Vulnerabilities in First-Generation RFID-Enabled Credit Cards

Monday, October 23, 2006

RFID CUSP scientists have studied the security and privacy of RFID-enabled credit cards. Here Ari Juels gives an overview of the results.

Quick links

• Frequently asked questions
• Technical report
• Videos
• Links to related news

While appealing to both consumers and merchants, the convenience of RFID credit cards has a flip side. What a legitimate merchant terminal can read, a malicious scanning device can also read without a consumer’s consent or knowledge. RFID credit cards therefore call for particularly careful security design.

A report released today by a team of scientists in the RFID Consortium for Security and Privacy (RFID-CUSP) reveals lapses in the security and privacy features of several types of currently deployed RFID credit cards. The report (of which I am a co-author) highlights two basic vulnerabilities in the cards under study:

1. Names in the clear: The RFID credit cards transmit bearer names promiscuously. Any device capable of scanning a card can learn the name imprinted on it—with or without the owner’s consent.
2. Payment fraud: In varying degrees, the RFID credit cards are vulnerable to an attack called “skimming.” An attacker with an RFID reader can harvest information from a card, create an inexpensive clone device, and make charges against the legitimate card. (Alternatively, an attacker may be able to perform online transactions with harvested credit-card information.) Skimming requires minimal technical expertise and expense.

Credit-card fraud is already widespread in various forms, and financial institutions already address the problem effectively with sophisticated detection and mitigation systems. Despite their flaws, therefore, it is unlikely that RFID credit cards will trigger a large new wave of fraud.

Rather, what the RFID-CUSP report highlights most significantly is the new physical dimension of vulnerability that RFID credit cards introduce. Without even removing their cards from wallets or pockets, consumers can potentially see their privacy and security compromised. A scanner in a crowded subway station might surreptitiously harvest credit-card data from passersby. Or consider what the RFID-CUSP research team has dubbed a “Johnny Carson” attack. In the comedian’s Carnac the Magnificent act, he divined the contents of sealed envelopes held against his forehead. Likewise, an attacker can quickly skim data from RFID credit cards in sealed envelopes while they are in transit or sitting in mailboxes.

Slightly stronger data protections and cryptography could largely prevent Johnny Carson attacks and most of the other vulnerabilities illustrated in the RFID-CUSP study. Given that RFID as a broad technology is already a flashpoint for consumer fears, the choice of credit-card associations not to confer stronger protections on RFID-enabled cards is somewhat surprising. Numerous media reports have drawn attention to consumer concerns about RFID privacy and security, and various government bodies are mulling over RFID-privacy regulations. In early 2005, a team of researchers (including some in RFID-CUSP) demonstrated skimming attacks against ExxonMobil SpeedPass, another RFID payment device used by millions of Americans for some number of years. (It should be noted, however, that unlike RFID credit cards, SpeedPass does not reveal personally identifying information.)

The RFID-CUSP report leaves some open questions. With unclear legal protections in place for scientific exploration, the research team was unable to perform field tests of skimming attacks—even against our own credit cards. (The team has offered, however, to collaborate with credit-card issuers and merchants in empirical testing.) Thus, while the report makes definitive claims about certain vulnerabilities, others remain conjectural. Moreover, the research team was unable to ascertain the number of issued cards affected by the security flaws we encountered, and whether newer cards incorporate stronger protections. It is for the credit-card associations to give a precise account of how many vulnerable cards they have issued, should they choose to do so. Finally, there is the vexed question of read ranges. While the nominal read range of the RFID chips in credit cards is on the order of at most a few inches, large antennas and non-standard readers may be able to achieve longer ranges. This remains an open research question.

The RFID-CUSP report does not explicitly name the card types under study. The vulnerabilities affect several major organizations, and the aim of the report is not to point fingers. (In fact, I should note that my employer, RSA, The Security Division of EMC, contacted credit-card associations with our findings some months ago, and itself declined to initiate any media contact.) The RFID-CUSP study is, in effect, a product-safety report. By highlighting weaknesses in a significant, fielded RFID system, the study aims to promote strong accountability and security practices in the RFID industry as a whole. RFID has the potential to bring great benefit to our lives. An early underpinning of solid security and privacy can help ensure the swiftest and most complete success for this budding and transformational technology.

For details on the RFID-CUSP study, visit www.rfid-cusp.org.

Read our Frequently Asked Questions (FAQ) on contactless RFID-enabled credit cards.

Our technical paper is available as a draft PDF. The final version will be presented at Financial Cryptography 2007.

• "'Smart' cards are quick, but are they safe?" on NBC Today Show, October 26, 2006.
• "No-Swipe Credit Cards Could Make ID Theft Easier" on ABC Good Morning America, October 24, 2006.
• YouTube or the secondary link has our short video demonstration of some attacks from a technical perspective. Please excuse our poor-quality video techniques.

• New York Times story on no-swipe credit cards, October 23, 2006.
• Popular Mechanics, January 2007.
• Search the Web for news on contactless RFID-enabled credit cards