
Paget, a well-known security researcher for the consultancy Recursion Ventures who was known as Christopher Paget until a gender change last May, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. The scheme, Paget points out, doesn't involve any hidden bug in the system, but rather the more fundamental problem that any commercially available RFID reader can read the data from a contactless card as easily as a store's point-of-sale device does. "The reader just spits out the number as if I'm the point-of-sales terminal, which is totally stupid. Whatever encryption or other security there might be, it doesn't matter," she says. "This is an embarrassingly simple hack, but it works."

In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card's information. (That's the striped panel pictured above.) In one practical version of the scam, Paget says, a fraudster could simply bump up against his victim with that reader in a coat pocket and invisibly scan the RFID signal through material like a leather wallet or cloth pants.

If anyone still doubted that the trick had worked, Paget accidentally flashed the volunteer's credit card number on a screen in front of an audience of hundreds of hackers and security researchers. "You were planning on cancelling that card, weren't you?" she added somewhat sheepishly.

Contactless cards are far more common than they might seem: according to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay. According to a show of hands among Shmoocon's audience, dozens of the several hundred conference attendees in the room had contactless cards, and about a quarter of those weren't aware of it until Paget asked them to pull out their cards and check for contactless symbols.

The attack Paget demonstrated is far from new.
