It's been known for some time that there are security issues associated with the increasing use of RFID tags in credit cards, but this past weekend afforded a fresh demonstration of just how easy it is for hackers to take advantage of them.
Onstage at the Shmoocon hacker conference in Washington, D.C., Recursion Ventures security researcher Kristin Paget used about $350 in equipment to wirelessly read a volunteer’s RFID-enabled credit card and then encode its key data onto a blank card, as described Monday by Forbes.
Next, she used the fraudulent card and a Square Card Reader to make a payment to herself.
Elaborate trick? Far from it: “This is an embarrassingly simple hack, but it works,” Paget told Forbes.
Essentially, it's possible because much the way the store's point-of-sale device reads the data on a contactless card wirelessly, so, too, can pretty much any RFID reader--through standard wallets and clothing, and regardless of the encryption or security measures that are in place, Paget said.
Today's contactless cards don't make the user’s name, PIN, or permanent three-digit CVV code wirelessly available, the report notes; they also use a one-time CVV code with each scan so as to prevent repeated fraudulent use. In six years of use, there reportedly haven't been any documented cases of this kind of fraud, either.
Still, Paget's demonstration shows how easy it would be for one or more hackers to scan numerous victims' cards, even just to use each of them once.
Three Seconds on 'High'
So what can you do to protect yourself and your business?
First, determine if any of your cards are RFID-enabled. PayPass and payWave, for example, are two of the leading names under which this technology is offered in the United States.
Assuming you do have one, there are a few steps you can take to protect it. Among the more drastic options, certainly, is toasting your RFID chip in the microwave--three seconds will kill it, Paget reportedly told Forbes. Of course, then you can kiss your contactless payment capabilities goodbye as well.
Duct Tape and Aluminum Foil
Recursion Ventures, meanwhile, is reportedly working on a high-powered protection device for RFID-enabled credit cards, but it's still in the prototype stages.
In the meantime, you could try one of today's RFID-blocking shields or wallets, which generally use aluminum or steel to keep out prying eyes. There are even instructions on the Web for how to give your existing wallet RFID-inhibiting protection using just duct tape and aluminum foil.
Though by no means invincible, steps like these may be your best bet for now, short of locking your card up in a safe place.
Sign up for CIO Asia eNewsletters.