As some of you may know, I was recently interviewed for an article in the Wall Street Journal called "Why Some People Put These Credit Cards In the Microwave".   For the original article I posted that led to the interview, see my article on the BrainPox site.

This article will attempt to further elaborate on the security issues behind this technology.

What is RFID?

For those not familiar with RFID, it stands for Radio Frequency IDentification.  In a nutshell, and RFID chip is passive, has no power source and really does nothing, until it receives transmission from a reader (which is really a transmitter/receiver).  The chip is then able to use the radio waves received to power itself and return a response, which the reader will presumably read.

There are several different frequencies that these chips operate in, and several different types.  So a reader for one frequency cannot read chips in other frequencies, and in many cases different types of chips use different communication techniques so in most cases there is no interoperability (which is probably good).

Examples of RFID use and weakness

Ever heard of Mobil SpeedPass?  The keychain 'thingy' contains an RFID chip.  Remember when McD's was accepting them (and probably other places)?  Notice they are all gone?  Well the reason behind that is likely because the system was cracked early in 2005 (see  Johns Hopkins University). 

In the same article they discuss how to defeat the RFID chips in many new car keys, so that tech is essentially broken as well.

Why I wasn't worried much about those technologies

SpeedPass required 'buy in' by the consumer, and the link to your credit card was on the Mobil credit card network systems and fairly secure... and quite frankly you couldn't use it many places anyway.

What's the problem with PayPass?

There are a ton of problems.  The number one problem is that the technology they use hasn't been examined for security flaws by any objective third party.  When they say it's safe, you have to take their word for it.  Fact is they also say it's faster and safer!  When in fact it's no faster (you still have to wait for the charge to clear, just like swiping a credit card) and it's certainly not any safer.

That leads into the other major problem, they are foisting these things onto consumers who don't know any better, with a media storm of absolute bullshit they're hoping people will just go along with it.  I my case no option was mentioned, they just sent the thing to me as a replacement (old card was going to expire anyway).  

So what's the problem?

With a sufficiently powerful reader (which could be built easily with off the shelf hardware), someone could read the information off your card from several feet away (could be as high as hundreds of feet).  Not scared yet?  If these get out in sufficient quantities the potential financial gain will be great enough to justify the effort, and pickpockets will just have to walk around in a subway, club, elevator to get 1000's of cards.

Still not worried?  Well then go ahead and get one if you like, but I will not.