TechExpert: Card tricks

  • Researchers have used off-the-shelf scanners to read account numbers and cardholder names off RFID credit cards.
Date: 31 January 2007

I’ve heard reports that thieves might be able to steal account information from the new type of credit card that has an RFID chip in it. Should I be worried?

It depends on whom you ask. The new RFID-enabled credit cards and key fobs do have unique security risks – foremost being the chance that some twerp with a souped-up scanner will read your card information from afar. But I wouldn’t go so far as to say that they are less secure, on balance, than magnetic-stripe credit cards.

Companies that issue these cards claim that RFID chips are built with strong encryption – 128-bit and Triple-DES (Data Encryption Standard) – to protect information. Additionally, the chips are supposed to send unique, one-time use codes for each transaction – codes that do not match the number printed on the card. Senior vice-president of Chase, Tom O’Donnell, says the combination of unique tokens, switched-on readers and transaction processing is like “tumblers in a lock.”

However, a team of researchers at the University of Massachusetts, Amherst, was recently able to construct scanners capable of skimming both the cardholder name and card number from a variety of first-generation RFID credit cards. Then they found a way to transmit that data back to a card reader, tricking it into accepting a “purchase”.

We spoke with assistant professor Kevin Fu, who worked on the project. He wasn’t willing to divulge which credit card issuers had been compromised, but he said that many of the supposedly encrypted cards sent card numbers, expiration dates and cardholder names in plain text – which could be read through the envelopes the cards were mailed in.

Relatively speaking, the risks are low. No one we spoke with had actually heard of RFID “skimming” occurring outside a lab. Any time you remove a card from your wallet, you are already showing your credit card info to anyone within eyeshot, and much of conventional skimming occurs when customers either lose their cards or hand them over in restaurants and stores. There, waiters or cashiers can swipe the card through their own card readers as well as the store’s.

According to Fu, however, RFID cards do have a unique vulnerability. “Your card can be read surreptitiously. Unless you were paying attention to the guy behind you with a reader, you’d never know you were being skimmed.”

As with most credit card fraud, the risks are borne primarily by the card issuers, which generally will cover all fraudulent charges. However, if the reassurances of the credit card industry aren’t enough to calm your nerves, there are other options. You can try the old tinfoil-in-the-wallet trick, or you can get a wallet lined with nickel-impregnated nylon that blocks all RFID transmissions. In our tests, it worked.

Drive switcheroo
I’ve run out of capacity on my laptop’s 30GB hard drive and would like to install a new, larger one. I’m not sure how to get my operating system and data onto the new drive before I install it. Is there an easy way to do this?

Define “easy”. It shouldn’t be too difficult since you’re putting the new drive back in the same machine. That means your settings, drivers and applications won’t need to be reconfigured and can be copied onto the new drive.

The difficulty with laptops, however, is that most of them have space for only one hard drive – so you’ll need to find a way to plug your new drive into the laptop while the old drive is still installed. The easiest way is to use a USB 2.0 or FireWire hard-drive enclosure, available cheaply from any PC parts retailer. Make sure you get the right size and type of drive and enclosure – laptops usually use 6,3 cm drives with a parallel ATA connection.

Once you have your new drive in the enclosure that’s wired to your laptop, you’ll need to copy the data. Unfortunately, you can’t just copy and paste it from within Windows File Explorer – certain files wouldn’t be copied properly, and the partitions on the new drive wouldn’t be set up correctly for booting up. To make your new drive work like your old drive, you’ll need a disc “cloner”. There are a myriad of options, from commercial solutions such as the old favourite Ghost from Symantec (www.symantec.com) and the cheaper Copy Commander from VCom (www.v-com.com) to free applications, such as MaxBlast from Maxtor, that come bundled with hard drives. If you’re comfortable mucking around with Linux/BSD, I’ve had great luck with the free g4u application. If you have a local file server, you can even send the disc image from your laptop to an FTP site, install the larger drive, then FTP it back to your laptop, obviating the need for a drive enclosure.

If you’re looking for a simple all-in-one solution, Hitachi (www.hitachigst.com) makes a Notebook PC Upgrade Kit, which includes a 100 GB hard drive, external enclosure and cloning software.

Share and share alike
I live in a complex where the residents live in close proximity. Is it legal for the resident of one unit to get DSL or cable broadband service and share it through a community-funded computer club?

It could be illegal – and it certainly violates the terms and conditions of the agreement you signed with your DSL or Internet provider.

An example, taken from one actual agreement, stipulates:

Under section ix, prohibited use includes “resell(ing) the Service or otherwise mak(ing) available to anyone outside the Premises the ability to use the Service (i.e., Wi-Fi, or other methods of networking).” Section xx forbids “connect(ing) the Comcast Equipment to any computer outside of your Premises.”

In short, you can use a router to set up a wired Ethernet or a closed, passworded Wi-Fi network, but sharing your Internet service – even by operating an open Wi-Fi node – would violate the terms of service.

Could your Internet service provider check up on you? Technically, it’s possible for your ISP to monitor the packets running up its pipe and see if there are multiple computers connected, but determining if those computers were inside your unit or simply near it would require a bit more legwork.

Legal issues notwithstanding, sharing access as you suggest might not work as well as you’d like. Not only does sharing a connection split the overall bandwidth, it also subjects everybody to the reliability of a single modem.

New Tricks and tools
Your own digital DJ
Internet radio services have evolved

Users of this Java-based player enter a song or artist that they like. Then, Pandora (www.pandora.com) creates a streaming “channel” based on the selection. For each new song, users can vote thumbs up or down – and such responses from the user refine future selections. Pandora has a library of more than 500 000 songs and adds up to 15 000 new songs every month. Basic service is free, but an ad-free version costs about R250 a year. Pandora can also be piped directly to a stereo using Ethernet or Wi-Fi through the Slim Devices Squeezebox player.

Rating: ****

Like Pandora, Yahoo LAUNCHcast (www.music.yahoo.com) creates a channel based on a user-defined profile of preferred bands. LAUNCHcast’s songs are mono, nonskippable and limited to 3 000 per month – those restrictions are lifted for a monthly subscription. Unlike Pandora’s visual ads, LAUNCHcast’s free service plays audio spots between songs. LAUNCHcast doesn’t yet work with Firefox or Safari, and offers only one channel per user – which can force some odd marriages of interest. (Jay-Z and Kenny G on the same station?)

Rating: **

This free plug-in works with either iTunes or Windows Media Player. Instead of streaming music from an online library, it analyses the music collection on a hard drive. Then, it allows the user to drag and drop a song out of a music player into the Audiobaba (www.audiobaba.com) window, creating an instant playlist of similar songs – or a continuous-play channel of similar music from your collection.

Rating: ***

– Glenn Derene

Do the maths
Hard-drive capacity

Your hard drive is advertised as having a 60 GB capacity, but your computer shows only 55,8 GB. What gives? The discrepancy is the result of having two methods of measuring memory. Computers are binary,

 
