentication systems. If you’re not willing to fork out the money to properly secure a system, then you may as well flush your money down the toilet.
Those with concerns over their data being stolen from their credit cards are in luck, as it seems there are several manufacturers making RFID blocking billfolds and passport wallets. That’s right, some passports contain RFID chips as well. An example of such a product can be seen here. Maybe all of those tin foil hat wearers really were on to something after all.