Wednesday, December 22, 2010

Smart Cards: The ABC of Hacking and 5 Tested Ways to Protect Your Cards: Part 3

RF-blocking leather passport and credit card wallets. Although tinfoil or aluminum foil can block radio frequency signals, and is probably the least expensive way to shield your ePassport, contactless credit cards, or any other smart card, a leather-coated tinfoil wallet may be a better and more fashionable alternative. Image courtesy of IDStronghold.


Last Updated: December 23, 2010 10:20 AM

Credit card fraud is a multi-billion-dollar business. In the US alone, the Boston-based research firm Aite Group LLC recently issued a report estimating that it costs about $8.6 billion annually. This card fraud takes different forms, such as card-not-present fraud, counterfeit cards, lost/stolen card fraud and first-party fraud.

Trustwave also released a study through its SpiderLabs unit, which shows that over 38% of credit card hacking-related crimes last year involved hotels, more than any other industry. Other sectors cited in the study as involved in credit card fraud include the restaurants and bars industry, 13%; the retail industry, 14.2%; and the financial services industry, 19%.

For this last installment of the series on contactless smart cards, I would like to focus more on how smart cards can be counterfeited or hacked, and on practical yet effective ways to protect them. It is not a question of whether credit cards in general can be hacked, but how and when. There are numerous ways, but I will mention just six for this post:

Corporate and financial database hack.
Compromising a corporation's secured systems and stealing its database of sensitive customer information is a harder task than other forms of hacking, but once successful it is devastating: it can cost the company its entire business and its customers' confidence, and can even damage the credit card industry as a whole.

Just 3 years ago, at least 45.7 million credit and debit card users were put at risk following a security breach of the TJ Maxx database. Another example of a database hack came 2 years ago: the Best Western hotel chain suffered one of the world's largest credit card hacks, which compromised at least 8 million customers. Just last year, the 7-Eleven chain of stores, Heartland and others suffered customer data theft from hackers who broke through the database's firewall and stole information on at least 130 million credit cards. The company has already paid 12 million to card issuers.

Just a few days ago, 100,000 credit cards were compromised due to a database breach.

Stolen or Lost Cards.
Every credit card transaction, online or offline, is assumed valid until it is proven otherwise. Although you may have zero liability for fraudulent purchases against your card, you are still liable for transactions if you do not report an incident promptly. If you do not report a stolen or lost card immediately to your card issuer, you are putting your account at greater risk of fraudulent purchases.

CNP (Card Not Present) Transactions
These are transactions done through online shopping, mail order, and phone orders. Merchants are not fully aware of the identity of the shopper; they simply rely on the card information being provided. Sure, there are countermeasures and safeguards, but since online payment systems vary from merchant to merchant, card fraud has plenty of opportunities and a lot of real estate to offer hackers.

How does a merchant tell whether the credit card an online buyer uses is legitimate or cloned when all the information the buyer has provided is true and accurate? Honestly, a merchant does not concern itself with it. The real card holder may only find out AFTER a fraudulent purchase has been made AND recognized as counterfeit. It is even harder to spot a fraudulent transaction when the counterfeit user analyzes and mimics the card holder's spending patterns and shopping behavior.

It is not hard to make online purchases using counterfeit card information, because the information needed to complete a transaction can be obtained easily from an RF reader, from a Chip and PIN reader (if you happen to live in the UK), or from cards skimmed when card holders pay at bars and restaurants.

Peer-to-Peer network credit card theft.
Some of you may have used peer-to-peer client software such as BitTorrent, LimeWire, etc., at some point. This is probably one of the easiest ways to steal credit card numbers and information stored on computers connected to a P2P network or running file-sharing client software.

You do not have to google "credit card numbers free" to get results. Even if you do, chances are those numbers have either expired, been recycled, or already been blocked. Millions of users use P2P to share audio, video, and image files. But many do not realize that a client can be used to search and browse another peer's default shared folders, directly accessing every file present there, including document files. And you would be surprised how easy it is to search others' files for credit card numbers and passwords.
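The practical defence against this is to audit, yourself, what your file-sharing client exposes before a stranger does. The following is an added example (not from the original post) that walks a shared folder the way a remote peer could browse it and reports any file containing a card-like number, using a digit-run regex plus the Luhn check so that order numbers and phone numbers are mostly ignored; the folder contents in `demo()` are constructed sample data.

```python
import os
import re
import tempfile

# Matches a run of 13-19 digits, allowing spaces or dashes between groups.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check: true for a well-formed card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return card-like numbers found in text, masked so only the last 4 digits show."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def audit_shared_folder(root):
    """Walk a folder as a remote peer could and report files containing card-like numbers."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = find_card_numbers(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Constructed sample: a shared folder with one exposed note and one clean file."""
    root = tempfile.mkdtemp()
    samples = (("notes.txt", "visa 4111 1111 1111 1111 exp 12/12\norder id 1234567890123\n"),
               ("readme.txt", "nothing sensitive here\n"))
    for name, body in samples:
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return audit_shared_folder(root)
```

Point it at the folder your client actually shares; anything it reports should be moved out of that folder or the folder removed from sharing.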

Script Kiddies and Injection Attacks
This only applies when searching for URL vulnerabilities on websites, which may yield a good chance of obtaining credit card information, including that of contactless cards. If you are familiar with programming in Perl, Python, C/C++, SQL, or Java, etc., you can easily create your own "vulnerability scanner" application or hacking script. Better yet, you can search for Perl-based scripts on the internet, as most script kiddies would do. Legacy systems are still being used by some online merchants and are therefore easier to find vulnerabilities in. Remember that 7-Eleven credit card heist I just mentioned? The hackers used SQL injection to compromise the database.
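To make the SQL injection point concrete, here is an added example (not code from the original post or from any of the breached merchants) showing the defect side by side with its fix: a customer lookup that splices the login into the query text, and the same lookup using a bound parameter, run against a constructed in-memory SQLite table holding test card numbers.

```python
import sqlite3

# Constructed sample rows (industry test card numbers, not real accounts).
SAMPLE_ROWS = [("alice", "4111111111111111"), ("bob", "5500000000000004")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (login TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn, login):
    # Defect: the login is spliced into the SQL text, so the input can rewrite the WHERE clause.
    sql = "SELECT card FROM customers WHERE login = '%s'" % login
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, login):
    # Fix: the driver binds the value as data; it is never parsed as SQL.
    sql = "SELECT card FROM customers WHERE login = ?"
    return [row[0] for row in conn.execute(sql, (login,))]

def demo():
    """Run both lookups with a normal login and with a constructed tautology string."""
    conn = make_db()
    crafted = "x' OR '1'='1"   # the classic textbook input, used here only to show the contrast
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_crafted": lookup_vulnerable(conn, crafted),   # dumps every card in the table
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_crafted": lookup_safe(conn, crafted),         # no such login, returns nothing
    }
```

The same contrast holds for any driver that supports placeholders; a code review that flags every query built with `%`, `+` or f-strings is the cheapest way to find the vulnerable form.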

Electronic Pickpocketing
This is an RF reader from the Motorola XR400 series, used by Chris Paget in his RF hacking demo in New York.
Thieves do not need to snatch your bag or wallet to use your credit card. Online scammers do not need to phish you via counterfeit websites to lure you into "updating" your credit information and other personal data. Hackers do not need to infiltrate a bank's secured web servers and compromise millions of credit card records to use them fraudulently. Anybody with the right scanning device can steal contactless credit card data as easily as 1-2-3.

This is electronic pickpocketing. With the help of a cheap card reader concealed either on your body or in a small netbook bag, software and a wireless device that receive the captured data, AND a few minutes' walk through a crowded downtown area (although you can do it with your own contactless credit card for experimental purposes), you can be an electronic snatcher in no time.

When the first generation of RF-based credit cards was introduced in 2006, the first hack was sponsored by RSA Labs at the University of Massachusetts. The hack was documented and outlined in this paper.

One of the best-known cases involving RF-enabled contactless cards was the hack of the Oyster card's MIFARE Classic chip. The Oyster card is an RF technology and is compatible with the ISO 14443A and ISO 14443B architectures at the 13.56 MHz frequency. The hack prompted the Greater London transport authority to halt the system in January 2010 after it was hacked in December 2008. Later, it was upgraded to MIFARE DESFire in February of this year. There is an excellent paper on how MIFARE Classic was hacked.

But you may ask, "So what is the use of 3DES, AES, RSA, SSL, and other encryption methodologies in the first place if a mere $8 RF credit card reader can easily scan and lay bare my credit information?"

Because these methodologies only protect your credit card information to a certain degree, when you make online and offline transactions, and they protect credit card information stored in a secured database. They encrypt and decrypt data AND communications going from your credit card to the merchant's electronic payment system and vice versa. They CAN protect data going from your web browser to the merchant's web server and make sure the transaction is secured using an SSL certificate or similar security features.

But they DO NOT protect your credit card from RF-enabled scanning devices. In fact, almost ALL commercially available RF-enabled scanners on the market can be used to hack any contactless credit card. That is how open and unprotected RF-enabled smart cards are!

So, if I were a quickie hacker, why should I spend my time and effort trying to force my way into a secured database or electronic payment system (although I must admit that the result may be overwhelmingly rewarding) if I can do it in a crowded area of a city using a cheap RF-enabled credit card scanner with a higher success rate?

Chris Paget, a director of R&D, will certainly agree with my assessment. He demonstrated how easy it is to steal information from RF-enabled smart cards in his talk at the 2009 ShmooCon convention:

Technology is neither good nor bad. It can be used to benefit the majority or to cause harm. It always boils down to how responsible we are. I wish to continue further, but this article is already beyond the usual length. So I hope my readers will forgive me if I deal with the second part of this article, "5 Tested Ways to Protect Your Cards", in my upcoming articles.

A word from the author: All information written here is for educational purposes only. No warranty is implied, and it is provided on an AS IS basis. The author is a technology professional. He does not encourage anyone to perform hacks and breaches or to gain illegal access to any system, device, or computer. The author shall not be responsible for any damage, incident, or any punitive act resulting or arising from direct or indirect use or abuse of the information herein.
