Posts Tagged ‘theft’

On 8th December 2011, news broke that US police officials had been deployed to North Miami Beach Senior High School to investigate the alledged theft of 2,000 student ID cards.  According to a local media outlet, these ID cards contained sensitive personal information on the holder – including details of each students’ social security number.

Commentators on the situation have said, “…it’s very concerning because it has our social security numbers [on the ID card].”

Some will suggest that this is an excellent example of how any ‘foolproof’ system, (not least one that’s designed to improve security for its participants), is only 100% effective until the moment when something goes wrong.

Expect the unexpected – these are words to live by.

The original article can be found at:  BayPay Forum

____________________

And the trend continues…

According to Alien Vault Labs, the U.S. Defense Department ‘Common Access Cards (CAC)’ and Windows smart card are now being targetted by a new variant of the already infamous Sykipot malware.  Re-engineered in March 2011, this new variant has ‘raised the bar’ – with dozens of attack samples evident over the past 12 months.  The malware would appear particularly interested in government agencies, and a view has been expressed elsewhere that China may be behind this development – since a main goal in these attacks is to access information specifically from the US defense sector.  (Smart cards are in common use across the US Defense sector as a means of identifying employees and allowing them access to facilities or services.)

Alien Vault Labs explain how these attacks work by stating, “…the attackers use a spear phishing campaign to get their targets to open a PDF attachment which then deposits the Sykipot malware onto their machine. Then, unlike previous strains, the malware uses a keylogger to steal PINs for the cards. When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. The malware is controlled by the attackers from the command & control center.”

You can read the full report here: Alien Vault Labs

Once again this news adds weight to the growing argument that as encryption systems improve those of a criminal disposition will raise their game accordingly.  There’s probably nothing to worry about for the moment (unless you’re in the US defense industry?), but just to be on the safe side then why not avoid potential mayhem and consider a low-cost ‘anti-skim’ sleeve for that new ‘contactless’ credit or debit card; such as those that can be purchased from RFID Protect.

US Department of Defense orders RFID shields

US Department of Defense orders RFID shields

It can now be reasonably argued that November 2010 will mark a significant turning point in the debate surrounding RFID or ‘contactless’ credit, debit, passport and door-access security.  For on Wednesday 29 November, 2010  Secure ID News reported the following news,

“…2.5 million radio frequency shielding sleeves (were delivered) to the Department of Defense to protect the contactless Common Access Card (CAC) from data interception. The FIPS 201-approved, shielding sleeves are distributed via RAPIDS ID offices worldwide with the issuance of new CACs.”

Furthermore, the online journal then went on to state,

“…an option to purchase an additional 1,675,000 sleeves was exercised by the Defense Department for final delivery in January 2011. This order will bring the total number of our sleeves 4.2 million. In September, an order for 200,000 rigid, RF shielding, non-metallic badge holders (was also placed).”

Of course, whilst unauthorised data interception from RFID enabled device is not commonplace – this development would strongly suggest that the potential threat of ‘skimming’ is real and growing by the day.

Original source: http://www.secureidnews.com/2010/11/29/defense-department-order-rf-shields-from-national-laminating

David Beckham - victim of RFID hacking and car jacking!

Going, going, gone – RFID car-jacking!

It’s the stuff of movies. A criminal gang that sets out to steal hundreds of cars, each in under 60 seconds, using the latest in high-tech gadgets to facilitate their heist.   But for David Beckham, Hollywood fiction became a reality when in April 2006 criminals used a simple laptop and RFID scanner to crack the electronic door locks of his BMW X5. Once the locks were cracked they then fired up the ignition and drove away – gone in just 15 minutes!

So how was this possible? After all the RFID industry has gone to considerable lengths to reassure us that ‘contactless’ chips and ‘smart keys’ are 100% secure, and not vulnerable to ‘skimming’.

John Holl, a journalist with Forbes Autos throws some light on the matter saying,

“…Back in 2004, when keyless technology was still new and touted as unbreakable and secure, Dr. Aviel D. Rubin, a professor of computer science at Johns Hopkins University, examined this possibility (with his students). Within three months they had successfully cracked the code embedded within the ignition keys of newer model cars, theoretically allowing them to steal the autos.”

“It was a trial-and-error process,”  Rubin said. “We wanted to see if it could be broken and found out that (surprisingly) it could!”

The technique requires a laptop, an RFID scanner and software capable of probing for encryption weaknesses. It only takes about 15 minutes for the software to explore millions of possible encryption answers, before finding the one that fits with the vehicle’s unique identity.  The thieves then submit an identical code to the vehicle, which allows them to ‘boost’ it.

15 minutes – it’s not long.  About the time it takes to park up, leave your vehicle and order at a restaurant, which seems to be what happened to the Beckhams.  And it just goes to show that no security system is 100% fool-proof, however peace of mind may soon arrive as British company RFID Protect hopes to manufacture RFID shielding sleeves that are specifically designed to protect a vehicle’s ‘smart key’ against unauthorised probing.

Original article at:

http://www.msnbc.msn.com/id/13507939/ns/business-autos/

NEWSFLASH: Update September 2012

This month sees AutoExpress reporting on a new twist to this story.  It transpires that BMW has at last accepted that there is an issue with its keyless entry systems on cars issued between 2007 and September 2011.  BBC’s Watchdog television programme highlighted a problem with certain models (specifically BMW X5 & X6) in June of this year, and since then a number of high profile cases have come to light.  One story in particular demonstrates the problem that BMW is now facing, because when London-based consultant Eric Gallina had his car stolen from outside his home he couldn’t understand how thieves had taken it.  Mr Gallina still had the two factory-issued master car keys in his possession, and there had been no evidence of vehicle break in (i.e. there was no broken window glass at the crime scene).

AutoExpress reported that Mr Gallina was told by police officers,

“…nine other BMWs with keyless entry had been stolen in the Notting Hill area within the past month and a half.”

Apologists for BMW have issued security guidance to owners of these models, although it is not clear whether an actual ‘fix’ for the problem is available at the time of writing.  According to AutoExpress BMW have issued the following advice,

“…[until the fix is available to all models], where ever possible park your car out of sight, in a locked garage, or under the cover of CCTV cameras.”

Easier said than done, and some will wonder whether this guidance from BMW has really been thought through, or goes far enough to address such a serious security flaw?

Original article at: http://www.autoexpress.co.uk/bmw/60264/bmw-owners-offered-fix-hi-tech-theft

Here in the UK, the bio-metric passport project is now in its fourth year.  By all accounts the roll-out has proved successful, although there is a growing body of evidence that suggests the system is not entirely fool-proof; leaving a small window of opportunity for unscrupulous individuals to ‘skim’ the data contained therein.  It’s been argued that this can be done from distances up to a metre away, and what’s more – you wouldn’t feel a thing!

As someone who’s not keen to have their privacy compromised – even if this is just a ‘long shot’ – I’ve decided to put together a DIY guide to keeping your RFID enabled passport secure from skimmers. So, we’re going to use the ‘Faraday Cage’ approach of using aluminium foil to create a secure environment for our passport – rendering it inactive, whilst inside the foil.  Yes, I realise that this smacks of ‘tin hat paranoia’ – but there’s compelling evidence to suggest it works – as the signal from our passive RFID chip is effectively blocked from the reader; or ‘hacker’ as the case may be.

You will need:

2 x A3 paper
A4 size strips of aluminium foil
C5 sized envelope/s
3M spray mount
1 x scalpel
1 x newspaper
1 x ruler
1 x strong adhesive (PVA / wood glue)
1 x kettle (for streaming the C5 envelope open)

Instructions:

  • Take your kettle, fill it with about one cup of water, and heat until boiling
  • Taking great care with this next step – steam the folded seams of your C5 envelop, until the original glue relaxes and you can peal the flaps apart
  • Once all flaps are released – unfold your envelop and allow to dry
  • Once dry, place your unfolded envelop between two sheets of A3 paper (creating a sandwich) and iron the top sheet of A3, thus in doing so the C5 envelop will be flattened.
  • Remove the 2 sheets of A3 paper, take the (now flattened) envelop and place it over a sheet of aluminium foil and ensure that there’s sufficient foil to cover your envelop.  Cut to size – allowing for at least 1 cm overlap on all edges.
  • Place the aluminium foil onto a sheet of old newspaper – spray well with 3M spray mount
  • Place inside face of envelop onto the sticky side of the foil – you’re attempting to glue the foil to the inside of your envelop.
  • Place a sheet of A3 paper over the top, then rest a heavy book on top – allowing up to 24 hrs for the glue to adhere
  • Once fully dried – and using a ruler – trim all edges with a scalpel, to the original dimensions of your C5 envelop.  TAKE CARE OF FINGERS!!!
  • Finally, crease any folds again to original C5 envelop configurations.
  • Use the strong adhesive to join the folded seams together.

You should now have a C5 envelope with a foil lining inside. All you need do now is insert your RFID enabled passport and close the flap.  You can use a paper clip to keep the flap closed.

All done!

Although with hindsight, you could well be better off simply buying an RFID protected passport sleeve (for around £2.99) from one of the suppliers listed elsewhere on this site. (Click here to buy from UK-supplier RFID Protect.)

And unless you already have most of the items detailed above then it’s probably also a cheaper option – but of course less fun!

In the UK we stand at the dawn of a new era, the emergence of a new way of conducting business and our lives – welcome to the RFID enabled World! But as is the case with the roll-out of any new technology, we may not be fully aware of the associated challenges. Will our identity remain safe from the unscrupulous career criminals? How can we protect ourselves from card skimming and cloning. These are just some of the many questions that this site hopes to address into the future. We hope you’ll contribute, and that this resource will prove useful in some way.