RFID in the mail… No need to open the Envelope!

They call it the “Johnny Carson attack,” for his comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

Good article in the New York Times. Found on Boing Boing, which has more links:

And here is a related post from the guys who did the hack on RFID-cusp blog. (Thanks, Tom Heydt-Benjamin).

Consumerist has a post worth reading here.

Anti-RFID activist group CASPIAN has a response here (see also these previous BB posts about the group's founder, Katherine Albrecht).


Author: Xavier Ashe

Entrepreneur, Infosec Executive, CISSP, CISM, Ironman triathlete, traveler, UU, paleo, father of 8, goyishe, gamer, & geek. http://linkedin.com/in/xavierashe
