“ChaO” (Cagatay Evyapan) was well-known in the underground carding community.  Watch the footage below, you will be very impressed how this fraudster converted his villa into a high profile ATM skimming device production factory.

ChaO’s fraud devices in action:

The attached skimming device copies all 3 tracks from the magnetic stripe of a credit/debit card, the keypad captures the PIN.  After is really easy for the fraudster to copy all collected info to  ISO 7812 blank cards  and eventually be able to cash out the money.

His hacking tips are the following (did not prove to be the best tips in his case):

* don’t install a skimmer in the morning, because people are more vigilant then;
* determine where a person would have to stand to keep an eye on everything happening on that block;
* avoid blocks where more than 250 people per day walk through, because of the danger of detection;
* don’t install skimmers in towns with fewer than 15,000 people, because people in those towns know what their ATMs look like;
* avoid areas with small shops open 24 hours a day, because there may be surveillance cameras and vigilant shopkeepers;
* don’t set up in areas where a lot of illegal immigrants live;
* places with a lot of tourist traffic are good;
* look for affluent neighborhoods and drive-through ATMs;
* ATMs near cash-only bars are a good bet for lots of customer activity.

Using google-dorks, the attackers can search for frame scripts allowing the inclusion of any url. This search reveals thousands of results with too many websites vulnerable to cross-site framing:

allinurl:”url=http” “frame”

inurl:frame filetype:asp  inurl:”url=”
inurl:frame filetype:aspx inurl:”url=”
inurl:frame filetype:php  inurl:”url=”
inurl:frame filetype:cfm  inurl:”url=”

inurl:iframe filetype:asp  inurl:”url=”
inurl:iframe filetype:aspx inurl:”url=”
inurl:iframe filetype:php  inurl:”url=”
inurl:iframe filetype:cfm  inurl:”url=”

allinurl:http frame.asp
allinurl:http frame.aspx
allinurl:http frame.php
allinurl:http frame.cfm

allinurl:frame.php?url=http
allinurl:frame.asp?url=http

Phishing and other scams are now easier to perform due to cross-site framing.
Having found such frame scripts, allows the attackers to include a webpage which is hosted somewhere else. This webpage can be designed to look like the original website and can be any cross-platform server-side script. It can contain a fake login form which on submit parses the inputted usernames and passwords and sends them to the attacker’s mailbox in cleartext format.

It is also possible to perform XSS attacks as in most cases there is no filtering of special characters, script or other common tags in the URL parameter.

Daniel Hugh mailed us about a cross-site framing and scripting vulnerability affecting Gov.MT (Official website of the Government of Malta):

Gov.MT with Frame Redirect and XSS

The XSS vulnerabilities affecting websites can also be used to perform frame redirects, but not the contrary. So if you submit a website vulnerable to cross-site framing along with a XSS attack vector, we will publish it as XSS.

The above news were written in order to heighten the awareness of potential privacy threats to users of the web.

You can also access this blog post  from XSSed.com – a project I run with Kevin Fernandez.

Here is the link:

http://www.xssed.com/news/26/Cross-site_framed/

A large number of retailers worldwide hope that RFID will replace the less-precise barcode. This is for a number of advantages, including the automation of stock tracking for cutting costs for them and for the manufacturers. [2] Despite the advantages for the retailers and the parties involved in the supply chain, the possible near future implementation of RFID chips as stock trackers raises specific privacy issues for the consumers.

This essay discusses these privacy issues with respect to the possible introduction of RFID chips as stock trackers. I will also provide a few notable examples of successes and failures in the RFID marketplace and possible solutions for mitigating privacy issues involved in stock tracking.

SPECIFIC PRIVACY ISSUES & MITIGATION APPROACHES

Various groups of privacy advocates watchdog the RFID technology for anything they consider as an infringement of privacy rights. The scenarios that annoy them the most are the item-level tagging of consumer products that end up in consumer’s possession and the tagging or tracking of individuals. [4]

Today for example, if an individual purchases a pack of hand rolling tobacco in Reading, UK, its barcode would be identical to the same brand and type of hand rolling tobacco sold in Brighton, UK. If the tobacco company chooses in the future to implement item-level tagging and the individual purchases a product with a loyalty card or credit card, it would be possible to tie the unique ID of the product to the ID of the purchaser. This creates a serious privacy issue for the consumers because they could then be tracked if they ever purchased from the same shop again or from any other shops capable of reading RFID tags [2].

RFID tags can be read at a certain distance without the knowledge of the individual. This means that when the individual enters a shop with his RFID tagged tobacco pack; the RFID reader in the shop can identify the brand of his tobacco, the shop that he purchased it from, the exact time and date of the purchase, how frequently he comes into the shop or even the time that he spent before coming to a decision whether to purchase it or not.

If the individual used a loyalty card or credit card to purchase tobacco, the tobacco company and the store could tie the identified information to the individual’s name, address and e-mail. Then the individual could receive targeted advertisements by tobacco companies as he walks through the mall or mailings through his e-mail about special offers and other products [2]. This scenario is not far from the one in the “Minority Report” movie…

Several manufacturers and retailers, including TESCO in UK, Wal-Mart in USA and Prada, expect that the RFID tagging of their product range will aid significantly in the management of the supply-chain, from manufacturing to shipping of their products and to stocking their store shelves. [1]

With the implementation of RFID technology, retailers and shops can build up an individual personal log of their customer’s shopping habits. [2] The monitoring of purchases may or may not involve personal information, because information on consumer shopping habits could be created without associating details with identified individuals. Consumer profiling is considered intrusive enough by many consumer’s standards and privacy advocates. Companies that want to keep track of the popularity of their products will not necessarily require the profiling of data about specific customer’s shopping habits. [1]

In the UK, according to the Data Protection Act 1998 (“the Act”) [1], retailers and stores collecting personal information with RFID readers, must adhere to the fair processing requirements of the Act. This means that they must notify their customers about the presence of RFID tags on products and RFID readers, and explain them the possible implications [1]. They must inform their customers what personal information is being collected, by whom, and for what purpose. In case consumer profiles are used for direct marketing, retailers and stores should provide customers with a means of opting out of such direct marketing. It is also necessary to explain to the customers how to remove or disable RFID tags from a product after purchase [1]. The Act applies where personal information is collected, generated or disclosed using RFID either directly or indirectly.

When companies decide to use RFID tags, must implement, operate and manage the RFID technology with special consideration to the data protection principles of use limitation, data quality, data retention and security [1]. This set of principles assures to a high percent the protection of the customer’s personal privacy, the improved operation of the company and thus the good relationship with the customers; but do not eliminate potential risks of privacy infringement.

Use limitation means that personal information should only be collected by companies for legal purposes [1].
Data quality means that companies should ensure that RFID collected personal information is valid, accurate and kept up to date. Only personal information necessary for specific purposes of the company should be collected [1].
Data retention means that personal information should not be stored by the companies for longer than is necessary for a specified purpose [1].

Security means that the companies have the responsibility to ensure the security of any personal information stored or on them or linked to them [1].

A few supermarkets have been using RFID tags in order to track how often certain products are removed from the shelves. Such information is usually general and do not relate to individuals. However, if this information were to be associated with identified individuals, would become personal information.

Privacy advocates and civil liberties organizations worry that companies, retailers and shops using RFID are able to track consumers long after a purchase of a product [5]. For example, an apparel designing company can scan a fashion event for the number of people wearing its trousers.

Most of the privacy concerns are based around the fact that RFID tags can still fully function after the tagged products have been taken home and even survive years of washing, drying and wearing! [3] They can be used for surveillance, corporate espionage and other utterly immoral purposes unrelated to their supply-chain stock functions.

Large retailers such as the Wal-Mart in the USA sees it as an advantage to be able to track consumer shopping habits and stock as it improves their supply-chain efficiency and cuts significant costs.

In early 2003, the Procter & Gamble Co. and Wal-Mart in order to test RFID, tagged packages of lipstick in an Oklahoma shop and were able to track the customers as they took the lipstick off the shelves. This test raised the anger of privacy advocates worldwide for the obvious privacy issues.

Stock tracking from the point that stock leaves the manufacturer to the location of where the product will be supplied for sale, is an acceptable use of RFID according to consumer privacy and civil liberties organizations [4]. Stealing and loss of stock as they move through the supply-chain should be prevented with the placement of RFID tags to the outside of the packaging and not embedded in the products. The tags should be permanently destroyed before the shops put the products on the shelf. With that way consumers won’t have to worry much about their personal privacy, although there is always the risk of hidden placement of RFID tags and hidden RFID readers.

Other acceptable uses of RFID are that of detecting items that contain toxic substances when they are delivered to the waste disposal area and that of tracking pharmaceuticals [4].

FAILURES IN THE RFID MARKETPLACE & LESSONS LEARNED

Metro Group

A notable failure is that of the Metro Group, a large retailer based in Germany. [7]

In 2004, the company tagged its store loyalty card with RFID chips, without disclosing any information to consumers. When the privacy advocates found out, protested and threatened to strike against the company. Eventually, seeing so many angry privacy advocates and concerned consumers, the company put an end to RFID tagging of their loyalty cards and announced that they would replace existing cards with non-chipped ones. However, having established its “Future Store” for displaying and testing of new technologies, the company still continues to research innovative uses of RFID and other technologies. It has also created its own mandate, which requires RFID tagging of the pallet and case level for distribution and supply-chain purposes.

Benetton

In 2003, the Philips semiconductor manufacturing company publicized that it would supply RFID tags to the Benetton apparel company [6].

When the news reached the public worldwide, groups of privacy advocates called for a boycott of Benetton’s products. They even set up a web site (www.boycottbenetton.com) to show the whole world not to buy clothing with embedded RFID tags. In the website they included the slogan, “I’d rather go naked [than wear clothes with spychips].” This call for a boycott created too many privacy concerned consumers and made Benetton announce a few weeks later that its products would not eventually be tagged with RFID.

There are a few lessons that can be learned from the above examples of failures in the RFID marketplace. [7]

Prior to the implementation of RFID technologies, companies, retailers and shops must anticipate privacy concerns. Understanding the privacy concerns of the consumers regarding RFID tags can help for a better and more secure operation of a business. Both the customers and the companies will be happy.

Companies must also find ways to mitigate privacy intrusion issues. They can, for instance, place RFID tags on consumer’s products that have a kill switch along with instructions on how to remove the tags.

They must demonstrate the steps being taken to protect the privacy of the consumers and make sure that they get their message out to the public for specific educational awareness resulting to the decreased frequency of privacy issues.
Metro Group did not even disclose that was going to use RFID tags in its loyalty cards. Consequently, it couldn’t defend to continue using the tags because when many privacy advocates and consumers found out about the matter, company got immediately disadvantaged in public relations.

SUCCESSES IN THE RFID MARKETPLACE

Other retailers, including the UK Marks & Spencer, are successfully continuing to use item-level tagging and to include trials of RFID tagging to a variety of its clothing lines.

In 2003, Delta Air Lines in the USA tagged 40,000 customer bags in order to reduce baggage losses and make it easier to route bags if customers change flight. [3]

The United States Department of Defense (DoD) is currently using RFID chips in order to track military shipments. It has also placed RFID tags on 270,000 cargo containers and is able to track all those shipments throughout 40 countries! [3]

More and more businesses are interested in item-level tagging because it helps retailers and shops to keep the best selling products in stock and the stock moving. It benefits significantly the retailers because multiple products that comes in multiple sizes and colors are difficult to keep them stocked. With item-level tagging is not, because staff can find which products are in which boxes.

CONCLUSION

Despite the number of successes in the RFID marketplace, it will be years before we see individual item-level tagging on a widespread basis.

Today, only a small number of retailers and manufacturers are piloting item-level tagging, although dozens more are evaluating its possible use. There is still a lot of research to be done in security, privacy and implementation issues.

Most manufacturers and retailers that are currently using the RFID technology, are used to privacy intrusion issues. They will continue to use the technology and to deal closely with the consumer’s privacy concerns, mitigate the privacy intrusions, manage communications, and avoid a public relations nightmare like in the Metro Group case. [7] Correct implementation of RFID tags can have a huge advantage in the near future.

REFERENCES

[1] Information Commissioner’s Office – Data Protection Technical Guidance V1.0/09.08.06 – Radio Frequency Identification

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf

[2] Scottie Hawksworth – RFID Privacy and You

http://ezinearticles.com/?RFID-Privacy-and-You&id=30853

[3] Scott Grannerman – SecurityFocus.com – RFID Chips Are Here

http://www.securityfocus.com/columnists/169

[4] RFID Position Statement of Consumer Privacy and Civil Liberties Organizations

http://www.privacyrights.org/ar/RFIDposition.htm#1

[5] RFID and privacy: Debate heating up in Washington

http://www.infoworld.com/article/04/05/28/HNrfidprivacy_1.html

[6] Boycott Benetton – No RFID tracking chips in clothing!

http://www.boycottbenetton.com/

[7] METRO AG

http://www.metrogroup.de/servlet/PB/menu/1014671_l2/

[8] RFID Security – Protect the supply chain – Syngress Publications – (ISBN:1597490474)

Buy the book from Amazon.com (Apr 2006 publication)

OR

from Amazon.co.uk (Nov 2005 publication)