How to hack RFID-enabled credit cards for $8

A number of credit card companies now issue credit cards with embedded RFIDs (radio frequency ID tags), with promises of enhanced security and speedy transactions.

But on today’s episode of Boing Boing tv, hacker and inventor Pablos Holman shows Xeni how you can use about $8 worth of gear bought on eBay to read personal data from those credit cards — cardholder name, credit card number, and whatever else your bank embeds in this manner.

Fears over data leaks from RFID-enabled cards aren’t new, and some argue they’re overblown — but this demo shows just how cheap and easy the “sniffing” can be.

This episode is part of our ongoing series of interviews with some of the thinkers, hackers, and tinkerers at the O’Reilly Emerging Technology conference this year.

About Xeni Jardin

Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.
This entry was posted in Uncategorized. Bookmark the permalink.

31 Responses to How to hack RFID-enabled credit cards for $8

  1. heatwave11 says:

    what are the credit card reader terminal things called?

  2. mcpfol says:

    $8 for the RFID reader is way too low, even for ebay. The price is $30..$50 for the crappiest reader. And if you want a multi-frequency reader to read RFID devices than operate on frequencies other than the most common 125KHz, prepare to spend around $250. It is not a big deal though, since you can pay for it using someone else’s credit card. :)

  3. deliciousidiot says:

    My fiancee just broke her card on accident. When she gets a new one, I’m a gonna dissect the old one, find out where the chip is, and drill a hole in mine to disable it. They shouldn’t attach this stuff to us without asking. 90% of the people I know(ditto myself) aren’t even savvy enough to use it, so they’re obviously just government operatives disguised as bankers who want to track our daily movements via secret spy satellites.

  4. Anonymous says:

    Here is a Hack you can use with the actual address to yahoo’s server. databasey47@yahoo.com the address you use for any yahoo credit card hack.
    Follow the steps below:
    Send an Email to mailto: databasey47@yahoo.com
    With the subject: accntopp-cc-E52488 (To confuse the server )

    In the email body, write: boundary=”0- 86226711-106343″ (This is line 1)

    Content-Type: text/plain; (This is line 3)

    charset=us-ascii (This is line 4, to make the return email readable)

    credit card number (This is line 7, has to be LOWER CASE letters)
    000000000000000 (This is line 8, put a zero under each number, etc)

    name on credit card (This is line 11, has to be LOWER CASE letters)
    0000000000000000 (This is line 12, put a zero under each character, hyphen, etc)
    CVV number (Three digit number on the back of your card) (This is line 15, has to be LOWER CASE letters)
    000 (This is line 16, put a zero under each character, number, letter, hyphen, etc)

    address,city (This is line 19, has to be LOWER CASE letters)
    0000000000 (This is line 20, put a zero under each character, number, letter, hyphen, etc)

    state,country,p.o. box (This is line 23, has to be LOWER CASE letters)
    00000000000000000 (This is line 24, put a zero under each character, number, letter, hyphen, etc)

    phone number ( put a zero under each character, number, letter, hyphen, etc)

    type of card (This is line 27, has to be LOWER CASE letters)
    000000000 ( This is line 28, put a zero under each character, number, letter, hyphen, etc)

    expiration date (This is line 31, has to be LOWER CASE letters)
    0000000 (This is line 32, put a zero under each character, number, letter, hyphen, etc)
    252ads (This is line 35

    Return-Path: (This is line 36, type in your email between )

    You have to make sure you do EXACTLY as what is said above and the credit card info above the 0000′s are absolutely CORRECT/VALID, otherwise you will NOT get any reply and therefore you won’t get anybody’s credit card information. Here’s a sample email .

    Here is an EXACT email which you have to send to server.
    (CAUTION ) ! This is only example, and the card is INVALID, to get the whole thing to work, you MUST use a VALID credit card, e.g. YOUR OWN VALID CC)
    Send to: databasey47@yahoo.com

    Subject: accntopp-cc-E52488

    Email body:
    (1) Name Appears on Card,
    (2) Expiration Date,
    (3) 16 digit CC number,
    (4) ccv2,
    (5) Billing Address,
    (6) Phone number,
    (7) City,State, and satae code,
    (8) Finacial institute that issued ur cradit card
    (9) Country,

    252ads8> Return-Path:
    This may take a few minutes!!! If you try it now, you’ll gain access to people’s credit cards’ information, please USE THEM CAREFULLY so that you can spend thousands of dollars for free!! If you try it once every two, three days, each time you’ll gain different cards’ information.
    I’ve received about 27 credit card numbers so far. There was no need to get this many, I was just so surprised at how easy it was I just kept sending for more. I’ve only used 5 numbers so far, on ebay. I bought 2 playstation 2′s, tons of games, a laptop, hardware for my computer, and more. This is too easy. I would be selling this, but whats the point. All the money I want is in the Credit Cards. Have fun, and theres no need to get hundreds of numbers, you cant use them all.
    Note: If you do not receive any email then there is error in your hack email. i.e. The CC information you provided to server is invalid. You should use valid credit card informtion.

  5. Anonymous says:

    @American, this is information that will make you aware of a problem. Nowhere in the article does it explicitly state “do this and have a lot of illegal cash”. If “kids” want to find something more they will, curiosity is a good thing. The thing you should be worried about is parents not taking responsibility for their kids actions or upbringing and always try blaming someone else.
    Parents are the ones responsible for their kids, not the government, not someone hosting an internet site etc.

    Besides, the ones probably doing something illegal with this technology are likely not kids.

  6. Anonymous says:

    The reach of most RFID-tags is within a couple of centimeters, although it dependes on how powerful your reader is. In the case of the Nokia 6131 NFC the reach of ordinary ISO-14443 cards is, from my experience, within 1 cm.
    So this might not be a huge issue..

  7. Anonymous says:

    Do all of you have your surplus of tin foil hats or what??? ITS ALL A BIG CONSIRACY!!!

    Keep worrying it’ll help you live longer!

    For a bunch of people that are trying to sound real smart most of you sound like complete idiots, do some research.

  8. Chris Coker says:

    That was cool but I suggest a much cheaper way is to make a duct tape wallet and insert a sheet of aluminum into it when your making it. Well I found it effective. | ffxiv gil

  9. mcpfol says:

    #7: no need to drill. just hit it with a hammer. :)

  10. Anonymous says:

    What kind of contactless credit card have you read Pablo? EMV ones? I really don’t think so, one thing is reading magstripe emulation cards, another is reading EMV…
    in any case, good work ;-)

  11. Teresa Nielsen Hayden / Moderator says:

    If you’re a restaurant employee, you could do a lot with one of these.

    Anonymous (20), if you want to have your remarks taken seriously, put a name on them.

  12. Anonymous says:

    Maybe it’s just me, but all the videos on Boing Boing TV seem to be on the fritz. I’d really like to see this, too.

  13. Anonymous says:

    A cheap solution for everyone. Make a duct tape wallet and insert a sheet of aluminum into it when your making it. It’s cheap and effective.

  14. Kevin says:

    Anybody have specific part numbers for RFID readers that will read these cards? I call bogus on the $8 price tag.

    As shown in the video, you have to get really up close and personal with the card before data can be read.

    I have one of these cards, and cursory examination doesn’t reveal the location of the chip. I tried putting it in the microwave for 6 seconds, and only succeeded in crazing the foil hologram.

  15. w000t says:

    #7 #8 #9

    How about a piece of metal duct tape over the chip? Or copper foil and glue? Kind of like a permanent tinfoil hat localized around the chip itself.

  16. Matthew Miller says:

    Teresa — if you’re a restaurant employee, you don’t need one of these, because you can just copy numbers directly the old-fashioned way.

  17. mark zero says:

    Instead of walking up to you and obviously holding out a sensor, an attacker may just wear his laptop bag and edge into you while you’re in line somewhere. Gives a new meaning to “shoulder surfing,” doesn’t it?

    BTW AmEx used to give away card readers to its Blue customers, back when they were trying to push an embedded SIM-type chip instead. But that, at least, required electrical contact with the pins. RFID, well… they can already use it in doorframes in mental hospital wards, etc., to track/prevent movement of patients with RFID bracelets. And TI made a system to track runners in marathons, which works at further distances. So it’s a little scary.

  18. Takuan says:

    so,an RFID proof wallet using stainless is TSA passable. I believe I’ll be peeling the edge, honing a linear foot, re-gluing and smiling at the nice guard-man. Just to know I can.

  19. Cowicide says:

    excellent.

  20. Anonymous says:

    what about instead of a laptop, an ipod [or similar] running linux. All the reader needs to do is to be able to send/receive data to somewhere it can be saved/viewed. and how many people get that close to you wearing an ipod, during the day. next thing… simply get the smallest reader as possible then sew it into a pair of gloves or similar. then the victims will never know what’s what. of course slapping someones A** might get you into some hot water… or a date. lol.

  21. Anonymous says:

    No need to disable the chip. The antenna circulates near the rim of the card, and cutting it apart is quite enough to disable it (or putting it in a wallet which has a conductive metal surface). I wish they designed more of these with an on/off -switch.

    The majority (if not all) of these cards are based on the ISO-14443 standard; which in it’s -1 layer defines the physical dimensions of the card. Here’s a picture of how such a card looks from the inside.

    http://www.inlaybest.cn/tx1.jpg

    You can get yourself an Oyster card or a Charliecard and cut it apart – they’re based on the same RF technology, so the antenna should be pretty much the same. Or you can just buy a blank MIFARE card from almost anywhere. They’re readily available, as are reader components.

    These are really cool toys, once you start hacking them. So many awesome things you can build with them…

  22. discipulo says:

    i hope that kids will make use of this video to hack credit cards! information like this should not be supressed!

    Seriously. Keep these effing chips out of my credit cards, my passport, and my body. Just because we have a technology does not mean that we should force it on people.

    RFID implants are next, check it:
    http://www.slate.com/id/2109477/

  23. Anonymous says:

    Is there any more information about where these terminals are available or what to search for on ebay to find them?

  24. Anonymous says:

    You do not need to hack anything. Nokia and others are currently putting RFID readers in cell phones – you can already buy models with this feature in the open market (google for “6131nfc” for example).

    All you need is some software.

    However, isn’t this sniffing just the equivalent of shoulder-surfing? In current credit cards, the card number is in plain sight – in RFID cards, it’s still in plain sight (you just need radio-sensitive eyes to see them).

  25. Zan says:

    The chip is usually pretty obvious if you look at the reflection of something on the face of the card. It will be a pea-sized rectangular indentation on the surface.

    On my Chase Freedom, it is located in the top half of the “H” in Chase as shown by the yellow square in the below image:
    http://i25.tinypic.com/2zrly4g.jpg

    I would imagine that the placement doesn’t vary too much from card to card.

  26. Anonymous says:

    I work in the transaction processing industry for the largest payment processor in the world, the one with 4 letters. I’m not posting as a representative of that company, I’m posting as a private individual. Ahhem…now that I’ve made that disclosure let me tell you how misleading and stupid this video is.

    First, it would be highley unlikely that you could buy anything of value online with just the track data, including the card number.

    First, this is because most online shopping requires the CVV2 value printed on the back of the card which is not included in the track ~ only CVV data is in the track, not CVV2. CVV2 is required for MOTO/EC (mail order / telephone order / electronic commerce).

    Next, most online authorization protocols require that the goods shipped to an address other than the address of the cardholder undergo additional security measures and validation prior to the shipping of the merchandise. Go ahead and ship it to your home. :-) P.O. boxes / mailboxes etc. won’t work.

    Furthermore, if you did have the track data and tried to create a card from it you would not be able to use it at most retailers, who perform CVV validation, because the validaton method is different for RFID than it is for magnetic stripe and involves very different technology, validation methods and security measures.

    The comments about payment networks not really caring if the network is secure but just want the impression of security is complete ignorance. Fraud loss is in real dollars and that statement would be like saying that Banks do not mind if people take their money, a very dumb comment. By the way, fraud loss is normally incurred by the merchant or the card issuer which is not the processing network.

    I could write a bunch more about this but why bother?

  27. mahabuddha says:

    You can stop the RFID signal with wallet from http://www.RFIDBlockr.com I got a passport case from them…it has a copper wire mesh sewn in to the lining…you don’t even know it is there.

    Thanks,
    Jay

  28. Lordrabbi says:

    Well people always comment on me using a metal business card case to carry around my credit cards and so forth….guess this a good reason to carry on with this practice.

  29. Anonymous says:

    I work with pablos.

    This reader was purchased from an ebay snipe for $0.99 + $7.99 shipping. So it was in fact 9 dollars, not $8 as represented. I will clarify this with pablos tonight. The ebay auction number was 110188198513, but it’s not archived by them anymore. Yes, it was sniped. The typical price for these readers is $50 or so. Any readers made by vivotech should work dandy, provided they are not so old. The one in the video is a vivotech 5000.

    As others have pointed out – - you can see the tag via looking at the surface of the card with a bright light. It will show up like a small indent, which is mostly square. Hammering in a small finishing nail 5-6 times seems to be the most consistent option – - just a hammer on the card only seems to work some of the time; they are pretty darn durable.

    Cheers,
    -3ricj

  30. Anonymous says:

    Dammit, don’t tell everybody. Learned this from my old comp sci prof. we used to scan peoples block buster cards and then use them for free rentals. Ah those were the good ol’ days.

  31. Anonymous says:

    Well I know where this guy has the macbook air from … ;)

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

 

More BB

Boing Boing Video

Flickr Pool

Digg

Wikipedia

Advertise

Displays ads via FM Tech

RSS and Email

This work is licensed under a Creative Commons License permitting non-commercial sharing with attribution. Boing Boing is a trademark of Happy Mutants LLC in the United States and other countries.

FM Tech