
    Archives for : RFID

    Contactless credit cards with RFID are easily hacked

    A blog posting on BoingBoing provides further discussion of the
    inappropriate deployment of RFID chips within the existing payment
    marketplace.

    http://www.boingboing.net/2006/10/23/report_contactless_c.html

    The underlying point of this article is that the card schemes and banks said they are using key-rotating encryption of all data between the card and the acquirer/issuer, but this is clearly not the case in many situations.

    Another interesting paper is ‘RFID Payment Card Vulnerabilities Technical Report’ located at:

    http://www.nytimes.com/packages/pdf/business/20061023_CARD/techreport.pdf

    Technology is always being challenged

    I read a very interesting paper created by the University of Massachusetts, RSA Laboratories and Innealta, Inc.

    This paper primarily relates to the compromise of contactless payment technologies (RFID) where the RFID and/or reader have not been implemented correctly or the solution provider has used an inappropriate type of RFID. It also discusses the challenges around Chip and PIN with respect to financial transactions, e.g. EMV standards and compliance.

    Additionally, the paper describes an RFID relay method which is being discussed within many forums around the world, and we have now begun to see equipment being produced for RFID skimmers/cloners to use for malicious means.

    The overarching point of this paper is to use appropriate RFID & Chip solutions which support the security/privacy of the user and the purpose of the transaction (financial or non-financial).

    The paper can be found at http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf

    In modern payment RFID & Chip solutions, newer devices can be used which possess a high degree of processing power and are therefore able to execute strong cryptographic methods (such as digital signatures) to protect the identification and payment information whilst the transaction is occurring.

    These systems often utilise bidirectional authentication between the RFID/Chip scanner and the RFID tag/Chip prior to performing the transaction. These methods and cryptographic algorithms are accepted and proven to work within the traditional payment markets.

    As mentioned in the paper, some solutions store static digitally signed and/or encrypted data which is provided to the RFID/Chip reader when queried, but this data never changes from one transaction to another. This may allow a malicious individual to capture and re-inject the data into the reader at a later stage. The alternative to storing static digitally signed and/or encrypted data is to negotiate a key exchange at the time of the transaction in which the card/value information is encrypted and subsequently transmitted. With this method the transmitted data changes on every transaction, and therefore even if a malicious individual were to capture the encrypted transaction data from one transaction, it would not be accepted by the reader if re-injected at a later stage.
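
    The difference between the two designs, as an added example that is not from the original post or the cited paper. The key and account number are constructed, and an HMAC under a shared key stands in for the signature or key exchange described above; the reader accepts a replayed static blob but rejects a replayed response that was bound to its own challenge and a transaction counter.

```python
import hmac, hashlib, secrets

# Added illustration: HMAC with a shared key stands in for the card's signature scheme.
# Constructed demo values; a real card keeps its key in tamper-resistant storage.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = b"4000000000000002"  # constructed test account number

def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class StaticCard:
    """Returns the same authenticated blob on every query (the weak design)."""
    def respond(self, challenge):
        return {"pan": PAN, "atc": 0, "tag": mac(CARD_KEY, PAN)}

class DynamicCard:
    """Binds each response to the reader's nonce and a transaction counter."""
    def __init__(self):
        self.atc = 0
    def respond(self, challenge):
        self.atc += 1
        atc = self.atc.to_bytes(2, "big")
        return {"pan": PAN, "atc": self.atc, "tag": mac(CARD_KEY, PAN, atc, challenge)}

class Reader:
    def __init__(self, dynamic):
        self.dynamic = dynamic
        self.last_atc = 0
    def new_challenge(self):
        return secrets.token_bytes(8)
    def verify(self, challenge, resp):
        if not self.dynamic:  # static scheme: nothing ties the tag to this transaction
            return hmac.compare_digest(resp["tag"], mac(CARD_KEY, resp["pan"]))
        atc = resp["atc"].to_bytes(2, "big")
        expected = mac(CARD_KEY, resp["pan"], atc, challenge)
        ok = hmac.compare_digest(resp["tag"], expected) and resp["atc"] > self.last_atc
        if ok:
            self.last_atc = resp["atc"]
        return ok

def replay_accepted(card, reader):
    """Capture one valid response, then present it against a fresh challenge."""
    c1 = reader.new_challenge()
    captured = card.respond(c1)
    assert reader.verify(c1, captured)   # the genuine transaction succeeds
    c2 = reader.new_challenge()
    return reader.verify(c2, captured)   # the same bytes presented a second time
```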

    Although this is the case today, older RFID/Chip solutions often use technologies which are not appropriate for financial transactions and therefore may be compromised easily and in some cases without the knowledge of the card holder, merchant or acquirer.

    I find it interesting how some of these less secure solutions have been approved for use by acquiring banks and the card schemes around the world (if they were told) in recent years, where it has been seen that these solutions have utilised techniques or deployment methods which can be compromised. These technologies and techniques would never be approved within the Point of Sale (PoS) or traditional banking markets.

    It can only be assumed that the need to get product to market quickly at the expense of proper testing, understanding and with due consideration to industry lessons learnt has succeeded again.

    ISO 14443

    http://www.answers.com/topic/iso-14443

    Dutch RFID e-passport cracked — US next?

    http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next

    ISO 14443 contactless card

    An international standard for proximity or contactless smart card communication

    ISO 14443 is an international standard which describes how contactless cards and terminals should work to ensure industry-wide compatibility, for example in identity, security, payment, mass-transit and access control applications.

    ISO standards are developed by the ISO, the International Organization for Standardization. Technical committees comprising experts from the industrial, technical and business sectors develop the standards to increase levels of quality, reliability and interoperability on a global scale.

    Gemplus has always had a strong involvement in ISO definition of the chip card standards, and has been represented in the development of this international standard. The ISO 14443 is divided into 4 separate parts outlining physical characteristics, radio frequency power and signal interface, initialization and anti-collision and transmission protocol.

    Gemplus has developed a wide range of contactless payment solutions based on the ISO 14443 international standard. The speed and convenience of contactless technology has created a significant demand for this sort of solution in environments such as fast food restaurants, gas stations, public transport services, banks and many others.

    How to Build a Low-Cost, Extended-Range RFID Skimmer

    http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html

    Check it Out…

    here is a local copy.

    How to Build a Low-Cost, Extended-Range RFID Skimmer

    Also some of the supporting documents.

    A Practical Relay Attack on ISO 14443 Proximity Cards

    S4100 Multi-Function Reader Module Data Sheet

    Security Analysis of a Cryptographically-Enabled RFID’s

    Antenna Circuit Design for RFID Applications

    ISO 14443

    FAQ Interoperability

    Are MIFARE and ISO/IEC 14443 Type A the same?

    MIFARE and ISO/IEC 14443 Type A are not the same. While MIFARE is often viewed as an extension to or subset of ISO/IEC 14443 Type A, it is a proprietary encryption/conditional access protocol owned and licensed by Philips Semiconductors to multiple vendors of card ICs and reader ICs.

    Because MIFARE has been so predominantly used with products employing ISO/IEC 14443 Type A technology, it has mistakenly become synonymous with the standard. However, ISO/IEC 14443 Type A is a completely open standard when used independently of the MIFARE encryption/conditional access scheme.

    What changes to contactless standards and technology are expected in the future?

    Many vendors are actively developing new technologies to address the increasing market need for secure contactless technologies for a wide variety of applications. Changes in government regulations will also provide opportunities for enhancing contactless technology performance. It is important to note, however, that standards development is a lengthy process so it takes time for new technology developments to be reflected in standards that help to drive the availability of interoperable solutions. A few examples of new technologies that are expected include:

    • Changes to technology based on the ISO/IEC 15693 standard. Contactless cards supporting the ISO/IEC 15693 standard currently operate at 1.65 Kb/sec to meet FCC limits on sideband power in this frequency range. The FCC is expected to lift its restriction in late 2002, which would allow cards based on the ISO/IEC 15693 standard to improve their data rates.
    • Changes for higher speed operation. ISO working groups plan to add higher speed modes of operation to ISO/IEC 14443. This will increase the speed supported by this standard from 106 Kb/sec to the 848 Kb/sec that has already been demonstrated by IC manufacturers.
    • Alternative access control reader networking solutions. Wireless readers offer a significant advantage in lower costs of installation, particularly in older facilities. New security approaches can ensure strong authenticated channels between hosts or panels and new wireless readers. IP readers also permit direct connectivity to LAN-based management and control applications.
    • The ability for a single contactless chip in a card to operate in full ISO/IEC 14443 and ISO/IEC 15693 modes.

    Is there a risk of someone listening or stealing the information from a contactless card?

    One risk with contactless cards is the ability for the card to be activated when it enters a reader’s RF range without the owner being aware of it. To prevent a contactless card activation without the card owner being aware of it, the application can be configured to always ask for the owner’s authorisation (password, PIN or biometric) before providing any user information or processing on the user’s behalf.

     

    The level of security of communication required between the contactless card and the reader must be defined as part of the system design, and security controls must be put in place so that uninvited listeners cannot intercept the data in any meaningful way. For example, all of the contactless technologies can use data encryption to protect data on the card and during transmission; this helps to ensure that, if information is intercepted, the information cannot be used by the recipient. It is important that all of the application’s requirements be understood and defined prior to any technology selection and implementation so that the appropriate security features are designed into the system.
    Additionally, the contactless chip is designed to self destruct if anyone tries to hack into it.

    What do you mean by three technologies on one card?

    There is confusing terminology used in the market to refer to cards that can support a combination of technologies. Cards are described as multiple technology when multiple, independent technologies share a common plastic card and do not communicate or interact with each other (e.g., magnetic stripe and contactless or contact chip). Cards are described as having a “dual-interface” when the card has a single integrated circuit (IC) that can communicate with a smart card reader/terminal via either contact or contactless.