<span style="font-weight: bold;">I've been turned Blue by American Express</span><br />Posted 2007-07-12<br /><br />I have the Blue by American Express credit card. If you look at the image, you can see the small RFID chip that allows you to shop at certain places (7-11, gas stations) with a "wave of a hand". <p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_XRxpot-MK0s/RpZULJQvK0I/AAAAAAAACAo/nq3z88hQ31Y/s1600-h/amex_epress_blue.jpg"><img style="cursor: pointer;" src="http://bp3.blogger.com/_XRxpot-MK0s/RpZULJQvK0I/AAAAAAAACAo/nq3z88hQ31Y/s320/amex_epress_blue.jpg" alt="" id="BLOGGER_PHOTO_ID_5086345379602967362" border="0" /></a><br /></p><p><a href="http://en.wikipedia.org/wiki/RFID" target="_blank">RFID</a>, or Radio-Frequency IDentification, is a technology that allows you to store data on a chip and read it remotely (up to 30 feet and more, with some self-powered chips) using a cheap RFID reader. The chips usually have a small antenna to boost the range of reception (see those metal curly lines?).<br />Originally they were designed for digital warehouse management (allowing you to keep track of your entire inventory, and locate items with a wave of a reader). The US government is already adding those to American <a href="http://www.wired.com/politics/security/news/2005/04/67333" target="_blank">passports for authentication purposes</a>.</p> <p>And therein lies the problem: anyone can buy this reader and read your chip from afar. Due to its small size, encryption, if it even exists, is limited.<br />Meaning someone can sit in a parking lot, read all my details off my card, replicate the chip and start celebrating on my account. 
Bad :(<br /></p> <p>Well, after reading several cautionary articles and posts (<a href="http://www.rfid-cusp.org/blog/blog-23-10-2006.html" target="_blank">read some more about credit card vulnerabilities</a>; <a href="http://www.spychips.com/press-releases/american-express-conference.html" target="_blank">this</a> and <a href="http://www.spychips.com/blog/2006/10/spychipped_credit_card_q_a.html" target="_blank">this</a> also make good points), I called American Express yesterday and asked for a chip-less card.</p> <p>I spent 30-40 minutes on the phone explaining myself. After about 20 minutes, and several "put you on hold, talk to my supervisor" phrases, they "disconnected the service" - as if that helps. I spent the next 10 minutes trying to explain that the activity or inactivity of the service doesn't matter - my private info is on this chip and any kid can read it (as indeed some kids have already demonstrated - see the <a href="http://www.defcon.org/" target="_blank">DefCon</a> link below).<br />No go - they wouldn't replace my card. They only told me I can get a different card, with a different plan yadda yadda.<br />I'll definitely do something about this - either call them again (when I have more patience) or just scratch the chip off the card.</p> <p><u>Recommendation</u>: make sure your card doesn't have such a chip and demand a replacement if it does. 
If you have an RFID chip that you don't want read, keep it in a metal case (aluminum is great), as it blocks the reception.</p> <p>Read some more RFID fun news here:</p> <ul> <li><a href="http://www.engadget.com/2006/08/03/german-hackers-clone-rfid-e-passports/" target="_blank">German hackers clone passports</a></li> <li><a href="http://www.wired.com/wired/archive/15.01/start.html?pg=9" target="_blank">How to disable your passport's RFID</a></li> <li>The <a href="http://www.defcon.org/" target="_blank">DefCon</a> hackers convention, where every year RFID hacking records are broken (last year, an RFID was hacked from 69 feet away, off a roof. The year before that the FBI arrested a presenter as he was demonstrating hacking a passport).</li> <li>Search <a href="http://www.google.com/search?q=rfid+hack" target="_blank">Google</a> for RFID hacks - there's a wealth of info.</li></ul><span style="font-weight: bold;">Update 3/19/08</span><br />Some people call me paranoid (others call me a Space Cowboy, but that's a whole different post <img class="emoticon" src="http://wolverinex02.googlepages.com/icon_smile.gif" alt="smile" title="smile" height="" width="" />) but now I feel justified in my paranoia. While this post was written in July 07, this video, out today from <a href="http://tv.boingboing.net/">BoingBoing</a>, clearly shows how you can get all the information you want off a Blue Amex, using an $8 reader bought on eBay.<br />That's right - your privacy is worth $8 to Amex.<br /><br /><embed class="castfire_player" id="cf_4a893" name="cf_4a893" src="http://p.castfire.com/Xu7m0/video/8913/bbtv_2008-03-18-195242.flv" type="application/x-shockwave-flash" allowfullscreen="true" height="290" width="350"></embed><br />If you can't see the Flash video, download the movie <a href="http://video.boingboing.net/video/8913/bbtv_2008-03-18-195242.mp4">here</a>.<br /><br /><span style="font-weight: bold;">Update 5/17/08</span><br />I've gone ahead and done it! 
It took 30 seconds, a screwdriver and a hammer. My card looks like this right now (pertinent data removed, of course):<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_XRxpot-MK0s/SC_QKtNW0qI/AAAAAAAAD5w/t6prFYirJ-Q/s1600-h/Amex+Blue+w+hole.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_XRxpot-MK0s/SC_QKtNW0qI/AAAAAAAAD5w/t6prFYirJ-Q/s400/Amex+Blue+w+hole.jpg" alt="" id="BLOGGER_PHOTO_ID_5201604976989098658" border="0" /></a><br />Let's zoom in on the kill shot:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_XRxpot-MK0s/SC_QbtNW0rI/AAAAAAAAD54/4eoeGagS_Xo/s1600-h/Amex+Blue+w+hole2.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_XRxpot-MK0s/SC_QbtNW0rI/AAAAAAAAD54/4eoeGagS_Xo/s400/Amex+Blue+w+hole2.jpg" alt="" id="BLOGGER_PHOTO_ID_5201605269046874802" border="0" /></a><br />I am now blissfully RFID-less!<br /><br />Posted by <a href="http://www.blogger.com/profile/01547838190628135925">Traveling Tech Guy</a>