Re: RFID Flap Silences Security Researchers

The "Pay Pass" has been around for a
while - now it's down to credit card size.
It doesn't even have to be swiped
through a reader, just passed near it.
The problem with these sorts of systems
is that it's probably pretty easy for some
dweeb to put a second reader, hidden
nearby, that also scans the card and
captures the information.

Perhaps, but if it's so easy to do, why is it
we haven't heard of anyone doing it? Bear
in mind that the 2nd reader would need to
be secreted within inches of the real one.
I'm not familiar with Pay Pass so I can't
say what kind of range it has. However,
any hidden reader would also need a
source of power and a device to collect
stolen data. It's likely not as easy as one
might think.

There would be little chance of snatching
hundreds of RFID codes from passers-by
out of thin air with known technologies,
AFAIK. But I also know hackers are
ingenious - as evidenced by hardware like
cantennas - and it may be quite possible
to build a longer-than-normal range device
that would allow you to set up a covert
reader near a "funnel point" like a subway
turnstile where 1,000's of people pass with
the wallets and pocketbooks at very much
the same height and distance.

OK, let's suppose someone was able to
hide such a device inside the 42nd Street
station. He collects data from thousands of
RFID devices as people pass by. Now what?
He has no idea who they are or what facility
their card accesses.

The reality is that there are far eaier, orders
of magnitude simpler ways to break in. It's
highly unlikely anyone will set up a code
grabbing system in a subway station. Based
in many years' experience in the security
industry, I believe it's also unlikely most
locations where people might rightfully use
an RFID card are susceptible to installing
a hidden device to steal data from the cards.

You might not even need s super reader
if you could locate your hijacking reader
quite near a legitimate one...

Perhaps, but that would be pretty noticeable.
If I came home to use my RFID card to open
the fron door I'd probably want to know why
there's a new black box mounted next to the
real one. In a workplace environment someone
would notice right away if someone started
installing a strange device next to the door.

I can also easily see a hacker designing a
very small, easy to conceal device that
would record every RFID that was used in
the reader that had been tapped...

The problem is twofold. If the device is to
read data as it is entered, it has to be wired
in place and remain there for all to see. On
the other hand, if it is to grab data all at once
it must be connected to the access control
panel. The readers don't store data.

This is a well-known criminal technique...

Hmm. I never heard of anyone doing it.

I read sometime back that some gang of
criminals had figured out how to add a
vampire tap to a plain old POTS credit card
authorization machine that provided them
with the card data from every card that
was swiped through the reader in the
restaurants they targeted.

If that is the story I think it is, they just
tapped and recorded the phone lines.

Hackers are ingenious. I remember people
making 1,000's of long distance phone calls
for free way back when with the:

Totally unrelated.

...The most popular item in the store has
been a copper bracelet with a red light that
blinks when it is near an RFID scanner...

And that would help someone hack into an
RFID?

--- snip a bunch of unrelated stuff ---

--

Regards,
Robert L Bass

=============================>
Bass Home Electronics
941-925-8650
4883 Fallcrest Circle
Sarasota · Florida · 34233
http://www.bassburglaralarms.com
=============================>


.

Relevant Pages

  • Re: SCardTransmit Fails
    ... ' Advanced Card Systems, Ltd for the Smart Card Development Kit sample code. ... ' this reader be ignored. ... ' This implies that the given ... End Sub ...
    (microsoft.public.platformsdk.security)
  • Re: SCardTransmit Fails(Forgot to Attach File)
    ... ' Advanced Card Systems, Ltd for the Smart Card Development Kit sample code. ... ' this reader be ignored. ... ' This implies that the given ... End Sub ...
    (microsoft.public.platformsdk.security)
  • [Full-disclosure] RFID Attack theory
    ... I have read more since the initial post in regards to RFID hacking. ... the contents of an RFID Proximity Card, Access Card, so on.. ... They have some really good ideas about attacking the middleware using SQL ... What about attacking the reader itself and not the middleware... ...
    (Full-Disclosure)
  • Re: Citibank Kills The SmartCard
    ... Well, the idea was that with a reader at home, you would never enter your card ... >>cards no longer have the smart chip - they come with an RFID chip instead. ... When did they start shipping the RFID ones? ...
    (misc.consumers)
  • Re: RFID Flap Silences Security Researchers
    ... makes them useless for RFID scanning. ... False both the skimmer and normal reader see the card.. ... the legitimate receiver too,RF is not sucked up by the skimmer receiver.. ...
    (comp.home.automation)