how to read information from RFID equipped credit cards

Ben Laurie ben at links.org
Sat Mar 22 16:01:47 EDT 2008


Perry E. Metzger wrote:
> Nothing terribly new here -- short interview with someone who bought
> an RFID credit card reader on ebay for $8 and demonstrates getting
> people's credit card information at short distances using it. Still,
> it is interesting to see how trivial it is to do.
> 
> http://www.boingboing.net/2008/03/19/bbtv-how-to-hack-an.html

Yeah, but...

He's talking bollocks when he says that the decryption should be done in 
some secure datacentre. That wouldn't save you unless there was some 
kind of handshake with the card - and the trouble is, those cards don't 
have the power to do any real crypto.

In the absence of something to prevent MitM, you would just intercept 
the encrypted contents of the card, and then use that. So why bother to 
encrypt it?

So, the bottom line is you need more horsepower in the gadget that 
controls your money, so you can do real crypto.

Then we get to the next problem: we don't trust the device with the 
keypad and display. So, we need to add that to the GTCYM (Gadget That 
Controls Your Money).

And so we end up at the position that we have ended up at so many times 
before: the GTCYM has to have a decent processor, a keyboard and a 
screen, and must be portable and secure.

One day we'll stop concluding this and actually do something about it.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
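
Added example, not part of the message above: a Python sketch of its argument, in which a card that emits a fixed encrypted blob is accepted again from a copy, while a handshake with a fresh nonce rejects a copied response. The key, card number, XOR stand-in for encryption and HMAC-SHA256 handshake are assumptions chosen for illustration, not any real card protocol; it models replay of captured data only.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)   # constructed secret shared by card and issuer
PAN = b"4000000000000002"       # constructed 16-byte card number


def _xor(data: bytes, key: bytes) -> bytes:
    # Toy stand-in for "the card's contents are encrypted": fixed keystream.
    pad = hashlib.sha256(key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def static_card_read() -> bytes:
    """Passive card: emits the same ciphertext on every read."""
    return _xor(PAN, KEY)


def issuer_accepts_static(blob: bytes) -> bool:
    """Decryption 'in the datacentre': cannot tell a fresh read from a copy."""
    return hmac.compare_digest(_xor(blob, KEY), PAN)


class Issuer:
    """Issuer side of a handshake: one fresh nonce per transaction."""

    def __init__(self) -> None:
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False            # unknown or already-used challenge
        self.pending.discard(nonce)
        expected = hmac.new(KEY, nonce + PAN, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def card_respond(nonce: bytes) -> bytes:
    """Card with enough compute to MAC the issuer's challenge."""
    return hmac.new(KEY, nonce + PAN, hashlib.sha256).digest()
```

The static blob passes the issuer's check no matter who presents it, which is the "why bother to encrypt it?" point; the MAC over a fresh challenge is what makes a recorded response useless, and it requires the card to compute.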


