Following on from last week’s story about how the MIFARE Classic’s RFID chip, as used in London Transport’s Oyster card, had been compromised, BoingBoing has gone a step further. It gave a video demonstration of a hacker demonstrating how easy it is to extract details from a RFID-equipped credit card.
In the video, the hacker Pablos Holman boasts that he is able to “decrypt the data” using an “eight dollar reader from eBay”. One quick swipe of the reporter’s American Express card later and he appears to have done just that, with the cardholder’s name and expiry date both visible.
“You’ll get that from most cards,” explains Holman, before adding “now we can go online and start shopping”.
Holman then offers his explanation as to why the use of RFID technology is spreading despite its obvious security flaws. “The credit card industry understands that creating a secure system isn’t really the priority; creating a system that feels secure to the user is. In reality it’s easier for me to get numbers now than it was before.”
Security risk
Mr Holmon then shows how RFID card carriers could protect themselves from readers with the aid of a metal wallet, before offering his views on how much of a security risk RFID-equipped credit cards really pose:
“I don’t expect this to be a major threat for a while. People are stealing credit card numbers from websites and that’s still pretty easy,” he says, before adding, somewhat more ominously “with a bigger antenna hooked up to this I can go into Starbucks and get the name of everyone in there”.
