I want to start by saying we've used your site as an authority on RF Technology since we became interested earlier this year. Since then, you have risen in esteem within our ranks daily as we verify and cross-reference our data for accuracy.
You have the gratitude of a small but devoted company.
Earlier this year, we became aware of the vulnerabilities of the RF-enabled bank cards the banking industry are promoting and were, appropriately, concerned for the safety of our data. As we consider ourselves "Solution-oriented", we began immediately developing a response. What we came up with was a Faraday cage for your wallet, and called it "The Armadillo Dollar". (www.ArmadilloDollar.com)
Considering the lack of forthrightness by the issuing authorities, we have engaged in a campaign to 1) inform the general public and 2) offer our solution (Capitalism is a good thing!).
We would like to offer you guys an Armadillo Dollar for your testing and review. It is lightweight, durable, and, if I may say so myself, a product that's quite sexy!
If it meets your standards, we would love to include you in our marketing program as affiliates. I won't go into the money side, as I seek your endorsement first. Let's just say we compensate our "sneezers" well.
If the ArmadilloDollar sizzles for you, feel free to write me at my email below or call me at [redacted by Get Satisfaction at request of poster] and we'll chat.
I look forward to your response...
We asked a couple of folks about this, and got this response from someone we consider knowledgeable:
[I don't see why you'd need this. Said more colorfully.]
Any RFID tag that's used for payment of some sort has
security built in, like 'rolling code' schemes (the tag changes after
each authenticated read) or other sorts of authenticated interaction
(tag will pass on secret tag only after PKI handshake with trusted
the only tags that are easily clonable are the simple ones used in
I once thought the same as you, Tim. I asked the banks if it was safe, and queried a couple of firms that distribute the cards. For the most part, they had no idea.
What I found, the deeper I went down the rabbit hole, was there is quite a community out there dedicated to defeating every attempt at digital security the establishment comes up with.
I found six different designs posted for RFID skimming devices, two of which my tests confirm operational, and a plethora of software hacks.
Yes, there are software protocols available for this material, but the chips to utilize it are cost prohibitive. This sends the cost per card from a few pennies directly to a few dollars each.
Have you ever known a company that is all about money to opt for the most expensive of anything when they're the ones footing the bill? After all, they pass the cost of the theft along to their clients.
I recommend you access the Library at Dartmouth College (http://library.dartmouth.edu/eResourc...) and read "Vulnerabilities in First-Generation RFID-Enabled Credit Cards" for a start. Our field tests support their conclusions.
If you'd like to see what we've found, we'll be setting up a display at the TeraMark Gun Show in Phoenix November 30th to December 1st 2007. I invite you to come by and witness first hand that the signals can, and are, captured quite easily. Once captured, you don't really need to decipher them. All that's needed is to program a new card with the captured data.
Of course, there are exceptions to the rule, but if you're out there hunting, all you're interested in is the easy target, right?
I think there's a rising tide of "discoverable IDs." A good implementation in a payments device *ought* to be secure against skimming, but there's no guarantee of that, given the inherent risk of unintended flaws (Adi Shamir's recent comments about microprocessor faults being able to compromise public key schemes, etc.). I'd rate the risk of some device in your wallet being compromised as very, very low, on a par with your being mugged several times in a very good part of town, but it's probably not zero.
More interesting to me is the issue of RFID being *detected*... short of actually compromising a payment scheme, lifting a PIN, etc., is the issue of you being uniquely identified by something you're carrying. So while I may not be able to do anything to penetrate an account, I can know it was *you* that I saw at 7:30 am at the corner of 5th and Main. Now multiply that by 100M, and there's a lot of interesting, mineable stuff.
These guys aren't the first ones on the block, btw... MobileCloak has had stuff out for several years: http://www.mobilecloak.com/mobilecloak/ Though the bill-sized form factor is pretty cool.
I'd like to reference you to an article appearing in "Wired". You can find it at http://www.wired.com/wired/archive/14.... There, you'll find some interesting data as Ms. Annalee Newitz tells her side of the RFID and Credit Card sensitivity issues.
Far too little information is being disseminated about this to the public as consumers.
Sure, I'd like everyone to buy an Armadillo Dollar. It's sexy, it's cheap, it's durable, and (lest I forget!) it WORKS! The most important issue to me is education. Every consumer should be aware of the chinks in their armor. Otherwise, they can become victims like babes in the woods.
Locks serve to keep honest people honest. But (as they say in certain sandy countries) "Trust in God-but tie up your camel!"
I'll tell you all again, guys, and give you a place to start your education.
First, Tim, would you remove my phone number? I thought the first message was going to you privately.
Second, for all lookers, Google (use quotes) "RFID Hacking" and take a look.
After that, go to ArmadilloDollar.com and see some mainstream news videos. If that doesn't begin to get your attention, then I don't know what will.
Further, you'll find some interesting equipment at RFIDIOt.org. Software AND hardware at the same site to serve all your "development project" needs!
I've been quite busy with our product entering a new market (www.ArmadilloCardShield.com) and thought I might see if there were more updates.
Tim, I know you're an expert and you have a few experts around you upon which you rely. I want to point out something. When someone has bought into a thing, they tend to look at it from the inside out. That is not the way hackers think.
Google this: "Proxmark3". If, after reading about this readily available device (and software), you still believe this is not an issue, then I'll respect your position and leave you alone.
Everybody is entitled to satisfaction with their level of education and I won't contest that for you.
You've been great.