How the researchers

By Evan Schuman  |  Posted 2006-10-30 Print this article Print

did it"> The techniques the scientist researchers used were quite straight-forward. "We reverse-engineered the protocols and constructed inexpensive devices that emulate both credit cards and readers. The experiments indicate that all the cards are susceptible to live relay attacks, all the cards are susceptible to disclosure of personal information, and many of the cards are susceptible to various types of replay attacks," the report said. "In addition, we successfully completed a cross-contamination attack against the magstripe of one card. All but one of the other cards tested appear to be susceptible to the cross-contamination attack as well."
A core industry defense to criticism of a security hole in contactless cards has been that the cards data can only be read from a very short distance. But previously reported research—including material last year from Shell Canada and more recent concerns about Citbanks contactless fob deployment—that data can be read from a much farther distance was confirmed by the researchers.
Besides, readers are so small that a thief could get close enough to a customer standing in line to read a credit card or someone putting brochures into mailboxes could be near mailed credit cards. "RFID tags do not have a single, definitive read range. While the nominal read range of an RFID tag may be quite short, on the order of several centimeters, for example, a non-standard reader or large antenna can provide a significant boost in range at which an attacker can skim an RFID tag," the report said. A New York City Transit Authority report "recently demonstrated skimming ranges of over 20 centimeters for RFID systems in which most readers operate at a distance of only several centimeters" and others have demonstrated "a possible skimming range of up to 50 centimeters" and "while skimming requires that a reader power the targeted tag, an attacker performing passive eavesdropping on a session between a legitimate reader and RFID tag can potentially harvest tag data at a considerably longer range," the report said. "Claims have surfaced of tests in which e-passports, which rely on ISO 14443-A and 14443-B, were read at a distance of 30 feet and detected at a distance of 20 meters." The report adds that this does not resolve the contactless read-distance debate, but it makes clear that much more needs to be known and that neither side is that sure of its facts. "We make no claims in this paper about the read ranges of RFID-enabled credit cards beyond the fact that characterization of these ranges is not straightforward and constitutes an important open research question." The report points out that, unlike older-style magstripe-only credit cards, the "security envelopes" that hide current credit cards are not effective in a contactless world. Or, in the vernacular of the report: "Containers that are visually opaque and not necessarily RF-opaque." The threat here involves easy access to mailboxes—the report cites dormitory or apartment mailrooms and side-of-the-road mailboxes as especially risky—along with crowded lines, elevators and subways. The report makes an interesting observation that the way consumers have been trained to protect their credit card information may actually make their contactless data less secure because consumers arent sensitive to confidential data that isnt human-eye-readable. "Even if the read ranges of RFID-enabled credit cards are short, their new uses and form factors will engender new opportunities for attack. Cards that support sufficient read range may tempt consumers to hold their wallets up to readers, rather than to remove their cards first. For instance, consumers are trained to present ATM cards to devices that look like ATMs. A compromised reader at a parking garage could skim customers credit card information at the same time that they read the parking pass," the report said. "Fob-type RFID credit cards are now available for attachment to key rings, exposing them to attack when consumers leave their keys unattended. This behavior is seen most often in valet-parking situations or in gymnasiums where it is common for users to leave their keys together in an unsecured box by the door. The fact that such cards may not bear embossed numbers can create a false sense of security in addition to the fact that consumers are skilled at protecting their wallets, but as we have seen, often leave their keys exposed." Next Page: Grabbing the data before the consumer uses the card.

Evan Schuman is the editor of's Retail industry center. He has covered retail technology issues since 1988 for Ziff-Davis, CMP Media, IDG, Penton, Lebhar-Friedman, VNU, BusinessWeek, Business 2.0 and United Press International, among others. He can be reached by e-mail at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel