Contributed by Joanne Kelleher
Another week and another blog entry about hacking RFID – this time it is contactless credit cards. Unlike the Mifare story which has received lots of international attention (see https://veridify.com/RFID-Security-blog/?p=46), so far this story had only been picked up by a few technology blogs. Maybe it is old news just presented in a new way.
IT security expert, hacker and inventor Pablos Holman shows reporter Xeni Jardin of Boing Boing tv, how you can use gear bought on eBay to read personal data such as cardholder name and credit card number from an RFID enabled American Express credit card.
Pablos has hooked up a ViVOpay 5000 Contactless Payment Reader from ViVOtech to his laptop and uses it to capture the credit card data. He points out that one of the problems is that the decryption of the credit card data is being done by the reader at the countertop rather than at the financial institution’s secure data center. Pablos doesn’t clarify if the reader he purchased is processing this decryption or if he has written a hack for his laptop to handle this. He does show the credit card number and name displayed on the screen.
On the American Express website I found no response to this hack and very little about the security or technical details of their ExpressPay cards. For example, in doing a search on their site for RFID I received zero results (but their search engine spellchecker helpfully gave me all the results for REID).
The Smart Card Alliance has posted a Q&A called Contactless Payments Security Questions & Answers because recent media reports have raised questions about the security of contactless payment transactions and the risk of fraud to consumers.
While it is technically possible for a contactless payment card or device to be read illicitly, this scenario is unlikely. In the event that a criminal did read the information from a contactless payment device, the security features designed into the device, the payment terminal and the payment system (see questions 2 and 4) would prevent the information from being used to create fraudulent contactless transactions.
Pablos plans to continue his work so that the cards can be read from further away. He hasn’t published if he would be able successfully, if illegally, use the credit card data he captured to process transactions.