mindspork t1_j5ait8g wrote
Reply to comment by DrFriedGold in TIL The writer for "Die Hard with a Vengeance" was investigated by the FBI after they revealed that his story's plan of robbing the Federal Reserve through a breached subway wall would have worked by fortifier22
I still remember the story about how they got bullied out of doing an RFID myth segment because 1) the security was actually atrocious on the damn things and 2) Visa, Mastercard, Discover, and their lawyers got on Discovery and were like "You will not do this episode."
https://www.tomshardware.com/news/Mythbuster-RFID-HOPE,6313.html
nitefang t1_j5c66if wrote
It is really interesting though, I just did some VERY SHALLOW research into RFID security because I'm about to be traveling internationally. It turns out that paying anything extra for an RFID blocking wallet or passport holder is essentially a waste of money.
Short list of reasons is
- For most credit cards, you can't make a transaction with only the RFID info which could be potentially skimmed and copied. Even when you don't have to enter a PIN number or anything, there is a verification process going on that can't be saved and used again later.
- While security experts and "white-hat/grey-hat hackers" at the DEF-CON "hacker convention" proved it is possible to skim RFID data at long range, it appears no criminals have found a way to use this technology to steal information. At least there aren't any known cases of it being done to steal credit card data for nefarious reasons successfully.
- In the case of Passports, the information transmitted is encrypted, for it to be useful to skim a passport you'd also need access to an encrypted and secured government database.
- For large purchases and withdrawals, you should be required to enter a pin number.
​
I won't pretend to be an expert on this, I don't fully grasp how various public-key encryption technology works (tried to learn a few times, always seems like magic or math only a genius can understand). But here is an article I found.
TL;DR: RFID isn't even that insecure, at least not anymore, I'm not sure what the credit card companies were freaking out about. If you are really worried about it, RFID wallets aren't too expensive, and just check for close-range skimmers by pulling on card readers to make sure they are real.
a_rainbow_serpent t1_j5c9zlx wrote
Security on paywave/ rfid transactions is the spend limit ($100), transaction analytics and insurance. I had some teenagers pinch my card and go on a short shopping spree. The bank reversed the 20 odd transactions that I couldn’t identify without a second question.
TeamGodzilla t1_j5cerak wrote
In Canada, the limit is up to the store and/or the card holder. I have mine set to $25.00
bak3donh1gh t1_j5coz7j wrote
God that's low. Mines lower than $200 for sure. I've been pretty lucky in that the only time I lost a credit card at the bus stop, a nice older gentleman found it. Called all the people with the same last name in my area, and I think got in contact with my Grandpa at the time. I don't think I had noticed yet that I had lost it. I also didn't even know about Tap and pay at the time, somehow. So after he ID me when I came to pick it up and said well it's a good thing they don't have my pin, he explained that CCs have Tap on them.
Nowadays, I use Tap on my watch when I can.
TeamGodzilla t1_j5cu8y7 wrote
I was just going to say, I use tap on my phone.
bak3donh1gh t1_j5czomr wrote
I never bothered with the phone tap and pay b/ I was gunna pull something out, might as well be the card. That and some terminals being not compatible, while a card always is.
Though part of the reason for using the watch these days is it's basically always out and to help justify to myself how much I spent on it.(and now watch straps) Though when a terminal either doesn't have tap or the spot is in a weird spot I look kinda dumb, or at least in my head i do.
blue_bomber697 t1_j5d5ndx wrote
I have forgotten/left my wallet at home/work several times before where the phone payment was clutch. I don’t use it often, but it’s great to have it as an option.
blue_bomber697 t1_j5d5tob wrote
My tap is at $200. Very convenient for smaller purchases. It’s nice that Canada has allowed modifications for the card taps.
MacDegger t1_j5cpu4n wrote
This is not true. For #1, 2 and 4 cloning is sufficient and does nit rely on breaking encryption (well, actually it does, kinda, but not in a way that is relevant to cloning).
Also, check this:
nitefang t1_j5dh72a wrote
With 4 you can't just clone the card though, you also need the PIN which you cannot get via skimming. And I didn't see them explaining what method they used to skim the card.
disruptioncoin t1_j5csmgf wrote
There was a vulnerability for a while where some researchers found that they could exceed the transaction value limit for "tap to pay" (RFID) by changing the currency on the app to a different currency (they changed it from US dollars to yen or something, for example). Typically you can only charge like $35 that way without any kind of pin or anything. They showed you could just tap your phone to someone's wallet in passing and charge thousands of dollars to their card. Imagine walking through the subway with an amplifier antenna on your phone and zapping thousands of dollars per person from every card you pass. I believe they notified the offending banks before publishing this research but still, just goes to show that sometimes these things slip though the cracks. It's probably pretty safe now but idk, better safe than sorry.
nitefang t1_j5dhnqq wrote
Like I said, DEF-CON proved it was possible forever ago, but there haven't been large scale operations doing long range skimming. When it does happen it is done almost like a pick pocket or via a nefarious skimmer attached to a genuine POS.
bad_robot_monkey t1_j5dp3s1 wrote
It’s more along the lines of “what’s the most efficient way of stealing credit cards without getting caught, equipment used on-site or a remote hack and downloading thousands at a time?”
If you’re specifically targeted, it’s a different deal…but then you have to ask yourself why you were being specifically targeted…
Viewing a single comment thread. View all comments