16

RFID/NFC technology is used in credit cards and many other personal identification applications.

Is it possible/how easy is it to clone a card using a simple RFID reader?

In other words, can the retrieved information be reused in the future by the attacker?

Sparkler
  • 795
  • 4
  • 7
  • 19

3 Answers

11

If it is a basic data providing tag, then it can be cloned. If it is a secure tag, it is far more difficult.

For secure cards used for payments and authentication, a private key is loaded on to the card and the card never discloses it. The public key is kept by the bank or whoever needs to be able to verify that the card was used. If, for example, the card is used for a payment, the vendor's terminal feeds information about the transaction to the card and asks the card to sign the transaction. The card signs the transaction and returns the signature to the reader. This signature allows the vendor to prove to the credit card company that the card was used for that transaction, but it doesn't give the vendor the information needed to clone the card.

There are potentially ways to etch off layers of the card and directly access the circuitry that holds the keys, but such methods are unreliable and difficult to execute, particularly since a good secure tag should be designed to be tamper resistant.

There are some attacks against older protocols that should be going out of use now, but generally speaking, a good, modern, secure tag should not be cloneable. That is the entire point of using this kind of technology rather than a magnetic strip (which is easily cloneable).

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110

8

NFC devices which do not use public key crypto, encrypted tokens, HMAC tokens or similar cryptographic mechanisms where there is a secret that never leaves the device can all be impersonated. Simple devices often just have a static string of data which they broadcast.

Many newer NFC devices as well as most enterprise grade devices since basically forever use cryptography which prevents impersonation.

However, some of the new credit cards lack this type of cryptography. But from what I understand most of them now implement cryptography as defined by the EMV security standards.

Then there's also the issue that some variants, like some Mifare variants, are crackable due to side-channel attacks against the cryptography. IIRC most newer ones aren't vulnerable, but I'm not entirely sure on the current state of this.

Natanael
  • 821
  • 7
  • 10
  • So the manufacturer of the receiver hard-codes the key in the receiver, to correspond to the key on the card? If yes, then if one gets his hands on a receiver they can retrieve the key, no? – Sparkler Oct 22 '14 at 15:13
  • 1
    @Sparkler with public key cryptography they put the public key in the receiver (or the server it is connected to), it only gets a signature which it can verify. It cannot impersonate the card. With symmetric key based systems like HMAC and OTP, however, yes it can. However, the receiver is usually well protected or communicates with a secure server which holds the secret. – Natanael Oct 22 '14 at 17:38
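The challenge-response flow AJ Henderson describes (terminal feeds the card transaction data, card returns a signature the vendor can verify but cannot reuse) and the public-key versus HMAC distinction in Natanael's comment, as an added Go example that is not part of any post on this page. It uses Ed25519 and HMAC-SHA256 from the Go standard library as stand-ins for the card's cryptography; the `Challenge` message layout, the `TAG-0001` identifier and the amounts are constructed for the example and are not EMV's real formats. It models three cards (a static tag, a signing card, an HMAC card) and checks which ones a recorded read can be replayed against, and which one a compromised receiver could clone from its own stored state.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Challenge is what the terminal sends: a fresh random nonce plus the amount.
// Constructed layout for this example; real EMV messages differ.
type Challenge struct {
	Nonce  [16]byte
	Amount uint32
}

// Encode serialises the challenge so it can be signed or MACed.
func (c Challenge) Encode() []byte {
	buf := make([]byte, 20)
	copy(buf, c.Nonce[:])
	binary.BigEndian.PutUint32(buf[16:], c.Amount)
	return buf
}

// NewChallenge draws a fresh nonce, so a response recorded earlier will not match it.
func NewChallenge(amount uint32) Challenge {
	var c Challenge
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		panic(err)
	}
	c.Amount = amount
	return c
}

// Card is anything that answers a terminal's challenge.
type Card interface{ Respond(Challenge) []byte }

// StaticTag models a basic data-providing tag: it ignores the challenge and
// returns a fixed identifier, so whoever reads it once can replay it forever.
type StaticTag struct{ ID []byte }

func (t StaticTag) Respond(Challenge) []byte { return t.ID }

// SigCard holds a private key that never leaves the card; it only ever emits
// signatures over what the terminal asked it to sign.
type SigCard struct{ priv ed25519.PrivateKey }

func (c SigCard) Respond(ch Challenge) []byte { return ed25519.Sign(c.priv, ch.Encode()) }

// HMACCard shares a symmetric secret with its verifier (the HMAC-token case).
type HMACCard struct{ secret []byte }

func (c HMACCard) Respond(ch Challenge) []byte {
	m := hmac.New(sha256.New, c.secret)
	m.Write(ch.Encode())
	return m.Sum(nil)
}

// Verifier is what the terminal (or the bank behind it) stores to check a response.
type Verifier func(Challenge, []byte) bool

func StaticVerifier(expected []byte) Verifier {
	return func(_ Challenge, resp []byte) bool { return bytes.Equal(expected, resp) }
}

// SigVerifier holds only the public key: it can check signatures, never make them.
func SigVerifier(pub ed25519.PublicKey) Verifier {
	return func(ch Challenge, resp []byte) bool { return ed25519.Verify(pub, ch.Encode(), resp) }
}

// HMACVerifier must hold the very secret the card holds.
func HMACVerifier(secret []byte) Verifier {
	return func(ch Challenge, resp []byte) bool {
		return hmac.Equal(HMACCard{secret: secret}.Respond(ch), resp)
	}
}

// Authentic: the genuine card answers a fresh challenge and the verifier accepts.
func Authentic(card Card, v Verifier) bool {
	ch := NewChallenge(100)
	return v(ch, card.Respond(ch))
}

// Replayable: an eavesdropper recorded one exchange and presents the captured
// response to a later, differently-nonced challenge (the question's "can the
// retrieved information be reused" case).
func Replayable(card Card, v Verifier) bool {
	captured := card.Respond(NewChallenge(100))
	return v(NewChallenge(100), captured)
}

// Demo bundles one of each card with its matching verifier and the verifier's state.
type Demo struct {
	Static              StaticTag
	Sig                 SigCard
	Mac                 HMACCard
	VStatic, VSig, VMac Verifier
	Pub                 ed25519.PublicKey // all a signature verifier ever holds
	Secret              []byte            // what an HMAC verifier has to hold
}

func NewDemo() Demo {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	id := []byte("TAG-0001") // constructed sample identifier
	return Demo{
		Static: StaticTag{ID: id}, Sig: SigCard{priv: priv}, Mac: HMACCard{secret: secret},
		VStatic: StaticVerifier(id), VSig: SigVerifier(pub), VMac: HMACVerifier(secret),
		Pub: pub, Secret: secret,
	}
}

// VerifierCanImpersonateHMAC: the HMAC verifier's stored secret is exactly what
// the card holds, so a compromised receiver can mint a working clone.
func VerifierCanImpersonateHMAC(d Demo) bool {
	return Authentic(HMACCard{secret: d.Secret}, d.VMac)
}

func main() {
	d := NewDemo()
	fmt.Println("static tag   authentic:", Authentic(d.Static, d.VStatic), "replayable:", Replayable(d.Static, d.VStatic))
	fmt.Println("ed25519 card authentic:", Authentic(d.Sig, d.VSig), "replayable:", Replayable(d.Sig, d.VSig))
	fmt.Println("hmac card    authentic:", Authentic(d.Mac, d.VMac), "replayable:", Replayable(d.Mac, d.VMac))
	fmt.Println("receiver can clone hmac card from its own state:", VerifierCanImpersonateHMAC(d))
}
```

The signing card has no counterpart to `VerifierCanImpersonateHMAC`: `ed25519.Sign` needs the private key, and the verifier only ever stores `d.Pub`, so the most a compromised terminal can do with what it has is replay a captured signature, which the fresh nonce defeats. Which of the two designs a deployment can tolerate therefore turns on whether every receiver can be trusted with a card-equivalent secret, which is exactly the point Natanael's comment makes about keeping the HMAC secret on a protected server rather than in the reader.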

-2
  1. Cloning isn't necessary as the algorithm used for NFC with the EMV cards is flawed, lacking a true RNG. The predictable PRNs can be used to negotiate transaction authentications.
  2. Another implementation flaw foils the $200/transaction cash limit by doing the transaction in a foreign currency.
  3. There are other implementation flaws that make it relatively simple to fake an emv transaction.

This could have been avoided by having a white hat hacking contest with substantial rewards for discovering security flaws before the system was adopted in the US.

Silly bankers, RFIDs are for kids. :-)

Ohnana
  • 4,737
  • 2
  • 23
  • 39
  • 4
    Hi, could you provide some sources to back up your claims? These are some serious allegations. – Ohnana Jul 12 '16 at 23:29