Archive for the ‘Travel Card Crime’ Category

TWENTY million Brits are at risk of having their bank details stolen by electronic pickpockets, a Sun investigation has revealed!

Journalist Nick Francis of The Sun newspaper has spearheaded a major investigation into the potential for contactless crime, taking the work of RFID Protect to a national audience. In an interview with RFID Protect spokesman David Maxwell, The Sun revealed:

“…David is a former cop and director of RFID Protect, a firm specialising in products which combat RFID fraud.  It has been a big problem in America for a while and now it is getting to be a problem over here. It is a difficult thing to put statistics on because it’s hard to tell how your card details were skimmed.”

“If you ring your bank they will point out there are many ways to lose your card ID, which is true, and by the time you find out you’ve been skimmed it is too late to work out how.

“But the technology is out there and in the wrong hands.”

Source: The Sun (News International)

Date: Sunday 29 April 2012

Original author: Nick Francis

You can read the full story, “Robbed by Radiowave”, in The Sun newspaper (News International), or get protected from contactless crime at RFID Protect.

Update | 05 May 2012: This story has now captured the attention of numerous media agencies, and continues to expand its reach on a daily basis. We are aware that the following players have either run similar features during the course of the past week, or intend to do so before long:

The Daily Mail

This is Money

DNA Daily News Analysis

This Morning (ITV.com)


DN Systems has published a helpful overview of the considerable benefits that come with new ‘contactless’ technologies, and also some of the alleged associated risks for businesses keen to deploy this new technology. Firstly, it seems important to keep in mind that this is a relatively new sector, and therefore security policies are still in their infancy – so this is a shifting terrain.  Whilst companies may have given much thought to the design of their RFID enabled devices (for instance door-access control cards, RFID tags, and ID cards) – their supporting ‘back-end’ IT systems may still have possible inherent flaws.

A spokesperson for DN Systems said, “…RFID tags are always an integral part of a larger IT system and should be seen in this context. Given a compatible RFID reader device, anyone can freely read and modify data stored on these RFID tags without the legitimate owner even being aware of it. RFID auditing tools like RFDump can be used to explore the weaknesses of existing RFID infrastructures.”

Is on-tag encryption – a cause for concern?
Certain RFID tags carry something called ‘on-tag encryption’. DN Systems argue that this approach is inherently vulnerable to unauthorised access and modification. ‘On-tag’ encryption simply means that the code used to access the RFID device’s data is stored on the device itself. (In this respect, it would be a little like writing down the PIN code for a new credit card somewhere on the surface of the card – duh!)

Some suggest that with the right equipment it is possible to break the encryption on such devices.  Using a software package such as ‘RFDump’, DN Systems suggest the information contained within the RFID device can be manipulated.

The ‘Mifare Classic’ chip (used in public transport systems and building access control across the globe – even today?) appears vulnerable to this sort of probing.

DN Systems have this to say on the matter, “At the Chaos Computer Congress 2007 Karsten Nohl from the University of Virginia presented the results of his research. Nohl had analyzed the Mifare chip layer by layer under an electron microscope and reverse engineered significant parts of its proprietary encryption logic revealing major design flaws showing how easy it is to break the chip’s security features. With the dollar amount of the ticket directly stored on the tag, ticketing systems based on this chip, like the Oyster Card in London or the Charlie Card in Boston, are at risk. An attacker could attempt to either clone a ticket or change its value to gain illegal access to the service provided. Similar cloning and tampering scenarios apply to other open loop applications as well, including hotel key cards, ski lift and event tickets, electronic payment systems and the electronic passport.”

But that was then – this is now…
The ‘Mifare Classic’ chip emerged way back in 1994 and has since been superseded by improved products with so-called “light-weight cryptography” solutions for the RFID element.

Today’s RFID chips contain approximately 15,000 secure ‘gates’, although DN Systems is keen to stress that, “…only a fraction of these are available to implement crypto functionality, the rest is required to implement the tag’s state. Strong private key crypto systems on the other hand require at least 20,000 – 30,000 gates alone when implemented in hardware.”

What the above would appear to suggest (to this layperson at least) is that in order to deliver a 100% secure solution a designer would require more ‘gates’ than are currently available with commercially available RFID tags.  Therefore, whilst recent developments – i.e. since the ‘Mifare Classic’ –  have made our ‘contactless’ experience far more secure –  there is still further to go.

Some perceived RFID vulnerabilities
Ranked in no particular order of importance, what follows is an overview of common perceived RFID vulnerabilities:

  • RFID Cloning: Here the target RFID device (often a tag) is probed for vulnerabilities, and once compromised a duplicate is made. This identical copy allows the perpetrator access to a secure area (e.g. a cloned door-entry pass) or the prospect of introducing non-authorised products into an operation’s supply chain. Another tactic would be to manipulate the value of goods, via cloned item tags, when shopping. This phenomenon has been dubbed “Cyber Shop-lifting”.
  • Malicious Code Injection: In this scenario, the aim of the perpetrator is to introduce a virus into the RFID device, which once read seeks to corrupt or crash an associated ‘back-office’ IT support system.  The main aim is to cause disruption or ‘hack’ into a secure area – such as a database.  What, you don’t believe the databases of major corporations can be ‘hacked’ – well, here’s an overview of some of the more staggering database ‘hacks’ over the last decade.
  • Man in the middle: Here the perpetrator seeks to trick users into presenting their RFID enabled device to a non-authorised reader.  The goal is to decrypt certain information during this electronic transaction that might provide useful keys for performing other attacks in due course.
  • Electronic eavesdropping / Skimming information:  This subject has already been explored at length elsewhere on this blog:
    https://contactless.wordpress.com/2011/06/11/eavesdropping-attacks-on-high-frequency-rfid-tokens/
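The cloning and code-injection items above both come down to a back-office system trusting whatever a tag presents. The Python below is an added example, not code from DN Systems or the original article, showing how a back end can treat tag content as untrusted input. It assumes an online reader; the ledger table, the per-card transaction counter, the 8-hex-digit UID format and the function names are all hypothetical.

```python
import re
import sqlite3

# Assumed tag identifier format: 4-byte UID rendered as 8 upper-case hex digits.
UID_RE = re.compile(r"[0-9A-F]{8}")

def open_ledger():
    """In-memory stand-in for the back-office database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ledger (uid TEXT PRIMARY KEY, counter INTEGER, balance INTEGER)")
    db.execute("INSERT INTO ledger VALUES ('04A1B2C3', 17, 1250)")  # balance in pence
    return db

def check_tap(db, uid, counter, balance, fare):
    """Classify one reader event; every value read from the tag is untrusted."""
    # 1. Allow-list validation before tag data goes anywhere near the database.
    if not (isinstance(uid, str) and UID_RE.fullmatch(uid)):
        return "reject: malformed tag data"
    if not all(type(v) is int and v >= 0 for v in (counter, balance)):
        return "reject: malformed tag data"
    # 2. Parameterised query: tag content is bound as data, never spliced into SQL.
    row = db.execute("SELECT counter, balance FROM ledger WHERE uid = ?", (uid,)).fetchone()
    if row is None:
        return "reject: unknown card"
    srv_counter, srv_balance = row
    # 3. A stale copy of a card lags behind the counter the server last issued.
    if counter != srv_counter:
        return "alert: counter mismatch (possible clone or replay)"
    # 4. The server ledger, not the tag, is authoritative for the stored value.
    if balance != srv_balance:
        return "alert: on-tag value differs from ledger"
    if srv_balance < fare:
        return "reject: insufficient funds"
    db.execute("UPDATE ledger SET counter = counter + 1, balance = balance - ? WHERE uid = ?",
               (fare, uid))
    return "ok"  # the reader would now write counter + 1 and the new balance to the tag

if __name__ == "__main__":
    db = open_ledger()
    print(check_tap(db, "04A1B2C3", 17, 1250, 250))              # genuine card
    print(check_tap(db, "04A1B2C3", 17, 1250, 250))              # copy made before that tap
    print(check_tap(db, "04A1B2C3", 18, 9999, 250))              # value edited on the tag
    print(check_tap(db, "04A1B2C3' OR '1'='1", 18, 1000, 250))   # hostile tag content
```

Readers that work offline cannot make these checks at the gate; in that case the same comparison can only run later, when events are uploaded, and flags a card after the fact.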

The above vulnerabilities should not be read as proof that all RFID devices will be compromised in due course.  Nor should we fear a new crime wave at this point in time.  Rather, this article seeks to raise awareness that with any new technology come benefits and drawbacks – often in equal measures.

British-based company RFID Protect has positioned itself in this arena, as an operation that provides a range of security counter-measures for those seeking to combat some of the above issues.

To learn even more about this fascinating subject or to view the original article visit: http://www.dn-systems.de/technology/risks/

Eavesdropping attacks on RFID enabled devices, such as e-passports and contactless credit cards or secure door entry systems

This extraordinary academic paper, with its practical experiments, presents actual ‘proof-of-concept’ eavesdropping attacks across a range of RFID enabled devices.

The author, G.P. Hancke (of the British-based Smart Card Centre / Information Security Group at University of London), demonstrates how he implemented successful attacks on the three most popular High Frequency (HF) standards: ISO 14443A, ISO 14443B and ISO 15693.

What some may find particularly disturbing is that in each case Hancke not only describes the equipment needed to execute an attack, but also how an effective RFID receiver kit can be constructed for less than £50.

“Even though the self-build RF receiver did not achieve the same results as commercial equipment – it does illustrate that eavesdropping is not beyond the means of the average attacker.” says Hancke.

Read the full PDF report here

And then protect yourself against unauthorised ‘contactless’ eavesdropping here

UK Government HQ

Abstract: A UK government-backed report that explores certain security flaws in RFID / contactless technology. Well worth a read is this…

Source: http://www.ico.gov.uk

“It will be the responsibility of RFID users to prevent any unauthorised access to personal information. One concern is a practice that has become known as “skimming”. Since a transponder’s signal can be picked up by any compatible reader, it is possible for RFID tags to be read by unauthorised readers, which could access personal information stored on them. Users can guard against skimming by using passwords. The EPCglobal Class 1 Generation 2 RFID specification enables the use of a password for accessing a tag’s memory. However, these are not immune to “hacking”.

Most RFID systems require a short distance between tag and reader, making it difficult for “rogue” readers to scan tags but this could nevertheless be done in a situation where people are naturally at close range, for example, on a crowded train. The nominal read range of some tags can also be extended by the use of more powerful readers. It is also possible to read part of a tag’s number by eavesdropping merely on a reader’s communication with a tag. Readers, with a much higher power output than tags, can be read at much greater distances.

While some RFID applications might not need communication between tag and reader to be encrypted, others that process personal and especially sensitive personal data will need an adequate level of encryption to safeguard the data being processed. In most cases “skimmers” would also need a way of accessing the external database containing the personal data, but in some cases inferences might be made about someone from information which in itself does not relate directly to him. If a person leaves a store having purchased items carrying RFID tags that have not been disabled, he carries with him a potential inventory of his possessions. This would enable someone with a suitable reader and knowledge of EPC references to discover what items he was carrying at a given time. Sensitive personal data about a person’s illness, for example, might be unknowingly revealed by him via the EPC referring to the medication in his pocket. An insufficiently secure RFID chip could also be “cloned”. By copying personal data stored on the RFID chip of an identification card, a person could for practical purposes steal the identity of the cardholder. If the information on the database (e.g., a fingerprint) is checked only against the information on the card, rather than directly against the person himself, a criminal would not need to access the information stored on the database.”

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf

For more information visit:  RFID Protect

Finally, if you’re in any doubt as to whether or not RFID skimming is a real threat, then perhaps watch the following video evidence.

Video evidence from the United States of America, claiming that RFID enabled devices are vulnerable to skimming, cloning and hacking.

Electronic Pickpocket – YouTube Video
(Approx. 4 minutes)

Today the BBC broke news of a staggering development in the world of smart phone / contactless technology. In short, unscrupulous hackers and the criminal fraternity have managed to exploit a weakness in the means by which Apple’s iPhone, BlackBerry, and Android handsets connect with wi-fi or ‘open networks’. The end result is that these particular devices may broadcast personal data, often in the course of normal social media interactions using, e.g., Facebook and Twitter, which can be viewed by third parties. Scary stuff indeed! This is what a BBC spokesperson had to say on the issue:

“The main lesson must be how insecure you can be if you sit in a public place and go online using an open network. I’d heard about Firesheep, a tool demonstrated recently as a warning of the dangers of open networks and unencrypted cookies. But sitting and watching as your entire life – or rather your social-networking life – is laid bare is very sobering.”

Rory Cellan-Jones, BBC Correspondent

Read the full article at:

http://www.bbc.co.uk/blogs/thereporters/rorycellanjones/2010/11/iphone_cracking_wifi.html

First published at BBC Online: 08:40 UK time, Tuesday, 23 November 2010

UPDATE: (November 07, 2011) BBC News reports that malware attacks on UK Android apps, and smartphone fraud in general, are up a staggering 800% since this time last year!!!! The shape of things to come – who knows, perhaps?

Google has finally accepted that it harvested personal data from wireless networks as its fleet of vehicles drove down residential roads taking photographs for the Street View project. And yet only a few months ago it would have screamed ‘blue murder’ if anyone intimated that this had happened. Now it transpires that millions of internet users have potentially been affected. Google’s acknowledgment of guilt is an interesting U-turn from its earlier assertion that no sensitive personal information had been taken.

Google has now confessed that its, “…vehicles had also gather(ed) information about the location of wireless networks, the devices which connect computers to the telecommunications network via radio waves.”

The Daily Telegraph newspaper reported that, “…Privacy International lodged a complaint with Scotland Yard earlier this year about Google’s Street View activities and officers are still considering whether a crime has been committed. Google is facing prosecution in France and a class action in the US, with similar lawsuits pending in other countries.”

The full story can be read at: http://www.telegraph.co.uk/

Whilst this development does not relate specifically to RFID or contactless technology as such, nonetheless it’s an excellent example of a large multi-national operation initially stating – “guys, what’s the problem – there’s nothing to worry about your wireless internet connection because we’ve ensured that it’s 100% secure” – and then a few months later we arrive at a different place – “…er, you know that technology that we told you was secure, well there’s been a slight issue with it and as a result your email, passwords and other sensitive information are now in the public domain – whoops, sorry about that…”

Therefore it could be reasonably argued that whilst today contactless credit, debit, Oyster, and Olympics 2012 RFID passes are all being sold as 100% safe – tomorrow may bring with it a somewhat different outlook…

Watch this space, and in the meantime can you afford not to protect your biometric details now?

Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the “smartcards” commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools.

There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and “the most anyone could gain from a rogue card is one day’s travel.” But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.

Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.

“The cryptography is simply not fit for purpose,” security consultant Adam Laurie told the Telegraph. “It’s very vulnerable and we can expect the bad guys to hack into it soon if they haven’t already.”

By Alexander Lew | June 24, 2008

Source: http://www.wired.com/autopia/2008/06/hackers-crack-l/