Geeks in Paradise | Brian Chee » I object to RFID payment schemes without positive acknowledgment!

February 01, 2008 | Comments: (0)

I object to RFID payment schemes without positive acknowledgment!

 


<Start soap box>
I just got my replacement American Express Blue for Business credit card and to my dismay I found that Amex has given up on smart card tech and has instead led us down the primrose path with their "ExpressPay" RFID-based technology. With MasterCard touting their "Tap and GO" payment system (also RFID) and now Amex, did these folks read about the problems that the US Gov is having with RFIDs in passports? (Technologists object to U.S. RFID passports - Jul. 13, 2006)

Here's my bitch...there is a VERY good reason why high security facilities demand that you have positive acknowledgment of a card swipe for entry. It's just too easy for someone to lose a card or have it stolen. Now with an RFID someone with just a bit of kit can walk through a crowd (occasionally brushing up against folks) and harvest RFID information. Heck, even if the information is encrypted, it can still be gathered for bulk decryption later. (See how well the DVD encryption worked!) So for proximity entry cards, you not only swipe/wave your card, but you must also punch in a challenge code (PIN). This way a stolen card can't be used to get access to our nation's secrets. Heck, many new keypads even use OLEDs under the keys to change the positions of the numbers so that someone can't just dust the keypad.

So I've written a real letter to the American Express folks asking them to get their head examined; but in the meantime I've taken a hammer to my new card (sniff) to destroy the RFID chip. Just as a bit of history, in the very early days of eCommerce, American Express lured me into becoming a Blue member by being one of the first to put into place verbiage in their user agreement saying that they will protect me from Internet fraud if I signed up. hint hint hint... Hey Amex! Do the same thing for the RFID and maybe I'll just quietly request a new card and stop destroying your investment. Better yet, make the person scan a finger or type in a PIN code.

Oh yeah, I'm far from the first to raise my hackles on this subject...check out this for a rant on using the RFID to track what products you might be looking at in a store...very big brother if you ask me...

Lastly, to my congressional representatives...please make sure that if you choose RFID for a national ID, make sure that it requires my explicit acknowledgment to the intrusion. Or better yet, if you want a way to ensure that the ID isn't fake, why don't you talk to Gavin Jancke at Microsoft Research? His 2D color bar code can't be read unless you take it out of your wallet, and can contain enough information that you can embed an RSA signature in it. Don't you think this might be a more acceptable plan to folks that would like to maintain a bit of privacy?

<end soap boxing>


Posted by Brian Chee on February 1, 2008 01:05 PM


  • COMMENTS




Although we can't dissuade AmEx from sending us RFID enabled cards, we can control when RFID is active or not. By turning off RFID when we don't want it used, you avoid many of the security issues with RFID. Try using Smart Tools' RFID Shield to turn on and off RFID communications at your command. There's info at:
http://smarttools.home.att.net/rfshield.htm

**************************************************
Comment from Brian Chee
Yeah, this is an attempt at free advertising...I challenge you to find a switch to "turn off" the RFID on the physical card. The only way to turn off the RFID on the physical card is to: (1) hit the chip with a hammer...(2) find a metal lined wallet so that the RF energy can't power the chip and have it respond with its information.

Nope...this was definitely a thinly disguised ad...

/brian chee

Posted by: Byron at February 3, 2008 09:35 AM

Dude, you're protected against fraud if your identity is lost or stolen anyway! Even if someone managed to decrypt your RFID code (which I am not sure is possible, your DVD example notwithstanding) as soon as a false charge came through you would be protected as long as you called and told Amex.

*********************************************
Comment from Brian Chee
Ah...but it's the "card present" clause that worries me. If someone scans the RFID and uses the "Express Pay" then it could be interpreted as the "card is present" which you've now got a different level of hassle to prove that it wasn't you when the card is still in your possession. You also have to know you've been scanned; you may not know until your statement arrives, perhaps as much as 30 days later. So while "you're protected", the onus of proof changes due to that little clause.

/brian chee

*************************************************************
Followup from Brian Chee
Ok, I now have a written response from American Express that yes, they do consider remote harvesting of the RFID/Contactless Smart card information to be under the "card theft" clause and yes you are protected. I have strongly asked them to consider clarifying it in the card agreement and they're considering it.

Second, the number that is sent by the chip is different from the card number (as said before by another commenter) but what isn't spelled out is that Amex can disable their system from allowing that number to be used separately from the physical card. So they disabled all my "Express pay" chip numbers for all my cards and everyone is now happy.

So even if someone harvests the number...they can't be used...so nice compromise.

All in all, kudos to American Express Customer Service for handling a pissed off journalist/techie well....but shame on the marketing folks for not being proactive about this in the first place. This should have been an "opt in" program.

/brian chee

Posted by: dave at February 4, 2008 03:58 AM

You do know there is a difference between RFID and Contactless Smart cards, right? You also understand that the contactless cards use a dynamic card ID, meaning the 3 digit code on the back of the card changes each time it's used. So if somebody managed to skim, they wouldn't be able to get the card to generate a usable CID, so no soup for you.

**********************************************
Comment from Brian Chee
I do know the diff...and Amex keeps saying RFID...so I'm trying to find out which one they're really using. So my question to you is: Do you know how to tell them apart by looking through the clear plastic on the Amex Blue card? I can't and there isn't any number on chip.

That and there seems to be a pretty darn LONG antenna embedded in the card.

Here's what Amex sez about their Express Pay System:
https://www124.americanexpress.com/cards/loyalty.do?page=expresspay

They do NOT expressly say which technology they're using. You actually have to dig into third party sites to find out, and while you're NOT liable for charges made if the card is lost or stolen...they haven't updated their agreement to include "grazing" of the RFID/Contactless information.

So it would seem the only clue on the American Express site as to which technology they're using is the little symbol of a wave in an oval with a hand holding a card. The assumption I'm making is that this is a contactless smart card rather than a traditional RFID? Geez, it would have been nice if someone had actually added some assurances into the FAQ on the site.

I saw a demo at CES a couple years back and it sounded good, but when I tried to get the guy to tell me more about "grazing" issues, he stumbled and said he'd get back to me...never did...

So, I'm still not convinced that my pounding the crap out of the chip was or wasn't a good move on my part. I'm still mad that Amex has done a really crappy rollout of what could be a good tech. I like to remind IT folks that while a particular tech might be superior to brand X...the back office folks make a pretty big difference over the long run. Just look at the conflict of VHS versus BETAMAX in the VCR wars.

/brian chee

Posted by: fred garvin at February 6, 2008 06:29 AM

The chip in the Amex is an ISO 14443 contactless chip. Interestingly enough, Amex actually responds on the contactless interface with a different account number than the one printed on the front of your card. Both account numbers link back to your statement. Visa so far that I have seen does not do this. It still remains to be seen what happens if I read your contactless interface account number and use it on a no 4 digit ID required web site. I think you could still purchase.

As far as the unique changing ID number that can't be replayed, it can be subverted by using a relay (not replay) attack. Google "practical relay attack on ISO 14443" for a white paper on the details.

That all being said, my company Identity Stronghold specifically makes metal shielded Tyvek credit card sleeves to block the 13.56 MHz signal. We have done this for the new US Passport and the new Federal employee ID card which both use the same ISO 14443 interface as the contactless credit card. It is interesting that the federal employee ID card (PIV card) requires issuing a shielding sleeve or our badge holder with the cards.

Also the new Passport Card and Washington State Enhanced drivers license ship with our sleeve.

You can see them at www.idstronghold.com

******************************************************
Comment from Brian Chee
My sincerest gratitude for a well thought out and informative comment. Since many enterprise grade physical security folks are examining new identity solutions, I'd love to have an offline conversation on this technology.

/brian chee

Posted by: Walt at February 11, 2008 08:42 AM
