Shostack + Friends Blog Archive


Consumer-Grade RFID Analysis

In “Why Some People Put These Credit Cards In the Microwave,” the Wall St. Journal incidentally captures everything you need to know:

Makers of products using RFID say privacy and security safeguards are being built into the chips to prevent abuses. MasterCard International says multiple layers of security are available to prevent MasterCard data from being stolen by electronic eavesdropping. It is up to the companies that issue the card to decide which security measures to adopt, says Art Kranzley, MasterCard’s executive vice president in charge of new payment technologies.


The card Ms. Lum carries came without any information about security safeguards, she says, so she decided to take no chances. “It’s maybe a little bit of a paranoia thing, but hey, it’s my credit rating,” she says.

There you have it. It’s Ms. Lum’s credit rating, and Mr. Kranzley’s decision to not mandate any security measures, but leave that up to the issuing banks. Any questions about what’s going to happen?

Thanks to Rob Sama for the article pointer, and the U Missouri web site for the Mastercard ad.

7 comments on "Consumer-Grade RFID Analysis"

  • Chris Walsh says:

    The article reads as if the vulnerability these cards have is theoretical. I consider to have definitively disproved that assertion, by actually demonstrating a means by which such tags can be successfully subverted.

  • Why would putting your credit card in a microwave protect you? And would the mag stripe still work?

  • Chris Walsh says:

    These are active devices, Alice. The large amount of power in the microwave oven fries the circuitry (presumably via the antenna) and turns the thing back into a normal credit card. I don’t see why microwaves would demag the card, but there’s plenty about electricity and magnetism that I don’t know.

  • David Brodbeck says:

    I can’t get too worked up about this, to be honest. I don’t see how the RFID-enabled cards are any more of a risk than handing your card to a waiter, or reading the number to a sales rep over the phone, both types of transactions that are well-accepted. If there’s fraud, the liability is with the credit card company. Presumably they consider the risk low, because otherwise they’re opening themselves up to having to eat lots of fraudulent charges.

  • Chris says:

    My worry with these cards is regarding location tracking (google for a bluetooth related relation tracking paper).
    I don’t care about credit card fraud, as another commenter pointed out, it’s not my problem… it’s the credit card companies’.
    However, I am quite worried about a transmitter in my pocket that can be triggered by a high powered reader a few meters away.
    A one-time shot in the microwave is much simpler than a foil-lined wallet.

  • Adam says:

    Both of those are based on you taking action. I can read the RFID without your participation or permission, and can use it as an easy way to track people. (As Chris said.)

  • Iang says:

    Guys, worrying about RFID being used for tracking is like building a barn door with splinters when a stampede of horses just blew your barn to matchwood.
    Everyone with a cell phone has a far *far* far superior tracking device in their pockets. It beats the RFID on every point. It transmits. All the time. It is paid for by the trackee. The trackee even pays to recharge it. There is only one of them, and it is positively identified. The trackee gets very upset when they lose their personal tracking device, and can be relied upon to fight for her rights in law to be tracked.
    It even records extra information such as multiple tracking targets in an intelligent fashion – they haven’t even begun to think about RFIDs communicating and recording their chit chat. Cell phone tracking is already integrated into a convenient centralised infrastructure that reaches into our mass transits and crosses our borders.
