Arphid Watch: Leeches and Ghosts

(((As a sometime computer-crime journalist, I don't believe in spreading access to freaky malware from my weblog, so if you're into that kind of mischief, you'll just have to find these Israeli skimming-hackers on your own.)))

(((Some nice neologisms for a new area of practice: not skimming the tags themselves, but cracking the communication between RFID tags and legitimate scanners. I rather doubt this is the last we'll hear of 'ghosts' and 'leeches.')))

"Radio-Frequency Identifier (RFID) technology, using the ISO-14443 standard, is becoming increasingly popular, with applications like credit-cards, national-ID cards, E-passports, and physical access control. The security of such applications is clearly critical. (((I wonder why hackers always say that, given that there has never been perfect security in any other system the human race ever constructed. After all, the better the hardware gets, the more sense it makes to just go bribe some insider geeks. They're so eager to talk about it that, hey, they'll set up how-to websites.)))

"A key feature of RFID-based systems is their very short range: Typical systems are designed to operate at a range of 5-10cm.

"Despite this very short nominal range, Kfir and Wool predicted that a rogue device can communicate with an ISO-14443 RFID tag from a distance of 40-50cm, based on modeling and simulations. Moreover, they claimed that such a device can be made portable, with low power requirements, and can be built very cheaply. Such a device can be used as a stand-alone RFID skimmer, to surreptitiously read the contents of simple RFID tags. The same device can be used as the "leech" part of a relay-attack system, by which an attacker can make purchases using a victim's RFID-enhanced credit card–despite any cryptographic protocols that may be used.

"In this study we show that the modeling predictions are quite accurate. We show how to build a portable, extended-range RFID skimmer, using only electronics hobbyist supplies and tools. Our skimmer is able to read ISO-14443 tags from a distance of ≈25cm, uses a lightweight 40cm-diameter copper-tube antenna, is powered by a 12V battery–and requires a budget of ≈$100. We believe that, with some more effort, we can reach ranges of ≈35cm, using the same skills, tools, and budget."
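The "leech" and "ghost" of the abstract are the two halves of a relay: the leech sits in range of the victim's card, the ghost sits in range of the shop's reader, and a link between them forwards each message unchanged. Below is an added toy model of that attack in Python; it is not code from the paper or from this post. The card, reader, shared key, UID, link delay and the reader's optional round-trip bound are all assumptions made up for the demonstration. The point it shows is the one the abstract makes: a challenge-response protocol stops a cloned card that only has the skimmed UID, but it does nothing against a relay, because the real card is answering the reader's real challenge.

```python
"""Toy model of the leech/ghost relay attack against a challenge-response RFID card.
Added illustration; every name, key and delay here is a constructed assumption."""
import hashlib
import hmac
import os
import time
from typing import Callable, List, Optional, Tuple

# Constructed demo credential shared by card and reader (not a real key).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_UID = bytes.fromhex("04a1b2c3")   # constructed 4-byte UID


class Tag:
    """Contactless card: answers any challenge in range, proves key possession via HMAC."""

    def __init__(self, key: bytes, uid: bytes) -> None:
        self.key, self.uid = key, uid

    def anticollision_uid(self) -> bytes:
        # The UID is handed out before any crypto runs, so a stand-alone skimmer
        # collects it without knowing a key. That is all a "simple" tag has to offer.
        return self.uid

    def respond(self, challenge: bytes) -> bytes:
        return self.uid + hmac.new(self.key, challenge, hashlib.sha256).digest()


Channel = Callable[[bytes], bytes]


class Reader:
    """Point-of-sale reader. max_rtt is an assumed round-trip bound, off by default."""

    def __init__(self, key: bytes, max_rtt: Optional[float] = None) -> None:
        self.key, self.max_rtt = key, max_rtt

    def authenticate(self, channel: Channel) -> bool:
        challenge = os.urandom(16)
        t0 = time.perf_counter()
        response = channel(challenge)
        rtt = time.perf_counter() - t0
        mac = response[4:]
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                         # wrong key: forged card rejected
        if self.max_rtt is not None and rtt > self.max_rtt:
            return False                         # answer arrived too late to be local
        return True


class Relay:
    """Leech sits by the victim's card, ghost sits at the reader; a link joins them.
    Neither end parses the protocol, so the cryptography passes through untouched."""

    def __init__(self, victim_card: Tag, one_way_link_delay: float) -> None:
        self.card = victim_card
        self.delay = one_way_link_delay
        self.log: List[Tuple[str, bytes]] = []

    def ghost(self, challenge: bytes) -> bytes:   # the reader talks to this
        self.log.append(("reader->ghost", challenge))
        time.sleep(self.delay)                    # ghost -> leech over the link
        response = self.leech(challenge)
        time.sleep(self.delay)                    # leech -> ghost over the link
        self.log.append(("ghost->reader", response))
        return response

    def leech(self, challenge: bytes) -> bytes:   # the victim's card talks to this
        self.log.append(("leech->card", challenge))
        response = self.card.respond(challenge)
        self.log.append(("card->leech", response))
        return response


def forged_card_channel(challenge: bytes) -> bytes:
    """A clone built from a skimmed UID only: it has no key, so it can only guess."""
    return CARD_UID + os.urandom(32)


def legitimate_purchase() -> bool:
    card = Tag(SHARED_KEY, CARD_UID)
    return Reader(SHARED_KEY).authenticate(card.respond)


def cloned_card_purchase() -> bool:
    return Reader(SHARED_KEY).authenticate(forged_card_channel)


def relayed_purchase(link_delay: float = 0.05, max_rtt: Optional[float] = None) -> bool:
    victim_card = Tag(SHARED_KEY, CARD_UID)        # in the victim's pocket, by the leech
    relay = Relay(victim_card, link_delay)
    return Reader(SHARED_KEY, max_rtt).authenticate(relay.ghost)


if __name__ == "__main__":
    print("legitimate card:", legitimate_purchase())
    print("cloned (UID only):", cloned_card_purchase())
    print("relayed, no timing check:", relayed_purchase())
    print("relayed, 50 ms round-trip bound:", relayed_purchase(max_rtt=0.05))
```

The round-trip check at the end is the standard countermeasure family (distance bounding), shown here only in caricature: a 50 ms bound catches a relay with a sluggish link, but radio covers the reader's whole 10 cm range in well under a nanosecond, so a real check has to be built into the physical layer and timed far more tightly than any software loop can manage.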

(...)

"A German hacker used a simple PDA, equipped with an RFID read/write device, and changed product prices in a grocery shop using software he wrote. He managed to reduce the shampoo price from $7 to $3 and go through the cashier without incident. Supermarket checkout trials held by NCR corporation showed that some clients standing at the cashier paid for groceries held by clients standing behind them in the queue.

"A research team at Johns Hopkins University managed to build a system that sniffs information from RFID-based car keys and immobilizers, and were able to purchase gasoline without the owner's consent."