Credit Card Companies Gagged Mythbusters Over RFID Vulnerabilities?
from the security-through-obscurity...-and-legal-threats dept
It’s amazing to watch just how sensitive some companies are concerning the rather well-known security vulnerabilities associated with RFID tags and smart cards. We’ve seen time and time again, companies try to suppress such research from getting published — and every single time, those efforts to suppress the publication of the vulnerabilities backfires, often badly.
But that never seems to stop companies from flexing their legal muscles.
The latest example comes to use via the Consumerist blog, who dug out a clip of Adam Savage from the TV show Mythbusters talking about what happened when the show tried to do an episode on RFID vulnerabilities:
Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else… They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it’s on Discovery’s radar and they won’t let us go near it.
Check out the video of him saying this (while admitting he’s probably not supposed to talk about it) here:
Filed Under: adam savage, gagged, mythbusters, rfid, smart cards, vulnerabilities
Comments on “Credit Card Companies Gagged Mythbusters Over RFID Vulnerabilities?”
How dare you accuse them of thinking… they have a team of lawyers to do that for them…
Since we are a society of Laws, then lawsuits, not common sense shall rule the end of the day.
do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?
No, this is just business. The RFID tags are supposed to be a big selling point for credit cards — it’s how they make our lives more convenient and how they convince us that they’re better than the other guys. They don’t want it to become common knowledge that this convenience makes them really, really vulnerable — imagine the backlash! People wouldn’t sign up for new cards and very possibly might cancel the cards they have. Turning a selling point into a liability is a Bad Thing, and it’s only “smart” for then to keep their customers stupid.
After all, identity theft is the consumer’s problem…
Since when did you think that the credit card companies are out to protect the customers? It seems to me that their actions and policies have almost always been about them.
For shame, Discovery... for shame.
Things like this just piss me off. If the show details issues with RFID, then it should be aired. It’s not Discovery’s fault these issues are so prevalent. So instead, fans of the show get screwed because Discovery is run by a bunch of cowards.
Savage is cool. I’m glad he made the comment and I’m further glad it’s spreading like wildfire.
When will stations realize ad revenue doesn’t even come close to offsetting the cost of shows, so why bother running them in the first place.
Re: For shame, Discovery... for shame.
“When will stations realize ad revenue doesn’t even come close to offsetting the cost of shows, so why bother running them in the first place.”
…clearly you’ve never worked or even met anyone in the television industry.
Who cares????!???! Its the companies that will lose the money in the end, anyway. I guarantee they have a team of experts working to make it as secure as possible, because they CAN’T let the customer hang out for the balance on the card that was stolen through RFID security flaws. It would be no different than having your card stolen. Visa cancels the balance while they find and sue the guy who stole it. The customer has nothing to worry about.
Re: Re:
Well, if this becomes public knowledge they have to throw resources at correcting the flaws.
If the cost of the breaches currently happening is less than the cost of correcting the flaws. Then nothing will happen except for the authoring of Techdirt articles.
Re: Re:
“I guarantee they have a team of experts working to make it as secure as possible”
How naive are you really?
The CC companies do not design this stuff, they implement 3rd party solutions. And trust me, the cheapest wins.
Re: Re:
Actually the credit card companies do NOT repeat NOT pay for the stolen balance on the card, they pass that burden straight through to the merchant who accepted the card along with a fee (read fine) for accepting the stolen card in the first place. Unless the merchant has a signature and it matches the customers the merchant cannot fight the chargeback with any hope of winning… and winning by the way means the customer pays.
“but do the credit card companies really think that security through obscurity is the best way to protect their customers?”
Yes they do. Seriously, you can nag and complain all you want. But at the end of the day, they believe this to be correct.
Don't Link RFID and Smart Cards
You look like fools lumping them together. RFID is not a very smart system or very secure…
Smart Cards are very secure and virtually un hackable.. to get the secure data on them..
Re: Don't Link RFID and Smart Cards
http://www.g4tv.com/techtvvault/features/37779/Smart_Card_Vulnerability_Found.html
http://weblog.infoworld.com/zeroday/archives/2006/03/fedex_smartcard.html
http://query.nytimes.com/gst/fullpage.html?res=9406E4DB1739F930A25756C0A9649C8B63
Re: Don't Link RFID and Smart Cards
You look like fools lumping them [RFIDs and SmartCards] together.
That’s a very strong statement. Care to explain the reasoning behind your ad hominem attack? Based on the links that Mike provided, the commonality between RFIDs and SmartCards is the tendency of their manufacturers to supress and deny the existence of security vulnerability rather than fix them. Even if SmartCards are much more secure than RFID systems, this point it not negated.
http://www.rfidvirus.org/
http://www.lockergnome.com/reflections/2007/04/03/rfid-payment-card-vulnerabilities/
http://www.youtube.com/watch?v=xPkzFETzueQ
can stop TV, but try to stop the internet. As with most things, by trying to keep it quiet, they have opened it up for the the whole world to see.
Congratulates
>^..^
Security through Obscurity
Back in the early days of the cellular industry, people were unsure whether or not the content of their calls were secure. Of course, they were right. Anyone with a Radioshack scanner that scanned the 800-1000 megahertz band could.
So, rather than make better, more secure cellphones, the cellular carriers pushed through the Electronic Communications Protection Act of 1986 which banned the sale of any scanner that could pick up cellular phone frequencies. As expected, that only made pre-ECPA scanners more valuable and proliferated the hacks for post-ECPA scanners to restore the missing frequencies.
But, with the end of analog cell phones, there are no more cellphones to listen in on…
It won't stop here either
because what comes next is RFIDs in currency. The government will follow every bill to every bank/store/atm. Using the data from those RFID tags in conjunction with the data from your cards and clothes and other RFID tagged properties they’ll follow every bill every step of the way. You won’t be able to disable the tags in the bill because at some step along the way they’ll trace the bill back to you and know where the tag died, and tampering with currency is illegal. Then they’ll pass a law banning disabling tags on all other items too. Oh, they won’t throw you in jail for it though, at least at first, they’ll just fine you heavily. The jail time comes later when you’re broke. Then they’ll RFID you.
Re: It won't stop here either
Good to see at least one person is aware of the real purpose behind RFID, cattle tags for humans. They’re designed to track your every move and financial expendature and where contention arises, RFID’s will simply be shut off, and all devices dependant upon RFID compatability will be rendered useless.
all the talks were at hope 2008
http://www.thelasthope.org/talks.html
mp3’s
Enough Already
The sooner the corporations team up with the government and turn the internet into an extension of TV, the sooner we’ll be done with embarrassing episodes like this.
Whoever thought that giving the public the ability to comment, discuss and share technology was definitely high.
Honestly.
smash lab
BOOOOOOOOOOOOOOOO!!!
“Yeah, I know…”
Credit Cards
I moved to all cash, if we all did that everyone would be way better off
Re: Credit Cards
Clearly you’ve never been robbed.
Re: Re: Credit Cards
…or tried to purchase online, over the phone, through mail order, or anything above £1000.00.
Just be extra careful when walking around with £10,000 for a new car.
Yes Shoot the messenger! These are not the droids you are looking for...
RFID is a neat toy but it is not secure. Not the ones in credit cards, not the ones in passports, none of it. Of course most people dont realize that.
Shameful is it that Discovery channel buckled like a cheap hooker with a five spot dangled in their face! It just goes to prove one thing you cant discover on Discovery is a strong moral compass. Although the color yellow appears readily abundant.
In conclusion Discovery will happily show you any truth that doesn’t go against a sponsor. Never forget through that the truth is less important to them than greed so take everything you hear from them with a grain of salt because after all….
Discovery is the best programming a corporate bribe can buy!
Re: Yes Shoot the messenger! These are not the droids you are looking for...
In conclusion Discovery will happily show you any truth that doesn’t go against a sponsor. Never forget through that the truth is less important to them than greed so take everything you hear from them with a grain of salt because after all….
Discovery is the best programming a corporate bribe can buy!
you act like the media has some sort of responsibility to us. we are a product, a commodity to be leveraged and traded. the media’s only responsibility is to the company execs and the stock holders. the execs and stock holders only care about profits, and profits are dictated by advertisers. er go, advertisers will always be able to bend media companies to their will. if you think fox or nbc or cnn are any different than the discovery channel you are woefully naive.
real security research is now and will forever be underground. it’s cheaper to provide the illusion of security than it is to build truly secure systems, so corporations and governments will always opt for obscurity first until an independent researcher exposes these vulnerabilities.
the credit industry is built on impulse buying. secure systems with integrity checks and access restrictions are a hindrance to impulse buys and will never be implemented. credit systems will always be flawed and fraud will just be considered the cost of doing business. if you think that’s pessimistic think about this: what does a company do when it’s had a large data breach: it buys the victims a year of credit monitoring and it moves on like it never happened.
why do you think credit card companies and news programs blame ID thefts and credit card fraud on hackers?
identities get stolen by identity thieves. credit card companies are defrauded by con artists. there is no hacking involved 99% of the time.
corporations want you to see competitive analysis and independent research as the products of shadowy figures that we need to fear so that you will mistrust the exposure of security vulnerabilities and not ask scary and expensive questions.
credit cards
YET ANTHER reason NOT to own credit cards (not debit cards.)
Our ancestors didn’t use them and we DO NOT need them now. Buy what you can afford not what you can afford to pay each month…for now.
Re: credit cards
“Our ancestors didn’t use them and we DO NOT need them now”.
Amen brother, and while we are at it we should abolish the use of fire too.
Re: credit cards
Your argument about our ancestors not needing something simply doesn’t hold. The world changes, and with those changes are goods and bads.
What in particular do you find offensive about credit cards and debit cards (I could guess, but I won’t)?
I have a credit card, use it frequently, find it extremely convenient, and as a individual who can do arithmetic understand the ins-and-outs of my monthly finances to determine the appropriate payback structure so as to maximize the potential of my overall net worth.
Of course!
but do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?
Um, YES! If customers don’t know about a problem, then there is no problem, especially if the problem is security-related. Plus, it’s easier to hide the flaw than try to convince customers that the flaw isn’t too bad. Instead of spending money on R&D to fix the issues, just get the already-paid-for lawyers to threaten anyone who mentions the issue. Problem solved!
Leaked episode
Savage should leak the episode and then do a Mythbusters on whether or not CC companies can track the leak and sue him for it.
I have seen some RFID solutions that are worth looking at that provide very secure mechanisms (128 bit encr.) for activating, reading and writing. One is from Neology Corp., which uses a priopietary passive chip with 3 different channels for the above options, each with a unique key to activate the chip.
Their chip is expensive, but provides more security than any other RFID chip i have looked at.
I have worked with several security solutions for credit cards, and trust me, the weakest link is never the security either on the card itself, or at the contact points (TPV, ATM, POS, Interet VPos). The weakest link is always the holder of the card.
The use of either contact chips or RFID tags on credit cards, needs to go hand in hand with the use of a PIN (ore more) to complete any transaction. That leaves part of the security in the user hands, without seriously compromising the information stored in the chip (which has to be limited).
Get some real facts - not just opinions
An excellent book on this subject can be found on Amazon entitled “Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity” By Byron Acohido and Jon Swartz (hardback, Amazon $13.57).
The main premise of the book is that the payment industry, comprised of credit card companies, banks, credit bureaus and data brokers have created an easy-to-use, low cost (in maintenance) infrastructure that is pliable, extendable and very adaptable, but paper-thin when it comes to security. The system is built with the idea that “ease of access” for the customer ‘will bring them in’ especially when linked with easy credit. But when you link ease of access, easy credit and the absolute need for speed (for transactional processing), the payment industry has had to sacrifice a robust security infrastructure and privacy controls. Examples abound in the book of what not to do, as well as a Who’s Who of companies and bad guys (and girls), how they actually link up together, and how they control your credit.
Intended not merely to alarm, but to illuminate, “Zero Day Threat” exposes how lawbreakers do their dirty work, and how corporations knowingly, and unknowingly, help them do it.
As they say up north, “Take that in your pipe and smoke it !”
I can't believe...
… that we don’t have a PIN number for ALL transactions on credit cards. Sure, it’s convenient to not have to enter a PIN, but it would help quite a bit.
Options
You can wrap your RFID CC in tin foil. drill through the RFID chip or you can also request a CC without the RFID.
Also there are active RFID jammers.
It will not be long till these things are either unavailable or illegal.
http://www.youtube.com/watch?v=yZaQFilWXgE&feature=related
Lots look at
The Pizza Stone
…sure, all this is neat, but I’m most interested in that great question asked by the woman at the end of the video clip: “Will you do a Mythbusters on whether a commercial pizza stone does a better job of cooking pizza in a home oven over a regular clay tile?” Now that would be a gripping show… for an audience of one.
Why is it that at every conference, some weirdo manages to commandeer the Q&A mic and ask lengthy questions that they should know don’t interest anyone? You can see the line of people at the mic who want to get their turn, but she slides in this ludicrous pizza idea as her second question. Why are events not better moderated? Couldn’t someone step in with a friendly, “How ’bout you finish your question offline?”
Security through obscurity.
“but do the credit card companies really think that security through obscurity is the best way to protect their customers?”
Hmmm, the myth of “Security through Obscurity” probably ought to be tested. Plenty of examples, plenty of failures, but corporations still believe in the myth.
Just ask the Boston subway operators. 😛
Regardless of practices and policies, competition is really what balances everything out so that we deal with companies that treat everyone fairly.
Re: Re:
Oh, Please…. What fairy tale did you just finish reading ? Companies treating everyone fairly ? When did “fair” ever get counted on the bottom line ? What this is all about is charging the customer (you and I, if you missed that) for the financial company’s wrong decision (or choice) of technology. Fast, cheap, secure and easy-to-use; pick any three, but the fourth goes down the toilet and we get to pick-up the tab passed through via your local financial institution.
the irony of obscuring the truth from the people creates security for credit card corporations
One of the most successful financial services outside of the banks and credit card companies (who can afford to lobby, we might mention) is under fire from legislative bodies these days. It’s Washington DC that might be setting their sights on payday loan lenders next. Part of Obama’s economic plan is to get a rate cap in place on all lending, and keep it at 36%, which makes payday lending untenable. Accusations of predatory lending are only backed up by anecdotal evidence, whereas the empirical (which means legitimate) evidence stacks up on the side of the payday loan lenders providing a needed service.
They need to switch to Java microprocessor cards because there more secure.
They need to switch to Java microprocessor cards because there more secure.