Hackers can use RFID readers to steal payment card numbers

[Renegade]

Check this:

http://www.alexa.com...iteinfo/techworm.net

Techworm.net ranks around 25k. That's a big site.

Now, check this:

http://www.techworm....-numbers-public.html

BY DWULF ON FEBRUARY 12, 2015 HACKING NEWS, SECURITY NEWS, VULNERABILITY

New credit cards with embedded RFID chips can pose a problem with security and identity theft

A team of cyber security researchers have revealed that hackers can mobile technology to use to steal credit and debit numbers from you while you’re in public. The cards at risk are enabled with radio technology that allows you to “wave and pay.”

Its as though while you are ‘waving and paying’ a hacker lurking in vicinity is secretly reading your payment card numbers and storing them. While you are unaware of such a risk, you may receive a 440 volts shock to see unknown payments at the end of the payment cycle in your billing statement.

Radio frequencies are all over the place but the frequency most smart cards (i.e. newer debit and credit cards) are in the range of 13.56 MHz (HF) the range can be detected between 10 centimeters – 1 meter (around 2 feet max).

Just. WOW!

I'm pretty stunned.

First, 1 metre is closer to 3 feet than 2 feet, but... also, this:

That was 2010. Ranges DEMONSTRATED were ORDERS OF MAGNITUDE LARGER.

See here:

http://www.tombom.co.uk/extreme_rfid.pdf

If you want to see some seriously scary stuff, do this:

1) Visit this URL: http://www.tombom.co.uk
2) View the source.
3) Crap your pants.

Lesson Learned: BE VERY AFRAID!!!

[Stoic Joker]

1) Visit this URL: http://www.tombom.co.uk
2) View the source.
3) Crap your pants.

-Renegade (February 13, 2015, 07:55 AM)

I can't get to step 3 because step 2 just says boo!

Site down/link bad perhaps?

[Renegade]

Odd. The source was blank for me in two browsers.

[Deozaan]

This is news? Like, new news? I thought RFID chips broadcasting their data being a security risk was a known issue for years. Maybe longer than a decade.

If you take a hammer and smash your credit card in just the right spot, it will destroy the RFID chip. Or you could also nuke it in the microwave for a few seconds to destroy it.

1) Visit this URL: http://www.tombom.co.uk
2) View the source.
3) Crap your pants.

-Renegade (February 13, 2015, 07:55 AM)

I can't get to step 3 because step 2 just says boo!

Site down/link bad perhaps?

-Stoic Joker (February 13, 2015, 11:26 AM)

For me:
Step 1 says "Boo!"
Step 2 is blank/empty source.
Step 3 in progress.

[Stoic Joker]

^I wonder if that means we passed the test? Although it seems unlikely given the intro.

@Ren - What browser "works" for the pants crapping exorcise?

[Renegade]

@Ren - What browser "works" for the pants crapping exorcise?

-Stoic Joker (February 14, 2015, 07:57 AM)

In Opera and Chrome there is no source.

I checked in IE, and it's there.

It's freaky though. How does he manage to do that?

My guess is he's doing some bizarre stuff with headers, but I have no idea what.

[Stoic Joker]

That's weird, I'm using IE11 and it's still blank for me ... Maybe you broke yours..

[Renegade]

Huh? I have IE 11 and I can see the source.

[4wd]

IE11 (Developer Tools):

Hackers can use RFID readers to steal payment card numbers

It ain't very exciting, certainly nothing to soil your pants over.

Pale Moon (Web Developer->Inspector):
Hackers can use RFID readers to steal payment card numbers

Comodo Dragon (Tools->Developer Tools):
Hackers can use RFID readers to steal payment card numbers

BTW, what does a minimal HTML page have to do with RFID?

And, like Deo said, this has been a known "feature" of RFID for the last decade.

From the RFID Journal in 2004 <- Google's reporting the date as Aug 1, 2004:

UHF tags-the kind used on pallets and cases of goods in the supply chain-have a read range of 20 to 30 feet under ideal conditions. If the tags are attached to products with water or metal, the read range can be significantly less. If the size of the UHF antenna is reduced, that will also dramatically reduce the read range. Increasing the power output could increase the range, but most governments restrict the output of readers so that they don't interfere with other RF devices, such as cordless phones.

The HF tags you've mentioned in your OP should have a greater range due to longer wavelength.

[Renegade]

It ain't very exciting, certainly nothing to soil your pants over.

-4wd (February 15, 2015, 03:35 AM)

No no no! You're missing it.

Do this:

Create a blank text file, type "anything" in it, save it as anything.html, then open it and check the DOM again. You'll see that the DOM is there, even though you only typed "anything". Now, do a view source and you'll see "anything", but no head or body or html tags.

What's funky here is that view source shows nothing, but the document says, "Boo!" Which, is kind of spooky as the site hosts security material, and that's the home page.


For the OP, I was trying to point out just how backwards and out of touch the article was. It just took me by surprise seeing it, and then again, I thought about how very few people are aware of this -- present company excluded, of course.

[4wd]

Create a blank text file, type "anything" in it, save it as anything.html, then open it and check the DOM again. You'll see that the DOM is there, even though you only typed "anything". Now, do a view source and you'll see "anything", but no head or body or html tags.

-Renegade (February 15, 2015, 04:22 AM)

Isn't that just the browsers reinterpreting the source due to the extension?

For example, if you then change the extension to .txt you'll find that the DOM wraps it in <PRE> ... </PRE> tags as well as HTML/BODY.

[Renegade]

Create a blank text file, type "anything" in it, save it as anything.html, then open it and check the DOM again. You'll see that the DOM is there, even though you only typed "anything". Now, do a view source and you'll see "anything", but no head or body or html tags.

-Renegade (February 15, 2015, 04:22 AM)

Isn't that just the browsers reinterpreting the source due to the extension?

For example, if you then change the extension to .txt you'll find that the DOM wraps it in <PRE> ... </PRE> tags as well as HTML/BODY.

-4wd (February 15, 2015, 04:55 AM)

For the "inspect element" bit, yes. It's just a part of error correction, and relates to the display, but doesn't relate to the actual document in a literal sense.

[Stoic Joker]

Create a blank text file, type "anything" in it, save it as anything.html, then open it and check the DOM again. You'll see that the DOM is there, even though you only typed "anything". Now, do a view source and you'll see "anything", but no head or body or html tags

-Renegade (February 15, 2015, 04:22 AM)

Behavior was the same as the external 'Boo!' page...the head/body tags were there.


O_o Okay, Digging in a level.. I fired up my copy of the Fiddler Web Debugger (really cool freeware), and let it run while requesting the page so it would record (and display) the entire exchange.

...and it shows nothing really exciting happening; basic request; basic response; no cookies; total replied content=boo!

Given the pitch, I was expecting it to tell me what I had for breakfast yesterday morning ... But no matter how I view the source, it just says boo!

What's funky here is that view source shows nothing, but the document says, "Boo!" Which, is kind of spooky as the site hosts security material, and that's the home page.

-Renegade (February 15, 2015, 04:22 AM)

Looks more to me like the site's home page is actually at http://www.tombom.co.uk/blog and the (url masking/) root level redirector is broken. They're specialty is after all hardware hacking it appears, and as we all know (sh)IT Happens.

[Renegade]

...and it shows nothing really exciting happening; basic request; basic response; no cookies; total replied content=boo!

Given the pitch, I was expecting it to tell me what I had for breakfast yesterday morning ... But no matter how I view the source, it just says boo!

-Stoic Joker (February 15, 2015, 07:51 AM)

With Fiddler, in Chrome I get a 502, but in IE & Opera I get a 304. In all of them I get "No Response Data".

In Wireshark, with Chrome, I get 200, and "Boo!\n".

Then, fiddling in Fiddler, I managed to get a 200 with "Boo!".

I don't know - it's just bizarre that the source won't show up in some cases. I give up. Got better things to do.

[Deozaan]

IE11 (Developer Tools):
 (see attachment in previous post)
It ain't very exciting, certainly nothing to soil your pants over.

Pale Moon (Web Developer->Inspector): (see attachment in previous post)
Comodo Dragon (Tools->Developer Tools): (see attachment in previous post)

-4wd (February 15, 2015, 03:35 AM)

There's a difference between View Source and Developer Tools.

If I view source in Chrome, it's blank. If I open the developer console (ctrl-shift-J) in Chrome, it shows me the standard HTML stuff.