Bruce Schneier has been a very vocal opponent of the move to put RFID tags, or at least ones without security, on passports. For instance, there is this blog post, and this article. Passports are, of course, interesting, particularly when you have to use them as much as I do. Most countries now seem to be moving to RFID-enabled passports. However, recently, credit card companies have started putting RFID tags on their cards, and that is making me wonder.
Several years ago, when I was living in Boston, Exxon started something they called the "Fast Pay" system. The premise was that you had a little piece of molded aluminum on your keychain that contained an RFID tag, and when you pulled into the gas station you just waved the tag in front of the gas pump, at which point you could pump your gas and quickly get back to sitting in traffic waiting to go through the toll booth.
It was probably only a matter of time, but American Express has now started putting RFID tags on some of their credit cards, and it probably will not be long before other credit card companies follow suit. The readers are starting to show up in various places, like McDonald's, which makes sense, because if you eat at McDonald's a lot (and I do; I like their food) then the act of pulling your credit card out of your wallet is just way too much exercise. :-)
The interesting thing here is that there is virtually no security information available on how RFID tags on credit cards work. In talking to some near-normal people (they are friends and relatives of mine, so they probably are not entirely normal; at least not when it comes to security) they figured this was an interesting idea. My first concern, by contrast, was what stops someone from reading the data off the RFID tag and duplicating it. Estimates on how far away you can be and still read a passive RFID tag range from 10 meters to 25 meters, so unless there is something on these tags to stop unauthorized systems from reading them they are probably readily accessible from quite some distance.
That being said, it is hard to believe that the credit card companies had not thought about this first. I'd just feel a lot better about the whole idea if there was more detail on the security of the system than a claim that they use a "unique cryptogram."
Of course, if you do not like these RFID tags, 15 seconds or so in the microwave oven will take care of them. You may want to use the microwave oven at work though...
There was a discussion on this topic on slashdot a while back with some interesting comments about whether this was actually RFID technology:
That's interesting. I had not seen the slashdot article (I find it hard to keep up with slashdot).
The comments were a bit random, as usual, but the most logical seemed to be that "they must have thought of this." I hope so.
Does anyone know if you can do something with an RFID tag such that it can only be read by particular readers that possess some key? Simply encrypting a piece of static data would not be enough. The processing to decide whether to give up the key must reside on the tag itself.
"Of course, if you do not like these RFID tags, 15 seconds or so in the microwave oven will take care of them. You may want to use the microwave oven at work though..."
I guess someone is going to be flamed at http://minimsft.blogspot.com/ for destroying their microwave ovens :)
The cards sound awfully easy to use, even for criminals who steal a card...
Are you kidding?
"They must have thought about this" - this about an industry who have been responsible for a number of different security problems...
1. "12 digits are enough for anyone who'll ever want a credit card ... oh, make that 16, with the first several guessable by where you do your banking, and the last four printed out on the receipt."
2. "What do you mean, you don't like that we printed the entire credit card number on your receipt?"
3. "Why should anyone get upset that we're storing their PIN?"
4. "It's sufficiently secure to pass your credit card number and expiration date to every Internet merchant you wish to buy from."
5. "Oh, it isn't? Then we'll give you an extra 3 digits to type in. That'll make it more secure."
6. "Your debit card can be used just like a credit card... except without any of the nice legal protections that say we have to refund your money if your number gets stolen."
7. "and if you tell us your card number was stolen, we'll charge the merchant for the refund, the transaction fee, and a further $25 to punish them for trusting us when we verified your credit card number"
8. "You and your wife get the same credit card number"
9. "Why should the magnetic stripe need to be encrypted?"
10. "What's wrong with transferring the purchase data for the day using FTP? HTTP?" [My favourite, because I actually have a few credit card PoS device manufacturers use my FTP server, WFTPD Pro - but they use it _because_ it does FTPS - encrypted and authenticated FTP]
I'd better stop there.
This doesn't make much sense to me although I don't know much about how RFID works.
As I understand it, a passive tag reacts to the incoming radio signal and transmits (backscatter) a set (?) reply. If that's the case and that reply is encrypted, surely that reply only has to be duplicated - not decrypted - to be able to forge a credit card signal? That would make the encryption pointless.
The only thing I can think of here is that the reply the RFID chip gives is dependent on the radio signal it receives and not the same every time. Pure speculation though, I haven't found anything that suggests that's the case.
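
The distinction raised in the comments above, a fixed encrypted reply versus a reply that depends on what the reader sends, can be shown in a few lines. This is an added example, not part of the original post or its comments; the class names, the key and the choice of HMAC-SHA256 are assumptions for illustration and do not describe any real card's protocol.

```python
import hashlib
import hmac
import secrets

CARD_KEY = b"constructed-demo-key"  # constructed sample key held by tag and issuer

class StaticTag:
    """Hypothetical tag that returns the same opaque blob to every query."""
    def __init__(self, blob):
        self.blob = blob
    def respond(self, challenge):
        return self.blob  # the challenge is ignored

class ChallengeResponseTag:
    """Hypothetical tag that computes a keyed MAC over the reader's challenge."""
    def __init__(self, key):
        self._key = key  # never transmitted
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class RecordedReply:
    """A copy that holds no key and can only repeat one observed reply."""
    def __init__(self, recorded):
        self.recorded = recorded
    def respond(self, challenge):
        return self.recorded

def verify_static(reply, expected_blob):
    return hmac.compare_digest(reply, expected_blob)

def verify_dynamic(key, challenge, reply):
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(reply, expected)

def demo():
    # Stand-in for "encrypted static data": opaque to an observer, but fixed.
    blob = hashlib.sha256(b"constructed card record").digest()
    static_tag, dynamic_tag = StaticTag(blob), ChallengeResponseTag(CARD_KEY)

    first = secrets.token_bytes(16)   # challenge in the observed exchange
    copy_of_static = RecordedReply(static_tag.respond(first))
    copy_of_dynamic = RecordedReply(dynamic_tag.respond(first))

    later = secrets.token_bytes(16)   # fresh challenge in a later exchange
    return {
        "static_genuine": verify_static(static_tag.respond(later), blob),
        "static_copy": verify_static(copy_of_static.respond(later), blob),
        "dynamic_genuine": verify_dynamic(CARD_KEY, later, dynamic_tag.respond(later)),
        "dynamic_copy": verify_dynamic(CARD_KEY, later, copy_of_dynamic.respond(later)),
    }
```

The copy of the static tag verifies exactly like the genuine one, because encrypting a fixed value does not change the fact that the reply is fixed; the copy of the challenge-response tag fails as soon as the reader picks a fresh challenge.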