Skip to main content

Vulnerabilities in First-Generation RFID-enabled Credit Cards

  • Conference paper
Financial Cryptography and Data Security (FC 2007)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4886))

Included in the following conference series:

Abstract

RFID-enabled credit cards are widely deployed in the United States and other countries, but no public study has thoroughly analyzed the mechanisms that provide both security and privacy. Using samples from a variety of RFID-enabled credit cards, our study observes that (1) the cardholder’s name and often credit card number and expiration are leaked in plaintext to unauthenticated readers, (2) our homemade device costing around $150 effectively clones one type of skimmed cards thus providing a proof-of-concept implementation for the RF replay attack, (3) information revealed by the RFID transmission cross contaminates the security of RFID and non-RFID payment contexts, and (4) RFID-enabled credit cards are susceptible in various degrees to a range of other traditional RFID attacks such as skimming and relaying.

The full version of this paper appears as UMass Amherst CS TR-2006-055. See www.rfid-cusp.org for the latest version.

The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-540-77366-5_37

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Adida, B., Bond, M., Clulow, J., Lin, A., Murdoch, S., Anderson, R., Rivest, R.: Phish and chips: Traditional and new recipes for attacking EMV. Technical report, University of Cambridge Computer Laboratory (2006), http://www.cl.cam.ac.uk/~mkb23/research/Phish-and-Chips.pdf

  2. Anonymous: Chip and spin (2006), http://www.chipandspin.co.uk/problems.html

  3. Associated Press: Wave the card for instant credit. Wired News (2003), http://tinyurl.com/yc45ll

  4. Averkamp, J.: ITS Michigan: Wireless technology and telecommunications (2006), http://www.itsmichigan.org/ppt/AM2005/Joe.ppt

  5. Bono, S., Green, M., Stubblefield, A., Juels, A., Rubin, A., Szydlo, M.: Security analysis of a cryptographically-enabled RFID device. In: 14th USENIX Security Symposium (2005)

    Google Scholar 

  6. Bray, H.: Credit cards with radio tags speed purchases but track customers, too. Boston Globe (August 14, 2006), http://tinyurl.com/lmjt4

  7. CardTechnology: Paypass subway trial starts in New York (2006), http://tinyurl.com/uya3k

  8. Carey, D.: NFC turns phone into a wallet. EE Times (2006), http://tinyurl.com/yyxk28

  9. Chan, S.: Metro briefing | New York: Manhattan: Warning about credit risks. The New York Times (2006), http://www.nytimes.com/2006/12/04/nyregion/04mbrfs-credit.html

  10. DIFRWear: Faraday-Caged Apparel. (2006), www.difrwear.com

  11. Dougherty, G.: Real-time fraud detection. MIT Applied Security Reading Group (2000), http://pdos.csail.mit.edu/asrg/02-28-2000.html and http://pdos.csail.mit.edu/asrg/02-28-2000.doc

  12. EMVCo: EMV Integrated Circuit Card Specifications for Payment Systems (2004), http://tinyurl.com/oo663

  13. EPIC: Mock point of entry test findings, p. 48 (2005), http://www.epic.org/privacy/us-visit/foia/mockpoe_res.pdf

  14. Ferguson, R.: Schwarzenegger quashes RFID bill. eWeek DATE (2006), http://tinyurl.com/y29z6s

  15. Greenemeier, L.: Visa expands contactless card efforts. Information Week (2006), http://tinyurl.com/ykzo4t

  16. Hancke, G.P.: A practical relay attack on ISO 14443 proximity cards. Technical report, University of Cambridge Computer Laboratory (2005), http://www.cl.cam.ac.uk/~gh275/relay.pdf

  17. Hancke, G.P.: Practical attacks on proximity identification systems (short paper). In: Proceedings of IEEE Symposium on Security and Privacy, pp. 328–333 (2006), http://www.cl.cam.ac.uk/~gh275/SPPractical.pdf

  18. Harper, J.: RFID wiggles its way into credit cards? (2005), http://lists.jammed.com/politech/2005/05/0038.html

  19. Heydt-Benjamin, T.S., Bailey, D.V., Fu, K., Juels, A., O’Hare, T.: Vulnerabilities in first-generation RFID-enabled credit cards. Technical report, University of Massachusetts Amherst, CS TR-2006-055 (2006)

    Google Scholar 

  20. Heydt-Benjamin, T.S., Chae, H.J., Defend, B., Fu, K.: Privacy for public transportation. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  21. HowStuffWorks, Inc.: How blink works (2006), http://money.howstuffworks.com/blink1.htm

  22. ISO: ISO/EIC 14443, proximity cards (PICCs). Technical report, ISO (2006), http://wg8.de/sd1.html

  23. Juels, A.: RFID security and privacy: A research survey. IEEE Journal on Selected Areas in Communication 24(2) (2006)

    Google Scholar 

  24. Juels, A., Rivest, R.L., Szydlo, M.: The blocker tag: selective blocking of RFID tags for consumer privacy. In: CCS 2003. Proceedings of the 10th ACM conference on Computer and Communications Security, pp. 103–111 (2003)

    Google Scholar 

  25. Kfir, Z., Wool, A.: Picking virtual pockets using relay attacks on contactless smartcard systems. In: IEEE/CreateNet SecureComm., IEEE, Los Alamitos (2005), http://eprint.iacr.org/2005/052

    Google Scholar 

  26. Koper, S.: Contactless acceptance made easy for business payment systems. In: BPS 2006 Summer Conference, Las Vegas, NV (2006), http://tinyurl.com/sjte6

  27. Molnar, D.: Personal communication (2006)

    Google Scholar 

  28. New York City Transit Authority: NYC MetroCard Fares. In: WWW (2006), http://tinyurl.com/y5egfd

  29. O’Connor, M.C.: Chase offers contactless cards in a blink. RFID Journal (2005), http://tinyurl.com/yzy9u5

  30. O’Connor, M.C.: At McDonald’s, ExpressPay fits the bill. RFID Journal (2006), http://tinyurl.com/yc58sa

  31. Rieback, M., Gaydadjiev, G., Crispo, B., Hofman, R., Tanenbaum, A.: A platform for RFID security and privacy administration. In: Proc. USENIX/SAGE Large Installation System Administration conference, Washington, DC, USA, pp. 89–102 (2006), http://www.rfidguardian.org/papers/lisa.06.pdf

  32. Schuman, E.: How safe are the new contactless payment systems? (June 20, 2005), http://tinyurl.com/y9a525

  33. Selker, E.: Manually-operated switch for enabling and disabling an RFID card. Technical report, MIT, Patent #20030132301 (2003)

    Google Scholar 

  34. UK Chip and Pin: Chip and pin (2006), www.chipandpin.com

  35. Westhues, J.: Hacking the prox card. In: Garfinkel, S., Rosenberg, B. (eds.) RFID: Applications, Security, and Privacy, pp. 291–300. Addison-Wesley, Reading (2005)

    Google Scholar 

  36. Yoshida, J.: Tests reveal e-passport security flaw. EE Times (August 30, 2004), http://tinyurl.com/surgr

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Heydt-Benjamin, T.S., Bailey, D.V., Fu, K., Juels, A., O’Hare, T. (2007). Vulnerabilities in First-Generation RFID-enabled Credit Cards. In: Dietrich, S., Dhamija, R. (eds) Financial Cryptography and Data Security. FC 2007. Lecture Notes in Computer Science, vol 4886. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77366-5_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-77366-5_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77365-8

  • Online ISBN: 978-3-540-77366-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics