You don't need a tinfoil hat, either. Opportunists have exploited consumer fears to create an industry that doesn't need to exist.
Because I’m a computer security guy, I have friends who like to show off
their new RFID-blocking wallets and purses. "Look what I got for
Christmas!" they say. My lack of response should be telling, but they
don’t seem to pick up on it.
They've seen the TV ads about malicious hackers who can “stand on any
street corner” and wirelessly steal their credit card and other identity
information. I've seen similar demonstrations at Black Hat and other
computer security conferences for nearly a decade now. They never fail
to wow the audience.
An entire, multi-billion-dollar RFID-blocking industry has emerged. You
can get RFID blocking for almost any object you own. Some of my friends
have so much faith in RFID-blocking products that they buy expensive,
customized purses and wallets. These are the same people who drive extra
miles to save a few cents on gas.
It goes to show that humans don’t evaluate risk very well.
The RFID fallacy
RFID technologies have been around for a long time, and they're now
included in more and more items. Yes, your RFID products can possibly be
read from a distance. Yes, a hacker might be able to read your credit
card information remotely as you pass by. But before you buy an
RFID-blocking product, ask yourself if you're worrying about the right
things.
First and foremost, does your credit card actually have an RFID
transmitter? The vast majority do not. Have you ever been told you can
hold up your credit card to a wireless payment terminal, and without
inserting your card, pay for something? For most of my friends, and the
world in general, the answer is no.
Most RFID-enabled credit cards are heavily marketed as capable of being
used wirelessly. They have names that imply wireless payment: PayPass,
Blink, PayWave, Express Pay, and so on. Usually they bear a little RFID/contactless payment logo.
Hint: The new little golden metallic square on your new credit card does
not indicate RFID. Also, many new contactless payment cards will have
chip-and-PIN protection -- or will use the chip to securely protect even
RFID communications.
If you look at the number of credit cards with RFID, you can’t even
represent it statistically. It’s not 0 percent, but it’s so far below 1
percent that it might as well be 0 percent. Part of the problem is that
every major credit card vendor came out with its own version, so vendors
and merchants had to physically support the same standards. Most people
don’t want to have to figure out which vendors support which wireless
cards and go get that specific card type.
On top of that, most of the world is going to wireless payments using
your mobile device. Apple Pay had more users and adopters in its first
day in the market than all active users of RFID credit card products
combined. Apple Pay works with every credit card you have, as long as
your vendor supports Apple Pay. Did I mention that Apple Pay is far more
secure in almost every way?
RFID cards are coming with chip-and-PIN protections, and the lessons
learned from Apple Pay (and other mobile phone wireless payment
solutions) are migrating to credit cards. The days when a bad guy can
sit on a corner and sniff your credit card information out of thin air
are numbered.
Entertainment for the paranoid
But did that bad guy ever sit on the corner in the first place? Sure,
I’ve seen the demos, but I’ve yet to hear of one criminal who was caught
using an RFID sniffer or who admitted to stealing credit card info
wirelessly. We know about all sorts of cyber crime. Why not the theft of
RFID credit card information if the risk is so high?
Here's why: It would be a lousy use of a criminal mastermind’s time.
Today’s smart criminals break into websites and steal hundreds of
thousands to tens of millions of credit cards at a time. Why would a
criminal go to the effort and expense of stealing credit card info one
card at a time when you can steal a million in one shot?
If a criminal wants a credit card or even your specific credit card, he
or she can buy it for a few bucks from several places on the Internet.
In fact, it's significantly cheaper than buying all the necessary RFID
attack equipment and sitting in a public square (which is likely to have
one or more security cameras trained on it these days).
Still worried? If you actually have an RFID-enabled credit card, it
turns out aluminum foil does the job as well as, if not better than, an
expensive RFID-blocking sleeve. I know I’m going to get email from
RFID-blocking vendors saying their products protect better than aluminum
foil. No doubt that's true in some cases.
But if you're worried about that, you should also be wrapping your car keys in aluminum foil. Now
we're in the paranoid zone. I’ve heard from readers who have -- I’m not
making this up -- removed every electronic product in their house due
to hacking fears. They’ve sold their new cars with embedded computers
and gone back to older models without any. I can’t tell if I’m dealing
with regular paranoid people or true paranoid schizophrenics.
If you have a credit card, there’s a huge risk it will be hacked, but
not by a guy sitting on a corner sniffing for your card as you walk by.
The former is a fact of life. In the latter case, you might have a
better chance of winning the lottery.
Source: InfoWorld