Author Topic: Hackers can use RFID readers to steal payment card numbers  (Read 8991 times)

Renegade

Hackers can use RFID readers to steal payment card numbers
« on: February 13, 2015, 07:55 AM »
Check this:

http://www.alexa.com...iteinfo/techworm.net

Techworm.net ranks around 25k. That's a big site.

Now, check this:

http://www.techworm....-numbers-public.html

BY DWULF ON FEBRUARY 12, 2015 HACKING NEWS, SECURITY NEWS, VULNERABILITY

New credit cards with embedded RFID chips can pose a problem with security and identity theft

A team of cyber security researchers have revealed that hackers can use mobile technology to steal credit and debit numbers from you while you’re in public. The cards at risk are enabled with radio technology that allows you to “wave and pay.”

It's as though while you are ‘waving and paying’ a hacker lurking in vicinity is secretly reading your payment card numbers and storing them. While you are unaware of such a risk, you may receive a 440 volts shock to see unknown payments at the end of the payment cycle in your billing statement.

Radio frequencies are all over the place but the frequency most smart cards (i.e. newer debit and credit cards) are in the range of 13.56 MHz (HF) the range can be detected between 10 centimeters – 1 meter (around 2 feet max).

Just. WOW!

I'm pretty stunned.

First, 1 metre is closer to 3 feet than 2 feet, but... also, this:



That was 2010. Ranges DEMONSTRATED were ORDERS OF MAGNITUDE LARGER.

See here:

http://www.tombom.co.uk/extreme_rfid.pdf

If you want to see some seriously scary stuff, do this:

1) Visit this URL: http://www.tombom.co.uk
2) View the source.
3) Crap your pants.

Lesson Learned: BE VERY AFRAID!!! :P


Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Stoic Joker

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #1 on: February 13, 2015, 11:26 AM »
1) Visit this URL: http://www.tombom.co.uk
2) View the source.
3) Crap your pants.

I can't get to step 3 because step 2 just says boo!

Site down/link bad perhaps?

Renegade

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #2 on: February 13, 2015, 05:33 PM »
Odd. The source was blank for me in two browsers.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Deozaan

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #3 on: February 13, 2015, 06:35 PM »
This is news? Like, new news? I thought RFID chips broadcasting their data being a security risk was a known issue for years. Maybe longer than a decade.

If you take a hammer and smash your credit card in just the right spot, it will destroy the RFID chip. Or you could also nuke it in the microwave for a few seconds to destroy it.

1) Visit this URL: http://www.tombom.co.uk
2) View the source.
3) Crap your pants.

I can't get to step 3 because step 2 just says boo!

Site down/link bad perhaps?


For me:
Step 1 says "Boo!"
Step 2 is blank/empty source.
Step 3 in progress.
« Last Edit: February 17, 2015, 12:30 PM by Deozaan, Reason: clarified that by "nuke" I meant microwave »

Stoic Joker

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #4 on: February 14, 2015, 07:57 AM »
^I wonder if that means we passed the test? Although it seems unlikely given the intro.

@Ren - What browser "works" for the pants crapping exorcise?

Renegade

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #5 on: February 14, 2015, 05:17 PM »
@Ren - What browser "works" for the pants crapping exorcise?

In Opera and Chrome there is no source.

I checked in IE, and it's there.

It's freaky though. How does he manage to do that?

My guess is he's doing some bizarre stuff with headers, but I have no idea what.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Stoic Joker

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #6 on: February 14, 2015, 10:08 PM »
That's weird, I'm using IE11 and it's still blank for me ... Maybe you broke yours.. :D

Renegade

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #7 on: February 15, 2015, 01:31 AM »
Huh? I have IE 11 and I can see the source.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

4wd

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #8 on: February 15, 2015, 03:35 AM »
IE11 (Developer Tools):

[Attached screenshot: 2015-02-15 20_32_47.png]

It ain't very exciting, certainly nothing to soil your pants over.

Pale Moon (Web Developer->Inspector):
[Attached screenshot: 2015-02-15 20_36_24.png]

Comodo Dragon (Tools->Developer Tools):
[Attached screenshot: 2015-02-15 20_39_12.png]

BTW, what does a minimal HTML page have to do with RFID?

And, like Deo said, this has been a known "feature" of RFID for the last decade.

From the RFID Journal in 2004 <- Google's reporting the date as Aug 1, 2004:
UHF tags-the kind used on pallets and cases of goods in the supply chain-have a read range of 20 to 30 feet under ideal conditions. If the tags are attached to products with water or metal, the read range can be significantly less. If the size of the UHF antenna is reduced, that will also dramatically reduce the read range. Increasing the power output could increase the range, but most governments restrict the output of readers so that they don't interfere with other RF devices, such as cordless phones.

The HF tags you've mentioned in your OP should have a greater range due to longer wavelength.
« Last Edit: February 15, 2015, 03:56 AM by 4wd »

Renegade

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #9 on: February 15, 2015, 04:22 AM »
It ain't very exciting, certainly nothing to soil your pants over.

No no no! You're missing it.

Do this:

Create a blank text file, type "anything" in it, save it as anything.html, then open it and check the DOM again. You'll see that the DOM is there, even though you only typed "anything". Now, do a view source and you'll see "anything", but no head or body or html tags.

What's funky here is that view source shows nothing, but the document says, "Boo!" Which, is kind of spooky as the site hosts security material, and that's the home page.



For the OP, I was trying to point out just how backwards and out of touch the article was. It just took me by surprise seeing it, and then again, I thought about how very few people are aware of this -- present company excluded, of course.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

4wd

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #10 on: February 15, 2015, 04:55 AM »
Create a blank text file, type "anything" in it, save it as anything.html, then open it and check the DOM again. You'll see that the DOM is there, even though you only typed "anything". Now, do a view source and you'll see "anything", but no head or body or html tags.

Isn't that just the browsers reinterpreting the source due to the extension?

For example, if you then change the extension to .txt you'll find that the DOM wraps it in <PRE> ... </PRE> tags as well as HTML/BODY.

Renegade

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #11 on: February 15, 2015, 05:51 AM »
Create a blank text file, type "anything" in it, save it as anything.html, then open it and check the DOM again. You'll see that the DOM is there, even though you only typed "anything". Now, do a view source and you'll see "anything", but no head or body or html tags.

Isn't that just the browsers reinterpreting the source due to the extension?

For example, if you then change the extension to .txt you'll find that the DOM wraps it in <PRE> ... </PRE> tags as well as HTML/BODY.

For the "inspect element" bit, yes. It's just a part of error correction, and relates to the display, but doesn't relate to the actual document in a literal sense.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Stoic Joker

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #12 on: February 15, 2015, 07:51 AM »
Create a blank text file, type "anything" in it, save it as anything.html, then open it and check the DOM again. You'll see that the DOM is there, even though you only typed "anything". Now, do a view source and you'll see "anything", but no head or body or html tags

Behavior was the same as the external 'Boo!' page...the head/body tags were there.


O_o Okay, Digging in a level.. I fired up my copy of the Fiddler Web Debugger (really cool freeware), and let it run while requesting the page so it would record (and display) the entire exchange.

...and it shows nothing really exciting happening; basic request; basic response; no cookies; total replied content=boo!

Given the pitch, I was expecting it to tell me what I had for breakfast yesterday morning ... But no matter how I view the source, it just says boo!


What's funky here is that view source shows nothing, but the document says, "Boo!" Which, is kind of spooky as the site hosts security material, and that's the home page.

Looks more to me like the site's home page is actually at http://www.tombom.co.uk/blog and the (url masking/) root level redirector is broken. Their specialty is after all hardware hacking it appears, and as we all know (sh)IT Happens. :D
« Last Edit: February 15, 2015, 08:14 AM by Stoic Joker, Reason: Added the last bit after more digging »

Renegade

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #13 on: February 17, 2015, 06:32 PM »
...and it shows nothing really exciting happening; basic request; basic response; no cookies; total replied content=boo!

Given the pitch, I was expecting it to tell me what I had for breakfast yesterday morning ... But no matter how I view the source, it just says boo!

With Fiddler, in Chrome I get a 502, but in IE & Opera I get a 304. In all of them I get "No Response Data".

In Wireshark, with Chrome, I get 200, and "Boo!\n".

Then, fiddling in Fiddler, I managed to get a 200 with "Boo!".

I don't know - it's just bizarre that the source won't show up in some cases. I give up. Got better things to do. :(
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
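
Reply #13 reports a proxy showing a 304 with "No Response Data" while a packet capture shows a 200 with "Boo!\n". One standard HTTP mechanism that produces that pair is cache revalidation, shown here as an added example that is not part of any post; that the site behaved this way is an assumption, and `BooHandler`, `ETAG`, `fetch` and `demo` are illustrative names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = b"Boo!\n"      # constructed stand-in for the page body quoted in the thread
ETAG = '"boo-v1"'     # constructed validator; a real server derives it from the content

class BooHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.headers.get("If-None-Match") == ETAG:
            # The client already holds this version: status line and headers, no body.
            self.send_response(304)
            self.send_header("ETag", ETAG)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        self.send_header("ETag", ETAG)
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(port, etag=None):
    """Return (status, body, etag) for one GET, optionally as a conditional request."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"If-None-Match": etag} if etag else {})
    resp = conn.getresponse()
    result = (resp.status, resp.read(), resp.getheader("ETag"))
    conn.close()
    return result

def demo():
    server = HTTPServer(("127.0.0.1", 0), BooHandler)  # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        first = fetch(port)                   # cold cache: full response
        second = fetch(port, etag=first[2])   # warm cache: revalidation only
        return first[:2], second[:2]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

When reading a proxy or capture log, an empty 304 means the rendered bytes came from the client's cache, so the body has to be recovered from an earlier 200 or a forced reload.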

Deozaan

Re: Hackers can use RFID readers to steal payment card numbers
« Reply #14 on: February 17, 2015, 07:35 PM »
IE11 (Developer Tools):
 (see attachment in previous post)
It ain't very exciting, certainly nothing to soil your pants over.

Pale Moon (Web Developer->Inspector): (see attachment in previous post)
Comodo Dragon (Tools->Developer Tools): (see attachment in previous post)

There's a difference between View Source and Developer Tools.

If I view source in Chrome, it's blank. If I open the developer console (ctrl-shift-J) in Chrome, it shows me the standard HTML stuff.