DN Systems has published a helpful overview of the considerable benefits that come with new ‘contactless’ technologies, and also some of the alleged associated risks for businesses keen to deploy this new technology. Firstly, it seems important to keep in mind that this is a relatively new sector, and therefore security policies are still in their infancy – so this is a shifting terrain.  Whilst companies may have given much thought to the design of their RFID enabled devices (for instance door-access control cards, RFID tags, and ID cards) – their supporting ‘back-end’ IT systems may still have possible inherent flaws.

A spokesperson for DN Systems said, “…RFID tags are always an integral part of a larger IT system and should be seen in this context. Given a compatible RFID reader device, anyone can freely read and modify data stored on these RFID tags without the legitimate owner even being aware of it. RFID auditing tools like RFDump can be used to explore the weaknesses of existing RFID infrastructures.”

Is on-tag encryption – a cause for concern?
Certain RFID tags carry something called ‘on-tag encryption’.  DN Systems argue that this approach is inherently vulnerable to unauthorised access and modification.  ‘On-tag’ encryption simply means that the code used to access the RFID devices’ data is stored on the device itself.  (In this respect, it would be a little like writing down the PIN code for a new credit card somewhere on the surface of the card – duh!)

Some suggest that with the right equipment it is possible to break the encryption on such devices.  Using a software package such as ‘RFDump’, DN Systems suggest the information contained within the RFID device can be manipulated.

The ‘Mifare Classic’ chip (used in public transport systems and building access control across the globe – even today?) appears vulnerable to this sort of probing.

DN Systems have this to say on the matter, “At the Chaos Computer Congress 2007 Karsten Nohl from the University of Virginia presented the results of his research. Nohl had analyzed the Mifare chip layer by layer under an electron microscope and reverse engineered significant parts of its proprietary encryption logic revealing major design flaws showing how easy it is to break the chip’s security features. With the dollar amount of the ticket directly stored on the tag, ticketing systems based on this chip, like the Oyster Card in London or the Charlie Card in Boston, are at risk. An attacker could attempt to either clone a ticket or change its value to gain illegal access to the service provided. Similar cloning and tampering scenarios apply to other open loop applications as well, including hotel key cards, ski lift and event tickets, electronic payment systems and the electronic passport.”

But that was then – this is now…
The ‘Mifare Classic’ chip emerged way back in 1994 and has since been superseded by more improved products with so-called “light-weight cryptography” solutions for the RFID element.

Today’s RFID chips contain approximately 15,000 secure ‘gates’. Although DN Systems is keen to stress that, “…only a fraction of these are available to implement crypto functionality, the rest is required to implement the tag’s state. Strong private key crypto systems on the other hand require at least 20,000 – 30,000 gates alone when implemented in hardware.”

What the above would appear to suggest (to this layperson at least) is that in order to deliver a 100% secure solution a designer would require more ‘gates’ than are currently available with commercially available RFID tags.  Therefore, whilst recent developments – i.e. since the ‘Mifare Classic’ –  have made our ‘contactless’ experience far more secure –  there is still further to go.

Some percieved RFID vulnerabilities
Ranked in no particular order of importance, what follows is an overview of common perceived RFID vulnerabilities:

  • RFID Cloning: Here the target RFID device (often a tag) is probed for vulnerabilities, and once compromised a duplicate is made.  This identical copy allows the perpetrator access to a secure area (i.e. cloned door-entry pass) or the prospect of introducing non-authorised products into an operations’ supply chain.  Another tactic would be to manipulate the value of goods, via cloned item tags, when shopping.  This phenomenon has been dubbed, “Cyber Shop-lifting”.
  • Malicious Code Injection: In this scenario, the aim of the perpetrator is to introduce a virus into the RFID device, which once read seeks to corrupt or crash an associated ‘back-office’ IT support system.  The main aim is to cause disruption or ‘hack’ into a secure area – such as a database.  What, you don’t believe the databases of major corporations can be ‘hacked’ – well, here’s an overview of some of the more staggering database ‘hacks’ over the last decade.
  • Man in the middle: Here the perpetrator seeks to trick users into presenting their RFID enabled device to a non-authorised reader.  The goal is to decrypt certain information during this electronic transaction that might provide useful keys for performing other attacks in due course.
  • Electronic eavesdropping / Skimming information:  This subject has already been explored at length elsewhere on this blog:
    https://contactless.wordpress.com/2011/06/11/eavesdropping-attacks-on-high-frequency-rfid-tokens/

The above vulnerabilities should not be read as proof that all RFID devices will be compromised in due course.  Nor should we fear a new crime wave at this point in time.  Rather, this article seeks to raise awareness that with any new technology come benefits and drawbacks – often in equal measures.

British-based company RFID Protect has positioned itself in this arena, as an operation that provides a range of security counter-measures for those seeking to combat some of the above issues.

To learn even more about this fascinating subject or to view the original article visit: http://www.dn-systems.de/technology/risks/

Quiet Rooms Logo
We’ve had Panic Rooms and Safe Rooms, but have you every heard of Quiet Rooms?  Nope, me neither!

Below is an extract taken from RFID Protect’s website, where this new service is being offered to anyone that’s ultra concerned about their privacy.

An interesting product, with a super-glossy sales brochure to boot – maybe this is the shape of things to come!

Silence is golden, or so the saying goes.

But in a world where corporate espionage and phone hacking are commonplace a space that’s shielded from electronic eavesdropping is arguably worth more than its weight in gold.

Quiet Rooms are just that – secure areas within your office or home where signals from mobile phone or electronic surveillance devices cannot penetrate. Built into the actual fabric of the building (normally at the construction stage), we offer low-impact solutions for those that really value their privacy. Outstanding performance with minimum intrusion our Quiet Rooms are a synthesis of functionality, cutting-edge technology and design excellence.

Download the Quiet Rooms promotional brochure (PDF 1.2MB)

On 8th December 2011, news broke that US police officials had been deployed to North Miami Beach Senior High School to investigate the alledged theft of 2,000 student ID cards.  According to a local media outlet, these ID cards contained sensitive personal information on the holder – including details of each students’ social security number.

Commentators on the situation have said, “…it’s very concerning because it has our social security numbers [on the ID card].”

Some will suggest that this is an excellent example of how any ‘foolproof’ system, (not least one that’s designed to improve security for its participants), is only 100% effective until the moment when something goes wrong.

Expect the unexpected – these are words to live by.

The original article can be found at:  BayPay Forum

____________________

And the trend continues…

According to Alien Vault Labs, the U.S. Defense Department ‘Common Access Cards (CAC)’ and Windows smart card are now being targetted by a new variant of the already infamous Sykipot malware.  Re-engineered in March 2011, this new variant has ‘raised the bar’ – with dozens of attack samples evident over the past 12 months.  The malware would appear particularly interested in government agencies, and a view has been expressed elsewhere that China may be behind this development – since a main goal in these attacks is to access information specifically from the US defense sector.  (Smart cards are in common use across the US Defense sector as a means of identifying employees and allowing them access to facilities or services.)

Alien Vault Labs explain how these attacks work by stating, “…the attackers use a spear phishing campaign to get their targets to open a PDF attachment which then deposits the Sykipot malware onto their machine. Then, unlike previous strains, the malware uses a keylogger to steal PINs for the cards. When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. The malware is controlled by the attackers from the command & control center.”

You can read the full report here: Alien Vault Labs

Once again this news adds weight to the growing argument that as encryption systems improve those of a criminal disposition will raise their game accordingly.  There’s probably nothing to worry about for the moment (unless you’re in the US defense industry?), but just to be on the safe side then why not avoid potential mayhem and consider a low-cost ‘anti-skim’ sleeve for that new ‘contactless’ credit or debit card; such as those that can be purchased from RFID Protect.

In early November 2011, BBC News services reported that malware attacks on UK Android Apps, and smartphone fraud in general had risen by a staggering 800% since this time last year!!!!  Today we learn from The Telegraph newspaper that,

“…the majority of Britons are scared of ‘wave and pay’, [and with] only a small minority of people keen to use their mobiles like wallets. [Many] fear that ‘wave and pay’ apps will lead to greater security breaches”. 

Emma Barnett, Digital Media Editor for the Telegraph elaborated stating,

“…[the] Intersperience study, which polled 1,000 people as part of a larger project entitled ‘Digital Selves’, found that phone hacking fears are dominating consumers’ security concerns when thinking about adopting new mobile wallet payment systems.”

A spokesperson for Paypal recently intimated that mass adoption of contactless payments for products using mobile phones, or smart credit cards is at least three years away.  This is perhaps not surprising given that very few UK retailers offer this type of payment option to their customers.

Meanwhile, UK company RFID Protect has announced its intentions to offer a solution for smartphone users wary of this technology.  It comes in the shape of a simple App that will be launched mid 2012, and made available to download from www.rfidprotect.co.uk

So before too long, iPhone and Android users will have the option to disable their NFC (Near Field Communication) feature and in the words of a RFID Protect spokesperson, “MAKE YOURSELF INVISIBLE’ to would be phone hackers, e-pickpockets and e-payment skimmers.  Apparently, there’s a timer function too – so users get to determine the amount of time their phone can be read by third parties.

Read the full Telegraph article at:

http://www.telegraph.co.uk/technology/news/8825183/Majority-of-Britons-are-scared-of-wave-and-pay.html

First published on the: 14 October 2011

One of the UK’s fastest growing crimes came under the spotlight earlier this month, as identity fraud moved ‘centre stage’ once again.   National Identity Fraud Prevention Week has set the scene for a major conference in November 2011, which will see World leaders descend upon central London, all of whom are no doubt hoping to thrash out a solution to this difficult problem.

US Secretary of State Hillary Clinton seems likely to address London’s first cyberspace conference, which aims to start a high-level debate between people working in cyberspace throughout the World. Hosted by Foreign Secretary William Hague, the conference aims to help both private and public sector representatives better understand how to safeguard opportunities in cyberspace. The London conference will also consider wider societal issues including cyber threats, online safety, and…

…how governments can effectively regulate the internet!

You can learn more about the above here: National Identity Fraud Prevention Week (PDF 47KB)

Flashback to 2005 for a moment, and witness the arrival of new advice for the US banking sector concerning how best to marshal its risks in respect of online e-payments.  This guidance came from none other than the Federal Financial Institutions Examination Council (FFIEC) – an interagency body of the United States government empowered to prescribe uniform principles, and standards, across all US financial institutions.

Now fast forward to the present day.  Digital security expert, Adam Dolby of Gemalto, recently made the following comments,

“…the 2005 guidance was stricter than its predecessor because most banks had failed to take action. The FFIEC was hoping the banks would self- regulate, but that didn’t happen!”

It now transpires that rather than acting upon the FFIEC guidance, many key players within banking instead opted for a ‘minimum compliance’ approach, or in simple terms – ‘what can we get away with’.  So, if our banks are reluctant to spend money on payment authentication, and on-line security, then it’s perhaps not unreasonable to form the view that losses through fraudulent activities are merely absorbed by the banks; i.e. it’s just the price of doing business on-line.

Dolby continues stating,

“…when we rolled out internet banking we educated people and told them it was safe, protected behind firewalls and secure socket layers. And now everyone thinks it’s safe.”

It’s an interesting statement, one that hints to ongoing security threats for e-payments; ones which the banks are not necessarily equipped to counteract.  Movie fans may draw parallels with the Brad Pitt and Edward Norton film ‘Fight Club’.  In the movie, Norton’s character talks about how automotive giants determine whether a car should be recalled once found unsafe.

Edward Norton: A new car built by my company leaves somewhere travelling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, (A), multiply by the probable rate of failure, (B), multiply by the average out-of-court settlement, (C).

A x B x C = X.

If X is less than the cost of a recall, we don’t do one.

Woman on plane: Are there a lot of these kinds of accidents?

Edward Norton: You wouldn’t believe.

Woman on plane: Which car company do you work for?

Edward Norton: A major one.

So when your bank tells you that a new ‘contactless’ payment card is 100% secure, perhaps you’ll keep in mind their track record for ‘security’ and their approach to acting on the advice of independent regulators such as the FFIEC.  There’s probably nothing to worry about, but just to be on the safe side then why not avoid potential mayhem and consider a low-cost ‘anti-skim’ sleeve for that new ‘contactless’ credit or debit card; such as those that can be purchased from RFID Protect.

This article makes reference to an original story in Digital ID News:

Foil linings for all new e-passports in the USARFID Journal recently reported that all new generation US e-passports will have a protective foil lining inside their covers. Why you may well ask? The logic is simple – the foil provides an effective barrier, or shield, that protects against unauthorised access to sensitive passport information contained within the RFID chip.  (In many European countries, including Britain, passports issued since 2006 have embedded RFID or ‘contactless’ chips containing information about the passport holder.)

With this new improvement, US passport holders would have to have their passport open all of the time for it to be traced or intercepted.

This development is clearly terrific news for American citizens!

But it’s not such a bright outlook for other countries that have been slow to adopt foil linings.  Of course for UK citizens there’s a simple – and 100% effective – solution until Britain catches up with the States and issues new generation ‘foil lined’ e-passports.  RFID Protect supplies a range of  shielding products for British e-passports and is law enforcement partnered so you can be sure of an effective solution and decent customer support.  By placing your e-passport within one of RFID Protects’ shielding sleeves, wallets or holders there is no way on Earth anyone is going to scan your passport data remotely.

In fact – it’s like giving your passport its own portable firewall!

There’s an old saying – ‘when America sneezes, Britain catches a cold’.  On this occasion the UK would certainly benefit from ‘a day of fever’ in order to come out the other side feeling well again; as some will argue that the current unsatisfactory situation leaves British citizens exposed to potential RFID crime. The following link will take you to the RFID Protect webpage where you can get protected now!

http://www.rfidprotect.co.uk/products.html