This inspiring video makes me want to spend money on Kessler Crane gear. :)
NFC credit cards are broken by design
Short version: NFC-enabled credit cards are broken by design. If your bank offers you one, you should refuse it. If you already have one, be sure to drill a hole thru the card body to destroy the antenna.
Renaud Lifchitz (French security expert at BT) gave a presentation today (Friday 13th April 2012) at the Hackito Ergo Sum 2012 conference on the lack of security in NFC-enabled credit cards (no authentication and no encryption).
Security and convenience are diametrically opposed. What is convenient is rarely secure. What is secure is rarely convenient. For example, my 63-character-long WPA2 WiFi passwords are a genuine pain in the rear end to enter on some devices (worst to date: the keyboardless Amazon Kindle), but I want to believe they are pretty secure.
NFC falls in the VERY convenient bin... Some applications based on NFC are designed correctly, some are not. For example, the Navigo Pass used in the Paris public transportation system is properly encrypted and authenticated. Another proper design is the electronic passport, which requires reading the MRZ (machine readable zone) to unlock access to the sensitive data.
On the other side of the spectrum lies the NFC-enabled credit card. If you thought WEP encryption was broken, at least it tried to encrypt the data. NFC-enabled credit cards don't require authentication to access the sensitive data. This means that a bad guy in range can access your data and build a "clone". Or, if he is in a good mood, kill the chip by making 3 failed PIN attempts.
The sensitive data is sent unencrypted. This means that the bad guy (15 meters away) can eavesdrop on a valid transaction and build a "clone" card.
The demo application, which ran on a computer and on an Android phone, harvested the following data from the NFC-enabled credit card:
- the PAN (primary account number).
- the holder's first name, last name and gender.
- the expiration date.
- the transaction history.
- the magnetic stripe data.
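
To make concrete what "sent unencrypted" means for the fields listed above, here is an added example (not code from the presentation or from the ReadNFCC project) that decodes an EMV-style BER-TLV record and reports which of those fields it carries in the clear, masking the PAN so the result is safe to log. The tag numbers are the standard EMV ones; the record bytes are constructed around a test card number and are an assumption about layout, not data from a real card.

```python
def mask_pan(bcd):
    digits = bcd.hex().rstrip("f")       # BCD digits, 'F'-padded to whole bytes
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

SENSITIVE_TAGS = {  # EMV tag: (field named in the post, log-safe renderer)
    0x5A: ("PAN", mask_pan),
    0x5F20: ("cardholder name", lambda v: v.decode("ascii", "replace").strip()),
    0x5F24: ("expiration date", lambda v: "<present>"),
    0x57: ("magnetic stripe data", lambda v: "<present>"),
}

def parse_tlv(data):
    """Return [(tag, value)] from BER-TLV bytes; ValueError if malformed."""
    out, i = [], 0
    try:
        while i < len(data):
            tag, i = data[i], i + 1
            if tag & 0x1F == 0x1F:       # low five bits set: more tag bytes follow
                tag, i = (tag << 8) | data[i], i + 1
                while tag & 0x80:        # continuation bit on the last tag byte
                    tag, i = (tag << 8) | data[i], i + 1
            length, i = data[i], i + 1
            if length == 0x80:
                raise ValueError("indefinite length not supported")
            if length & 0x80:            # long form: low 7 bits count length bytes
                n = length & 0x7F
                length, i = int.from_bytes(data[i:i + n], "big"), i + n
            if i + length > len(data):
                raise IndexError
            out.append((tag, data[i:i + length]))
            i += length
    except IndexError:
        raise ValueError("truncated TLV") from None
    return out

def exposed_fields(record):
    """Map each sensitive field found in the record to a log-safe rendering."""
    found = {}
    for tag, value in parse_tlv(record):
        if tag == 0x70:                  # record template wrapping the data objects
            found.update(exposed_fields(value))
        elif tag in SENSITIVE_TAGS:
            name, render = SENSITIVE_TAGS[tag]
            found[name] = render(value)
    return found

SAMPLE_RECORD = bytes.fromhex(           # constructed sample, not real card data
    "7029" "5A084111111111111111" "5F2008444F452F4A4F484E"
    "5F2403141231" "570C4111111111111111D1412201")
print(exposed_fields(SAMPLE_RECORD))
```

Nothing in the decoding step needs a key or a secret: once the bytes are readable, every field is readable, which is why the missing authentication and encryption matter.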
Eye roller snippets from the presentation:
- But it's a shame and a big FAIL. They don't use any kind of authentication and any kind of encryption. So it's wide open. (at 10:40)
- EMV (Europay MasterCard Visa) is simply poorly designed for NFC and needs a complete rewrite. (at 32:40)
- EMV is not designed for contactless (at 32:50).
- We haven't broke any security or tried to because there is none. (at 39:18)
From the email exchange with Renaud Lifchitz, no tricks were used. The card just communicates with the reader without encrypting data. As in, the card was not forced to use a plain text mode. I'm not even sure it qualifies as security thru obscurity, since it's pretty straightforward to buy a contactless smartcard reader. Renaud Lifchitz successfully ran his "attack" on recent credit cards from Visa and MasterCard (latest from March 2012).
Given that I have a spare laptop and some contactless smartcard readers (ACG, SCM and Omnikey), I'll be able to give the demo code a try. The hardest part will be to find an NFC-enabled credit card. I asked around me but I haven't found one yet.
The following Ustream video recording is a boring static shot that doesn't let you read the slides. The presentation slides are available in PDF form on the ReadNFCC Google Code project.
Embeddable Spotify Play Button
Spotify just announced the embeddable Spotify Play button. Let me try to embed what I'm listening to right now: Sara Bareilles - Live at the Fillmore.
Results:
iOS 5.1 + Safari: OK.
Windows 7 x64 + Chrome 19: OK.
Windows 7 x64 + Firefox 11: FAIL "Spotify failed to launch." One of my security extensions prevents the content from working properly: NoScript.
Rob Reid TED Talk - 8 billion dollar iPod
In the context of the return of Game of Thrones on HBO, my new favorite video is Rob Reid: 8 billion dollar iPod TED Talk. Season 2 will start on April 1st in the US. But I'll "have" to wait almost a year to get my hands on the Blu-Ray box set or the iTunes download.
I heard this talk in the last This Week in Tech with Leo Laporte.
Content industry: evolve with the digital world or vanish (applies to music, movies, books and press).
Before I die - Mentioned by Steve Gibson
Woohoo, I'm "Fabrice Roux in Marseille, France". A moment of "geek fame": security guru Steve Gibson mentions me for being a Twitter tipster for the EFF article about the Amazon Silk browser on Security Now #323.
Here is the incriminated tweet:
Amazon Silk browser properly handles SSL connections by not doing MITM acceleration. http://bit.ly/rbiDRr via @eff cc @SGgrc
2011.11.19 08:30