Submission + - Hacker Demos Easy Wireless Credit Card Fraud (forbes.com)
Sparrowvsrevolution writes: At the Shmoocon hacker conference, security researcher Kristin Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.)
The payment industry often claims that contactless credit cards are more safe than traditional cards, and that any data a hacker could wirelessly read from them can't be used for fraud. But with 100 million of the RFID-enabled credit cards now in circulation, Paget wanted to undisputably show that's not the case. A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses.
The payment industry often claims that contactless credit cards are more safe than traditional cards, and that any data a hacker could wirelessly read from them can't be used for fraud. But with 100 million of the RFID-enabled credit cards now in circulation, Paget wanted to undisputably show that's not the case. A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses.