RFID Cause for concern?

Forums › Off topic › RFID Cause for concern?

gnfb

2609 posts

Uber Geek

ID Verified

#179103 26-Aug-2015 12:38

Another thing I noticed in the UK whilst out and about was more people using this "hold your phone up " to pay your bill at the checkout.

In keeping with that was a concern by some of phones being "read"

This apparently is overcome by products like "Scannerguard" and little aluminum wallets etc.

I have various cards now that have a RFID "chip" in them and of course both my UK and Oz passports apparently have this technology in.

So

Is this just a beat up or is it something we should be concerned about?

Is an English Man living in New Zealand. Not a writer, an Observer he says. Graham is a seasoned 'traveler" with his sometimes arrogant, but honest opinion on life. He loves the Internet!.

I have two shops online allshop.nz patchpinflag.nz
Email Me

wasabi2k

2096 posts

Uber Geek

#1374564 26-Aug-2015 12:52

Each implementation is different, but newer RFID cards tend to use half decent crypto to make them harder to impersonate.

That being said, no system is perfect - you can be as paranoid as you feel comfortable being. if you are going to a Blackhat convention - wrap everything in lead-lined tin foil, in a concrete bunker, 1km underground. Day to day - I don't really worry too much.

The phone thing is similar tech but adds the whole software/mobile OS layer that can also be done badly and/or compromised, but also allows the NFC chip part to be turned off when not in use making it more challenging.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1374602 26-Aug-2015 13:44

Visited that website and there are so many errors there I wonder if that thing really works...

Geektastic

17942 posts

Uber Geek

Trusted

Lifetime subscriber

#1374671 26-Aug-2015 14:55

Scottevest make a number of tech-enabled clothing items that include RFID blocking pockets.

roobarb

653 posts

Ultimate Geek

Trusted

#1374689 26-Aug-2015 15:04

gnfb:I have various cards now that have a RFID "chip" in them and of course both my UK and Oz passports apparently have this technology in.

Yes, anybody can read a passport, you open up it's pages and the data is printed on the pages.

That is rather the point, that you can show your passport to somebody and they can read it and use it to verify you.

The electronic version has a public read key so a border-guard can read the public key using an OCR, then use NFC to read the rest of the data.

The write keys are an entirely different matter and very closely guarded by the various agencies.

gnfb

2609 posts

Uber Geek

ID Verified

#1374743 26-Aug-2015 16:47

roobarb:
gnfb:I have various cards now that have a RFID "chip" in them and of course both my UK and Oz passports apparently have this technology in.

Yes, anybody can read a passport, you open up it's pages and the data is printed on the pages.

That is rather the point, that you can show your passport to somebody and they can read it and use it to verify you.

The electronic version has a public read key so a border-guard can read the public key using an OCR, then use NFC to read the rest of the data.

The write keys are an entirely different matter and very closely guarded by the various agencies.

Thanks for pointing that out I didn't realize you could open the passport and read it!

And that is what the border-guard does when he opens the passport looks at it then looks at me ..ok

helpful thank you

Its good to know that the write keys are closely guarded as well no chance of them getting in the public domain...

Is an English Man living in New Zealand. Not a writer, an Observer he says. Graham is a seasoned 'traveler" with his sometimes arrogant, but honest opinion on life. He loves the Internet!.

I have two shops online allshop.nz patchpinflag.nz
Email Me

gnfb

2609 posts

Uber Geek

ID Verified

#1374744 26-Aug-2015 16:49

freitasm: Visited that website and there are so many errors there I wonder if that thing really works...

Reminded me of a magician "nothing up my sleeve!"

Is an English Man living in New Zealand. Not a writer, an Observer he says. Graham is a seasoned 'traveler" with his sometimes arrogant, but honest opinion on life. He loves the Internet!.

I have two shops online allshop.nz patchpinflag.nz
Email Me

LennonNZ

2459 posts

Uber Geek

ID Verified

Trusted

#1374751 26-Aug-2015 16:57

gnfb: Another thing I noticed in the UK whilst out and about was more people using this "hold your phone up " to pay your bill at the checkout.

In keeping with that was a concern by some of phones being "read"

This apparently is overcome by products like "Scannerguard" and little aluminum wallets etc.

I have various cards now that have a RFID "chip" in them and of course both my UK and Oz passports apparently have this technology in.

So

Is this just a beat up or is it something we should be concerned about?

Reading the RFID on passports is easy but you need to know the Passport Machine readable Key in the 1st place (The numbers down the bottom of the main page there)
The Information (including the picture) is then readable but this is 100% the same information as printed on the physical passport.

If someone has this number then they would have had your passport in the first place so no need to read it via RFID.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

roobarb

653 posts

Ultimate Geek

Trusted

#1374873 26-Aug-2015 20:30

gnfb: Its good to know that the write keys are closely guarded as well no chance of them getting in the public domain...

About the same chance as somebody getting the master Visa and MasterCard keys.

SIMs, EMV cards and Passports all use very similar JavaCard technology and one would expect them to use derived keys.

If master keys were compromised then one would expect to see existing cards cancelled and compulsory renewal.

A recent public example was the Gemalto hacking incident.

tardtasticx

3075 posts

Uber Geek

#1374895 26-Aug-2015 21:50

In terms of credit cards being skimmed from the card or phone, I don't even give it a second thought. If it happens, the bank issues you a new card and deals with the rest. I imagine the process would be the same if it was done from a phone.

But for something like a passport I don't think there's much risk because you probably won't be carrying it around with you on the streets everyday, and if it was compromised it'd probably be quite hard to make useful.

If there was anything to be worried about, I think it would be paying with the Chip + PIN method and having to hand your card over to the merchant. A stranger has your card in their hand and it'll be out of your sight for a few moments but that's all it takes. With the contactless you hold the card/phone yourself, can cover it with your hand and you don't have to compromise your PIN. Apple Pay (and some other mobile payment methods?) will use unique card numbers for every transaction, so if the phone was read the card details they get from it will be completely useless anyway.

edit: spelling

Yabanize

2350 posts

Uber Geek

#1374937 26-Aug-2015 23:02

tardtasticx: In terms of credit cards being skimmed from the card or phone, I don't even give it a second thought. If it happens, the bank issues you a new card and deals with the rest. I imagine the process would be the same if it was done from a phone.

But for something like a passport I don't think there's much risk because you probably won't be carrying it around with you on the streets everyday, and if it was compromised it'd probably be quite hard to make useful.

If there was anything to be worried about, I think it would be paying with the Chip + PIN method and having to hand your card over to the merchant. A stranger has your card in their hand and it'll be out of your sight for a few moments but that's all it takes. With the contactless you hold the card/phone yourself, can cover it with your hand and you don't have to compromise your PIN. Apple Pay (and some other mobile payment methods?) will use unique card numbers for every transaction, so if the phone was read the card details they get from it will be completely useless anyway.

edit: spelling

I believe PayWave also has something similar, Each time it is used the data changes (the chip)