A comment on the question "How do we get a message to TIm?" in O'Reilly Media:
Ron: I've removed your phone number, per your request. – Eric Suesz, on April 14, 2008 04:49
Ron Hatton replied on April 14, 2008 03:37 to the question "How do we get a message to TIm?" in O'Reilly Media:
I'll tell you all again, guys, and give you a place to start your education.
First, Tim, would you remove my phone number? I thought the first message was going to you privately.
Thank You.
Second, For all lookers, Google (use quotes) "RFID Hacking" and take a look.
After that, go to ArmadilloDollar.com and see some mainstream news videos. If that doesn't begin to get your attention, then I don't know what will.
Further, you'll find some interesting equipment at RFIDIOt.org. Software AND hardware at the same site to serve all your "development project" needs!
Ron Hatton replied on November 28, 2007 13:45 to the question "How do we get a message to TIm?" in O'Reilly Media:
I'd like to reference you to an article appearing in "Wired". You can find it at http://www.wired.com/wired/archive/14.... There, you'll find some interesting data as Ms. Annalee Newitz tells her side of the RFID and Credit Card sensitivity issues.
Far too little information is being disseminated about this to the public as consumers.
Sure, I'd like everyone to buy an Armadillo Dollar. It's sexy, it's cheap, it's durable, and (lest I forget!) it WORKS! The most important issue to me is education. Every consumer should be aware of the chinks in their armor. Otherwise, they can become victims like babes in the woods.
Locks serve to keep honest people honest. But (as they say in certain sandy countries) "Trust in God-but tie up your camel!"
Ross Stapleton-Gray replied on November 27, 2007 00:20 to the question "How do we get a message to TIm?" in O'Reilly Media:
I think there's a rising tide of "discoverable IDs." A good implementation in a payments device *ought* to be secure against skimming, but there's no guarantee of that, given the inherent risk of unintended flaws (Adi Shamir's recent comments about microprocessor faults being able to compromise public key schemes, etc.). I'd rate the risk of some device in your wallet being compromised as very, very low, on a par with your being mugged several times in a very good part of town, but it's probably not zero.
More interesting to me is the issue of RFID being *detected*... short of actually compromising a payment scheme, lifting a PIN, etc., is the issue of you being uniquely identified by something you're carrying. So while I may not be able to do anything to penetrate an account, I can know it was *you* that I saw at 7:30 am at the corner of 5th and Main. Now multiply that by 100M, and there's a lot of interesting, mineable stuff.
These guys aren't the first ones on the block, btw... MobileCloak has had stuff out for several years: http://www.mobilecloak.com/mobilecloak/ Though the bill-sized form factor is pretty cool.
Ron Hatton replied on November 26, 2007 20:02 to the question "How do we get a message to TIm?" in O'Reilly Media:
Ron Hatton replied on November 26, 2007 15:21 to the question "How do we get a message to TIm?" in O'Reilly Media:
I once thought the same as you, TIm. I asked the banks if it was safe, and queried a couple of firms that distribute the cards. For the most part, they had no idea.
What I found, the deeper I went down the rabbit hole, was there is quite a community out there dedicated to defeating every attempt at digital security the establishment comes up with.
I found six different designs posted for RFID skimming devices, two of which my tests confirm operational, and a plethora of software hacks.
Yes, there are software protocols available for this material, but the chips to utilize it are cost prohibitive. This sends the cost per card from a few pennies directly to a few dollars each.
Have you ever known a company that is all about money to opt for the most expensive of anything when they're the ones footing the bill? After all, they pass the cost of the theft along to their clients.
I recommend you access the Library at Dartmouth College (http://library.dartmouth.edu/eResourc...) and read "Vulnerabilities in First-Generation RFID-Enabled Credit Cards" for a start. Our field tests support their conclusions.
If you'd like to see what we've found, we'll be setting up a display at the TeraMark Gun Show in Phoenix November 30th to December 1st 2007. I invite you to come by and witness first hand that the signals can be, and are, captured quite easily. Once captured, you don't really need to decipher them. All that's needed is to program a new card with the captured data.
Of course, there are exceptions to the rule, but if you're out there hunting, all you're interested in is the easy target, right?
timoreilly, an employee of O'Reilly Media, replied on November 24, 2007 04:33 to the question "How do we get a message to TIm?":
We asked a couple of folks about this, and got this response from someone we consider knowledgeable:
[I don't see why you'd need this. Said more colorfully.]
Any RFID tag that's used for payment of some sort has security built in, like 'rolling code' schemes (the tag changes after each authenticated read) or other sorts of authenticated interaction (tag will pass on secret tag only after PKI handshake with trusted readers).
The only tags that are easily clonable are the simple ones used in supply-chain management.
Ron Hatton asked a question in O'Reilly Media on November 23, 2007 16:46:
How do we get a message to TIm?
I want to start by saying we've used your site as an authority on RF Technology since we became interested earlier this year. Since then, you have risen in esteem within our ranks daily as we verify and cross-reference our data for accuracy.
You have the gratitude of a small but devoted company.
Earlier this year, we became aware of the vulnerabilities of the RF-enabled bank cards the banking industry are promoting and were, appropriately, concerned for the safety of our data. As we consider ourselves "Solution-oriented", we began immediately developing a response. What we came up with was a Faraday cage for your wallet, and called it "The Armadillo Dollar". (www.ArmadilloDollar.com)
Considering the lack of forthrightness by the issuing authorities, we have engaged on a campaign to 1) Inform the general public and 2) offer our solution (Capitalism is a good thing!).
We would like to offer you guys an Armadillo Dollar for your testing and review. It is lightweight, durable, and, if I may say so myself, a product that's quite sexy!
If it meets your standards, we would love to include you in our marketing program as affiliates. I won't go into the money side, as I seek your endorsement first. Let's just say we compensate our "sneezers" well.
If the ArmadilloDollar sizzles for you, feel free to write me at my email below or call me at [redacted by Get Satisfaction at request of poster] and we'll chat.
I look forward to your response...