Grabbing the Data Before the Consumer Uses the Card

From the thief's perspective, there is a huge value in capturing the data from the card before the consumer has seen it. If a criminal grabs the data "and then replays that transaction to the network before the legitimate user has a chance to use their card, then the charge-processing network should accept the [criminal's] transactions and actually decline the legitimate ones," the report said. "Therefore, even if the counter and codes are cryptographically secure, these cards should still be susceptible to this attack. It's true that the attacker is faced with a counter synchronization problem, but these are far easier than the cryptographic problems on which we prefer to base our security whenever possible."

Beyond gathering data from the contactless credit card directly, the report discovered substantial weaknesses when the researchers tried eavesdropping on contactless transactions at POS locations. The equipment consisted "simply of a tuned 13.56MHz antenna connected to an oscilloscope. Using this setup, we obtained oscilloscope traces of complete transactions between various RFID credit cards and our various commercial readers."

Worse yet, the study looked at one of the more sophisticated contactless credit card defenses, a challenge-response protocol, and quickly came up with an easy way to thwart it using a relay attack and two culprits. One thief is armed with a clandestine credit card reader emulator with a non-RFID link to a clandestine credit card emulator being used by the second thief. Thief One sits or stands next to the victim and quickly discovers the victim's contactless credit card. Thief One beams the captured signal to Thief Two. Thief Two then approaches the merchant's POS and uses his device to receive commands from the POS terminal, which are forwarded to Thief One's device, which shares them with the victim's contactless card.
The card's responses are processed through Thief One's device into Thief Two's device, which gives the proper authenticated response to the POS terminal. "The purchase should succeed, and the cost will be charged to [the victim]. Observe that even with application-layer challenge-response or transaction-counter protocols, this attack will still succeed as protocol messages will simply be relayed between the card and reader," the report said.

The report also described a cross-contamination attack, which involved adding easily obtained information into the wireless mix. "We combined the data thus obtained with address and telephone information looked up in the telephone directory given the cardholder name transmitted through the envelope. For postal mail, the attacker already knows the cardholder address," the report said. "Using only this information, we placed an online purchase for electronic parts from one of our major research-parts suppliers. Our purchase was successful." This tactic should work against most contactless card types in conjunction with any merchant that doesn't require a CVC, the report added.

The report recommends a couple of ways to defend against such attacks, including simple RFID-blocking covers for the cards, such as some crudely made ones by consumers and some marketing-driven Hello Kitty RFID blockers being sold in Japan, officially some sort of Faraday cage. "Note that this countermeasure is useless when the card is in use, since a card must be removed from a shielded wallet before an RF purchase can be made. It is clear, however, that credit card companies should at least ship cards through the mail enclosed in a Faraday cage to obviate the dangers" of unauthorized data-capture, the report said.
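The report's point that a relay defeats application-layer challenge-response, and its proposed fix of a card that answers only on user intent, can both be seen in a small model. This is an added example, not code from the report or from the article; the card, reader, shared key and push-button behaviour are all constructed toy assumptions, not any real card protocol.

```python
import hmac
import hashlib
import os
from typing import Callable, Optional

KEY = b"constructed-demo-card-key"  # shared card/issuer secret (constructed)


class Card:
    """Toy contactless card: answers a reader's challenge with HMAC(key, challenge).
    needs_intent=True models the report's push-button card, which stays silent
    unless the holder has just signalled intent to pay."""

    def __init__(self, key: bytes, needs_intent: bool = False):
        self.key, self.needs_intent, self.intent = key, needs_intent, False

    def press_button(self) -> None:
        self.intent = True

    def respond(self, challenge: bytes) -> Optional[bytes]:
        if self.needs_intent and not self.intent:
            return None  # card is powered by the field but refuses to answer
        self.intent = False  # one press authorizes one transaction
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Reader:
    """Toy POS terminal: fresh random challenge, then MAC verification."""

    def __init__(self, key: bytes):
        self.key = key

    def transact(self, respond: Callable[[bytes], Optional[bytes]]) -> bool:
        challenge = os.urandom(16)
        answer = respond(challenge)
        if answer is None:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, answer)


def relay(card: Card) -> Callable[[bytes], Optional[bytes]]:
    """The two-device relay from the report: the reader's challenge is forwarded
    unchanged to the distant card and its answer forwarded back; no crypto is broken."""
    return lambda challenge: card.respond(challenge)


def run_scenarios() -> dict:
    reader, plain, button = Reader(KEY), Card(KEY), Card(KEY, needs_intent=True)
    results = {}
    results["plain_card_direct"] = reader.transact(plain.respond)
    results["plain_card_relayed"] = reader.transact(relay(plain))  # relay succeeds
    results["button_card_relayed_no_press"] = reader.transact(relay(button))  # silent
    button.press_button()
    results["button_card_direct_after_press"] = reader.transact(button.respond)
    return results
```

The relayed plain card authenticates exactly like the real one, while the intent-gated card gives the relay nothing to forward until the holder presses the button.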
The authors of the report also suggest more complicated defenses, such as blocker tags that "exploits RFID anti-collision protocols in order to simulate a vast collection of non-existent RFID devices, thereby obscuring real RFID tags in its vicinity. In principle, a consumer could confer protection on RFID-enabled credit cards in an ordinary wallet or purse by positioning a blocker tag near them," the report said. "On removal from the protected environment, a credit card would then operate normally. Or perhaps the blocker could contain a button or other means for a consumer to authorize card use."

Ultimately, the report said, improved cryptography and more sophisticated means of signaling consumer intent would make such approaches unnecessary. "It is possible, of course, to modify the credit cards themselves so that they activate only on indication of user intent. A simple push-button would serve this purpose, but more sophisticated sensors might serve the same purpose, such as light sensors that render cards inactive in the dark, heat sensors that detect the proximity of the human hand, motion sensors that detect a telltale tap-and-go trajectory, etc.," the report said. "Ultimately, credit card functionality will see incorporation into higher-powered consumer devices, such as NFC-ready mobile phones and will benefit from the security protections of these host devices, such as biometric sensors and increased computational capacity."

Retail Center Editor Evan Schuman can be reached at Evan_Schuman@ziffdavis.com. Check out eWEEK.com for the latest news, views and analysis on technology's impact on retail.
What was captured?

"Examination of data obtained through these means immediately demonstrated the efficacy of the simple eavesdropping attack, since the full cardholder name and card expiration date were present in clear-text in all transactions," the report said.