Vulnerabilities in first-generation RFID-enabled credit cards

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 4886 LNCS, Issue , 2007, Pages 2-14

  Heydt Benjamin, Thomas S ^a   Bailey, Daniel V ^b   Fu, Kevin ^a   Juels, Ari ^b   O'Hare, Tom ^c  

^a UNIVERSITY OF MASSACHUSETTS   (United States)

^b RSA   (United States)

^c Innealta Inc   (United States)

Author keywords

Contactless; Credit cards; RFID; Vulnerabilities

Indexed keywords

COMPUTER CRIME; DATA COMMUNICATION SYSTEMS; DATA PRIVACY; INFORMATION RETRIEVAL; RADIO FREQUENCY IDENTIFICATION (RFID);

CREDIT CARDS; VULNERABILITIES;

SMART CARDS;

EID: 38549131714     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-540-77366-5_2     Document Type: Conference Paper

References (36)

1. Adida, B., Bond, M., Clulow, J., Lin, A., Murdoch, S., Anderson, R., Rivest, R.: Phish and chips: Traditional and new recipes for attacking EMV. Technical report, University of Cambridge Computer Laboratory (2006), http://www.cl.cam.ac.uk/~mkb23/reseaxch/Phish-and-Chips.pdf
2. Anonymous: Chip and spin (2006), http://www.chipandspin.co,uk/problems. html
3. Associated Press: Wave the card for instant credit. Wired News (2003), http://tinyurl.com/yc4511
4. Averkamp, J.: ITS Michigan: Wireless technology and telecommunications (2006), http://www.itsmichigan.org/ppt/AM2005/Joe.ppt
5. Bono, S., Green, M., Stubblefield, A., Juels, A., Rubin, A., Szydlo, M.: Security analysis of a cryptographically-enabled RFID device. In: 14th USENIX Security Symposium (2005)
6. Bray, H.: Credit cards with radio tags speed purchases but track customers, too. Boston Globe (August 14, 2006), http://tinyurl.com/lmjt4
7. CardTechnology: Paypass subway trial starts in New York (2006), http://tinyurl.com/uya3k
8. Carey, D.: NFC turns phone into a wallet. EE Times (2006), http://tinyurl.com/yyxk28
9. Chan, S.: Metro briefing - New York: Manhattan: Warning about credit risks. The New York Times (2006), http://www.nytimes.com/2006/12/04/nyregion/ 04mbrfs-credit.html
10. DIFRWear: Faraday-Caged Apparel. (2006), www.difrwear.com
11. Dougherty, G.: Real-time fraud detection. MIT Applied Security Reading Group (2000), http://pdos.csail.mit.edu/asrg/02-28-2000.html and http://pdos.csail.mit.edu/asrg/02-28-2000.doc
12. EMVCo: EMV Integrated Circuit Card Specifications for Payment Systems (2004), http://tinyurl.com/oo663
13. EPIC: Mock point of entry test findings, p. 48 (2005), http://www.epic.org/privacy/us-visit/foia/mockpoe_res.pdf
14. Ferguson, R.: Schwarzenegger quashes RFID bill. eWeek DATE (2006), http://tinyurl.com/y29z6s
15. Greenemeier, L.: Visa expands contactless card efforts. Information Week (2006), http://tinyurl.com/ykzo4t
16. Hancke, G.P.: A practical relay attack on ISO 14443 proximity cards. Technical report, University of Cambridge Computer Laboratory (2005), http://www.cl.cam.ac.uk/~gh275/relay.pdf
17. Hancke, G.P.: Practical attacks on proximity identification systems (short paper). In: Proceedings of IEEE Symposium on Security and Privacy, pp. 328-333 (2006), http://www.cl.cam.ac.uk/~gh275/SPPractical.pdf
18. Harper, J.: RFID wiggles its way into credit cards? (2005), http://lists.jammed.com/politech/2005/05/0038.html
19. Heydt-Benjamin, T.S., Bailey, D.V., Fu, K., Juels, A., O'Hare, T.: Vulnerabilities in first-generation RFID-enabled credit cards. Technical report, University of Massachusetts Amherst, CS TR-2006-055 (2006)
20. Heydt-Benjamin, T.S., Chae, H.J., Defend, B., Fu, K.: Privacy for public transportation. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, Springer, Heidelberg (2006)
21. HowStuffWorks, Inc.: How blink works (2006), http://money.howstuffworks. com/blink1.htm
22. ISO: ISO/EIC 14443, proximity cards (PICCs). Technical report, ISO (2006), http://wg8.de/sdl.html
23. Juels, A.: RFID security and privacy: A research survey. IEEE Journal on Selected Areas in Communication 24(2) (2006)
24. Juels, A., Rivest, R.L., Szydlo, M.: The blocker tag: selective blocking of RFID tags for consumer privacy. In: CCS 2003. Proceedings of the 10th ACM conference on Computer and Communications Security, pp. 103-111 (2003)
25. Kfir, Z., Wool, A.: Picking virtual pockets using relay attacks on contactless smartcard systems. In: IEEE/CreateNet SecureComm., IEEE, Los Alamitos (2005), http://eprint.iacr.org/2005/052
26. Koper, S.: Contactless acceptance made easy for business payment systems. In: BPS 2006 Summer Conference, Las Vegas, NV (2006), http://tinyurl.com/sjte6
27. Moinar, D.: Personal communication (2006)
28. New York City Transit Authority: NYC MetroCard Fares. In: WWW (2006), http://tinyurl.com/y5egfd
29. O'Connor, M.C.: Chase offers contactless cards in a blink. RFID Journal (2005), http://tinyurl.com/yzy9u5
30. O'Connor, M.C.: At McDonald's, ExpressPay fits the bill. RFID Journal (2006), http://tinyurl.com/yc58sa
31. Rieback, M., Gaydadjiev, G., Crispo, B., Hofman, R., Tanenbaum, A.: A platform for RFID security and privacy administration. In: Proc. USENIX/SAGE Large Installation System Administration conference, Washington, DC, USA, pp. 89-102 (2006), http://www.rfidguardian.org/papers/lisa.06.pdf
32. Schuman, E.: How safe are the new contactless payment systems? (June 20, 2005), http://tinyurl.com/y9a525
33. Selker, E.: Manually-operated switch for enabling and disabling an RFID card. Technical report, MIT, Patent #20030132301 (2003)
34. UK Chip and Pin: Chip and pin (2006), www.chipandpin.com
35. Westhues, J.: Hacking the prox card. In: Garfinkel, S., Rosenberg, B. (eds.) RFID: Applications, Security, and Privacy, pp. 291-300. Addison-Wesley, Reading (2005)
36. Yoshida, J.: Tests reveal e-passport security flaw. EE Times (August 30, 2004), http://tinyurl.com/surgr