Re: how to read information from RFID equipped credit cards
On Tue, Apr 01, 2008 at 12:47:45AM +1300, Peter Gutmann wrote: Ben Laurie [EMAIL PROTECTED] writes: And so we end up at the position that we have ended up at so many times before: the GTCYM has to have a decent processor, a keyboard and a screen, and must be portable and secure. One day we'll stop concluding this and actually do something about it. Actually there are already companies doing something like this, but they've run into a problem that no-one has ever considered so far: The GTCYM needs a (relatively) high-bandwidth connection to a remote server, and there's no easy way to do this. Cell phones have that. The bigger problem is pairing with the local POS (or whatever), which is where NFC comes in -- the obvious thing to do here is to make this pairing not-really-wireless (e.g., the cell phone could scan a barcode from the POS, or the POS could scan a barcode displayed by the cell phone, or both, or any number of variants of this). (Hint: You can't use anything involving USB because many corporates lock down USB ports to prevent data leaking onto other corporates' networks, or conversely to prevent other corporates' data leaking onto their networks. Same for Ethernet, Firewire, ...). Right, it's got to be wireless :) Nico -- - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: how to read information from RFID equipped credit cards
Victor Duchovni [EMAIL PROTECTED] writes: Lock USB down completely, or block most devices and allow approved ones? There is a non-empty set folks doing the latter, which opens the possibility of this type of device being permitted, while others are restricted. Lock it down completely. What really panicked the mgt. wasn't so much the thought of their data appearing on other organisations' networks but cases where other organisations' data had appeared on *their* network (due to, in some cases, overzealous employees, in another case an outside contractor, and in another someone who wanted to sell them commercially useful information). Data leakage should not be a concern if the device is built/marketted correctly. You want to explain that to management terrified of criminal prosecution? I got the feeling from talking to the IT security guy in the case of the suspected commercial espionage that the management really wanted to pour quick-setting concrete into the USB ports just to be absolutely sure. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: how to read information from RFID equipped credit cards
On Tue, Apr 01, 2008 at 12:47:45AM +1300, Peter Gutmann wrote: Actually there are already companies doing something like this, but they've run into a problem that no-one has ever considered so far: The GTCYM needs a (relatively) high-bandwidth connection to a remote server, and there's no easy way to do this. You can get a fairly high-bandwidth channel with 2D barcodes. It's uni-directional, but that's enough for many useful scenarios. The data gets shown on the PC monitor and is captured by a ubiquitous camera-phone or a dedicated locked-down device. This approach avoids the problems you mentioned about USB/Firewire/Ethernet lockdown. Disclosure: I work for a company, Cronto, which makes a product based around this technology -- http://www.cronto.com/ Steven. -- w: http://www.cl.cam.ac.uk/users/sjm217/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: how to read information from RFID equipped credit cards
Steven J. Murdoch [EMAIL PROTECTED] writes: You can get a fairly high-bandwidth channel with 2D barcodes. It's uni- directional, but that's enough for many useful scenarios. The data gets shown on the PC monitor and is captured by a ubiquitous camera-phone or a dedicated locked-down device. This approach avoids the problems you mentioned about USB/Firewire/Ethernet lockdown. That's what one company ended up using, not specifically 2D barcodes but a visual channel via the PC monitor (actually nothing like 2D barcodes in this particular case :-). The problem is, as you point out, that the channel is unidirectional and not very high-bandwidth. This makes the crypto very hard because you have to roll your own protocols and mechanisms and everything ends up custom and nonstandard. Here's an interesting crypto design problem, how do you do something like S/MIME or PGP (to submit or receive an authenticated request/purchase order/ whatever) with a relatively low-bandwidth channel in one direction and almost no channel (perhaps humans typing in a 4-digit number) in the other, and without requiring huge amounts of oddball custom crypto mechanisms. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: how to read information from RFID equipped credit cards
On Tue, Apr 01, 2008 at 12:47:45AM +1300, Peter Gutmann wrote: Actually there are already companies doing something like this Which ones do you think are doing a decent job of this? but they've run into a problem that no-one has ever considered so far: The GTCYM needs a (relatively) high-bandwidth connection to a remote server, and there's no easy way to do this. (Hint: You can't use anything involving USB because many corporates lock down USB ports to prevent data leaking onto other corporates' networks, or conversely to prevent other corporates' data leaking onto their networks. Same for Ethernet, Firewire, ...). Lock USB down completely, or block most devices and allow approved ones? There is a non-empty set folks doing the latter, which opens the possibility of this type of device being permitted, while others are restricted. Since *all* it needs is the ability to call home to its server, and register to send/receive messages, it will not look like mass-storage, and should not look like a network interface. Data leakage should not be a concern if the device is built/marketted correctly. -- Viktor. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: how to read information from RFID equipped credit cards
Ben Laurie [EMAIL PROTECTED] writes: And so we end up at the position that we have ended up at so many times before: the GTCYM has to have a decent processor, a keyboard and a screen, and must be portable and secure. One day we'll stop concluding this and actually do something about it. Actually there are already companies doing something like this, but they've run into a problem that no-one has ever considered so far: The GTCYM needs a (relatively) high-bandwidth connection to a remote server, and there's no easy way to do this. (Hint: You can't use anything involving USB because many corporates lock down USB ports to prevent data leaking onto other corporates' networks, or conversely to prevent other corporates' data leaking onto their networks. Same for Ethernet, Firewire, ...). Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: how to read information from RFID equipped credit cards
Ben Laurie wrote: Then we get to the next problem: we don't trust the device with the keypad and display. So, we need to add that to the GTCYM (Gadget That Controls Your Money). And so we end up at the position that we have ended up at so many times before: the GTCYM has to have a decent processor, a keyboard and a screen, and must be portable and secure. Sounds remarkably like a cell phone with an NFC One day we'll stop concluding this and actually do something about it. Some of the poorest third world countries and some ex communist countries are adopting mobile phone banking, for example https://www.mpay.pl/en/, perhaps because they are not weighed down with twentieth century infrastructure, but until cell phones come routinely equipped with NFC, you cannot use a cell phone to pay for groceries. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: how to read information from RFID equipped credit cards
Ben Laurie wrote: [snip] And so we end up at the position that we have ended up at so many times before: the GTCYM has to have a decent processor, a keyboard and a screen, and must be portable and secure. One day we'll stop concluding this and actually do something about it. And it can almost certainly be done with the current technology. Arnnei Speiser at http://www.megaas.co.nz/ has a two factor one time password application that runs on a java enabled cellphone. If he can do this I suspect it is but short hop to what you suggest. He has a bank demo that is worth looking at as a potential model. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: how to read information from RFID equipped credit cards
Perry E. Metzger wrote: Nothing terribly new here -- short interview with someone who bought an RFID credit card reader on ebay for $8 and demonstrates getting people's credit card information at short distances using it. Still, it is interesting to see how trivial it is to do. http://www.boingboing.net/2008/03/19/bbtv-how-to-hack-an.html Yeah, but... He's talking bollocks when he says that the decryption should be done in some secure datacentre. That wouldn't save you unless there was some kind of handshake with the card - and the trouble is, those cards don't have the power to do any real crypto. In the absence of something to prevent MitM, you would just intercept the encrypted contents of the card, and then use that. So why bother to encrypt it? So, the bottom line is you need more horsepower in the gadget that controls your money, so you can do real crypto. Then we get to the next problem: we don't trust the device with the keypad and display. So, we need to add that to the GTCYM (Gadget That Controls Your Money). And so we end up at the position that we have ended up at so many times before: the GTCYM has to have a decent processor, a keyboard and a screen, and must be portable and secure. One day we'll stop concluding this and actually do something about it. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.links.org/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
how to read information from RFID equipped credit cards
Nothing terribly new here -- short interview with someone who bought an RFID credit card reader on ebay for $8 and demonstrates getting people's credit card information at short distances using it. Still, it is interesting to see how trivial it is to do. http://www.boingboing.net/2008/03/19/bbtv-how-to-hack-an.html -- Perry E. Metzger[EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
