On Square Skimmer Security Risks

There’s an “open letter” going around about the alleged security hole created by SquareUp, a startup that gives out free credit card readers for smart phones. To quote the meat of it:

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

Allow me to debunk the hell out of this:

  • To skim a card you need physical possession of the card. The numbers are printed on the front. No reader needed.
  • Skimming is normally done by attaching a device in front of a legitimate reader (such as an ATM) so it passively collects data. Not via cell phone. Stealing a credit card, walking to a back alley and skimming doesn’t make any sense.
  • Credit card numbers are worth almost nothing on the black market. They are sold in bulk. This process is too slow to be viable for even the most brain-dead of criminals to want to bother with.
  • There are easier methods than the above including phishing attacks, becoming a waiter (the best job for credit card thieves), or just hacking one of the many insecure ecommerce sites on the net. An ATM skimmer attached to an ATM is much more profitable and harder to get caught since you can leave and come back later.
  • Square’s dongle doesn’t encrypt data because it goes directly to the phone. You’d need to extensively modify the device to intercept anything. The connection from your phone to Square seems to be encrypted.
  • Oh yeah… They have their logo on top, but never link to their homepage or explain who they are. VeriFone is a vendor of credit card scanners. A direct competitor of Square. They also sell wireless scanners that would compete directly with Square. They cost a lot.

How’d I do?

Bonus:

VeriFone sells “contactless” point of sale systems. I’ve mentioned several times over the past few years how poorly thought out these seem to be. WREG recently did a great story on how easy it is to scan/clone one of these cards to a hotel key (full disclosure: WREG is an affiliate of my employer).

Conclusion:

If someone steals your credit card, whether they swipe it on their own scanner, read the numbers off it, or just run to the nearest store and buy things, it doesn’t make a difference. Square isn’t the security hole here.

I’ve got a Square reader on hand and can say it’s cheaply made (obviously), but there is no reason at all to think it’s any less secure than any other terminal. The owner/operator of the terminal is the chief point of failure.

Feds Alarmed About RFID Reader At DefCon

This is pretty amusing. Federal agents were apparently surprised that there were RFID readers hidden at DefCon, the most cutthroat (and amusing to read about) hacker convention. Why they would carry anything containing an RFID chip inside is beyond me, but even more interesting is that they were surprised by this.

The article goes on to give the usual explanation of how insecure RFID really is. I feel like I’ve written about RFID’s security issues before.

RFID War Driving

I’ve been a critic of RFID for the purpose of identifying people from early on because the concept is inherently flawed, despite the insistence of people paid to insist otherwise. Chris Paget is in a widely circulated story regarding him driving around Fisherman’s Wharf with $190 worth of gear (likely not bought with an RFID credit card) and grabbing IDs of strangers in the area. It should be noted for anyone wondering that he didn’t break any federal laws.

The story ignores that Chris Paget also gave a talk at ShmooCon 2009 regarding RFID cloning. Of course cloning passports is nothing new; it happened in Europe just 48 hours after the passports were first issued. Don’t worry about that though, the US government says its passports can only be read from about 4 inches. Although as the article notes (page 3), researchers from the University of Tel Aviv disagree, finding it can actually be read from several feet away using hobbyist gear. A student from the University of Cambridge found it can be read from 17 feet away.

While it’s admittedly handy that you can now clone a British passport without even opening the envelope, I question if this is a necessary feature.

This reminds me of that old prank where you pull the tag off a library book and sneak it onto someone’s belongings so when they leave the library the detector goes off repeatedly as if they tried to steal a book. Clever misuse of a pretty easy-to-misuse technology. Of course the other side of this is the book can now be removed without setting off the alarm. Double fail.

Putting an RFID card in a shield isn’t really a great solution since most people will never bother, in a world where still only 83 percent of Americans bother to wear seat belts [NHTSA, PDF]. Besides, if the point of including RFID is to read from a distance without exposing the card to swipe it, isn’t this redundant? You can always disable it by microwaving it briefly, though RSA Labs claims a small fire risk. I’ve heard of hammers used too, though I’m not sure how you’d confirm it’s dead.

Can we admit this RFID stuff is half-baked now?

Elvis Takes Off

The other day I mentioned that it’s possible to clone an RFID passport, a massive security risk that the government seemingly doesn’t care too much about. It’s no longer really a proof of concept. Elvis now has an accepted RFID passport. That’s right. Mr. dead-in-1977 Elvis Aaron Presley. The hack was done in Amsterdam, but you can bet it will be done elsewhere as time progresses.

Mythbusters on RFID

I’ve mentioned several times on this blog that RFID isn’t a good idea for sensitive things like credit card information. Pretty much anything you wouldn’t openly make available to strangers.

The latest piece of evidence is Adam Savage, of Discovery’s Mythbusters, discussing how they were effectively outgunned by lawyers for credit card companies (with video goodness) when wanting to do a show about RFID.

My personal experience is that they will swap out your RFID card with a non-RFID one upon request. Until this stuff is much more proven, I don’t want it. Some make the argument that you’re not liable for more than $50, but it’s your job to convince credit agencies to update your credit history and to deal with creditors re-evaluating your changed credit history for a really long time. Considering the current credit crunch and the knee-jerk reactions that are so common right now, that’s just a recipe for disaster. Who wants to go through that for the novelty of not needing to physically swipe the card? No thanks.

How To Hack A RFID Card

Boing Boing TV has a great video on how to hack an RFID credit card for a mere $8. I’ve said it more than once that I don’t trust it yet. This is why. You just removed the best security feature on the card (the ability to keep it and its information out of view).

As a commenter noted, the Nokia 6131 NFC includes the following from their tech specs:

  • Explore mobile weather and news by touching your phone to radio frequency identification (RFID) tags

That’s right, a built-in RFID reader. It just needs software for this particular task. I’m sure that won’t take too long.

How To Steal A Credit Card

I said a while back RFID credit cards still have to prove themselves. Today I saw this interesting story on CNet:

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer’s wallet, Laurie both read and displayed its contents on the presentation screen–the person’s name, account number, and expiration clearly visible.

You can find a ton of information, including code and the hardware necessary to duplicate this, on his website RFIDIOt.

Another real potential issue is companies using RFID for security badges. Considering how easy it is to read and duplicate, potentially anyone who can get close to someone walking into an office can capture the data necessary to produce their own ID card. In this case the only security is matching the photo stored by the company on their computer system (not the one on the badge) to the person’s face. So for those offices that don’t have security staff doing this, anyone could theoretically get in.

The best security mechanisms are the simplest and most discreet. Credit cards are naturally pretty secure if used correctly. Nobody can abuse a credit card unless they know the number. Nobody can read it through a wallet. The wallet in this case is a great security feature. To read it you need to either visually inspect it for the numbers, copy it, get an impression of it, or swipe it through a reader. All things that require intimate contact with the actual card. Impressive security for some old technology, isn’t it?

I’ll stick with swiping a credit card for the foreseeable future. You’re only not liable for a stolen credit card if you and your credit card company mutually agree it’s stolen or being misused. Otherwise you may be on your way to an expensive dispute. Regardless, it may have hit your credit, and you’ll spend a lot of time sorting it out and getting it corrected. Bad credit costs you money. Some individuals make it sound like it’s just a phone call and you’re done, but people who have had their credit card stolen sometimes spend several months fighting to save their credit.

Bank Security Sucks

Why is it that I can get a security key fob from PayPal for a mere $5, but not from my credit card company or bank? PassMark seems to be the latest craze of banks in an attempt to look more secure. It doesn’t work. Online security still seriously sucks. 96.66% fell for phishing according to Harvard and MIT just a few months ago. Interestingly both of those links reference the same bank (Bank of America), though they aren’t the only ones.

And I’m supposed to believe RFID enabled credit cards aren’t trouble? I think not. I’ll wait until the technology has been proven a bit more. Swiping the card really isn’t that hard. I find it to be a good workout. For the security of knowing my wallet is a good security device, I don’t mind the inconvenience. When they can prove it’s secure I’ll switch. I doubt that will be for a while.

I wonder how long until financial institutions start taking security to the next level. I’m confident they will be pushed to do so at some point. I’m just wondering what the catalyst for change will be. I’m guessing some more alarming statistics. I really want to see hardware-based two-factor authentication become the de facto standard in all banking systems. If PayPal can do it for $5 per user, I think the rest can manage to offer it. It’s not perfect, it doesn’t cover every type of attack, but it’s the single best enhancement over a good password. You do have a good password, right?

[Hat Tip: The Consumerist]

Getting A Non-RFID Credit Card

The Chase Freedom credit card isn’t bad (1% cash back, 3% on certain items). There is an unadvertised downside. While Chase doesn’t promote it very well, the card contains a tiny RFID chip. This allows you to pay for something using a contactless terminal (no swiping). Just put your card near the reader and it registers. Is it really any quicker than swiping? Who knows, but likely not by much.

It looks like a regular credit card, same thickness, size, and shape. Just a tiny emblem exists on the upper right hand side to distinguish the onboard cargo. You can see it in the image above. A larger version of it is below:

[Image: Chase Blink logo]

For those wondering, the actual RFID chip seems to be on the left side, opposite the Blink logo.

Chase brands the technology Blink, American Express calls it ExpressPay, MasterCard calls it PayPass. They are all pretty much the same thing.

RFID doesn’t have a great reputation right now. There are some privacy and security concerns, such as an unauthorized party reading your credit card without you knowing. Think this is a tin-foil-hat mentality? It’s been done already. I haven’t found anything online to indicate criminal exploitation yet, but it’s possible and will happen.

Chase doesn’t advertise this, but if you contact them by phone or email, they will send you a replacement card without the “Blink” capability. The actual plastic card is their “Rewards Visa”, though the paper it’s attached to clearly says “Chase Freedom”. It’s just plastic; the credit plan is in the account, not the card. So there you have it, you can get a secure credit card if you’re concerned about security.

Chase claims “Blink” is very secure, but I’m still not personally comfortable with the technology. According to their FAQ (in PDF format):

10. Are blink purchases secure?

Yes. As always, you are 100% protected against any unauthorized purchases. These transactions are safe because they are protected by an additional level of encrypted security. You must deliberately use the Chase card with blink at the point-of-sale to make a transaction. The Chase card with blink needs to be within an inch of the special reader and correctly oriented to be read. In addition, blink transactions use specific data that is protected by the highest level of security.

Judging from the speed at which it can be read (as demonstrated on the Chase blink website), one could technically walk by with a bag containing a reader and just brush by the victim to read the card in their pants pocket, sit next to you on the bus/train, etc. Easier than pickpocketing since no actual contact is needed (such as digging a hand into someone’s pocket).

We already know they can clone RFID passports. What stops someone from reproducing the credit card, then using it? With regular cards, my wallet is an effective firewall. There is no way to read the magnetic stripe or copy the numbers off of it without the actual card being visible. And if my card is missing, I know I have a problem. I always keep it in my wallet so nobody can just look at it. This is a pretty secure way to handle a credit card. With this potential crime, I wouldn’t even know right away, and by the time I did realize I wouldn’t have any idea when/where it was compromised. It could potentially be months between the theft and usage of stolen data.

I’d like to see this tech a little more proven in the “real world” before I jump on board. For now it’s just good to know you don’t have to live with it, you can get a non-RFID card. I didn’t find this advertised anywhere on the Chase website. I guess they realized us tin-foil-hat people would ask for a blink-free card, so they made sure to have an alternative. I must give them credit for that (no pun intended).

Just call/email Chase and ask for a non-blink version of the card. They told me 5-7 days for delivery. No hassle. I was very pleased how painlessly they made it. It arrived in about 5 days.