Shmoocon 2012: Credit Card Fraud: The Contactless Generation
PDF: http://www.shmoocon.org/2012/presenta...

Over the last few years, the payment card industry has been (somewhat stealthily) rolling out contactless payment cards - RFID-chipped credit cards that don't need a swipe through a magstripe reader to be processed. You may well have one of these cards and not know it; I'll start by telling you how to spot them. The industry would like you to believe that these cards (and related technologies like NFC) are secure, with protections like rolling CVVs and strong crypto keeping you safe. The reality of the system is rather different; in this talk I will argue that credit card security has actually decreased from these technologies, and I'll demonstrate contactless credit card fraud live on-stage using unmodified, off-the-shelf equipment. I'll also describe some recent testing we performed which demonstrates the lack of effectiveness of common RFID shielding technologies (again explaining both their capabilities and limitations), as well as presenting a number of possible solutions to the problem including our own active shielding technology which we believe offers far more effective protection.

Chris Paget is the Chief Hacker for Recursion Ventures, a security consulting and product development company with a particular focus on hardware. She is a regular presenter at ShmooCon, Defcon, and the Black Hat Briefings, covering topics such as interception of cellphone calls and the world record for reading passive RFID tags at a distance. At Recursion, she leads a team of hardware- and software-hacking experts to break everyday systems and then design solutions to fix them, encompassing everything from set-top-boxes and alarm panels through to industrial control systems and oil and gas pipelines.