As many as 100 million credit cards in active use today contain a technology that can be tricked into exposing the users’ account to fraudulent transactions, according to a hacker who demonstrated the exploit on stage this past weekend at a conference in Washington, D.C.
Speaking at the Shmoocon hacker conference on Saturday, security researcher Kristin Paget demonstrated a hack that she called “embarassingly simple” in which she “stole” someone’s credit card data, embedded it onto a blank magnetic card, then paid $15 into her own bank account, all without ever even touching or viewing her willing victim’s card.
According to Forbes reporter Andy Greenberg, she used a cheaply available radio frequency identification (RFID) reader to procure the card number, expiration date and CCV code. Inputting that information on a small card magnetizing tool that sells for approximately $300, the card was replicated in an instant then swiped through a cheap iPhone attachment that allows users to accept credit card payments. With that, she charged the card $15, then paid her volunteer $20 in cash for the trouble.
The vulnerability in RFID has been known for years, yet credit card companies have embedded the tech in over 100 million current cards since it was introduced in 2005, Greenberg noted.
Devices that ping any nearby RFID chips can be purchased for as little as $2 in some cases, and because credit cards have localized security instead of an encrypted response that must be validated through the company’s servers, they can be tricked into giving up their crucial details upon request.
The challenge, however, is that RFID-enabled cards have a built-in security feature that doesn’t activate the response signal until it is within inches from the reader device, which it must verify as genuine before sending it’s details. A clever thief with the proper software setup could simply bump into their victim and trigger the reader at the same time, or scan a purse or back pocket from inches away in a crowded retail environment.
The tech is also in use by mega-retailers like Walmart, who rely on RFID tags to monitor their inventories and watch what customers are carrying around with them. Pets, similarly, have been getting “chipped” for years, with an RFID tag the size of a grain of rice embedding their owners’ contact information into the animal’s flesh. The same technology is used to turn mobile phones into their own method of payment, keep track of containers of highly addictive drugs, and verify official documents like passports.
For the time being, the only countermeasure credit card users can take against RFID thieves is a wallet made with stainless steel fabric that blocks radio signals. Short of that, it’s back to cash or the barter system — but it’s more likely that credit card users don’t have anything to fear from this hack just yet.
“We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction,” Randy Vanderhoof, director of the Smart Card Alliance, told Greenberg. “The reason we think that’s the case is that it’s very difficult to monetize this as a criminal.”