RFID Credit Cards ...... are NOT safe.

RFID credit cards have a chip that wirelessly communicates with the card reader. You won’t have to swipe it. It’s basically faster and easier … I believe the technology was used in the last Olympics.

Anyway, some researchers have breached it. The card listens in a sort of promiscuous mode, and thus anybody can fetch the card holder’s name, number, and expiry date. Although conventional credit cards are not really safe, these ones are like broadcasting your credentials.

One type of card is very easy to exploit using a replay attack.

Workaround: If any of you have such cards, use some protection like a “Faraday Cage” or some radio frequency blocker thingy. Details are in the Original paper.

The paper says 20 million cards are issued in the US alone.

References:
------- Original Paper
------- SANS

Re: RFID Credit Cards … are NOT safe.

You're worrying about teeny cards, soon our (US) passports would have all the info on RFID:
http://pcworld.com/article/id,123246-page,1/article.html

Re: RFID Credit Cards ...... are NOT safe.

A friend of mine at my faculty from the electrical engineering department has developed an RFID signal blocker :D
I have the link to his site somewhere here

Re: RFID Credit Cards ...... are NOT safe.

Or I heard there are some aluminum-lined wallets available that you can use.

Re: RFID Credit Cards ...... are NOT safe.

Piece of cake to crack!

Dumb a$$ politicians who approve this kind of sh*ty technology need to come up with something better. RFID cards lol.. I doubt it will happen in Canada.. hopefully not.... watch how fast this new card system will come down ;)

Re: RFID Credit Cards ...... are NOT safe.

I came across a website where these teenagers showed how this new RFID technology is easy to crack. In the video they drove to some gas station which accepted RFID tags outside on the pumps.... they pointed some antenna attached to their laptop towards the scan area on the pump..... they did something and were able to fill up the gas and they just simply drove away without anyone noticing.

These banks think their encryption is safe but it's really not. 3DES, DES, DES DUKPT, or whatever method they will use... it's all a piece of cake!

Things to watch closely in future. Satellite hacking... an interesting area to monitor for the next 10 years.

Re: RFID Credit Cards … are NOT safe.

Yeah, I saw it too, here’s the site: http://www.rfidanalysis.org/

Re: RFID Credit Cards ...... are NOT safe.


The guys in the link (by Tofibaba) did NOT break 3DES or AES ....... it was actually an unknown commercial algorithm by Texas Instruments. One major weakness in those DSTs (digital signature transponders) by TI was the use of a 40-bit key. And it has long been known that keys of this size are easily breakable even by brute-force attack ...... and that's what they did.

Some of the cryptographic algorithms are pretty good, especially AES, 3DES and some non-symmetric ones. It's the fault of the vendors who do not implement them properly ..... in this case TI.

If you use a 128-bit key for AES ..... it's NOT a piece of cake at all. Not even if you run super-computers. Unless some mathematical flaw is found in it .... but so far there's none.
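Added example (not part of the original posts): a toy challenge-response transponder that shows why key length decides whether exhaustive search is practical. The truncated-HMAC construction, the 24-bit response width, the sample key and challenges, and the 10^9 keys-per-second rate are assumptions for illustration; this is not the TI algorithm.

```python
import hashlib
import hmac

RESPONSE_BITS = 24  # assumed response width for this toy transponder


def respond(key: int, key_bits: int, challenge: bytes) -> bytes:
    """Toy transponder reply: truncated HMAC-SHA256 under a key_bits-bit key.

    HMAC is a stand-in chosen for this example; it is NOT the TI algorithm.
    """
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    mac = hmac.new(key_bytes, challenge, hashlib.sha256).digest()
    return mac[: RESPONSE_BITS // 8]


def exhaustive_search(key_bits: int, pairs) -> list:
    """Try every key; keep those that reproduce all observed responses."""
    return [k for k in range(1 << key_bits)
            if all(respond(k, key_bits, c) == r for c, r in pairs)]


def pairs_needed(key_bits: int) -> int:
    """Observed pairs needed so the expected number of wrong keys that
    survive (2**key_bits / 2**(RESPONSE_BITS * n)) drops below one."""
    return key_bits // RESPONSE_BITS + 1


def avg_search_seconds(key_bits: int, keys_per_second: float) -> float:
    """Average exhaustive-search time: half the key space at the given rate."""
    return 2 ** (key_bits - 1) / keys_per_second


if __name__ == "__main__":
    bits, secret = 16, 0xBEEF  # constructed toy key, kept small to run fast
    challenges = [b"\x00\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd\xee"]  # constructed
    observed = [(c, respond(secret, bits, c)) for c in challenges]
    print("recovered:", [hex(k) for k in exhaustive_search(bits, observed)])
    rate = 1e9  # assumed trial rate, keys per second
    for n in (40, 56, 128):
        print(n, "bits:", pairs_needed(n), "pairs,",
              f"{avg_search_seconds(n, rate):.3g} s on average")
```

At the assumed rate a 40-bit key space is covered in minutes, while a 128-bit one takes on the order of 10^29 seconds, whatever cipher sits behind the key.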

Re: RFID Credit Cards … are NOT safe.

That’s quite a risky step as well … since the passport RFIDs would be passive, they won’t be able to verify the authentication of the Reader, and therefore anybody can communicate with them using their own readers.

If they are using shielding, then I don’t know whether that shield will remain all the time with the passport.
It depends on how they implement it … as long as they don’t keep the key in the passport, and keep the information encrypted with good size key & alg. then it could be doable … but again, can’t say anything without knowing the details.

Re: RFID Credit Cards ...... are NOT safe.

Why don't they stick the chip in the forehead of the person & let him walk without a passport? NO risk of losing the passport.

Re: RFID Credit Cards ...... are NOT safe.

That's the idea behind biometrics if you didn't know.

The problem with RFID is mainly down to size = number of transistors.

The greater the number of transistors, you need a battery powered chip; you can't induce enough charge from RF. Remember the encryption needs to be fast, you can't have someone waiting 5 mins while keys are computed for example. Look at the London Underground where a chip is powered, booted, computed in under 0.5s.

By using a strong crypto like AES-256 you need more time. Time is not a variable; it has restrictions. Add more transistors, not possible unless you want a much larger battery powered RFID. These are the constraints and in most instances a faster, less secure protocol is employed.

Re: RFID Credit Cards ...... are NOT safe.

^ exactly ..... there's always a compromise/tradeoff ..... if you want more security then more power is needed. If convenience, then less power and less security. But when it comes to your finances and sensitive information then priority should be security, not convenience. The solution still does not seem to be practical.

If the world is running well without this new technology, then why take such a risk? I have no problem with using this new technology, but it should be improved before being put into practical use.

Re: RFID Credit Cards … are NOT safe.

TofiBaba … here’s the latest one for you.

An exploit (proof-of-concept) was released on Oct 27, 2006 for RFID Passports. All you need to provide is:

(1) Passport Number … (could be obtained from insecure airline web sites)
(2) Date of Birth … (may be from gupshup, social engg., or somewhere else)
(3) Expiry date … (possibly same as 1)

Sources:
------- SecurityFocus
------- Full-Disclosure

Re: RFID Credit Cards ...... are NOT safe.

If they were to implement a protocol such as SSL where RSA or ElGamal is used to share keys, i.e. asymmetric key exchange followed by what is considered to be a strong cipher like AES-256, I would feel fairly secure:

a) RSA is cracked, just to date impossible to compute. Against the laws of mathematics no magic happening in S-Boxes.

b) Asymmetric key exchange with digital signatures has shown to be very secure. One easy, good example of secure cryptography.

Whether that can be implemented in an RFID card of today is another question. BTW AES-128 is not considered very secure. Minimum length by Rijndael was always 256. NIST changed to 128 which was odd.