Ask Hack-A-Day

swipeless

You may have heard that MasterCard is rolling out swipeless cards. I was alarmed by the quote: “point to the success of ExxonMobil’s SpeedPass system”. You mean the RFID system that was cracked and TI refused to acknowledge? There has been other RFID spoofing work that has proven that the action of reading the card makes it more insecure. What do you think of this new rollout and what percentage of your body will you be covering in tinfoil (freezer grade, shiny side out)?

31 thoughts on “Ask Hack-A-Day

  1. Our new school ID’s can be linked to our wells fargo bank account to take the place of our debit cards (www.txstate.edu)… When I found out that they also have an embeded RFID tag in them, I opted out of the link to my account. Plus, now I only have one card to lose.

  2. I wonder if this will then trickle down to my bank’s debit card (which is mastercard). Will suck really. But it’ll just be more incentive to go finally apply for an AMEX card or something else instead of using my debit card as a credit card (yay for no growth on my credit report *cry*).

  3. i do a lot of work with wireless networking and massaging 802.11x hardware beyond its intended abilities, however i have no experience in the rfid area of wireless snooping. what id like to know, however, is whether anyone has intentions to obtain one of these cards and test them in a manner similar to the one present at the following address: http://rfidanalysis.org/ ..it would be educational to consumers, those that provide cards to consumers, and to the security field in general. by my estimation, it should be done, and quickly.

  4. I would be the first to “scam” them, Scopes Monkey style. I’ll just say someone stole the rf and charged me a shitload. Then when (Or I should say if) they find out, I’ll just say that it is completely possible and show proof, via University Exxon Speedpass papers and such.

    And you don’t need to be able to write to the cards, just steal the info on them and spoof them at cash registers. But I don’t see any incentive to using this unless MC (and Amex which the article mentions) develop compatible readers and provide them free of charge and extra fees to their clients.

    (Ohh, and everybody should be paying by debit card, since they charge you extra money if you pay cash… think about the fees they get for processing credit cards and yet you never get charged more for using it…)

  5. Heh, woohoo, a new kind of card for the lazy-assed american that’s too fat and weak to swipe their own fucking card. I’ll bet you card swiping is the primary cause of cancer in old people. I say we just id-theft anyone who’s so lazy they need a swipeless card.

  6. correction: there have been plenty.. just look at the past few weeks.

    on a more hack-a-day note, I’m planning on picking up a new cellphone sometime soon. are there any suggestions on what I should get to hack the most?

  7. tristan

    i just bought a razr. while i wouldn’t recommend motorola’s software to a retarded dog (crappy address book application, broken bluetooth implementation) it has great voice quality, a good camera, and best of all is end-user hackable. check out http://www.motomodders.net/ there is a large community of hackers that are replacing firmware, images, and changing control bytes in their phones.

    there is also a cheaper clamshell version that isn’t as thin as the razr (v330 i think) but runs the same software and is just as hackable.

    when i get enuf courage (and a cable :-) i’m going to try upgrading my firmware to see if it helps with some of the crashing issues i’ve had.

    but i still think their phone book application is teh suck.

  8. digitally sick, read back a few (ok maybe something like 5) pages back, we’ve already hacked Exxon speedpasses, how long do you think it will be before this is hacked? and would you really trust me with your credit card?

    the RFID tags use (you guessed it) radio frequency to send info, this means that the scanner picks up the info *over the air* (just like wi-fi, and you know how hard that is to crack!) at least with traditional credit cards there isn’t any over the air signals, so someone will pretty much have to physically have your card to do damage. imagine if they could just have a scanner twenty feet away hidden inside of a backpack (and i give it two weeks before some geek figures out a way to record your rfid info to an ipod) then rebroadcast it with a walkie talkie. sound fun?

    ok, i’ll admit that it might be more than a walkie talkie, but something that broadcasts radio signals can broadcast… radio signals…

    p.s. imagine if someone recorded your info on an ipod with a rfid scanner, and broadcasted it with one of those microphones that can be played on stereos set to a specific radio station hooked up to the headphone jack. think it could work? someone needs to teach digitallysick a lesson

  9. For those of you who are curious: judging by the image, those are Xilinx Spartan II FPGAs on XSA evaluation boards made by Xess. Very nice; fun to play with. FPGAs are the bomb-diggity. For those hobbiests out there, I highly suggest getting one. If you like coding in C or ARM, try the XPort 2.0 board for GameBoy Advance. Charmed Labs makes it. I used one to build a GPS cartridge for GBA

  10. American Express just sent me an RFID-looking card too. (American Express “Blue” is the AmEx variant aimed at dot-com-era geeks: lots of cool features, most of which never materialize. My last card from them had a ISO7816-type contact pattern on it, which would supposedly be useful for something or other. Never did find out what.) It’s got an embedded chip and spiral antenna and some vague marketing wordage about how easy it’ll be for me to pay for stuff with it. If, that is, I ever use it for something.

    Hmmm, here we go: http://www.rfidjournal.com/article/articleview/1297/1/11/

    The article mentions that “American Express, Visa and MasterCard are all offering RFID-based contactless payment options”. They’re the 13.56-MHz style card. No info on whether it’s a cryptographically strong exchange (ha!) or just the usual “broadcast your card number to all listeners” kind of thing.

    Um, is there a way to avoid having my comment forced to all lower-case?

  11. Hello,

    I need someone who can transfer money into a wellsfargo account,bank of america,barclays bank and fifth third bank,So we are going to share the money 60% while %40 for you.So i will be waiting to hear from you.

    Thanks
    Suzie

  12. i’d like to find out my ex-bf’s e-mail password, to his Ohio State University e-mail account, so I can erase some of the e-mails i’ve sent him that are totally irrelevent, and i wrote when i was pissed off. If you could please find someone to do this, or tell me how, i’d appreciate it. e-mail me above and i’ll give you his info. Thanks.

  13. Hi,

    I have a list of debit card numbers with personal information, I want a bank account where I can transfer the funds from these debit cards, how do I do that? Can anybody help? Can share the profits with you? All debit cards are UK origin.

  14. Hi,

    I have a list of debit card numbers with personal information, I want a bank account where I can transfer the funds from these debit cards, how do I do that? Can anybody help? Can share the profits with you? All debit cards are UK origin.

Leave a Reply to steveCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.