While the BBC and others are lamenting the latest chip-and-PIN compromise of Shell in the UK, I'm more concerned about the RFID security issues. Let's ignore the technology for a moment (because there are too many man-in-the-middle attacks like the one implemented in the UK).

Chip-and-PIN has a different attack vector than RFID cards. Chip/PIN is being widely adopted throughout Europe and requires that the cardholder enter their PIN at the point of transaction. This switches the liability from the Acquirer to the Merchant (unless the PIN is not available and the magnetic stripe is used). In order to do this, restaurants have implemented wireless POS devices so the waiter can bring the POS device to the cardholder for them to enter their PIN. This sounds great until you start to question what wireless protocol is being used by the POS device, and sounds even worse when you learn that it's unencrypted 802.11.

Both the POS software and hardware vendors are scrambling to address this issue, but until they do it's a major point of compromise. The problem (for the attacker) is that it requires physically travelling to every location where a merchant (i.e. restaurant) exists in order to compromise cards. Even then the most they will get is the equivalent of magnetic stripe data that will have to be used fraudulently in another region of the world that still accepts those transactions. (There is no way to recreate or re-encode a Chip/PIN card with captured chip data, but you could reproduce a magnetic track from it.)

RFID cards have a different set of locality problems. Instead of replacing the entire POS infrastructure in the US, we have decided to use RFID cards to provide a faster form of payment in hope of encouraging cardholders to spend more. The RFID reader is basically a plug-in to the current POS systems (using the service code to determine the type of transaction) and does not require replacement of the current infrastructure.

The problem is that, like most RFIDs, these cards were meant to only be read at close range (1-3 centimeters), but can be read up to 2-3 feet (30-90 centimeters) away. The danger of attempting to read a card at this distance is that the amplification of the reader could "burn out" or disable the RFID portion of the card. (As people are doing purposefully with their RFID passports.)

To prevent theft of this data in transit, the cards are usually shipped with a metallic (Faraday cage) sheath. But this does not protect the unsuspecting cardholder if an appropriate RFID reader is put around a doorway and all cards carried by the people who pass through that door are "skimmed". There are preventive measures that make any skimmed data time-sensitive, but (assuming the attackers have a network that can churn or flip the compromised data fast enough) the attacker now need only monitor a high-traffic area instead of hitting every merchant.

Again, the attack vector is similar in that it requires the physical presence of an attacker (which differs from the current remote theft compromises over the Internet), but for each the location of the attacker is different. In theory, if the attack vector is known, an RFID skim would be harder to detect than a Chip/PIN compromise because the common purchase point (CPP) does not exist. In all practical terms, even if a CPP exists for compromised cards, the thief should be smart enough not to use the numbers/track information immediately. The attacker will more than likely use some numbers from a variety of compromises to make the CPP harder to determine.
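To make the CPP argument concrete, here is the kind of analysis an issuer's fraud team runs once a batch of cards is reported compromised. This is an added example, not code from the original post: the transaction data, card identifiers, merchant names, time window, thresholds and the "lift" metric are all constructed assumptions of the example. It shows both halves of the argument above: a restaurant with a leaky wireless POS surfaces immediately as the merchant shared by every compromised card, while a doorway skim in a busy area leaves the compromised cards with no merchant in common, so the same analysis returns nothing.

```python
"""Common purchase point (CPP) analysis over constructed transaction data.

Added example (not from the original post). For each merchant we count how many
of the compromised cards transacted there inside the look-back window, and
compare that to the merchant's share of the whole card base ("lift"). A merchant
that nearly every compromised card visited, but that most cards did not, is a
candidate CPP.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    card: str        # card identifier (constructed token, not a real PAN)
    merchant: str    # merchant identifier (constructed)
    days_ago: int    # days before the fraud report (constructed)


@dataclass(frozen=True)
class Candidate:
    merchant: str
    hits: int        # number of compromised cards seen at this merchant
    coverage: float  # share of the compromised cards seen at this merchant
    lift: float      # coverage divided by the merchant's share of all cards


def rank_cpps(txns, compromised, window_days=30, min_hits=3, min_lift=2.0):
    """Rank merchants as candidate common purchase points.

    Thresholds are assumptions of this example: a merchant must be shared by at
    least `min_hits` compromised cards and be over-represented among them by a
    factor of `min_lift` relative to the whole card base.
    """
    compromised = set(compromised)
    all_cards = {t.card for t in txns}
    cards_at = defaultdict(set)
    for t in txns:
        if t.days_ago <= window_days:          # ignore stale history
            cards_at[t.merchant].add(t.card)

    candidates = []
    for merchant, cards in cards_at.items():
        hits = len(cards & compromised)
        if hits < min_hits:
            continue
        coverage = hits / len(compromised)
        base_rate = len(cards) / len(all_cards)  # share of all cards seen here
        lift = coverage / base_rate
        if lift >= min_lift:
            candidates.append(Candidate(merchant, hits, coverage, lift))
    candidates.sort(key=lambda c: (c.lift, c.hits), reverse=True)
    return candidates


# Constructed card base: 20 cards, the first 5 reported as compromised.
CARDS = [f"card{i:02d}" for i in range(20)]
COMPROMISED = CARDS[:5]


def leaky_pos_scenario():
    """Restaurant with an unencrypted wireless POS: every compromised card ate there."""
    txns = [Txn(c, "grocer-a", 2) for c in CARDS]            # everyone shops here
    txns += [Txn(c, "bistro-17", 10) for c in CARDS[:6]]     # 5 compromised + 1 not
    txns += [Txn(c, "fuel-stop", 5) for c in CARDS[8:14]]    # unrelated merchant
    txns.append(Txn(CARDS[0], "old-diner", 45))              # outside the window
    return txns


def doorway_skim_scenario():
    """Doorway reader in a busy area: the compromised cards share no merchant."""
    txns = [Txn(c, "grocer-a", 2) for c in CARDS]
    txns += [Txn(c, f"shop-{i}", 3 + i) for i, c in enumerate(CARDS[:5])]
    txns += [Txn(c, "fuel-stop", 5) for c in CARDS[8:14]]
    return txns


if __name__ == "__main__":
    for name, scenario in (("leaky POS", leaky_pos_scenario),
                           ("doorway skim", doorway_skim_scenario)):
        result = rank_cpps(scenario(), COMPROMISED)
        print(f"{name}: {[(c.merchant, c.hits, round(c.lift, 2)) for c in result]}")
```

In the first scenario "grocer-a" is visited by every compromised card too, but because every card in the base visits it its lift is 1.0 and it is correctly discarded; only "bistro-17" survives. In the second scenario nothing clears the thresholds, which is exactly why the post argues a doorway skim is harder to detect, and why an attacker who mixes cards from several compromises dilutes the lift of any single merchant.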
