Wireless Identity Theft
Wireless identity theft, also known as contactless identity theft or RFID identity theft, is a form of identity theft described as "the act of compromising an individual's personal identifying information using wireless (radio frequency) mechanics." Numerous articles have been written about wireless identity theft, and broadcast television has produced several investigations of this phenomenon. According to Marc Rotenberg of the Electronic Privacy Information Center, wireless identity theft is "a pretty serious issue" and "the contactless (wireless) card design is inherently flawed".

Efforts are currently under way to educate consumers about the vagaries of Radio Frequency Identification (RFID) that can pose a threat, and to initiate legislation limiting the use of RFID technology by companies and governmental agencies.

Overview

Wireless identity theft is a relatively new technique of gathering an individual's personal information from RF-enabled cards carried on a person, such as access control, credit, debit, or government-issued identification cards. Each of these cards carries a radio-frequency identification chip which responds to certain radio frequencies. When these "tags" come into contact with radio waves, they respond with a slightly altered signal. The response can contain encoded personal identifying information, including the card holder's name, address, Social Security Number, phone number, and pertinent account or employee information.

Upon capturing (or 'harvesting') this data, the thief is then able to program their own cards to respond in an identical fashion (via 'cloning'). Many sites are dedicated to nothing but teaching people how to perform this act, as well as supplying the necessary equipment and software.

The financial industrial complex is currently migrating away from magnetic stripes on debit and credit cards, which require a swipe through a magnetic card reader. These transactions take approximately 48 seconds, whereas the newer radio frequency tagged card transactions require approximately 12 seconds. More transactions can therefore be processed per minute, arguably making for shorter lines at the cashier.

Controversies

Academic researchers and 'White-Hat' hackers have analysed and documented the covert theft of RFID credit card information and been met with both denials and criticisms from RFID card-issuing agencies. Nevertheless, after public disclosure of information that could be stolen by low-cost jury-rigged detectors which were used to scan cards in mailing envelopes (and in other studies also even via drive-by data attacks), the design of security features on various cards was upgraded to remove card owners' names and other data. Additionally, a number of completely unencrypted card designs were converted to encrypted data systems.

RSA Report

The issues raised in a 2006 report were of importance due to the tens of millions of cards that have already been issued. Credit and debit card data could be stolen via special low cost radio scanners without the cards being physically touched or removed from their owners' pockets, purses or carry bags. Among the findings of the 2006 research study, "Vulnerabilities in First-Generation RFID-Enabled Credit Cards", and in reports by other white-hat hackers:
  • some scanned credit cards revealed their owners' names, card numbers and expiration dates;
  • that the short maximum scanning distance of the cards and tags (normally measured in inches or centimetres) could be extended to several feet via illicit technological modifications;
  • that even without range-extension technologies, Black Hatters walking through crowded venues or delivering fliers could easily capture card data from other individuals and from mail envelopes;
  • that security experts who reviewed the study findings were startled by the breaches of privacy of the study (conducted in 2006);
  • that other e-systems, such as Exxon Mobil's Speedpass keychain payment device, used weak encryption methods which could be compromised by a half hour or so of computing time;
  • that some cards' scanned stolen data quickly yielded actual credit card numbers and didn't use data tokens;
  • that data illicitly obtained from some cards was successfully used to trick a regular commercial card-reader (used by the study group) into accepting purchase transactions from an online store that didn't require the entry of the cards' validation codes;
  • that while higher level security systems have been and continue to be developed, and are available for RFID credit cards, it is only the actual banks which decide how much security they want to deploy for their cardholders;
  • that every one of the 20 cards tested in the study was defeated by at least one of the attacks the researchers deployed;
  • another related security threat concerned a different product: new government issued ePassports (passports that now incorporate RFID tags similar to credit and debit cards). The RFID tags in ePassports are also subject to data theft and cloning attacks. The United States government has been issuing ePassports since 2006.


In a related issue, privacy groups and individuals have also raised Big Brother concerns, where there is a threat to individuals from their aggregated information and even tracking of their movements by card issuing agencies, other third party entities, and even governments. Industry observers have stated that: '....RFID certainly has the potential to be the most invasive consumer technology ever'.

Credit card issuing agencies have issued denial statements regarding wireless identity theft or fraud and provided marketing information that either directly criticized or implied that:
  • beyond the card data itself, other data protection and anti-fraud measures in their payment systems are in place to protect consumers;
  • the academic study conducted in 2006 used a sample of only 20 RFID cards, and was not accurately representative of the general RFID marketplace which generally used higher security than the tested cards;
  • unencrypted plain text information on the cards was "...basically useless" (by itself), since the financial transactions they were tied to used verification systems with powerful encryption technologies;
  • even if consumers were victims of RFID credit card fraud or identity theft, they would not be financially liable for such credit card fraud (a marketing strategy that ignores the other serious consequences to card holders after they've been associated with fraudulent transactions or have their identity stolen);


After the release of the study results, all of the credit card companies contacted during the New York Times investigative report said that they were removing card holder names from the data being transmitted with their new second generation RFID cards.

As of December 2008, it is estimated there are at least 270 million RF tagged contactless debit and credit cards in circulation in North America.

Compromised U.S. identification documents

Certain official identification documents issued by the U.S. government (U.S. Passports and Passport Cards), and also enhanced driver's licenses issued by the States of New York and Washington, contain RFID chips for the purpose of assisting those crossing the U.S. border. Various security issues have been identified with their use, including the ability of black hats to harvest their identifier numbers at a distance and apply them to blank counterfeit documents and cards, thus assuming those people's identifiers.

Various issues and potential issues with their use have been identified, including privacy concerns. Although the RFID identifier number associated with each document is not supposed to include personal identification information, "....numbers evolve over time, and uses evolve over time, and eventually these things can reveal more information than we initially expect" stated Tadayoshi Kohno, an assistant professor of computer science at University of Washington who participated in a study of such government issued documents.

MythBusters

Adam Savage of the science TV show MythBusters stated during the July 2008 HOPE conference in New York City that when they were going to demonstrate how RFID worked and its vulnerabilities in financial exchange cards, their lawyers were challenged by other lawyers representing RFID vendors and several banking institutions. It was made verbally clear to the MythBusters team that advertising for their show would be pulled by the finance industry if any demonstration of contactless card vulnerabilities was conducted.

Further reading

  • Gannsle, Daniel J. (2008) "How to Protect Yourself from High-Tech RFID Identity Theft", How To Do Just About Everything website, December 2008, retrieved online 2009-03-14;
  • Herrigel, Alexander; Zhao, Jian (2006) RFID Identity Theft and Countermeasures, Optical Security and Counterfeit Deterrence Techniques VI. Edited by van Renesse, Rudolf L. Proceedings of the SPIE, Volume 6075, pp. 366–379, DOI:10.1117/12.643310, online publication date: 2006-02-09;
  • Markoff, John (2006) Study Says Chips in ID Tags Are Vulnerable to Viruses, New York Times, March 15, 2006; retrieved 2009-03-14 (on how deliberately corrupted RFID tags could introduce viruses into computer systems)
  • Seltzer, Larry (2009) Exposing the Myth of Passport Card Security, eWeek Online, 2009-02-20, retrieved 2009-03-14;

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.