Vulnerabilities in First-Generation RFID-Enabled Credit Cards

RFID-enabled credit cards are widely deployed in the United States and other countries, but no public study has thoroughly analyzed the mechanisms that provide both security and privacy. Using samples from a variety of RFID-enabled credit cards, our study observes that (1) the cardholder's name and often credit card number and expiration are leaked in plaintext to unauthenticated readers, (2) our homemade device costing around $150 effectively clones one type of skimmed cards thus providing a proof-of-concept implementation for the RF replay attack, (3) information revealed by the RFID transmission cross contaminates the security of RFID and non-RFID payment contexts, and (4) RFID-enabled credit cards are susceptible in various degrees to a range of other traditional RFID attacks such as skimming and relaying.

[1]  David A. Wagner,et al.  Security and Privacy Issues in E-passports , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[2]  Ari Juels Strengthening EPC tags against cloning , 2005, WiSe '05.

[3]  Ari Juels,et al.  Technology Evaluation: The Security Implications of VeriChip Cloning , 2006, J. Am. Medical Informatics Assoc..

[4]  Mike Bond,et al.  Phish and Chips Traditional and New Recipes for Attacking EMV , 2006 .

[5]  Andrew S. Tanenbaum,et al.  A Platform for RFID Security and Privacy Administration (Awarded Best Paper!) , 2006, LISA.

[6]  Ross J. Anderson Why cryptosystems fail , 1993, CCS '93.

[7]  Avishai Wool,et al.  How to Build a Low-Cost, Extended-Range RFID Skimmer , 2006, USENIX Security Symposium.

[8]  Ronald L. Rivest,et al.  The blocker tag: selective blocking of RFID tags for consumer privacy , 2003, CCS '03.

[9]  V. Rich Personal communication , 1989, Nature.

[10]  Matthew Green,et al.  Security Analysis of a Cryptographically-Enabled RFID Device , 2005, USENIX Security Symposium.

[11]  Kevin Fu,et al.  Privacy for Public Transportation , 2006, Privacy Enhancing Technologies.

[12]  Avishai Wool,et al.  Picking Virtual Pockets using Relay Attacks on Contactless Smartcard , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[13]  Gerhard P. Hancke Practical attacks on proximity identification systems , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[14]  Ari Juels,et al.  RFID security and privacy: a research survey , 2006, IEEE Journal on Selected Areas in Communications.

[15]  Gildas Avoine,et al.  Privacy Issues in RFID Banknote Protection Schemes , 2004, CARDIS.

[16]  Gerhard P. Hancke,et al.  A Practical Relay Attack on ISO 14443 Proximity Cards , 2005 .

[17]  Mike Bond,et al.  Phish and Chips , 2009, Security Protocols Workshop.