
07. 01. 2006

Citibank's RFID PayPass credit card


Dan Costa over at Gearlog was recently sent a new type of credit card by his bank. The new MasterCard PayPass is an RFID token that uses radio frequency keys to authorize purchases. The basic principle is very similar to the speed passes currently in use at gas stations, toll booths, and subway stations all over the country.

Dr. Costa did a very nice write-up on the potential pitfalls and inherent security features embedded into the payment medium, but he missed one bit of very important information. Hackers have already managed to solve the problem of trying to read a chip from within two inches, and rumor has it that there are breathtaking hacks regarding RFID capture and spoofing being released at this year's Defcon conference.

It's a very interesting read to see where the technology is now, but I do not trust that keyfob yet.

Posted by Johnny    Category: devices


Comments (3)

Wow, this is a pretty cool concept, but I am a bit nervous of the keyfob. Nonetheless, this is a step in the right direction. Great find! I love this site. Keep up the great work!

It looks quite interesting. Where can I apply for one?

RF Base:

Sure, the basic principle is the same as the "speed passes" for the gas station or toll booths, but making blanketed statements is usually not productive, and often leads to false conclusions. Generalizing about the family of technologies known as "RFID" is common in the media today, especially as the US Gov. debates the use of various types of RFID for passports and frequent border crossing credentials (PASS). The DHS recently issued a report, "The Use of RFID for Human Identification" in which there was obvious confusion about what security features have been implemented at what frequencies. In this post specifically, the technology in use at gas stations is likened to the toll roads despite the fact that one uses active transponders at frequencies of 900MHz or greater, while the other uses passive transponders at 125/134kHz (so called "Prox" technology). The PayPass technology from MasterCard uses yet another frequency and a completely different set of cryptographic techniques. Finally, the citation of various "hackers" exploits in beating the technology are a bit out of date and contrived. The first describes one person's ability to perform a replay attack on the "Prox" technology (mostly in use for access control) that has been slowly but surely in replacement for 10 yrs (Johns Hopkins and RSA Labs successfully hacked the DST in use for car immobilizers and gas station payments). The second details the efforts of students in Amsterdam to perform spoofing and jamming attacks where it is claimed there is compatibility with ISO 15693 and 14443, despite the vast differences between these 2 air-interface protocols and the fact that these standards do not specify security features. ISO 14443-based transponders are being considered for use in passports, but the tag ICs in use are capable of 2048-bit keys using standardized Elliptical Curve Cryptography, while the DST technology uses 40-bit keys and a proprietary cipher.
Security and privacy are valid concerns when confronting new technologies, but it is crucial to be informed about the specifics of a given technology before judgements are made. Otherwise, we are simply aiding the conspiracy theorists in another chorus of "the sky is falling."
