The Black Hat security conferences are always good for a crowd-pleasing demonstration or two, and security researcher Adam Laurie was happy to oblige at the latest DC-based event. In 'look, no hands' fashion, he was able to pull up account data, including name, account number and expiration date, from an AMEX credit card and display it on the big screen to the attending masses, without actually removing the card from the wallet of the man who owned it.
Yet this was no trick, but rather a demonstration intended to start a debate on the potential security weakness of the RFID smart-chip technology implemented on some credit cards these days. Laurie combined some simple hardware with a Python-based script to perform his magic. The impact was lessened a little by the fact that the account number shown on-screen was not the one embossed on the card itself and cannot actually be used to make an online transaction. Indeed, American Express has confirmed that this 'alias' number alone would not be accepted as transactionally valid, and that numerous other security mechanisms would need to kick in to authenticate the payment authorisation. As such, all that was demonstrated here was the potential ease with which data can be read from smart cards using RFID scanning techniques, without any physical contact.
With close on 50 countries around the world using RFID-enabled passports, and many places also opting for RFID-enabled public transit cards and the like, the security implications are still worrying. In Spain, there are apparently even some operations where users can have an RFID tag implanted under the skin. One such application is a beach resort that allows bars and shops to scan your wrist for payment, so you can enjoy the beach and sea without needing a wallet.
As always, though, convenience needs to be balanced against confidentiality, and as the Black Hat demo shows, this particular angle of the RFID transaction is perhaps not being given as much serious thought as it should.