Posts Tagged ‘rfid shield’

Nevada Attorney General warns of 'contactless' crimewave

A leading smart card shielding company in the States recently announced news that the Nevada Attorney General’s Office had issued a series of daily consumer briefings on the growing concern surrounding ‘contactless’ crime.   If this is true then things are heating up!

Warnings appear to have been linked with America’s 13th Annual National Consumer Protection Week (NCPW). During NCPW, groups across the States share consumer advice, in the hope that individuals will find better ways to protect their privacy and avoid fraud.

A spokesperson from ID Stronghold said, “Thieves can steal this information by using a frequency reader. These readers are inexpensive and easy to obtain. The thief can simply walk next to you and acquire your credit card number and expiration date without any physical contact. While these cards are in your wallet or purse they can transmit your card or passport number and in some states, your digital drivers’ license information when placed near a reader. The information almost immediately appears on a computer screen without you ever knowing about it. Apparently U.S. passports are more difficult to read than cards with RFID chips because they require a password. However, hackers with enough knowledge can see everything on the passport’s front page.”

From the above evidence there seems to be growing concern across America, (not least in Nevada), about a potential RFID crimewave. Against such a backdrop the case for consumers to protect themselves from this type of identity theft is growing stronger by the day.  And whilst it is important to also mention that the makers of RFID enabled devices still maintain that their products are 100% safe from unauthorised access, should you feel the need to buy some RFID sheilding just in case then you can learn more here…

Advertisements
US Department of Defense orders RFID shields

US Department of Defense orders RFID shields

It can now be reasonably argued that November 2010 will mark a significant turning point in the debate surrounding RFID or ‘contactless’ credit, debit, passport and door-access security.  For on Wednesday 29 November, 2010  Secure ID News reported the following news,

“…2.5 million radio frequency shielding sleeves (were delivered) to the Department of Defense to protect the contactless Common Access Card (CAC) from data interception. The FIPS 201-approved, shielding sleeves are distributed via RAPIDS ID offices worldwide with the issuance of new CACs.”

Furthermore, the online journal then went on to state,

“…an option to purchase an additional 1,675,000 sleeves was exercised by the Defense Department for final delivery in January 2011. This order will bring the total number of our sleeves 4.2 million. In September, an order for 200,000 rigid, RF shielding, non-metallic badge holders (was also placed).”

Of course, whilst unauthorised data interception from RFID enabled device is not commonplace – this development would strongly suggest that the potential threat of ‘skimming’ is real and growing by the day.

Original source: http://www.secureidnews.com/2010/11/29/defense-department-order-rf-shields-from-national-laminating

UK Government HQAbstract: A UK government-backed report that explores certain security flaws in RFID / contactless technology.  Well worth a read is this…

Source: http://www.ico.gov.uk

“It will be the responsibility of RFID users to prevent any unauthorised access to personal information. One concern is a practice that has become known as “skimming”. Since a transponder’s signal can be picked up by any compatible reader, it is possible for RFID tags to be read by unauthorised readers, which could access personal information stored on them. Users can guard against skimming by using passwords. The EPCglobal Class 1 Generation 2 RFID specification enables the use of a password for accessing a tag’s memory. However, these are not immune to “hacking”.

Most RFID systems require a short distance between tag and reader, making it difficult for “rogue” readers to scan tags but this could nevertheless be done in a situation where people are naturally at close range, for example, on a crowded train. The nominal read range of some tags can also be extended by the use of more powerful readers. It is also possible to read part of a tag’s number by eavesdropping merely on a reader’s communication with a tag. Readers, with a much higher power output than tags, can be read at much greater distances.

While some RFID applications might not need communication between tag and reader to be encrypted, others that process personal and especially sensitive personal data will need an adequate level of encryption to safeguard the data being processed. In most cases “skimmers” would also need a way of accessing the external database containing the personal data, but in some cases inferences might be made about someone from information which in itself does not relate directly to him. If a person leaves a store having purchased items carrying RFID tags that have not been disabled, he carries with him a potential inventory of his possessions. This would enable someone with a suitable reader and knowledge of EPC references to discover what items he was carrying at a given time. Sensitive personal data about a person’s illness, for example, might be unknowingly revealed by him via the EPC referring to the medication in his pocket. An insufficiently secure RFID chip could also be “cloned”. By copying personal data stored on the RFID chip of an identification card, a person could for practical purposes steal the identity of the cardholder. If the information on the database (e.g., a fingerprint) is checked only against the information on the card, rather than directly against the person himself, a criminal would not need to access the information stored on the database.”

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf

For more information visit:  RFID Protect

Finally, if you’re in any doubt as to whether or not RFID skimming is a real threat, then perhaps watch the following video evidence.

Video evidence from the United States of America, claiming that RFID enabled devices are vulnerable to skimming, cloning and hacking.

Electronic Pickpocket – YouTube Video
(Approx. 4minutes – n.b: opens in a new window.)

David Beckham - victim of RFID hacking and car jacking!

Going, going, gone – RFID car-jacking!

It’s the stuff of movies. A criminal gang that sets out to steal hundreds of cars, each in under 60 seconds, using the latest in high-tech gadgets to facilitate their heist.   But for David Beckham, Hollywood fiction became a reality when in April 2006 criminals used a simple laptop and RFID scanner to crack the electronic door locks of his BMW X5. Once the locks were cracked they then fired up the ignition and drove away – gone in just 15 minutes!

So how was this possible? After all the RFID industry has gone to considerable lengths to reassure us that ‘contactless’ chips and ‘smart keys’ are 100% secure, and not vulnerable to ‘skimming’.

John Holl, a journalist with Forbes Autos throws some light on the matter saying,

“…Back in 2004, when keyless technology was still new and touted as unbreakable and secure, Dr. Aviel D. Rubin, a professor of computer science at Johns Hopkins University, examined this possibility (with his students). Within three months they had successfully cracked the code embedded within the ignition keys of newer model cars, theoretically allowing them to steal the autos.”

“It was a trial-and-error process,”  Rubin said. “We wanted to see if it could be broken and found out that (surprisingly) it could!”

The technique requires a laptop, an RFID scanner and software capable of probing for encryption weaknesses. It only takes about 15 minutes for the software to explore millions of possible encryption answers, before finding the one that fits with the vehicle’s unique identity.  The thieves then submit an identical code to the vehicle, which allows them to ‘boost’ it.

15 minutes – it’s not long.  About the time it takes to park up, leave your vehicle and order at a restaurant, which seems to be what happened to the Beckhams.  And it just goes to show that no security system is 100% fool-proof, however peace of mind may soon arrive as British company RFID Protect hopes to manufacture RFID shielding sleeves that are specifically designed to protect a vehicle’s ‘smart key’ against unauthorised probing.

Original article at:

http://www.msnbc.msn.com/id/13507939/ns/business-autos/

NEWSFLASH: Update September 2012

This month sees AutoExpress reporting on a new twist to this story.  It transpires that BMW has at last accepted that there is an issue with its keyless entry systems on cars issued between 2007 and September 2011.  BBC’s Watchdog television programme highlighted a problem with certain models (specifically BMW X5 & X6) in June of this year, and since then a number of high profile cases have come to light.  One story in particular demonstrates the problem that BMW is now facing, because when London-based consultant Eric Gallina had his car stolen from outside his home he couldn’t understand how thieves had taken it.  Mr Gallina still had the two factory-issued master car keys in his possession, and there had been no evidence of vehicle break in (i.e. there was no broken window glass at the crime scene).

AutoExpress reported that Mr Gallina was told by police officers,

“…nine other BMWs with keyless entry had been stolen in the Notting Hill area within the past month and a half.”

Apologists for BMW have issued security guidance to owners of these models, although it is not clear whether an actual ‘fix’ for the problem is available at the time of writing.  According to AutoExpress BMW have issued the following advice,

“…[until the fix is available to all models], where ever possible park your car out of sight, in a locked garage, or under the cover of CCTV cameras.”

Easier said than done, and some will wonder whether this guidance from BMW has really been thought through, or goes far enough to address such a serious security flaw?

Original article at: http://www.autoexpress.co.uk/bmw/60264/bmw-owners-offered-fix-hi-tech-theft

Google has finally accepted that it harvested personal data from wireless networks as its fleet of vehicles drove down residential roads taking photographs for the Street View project. And yet only a few months ago it would have screamed ‘blue murder’ if anyone intimated that this had happened. Now it transpires that millions of internet users have potentially been affected. Google’s acknowledgment of guilt is an interesting U-turn from its earlier assertion that no sensitive personal information had been taken.

Google has now confessed that its, “…vehicles had also gather(ed) information about the location of wireless networks, the devices which connect computers to the telecommunications network via radio waves.”

The Daily Telegraph newspaper reported that, “…Privacy International lodged a complaint with Scotland Yard earlier this year about Google’s Street View activities and officers are still considering whether a crime has been committed. Google is facing prosecution in France and a class action in the US, with similar lawsuits pending in other countries.”

The full story can be read at: http://www.telegraph.co.uk/

Whilst this development does not relate specifically to RFID or contactless technology as such, nonetheless it’s an excellent example of a large multi-national operation initially stating – “guys, what’s the problem – there’s nothing to worry about your wireless internet connection because we’ve ensured that it’s 100% secure” – and then a few months later we arrive at a different place – “…er, you know that technology that we told you was secure, well there’s been a slight issue with it and as a result your email, passwords and other sensitive information are now in the public domain – whoops, sorry about that…”

Therefore it could be reasonably argued that whilst today contactless credit, debit, Oyster, and Olympics 2012 RFID passes are all being sold as 100% safe – tomorrow may bring with it a somewhat different outlook…

Watch this space, and in the meantime can you afford not to protect your biometric details now?

Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the “smartcards” commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools.

There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and “the most anyone could gain from a rogue card is one day’s travel.” But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.

Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.

“The cryptography is simply not fit for purpose,” security consultant Adam Laurie told the Telegraph. “It’s very vulnerable and we can expect the bad guys to hack into it soon if they haven’t already.”

By Alexander Lew  Email Author| June 24, 2008

Source: http://www.wired.com/autopia/2008/06/hackers-crack-l/

In the UK we stand at the dawn of a new era, the emergence of a new way of conducting business and our lives – welcome to the RFID enabled World! But as is the case with the roll-out of any new technology, we may not be fully aware of the associated challenges. Will our identity remain safe from the unscrupulous career criminals? How can we protect ourselves from card skimming and cloning. These are just some of the many questions that this site hopes to address into the future. We hope you’ll contribute, and that this resource will prove useful in some way.