RFID Flap Silences Security Researchers

Did the BBB shut you down?

spamo

"Robert L Bass" wrote in message news: E7idnTifRPewoJ3bnZ2dnUVZ snipped-for-privacy@comcast.com...

False, both the skimmer and normal reader see the card.

False again. What in God's name can prevent an RF receiver from receiving a signal sent by the RFID device? If close enough... and the device triggered, it will receive the data, and like in any RF system the data will be received by the legitimate receiver too. RF is not sucked up by the skimmer receiver.

Wrong again... you don't seem to grasp the whole concept here...

Petem

Some folks never let their ignorance of a topic stop them from babbling nonsense about it. ;)

One of the links I gave earlier is about a security consultant cloning (from a few feet away) an RFID badge used for access in the California state capitol building. Improving the receiver and/or antenna could increase the distance.

Another video in the "related" section illustrates capturing user data from an RFID-enabled credit card.

Dave Houston


Precisely. The card's magnetic stripe passes through 2 heads, not one. The second reading head is contained in the false shroud and "skims" the data from the card. Perhaps that's why they are called skimmers! (-: Here's a more detailed description of the well-known scam as practiced in Scotland:


*Emphasis mine


Exactly right, once again. The same technique of a second reader concealed in the same type of shroud would produce the same results. The skimmer gets a copy of any data the legit reader gets.

Obviously. The shroud sits there and extracts the stripe data on the card before it slides past and into the real reader and the little pinhole videocam gets the PIN. The machine works *completely* normally, handing out money and receipts, accepting deposits and giving out bank balances. The crooks want the account numbers and PINs, not the cash. Not that way, anyway. The information is typically used to make large purchases, since ATMs have such low daily cash limits.

Other variations have included a skimming keyboard that is designed to pass the keystrokes to the real keypad below while recording them for the skimmer. The cameras apparently superseded the readers because they were able to provide much more information about the customers than a simple series of keystrokes did. There are even low tech variations I won't discuss here that allow crooks to capture the PIN and the card itself rather easily, making the user think the machine ate the card, which they retrieve after the customer gives up and leaves the ATM.

-- Bobby G.

Robert Green

Hmm. This is different from a newspaper story I read a while back where thieves used a skimming device in the US. In that case the device read the cards and pass codes but did not pass anything on to the real ATM. They were arrested.

In another case thieves simply placed a fake ATM in a mall in CT. They, too, were caught.

Robert L Bass

"Robert L Bass" wrote in message news: AqGdnYym_J3DX5_bnZ2dnUVZ snipped-for-privacy@comcast.com...

Got some links on that case?

Petem

The scariest aspect of this is that the congenital idiots at Homeland Security are planning to require RFID badges precisely because they can be read from several feet away.

The state of Washington is planning a pilot program.

Dave Houston

There you go, insulting sentient, albeit challenged, human beings by comparing them to HS geeks! (-: Here in my county the number 2 HS officer gunned down two *unarmed* furniture delivery men in his house, killing one, critically wounding the other.


A police corporal, he got the HS job (over literally thousands of more qualified candidates) because he had been a driver for the County Exec in a previous "lifetime." Then there was some other deputy in HS who had a sex crime problem with juveniles. These guys, at least, were as much a threat to society as most terrorists.

The state of Washington is planning a pilot program.

At least "the enhanced licenses will not be mandatory for Washington drivers." Not yet, anyway. I'm all for studies like that where it should be pretty easy to tell if the people who volunteered for the RFID card suffer a higher incidence of ID theft than their non-RFID enabled peers. I'm all for it, as long as it's not mandatory and it's not my license they are diddling!

-- Bobby G.

Robert Green

In article , snipped-for-privacy@gmail.com (Petem) writes:
|
| "Robert L Bass" wrote in message
| news: AqGdnYym_J3DX5_bnZ2dnUVZ snipped-for-privacy@comcast.com...
| >> The shroud sits there and extracts
| >> the stripe data on the card before
| >> it slides past and into the real reader...
| >
| > Hmm. This is different from a newspaper story I read a while back where
| > thieves used a skimming device in the US. In that case the device read
| > the cards and pass codes but did not pass anything on to the real ATM.
| > They were arrested.
|
| got some links on that case?

I have no information on that case, but they did something similar locally last(?) year I think. It was somewhat clever. They replaced the door access reader with their own and wedged the door lock open. They pointed a camera at the keypad inside. They didn't do anything near the ATM proper. I probably would have noticed that the door was already unlocked and not inserted my card, but apparently many did not. It isn't clear that it would be all that hard to go one step further and make the door access device actually work since you don't need to pass through a specific code but any code which will open the door.

Dan Lanciani ddl@danlan.*com

Dan Lanciani

Oops! Forgot the URL:


The review of the book tells us not much has changed in thirty years!

-- Bobby G.

Robert Green

No. It was a newspaper article.

In Brazil it's done a little more simply. They wait for someone well dressed to approach his car and jump him. The victim is forced to drive to an ATM and withdraw R$800 (about US$380), which is the daily limit. The crime is called a "relâmpago" which means lightning kidnapping because it's all over in a few minutes.

Robert L Bass

Newspapers are searchable... Which one?

Or is this just more Bassshit?

Moe Szyslak

Actually, making a "bump key" for the more common locks wouldn't require carrying around a "wad" of 'em at all. There used to be a video on how to make one online, but I lost the URL.

The only way to properly secure your home is with a properly installed perimeter security system and some higher quality lock-sets. It wouldn't hurt to physically "harden" the common entry points either. It really doesn't matter how you "slice it" in the end however, if someone wants "in" bad enough they'll get in. What you want is for them to make lots of noise and spend some time doing it. "Exposure" increases the chances they're going to get caught.

Frank Olson

Here's another RFID article with some interesting links.

Dave Houston

Truthout isn't exactly what I'd call journalistically responsible.

"On Saturday afternoon, May 13, 2006, TruthOut ran a story titled, 'Karl Rove Indicted on Charges of Perjury, Lying to Investigators.' The story stated in part that top Bush aide Karl Rove had earlier that day been indicted on the charges set forth in the story's title."

Much as we'd love for that story to have been true, it was not.

Robert L Bass

"Around 20 million credit cards now have RFID placed within them without the knowledge of the consumer," she informed me. She said there is no sure-fire way to protect your information short of "cutting up your credit cards."

Ah, perhaps, perhaps not. A few seconds in a microwave does hideous things to the metallic layer of a CD without affecting the plastic. What will it do to the fine metal traces of an RFID chip? I'll have to look at my new cards closely to see if there's an RFID chip. Fortunately, they always send two but we only use one so I could justify a little slicing and dicing if I think I see a chip.

It's sounding more and more like metallized wallets and RFID sniffer sniffing bracelets are in our future.

45.7M credit cards hacked from TJMaxx and Marshalls:

Also included in the lost data were 500K driver's license numbers stored from customers who paid cash and returned or exchanged items. I bought my CFLs with cash and I would probably return them but I'd rather not provide Home Depot with any more information than they already have about me. Today, while filling a prescription the clerk asked for my driver's license to ID me and then just copied it! Whoa, Nellie!

Egghead died after their massive breach. I expect TJX might very well follow them to the corporate grave.

-- Bobby G.

Robert Green

Robert,

Since you seem to be unable to avoid interjecting your political and/or religious opinions into your often otherwise useful and informative posts, I regret I will have to stop reading them.

Jon

Jon Woellhaf

A post mortem showed that the Egghead hackers never reached the credit card info but Egghead was nevertheless punished for doing the right thing and alerting their customers to the possibility.

There was strong evidence that the real breach was at a much larger entity that never 'fessed up and is now part of an even larger entity popular with those who find things that have fallen from passing trucks.

Dave Houston

Tchau.

Robert L Bass

That's news to me. Shortly after I received the Egghead email assuring me that thieves broke in to their data but merely "looked around and didn't take anything," my credit card company sent me a notice that my card was being changed. There was also a $10 charge from a Russian Telecom company that I ended up eating because getting a notary and filling out all the forms required was worth more than $10 of my time.

I never dealt with Egghead or Citibank after that. Here's my take on notification, bolstered by the details of TJMaxx's breach only appearing in an SEC filing. Companies do it only when they are terrified that by NOT notifying customers, a court would find that they possessed the last clear chance of helping a customer prevent a fraud. In other words, they send out notification not to help the customer as much as help themselves gain immunity from serious "punies" as the lawyers like to call "punitive damage awards."

TJMaxx was in the same position, and had to spill more details to avoid running afoul of SEC filing regulations as well.

While I realize this is all old stuff:

http://attriti Something's not right there. As the author of that document further notes: "Sentence one says the breach 'may have' compromised account data. Sentence two assumes that the data was compromised. We very much wished to clear that bit up."

That may be true, but I only used that credit card online for Egghead purchases. I use cash almost exclusively so I didn't have very many charges on the card except for Egghead, and they were all with local merchants.

There's another site, CNN, that reports data that directly coincides with mine:

Robert Green
