the crew at BoingBoing TV has posted up a little demo of how easy cracking the RFID encryption on an American Express card can be. All it takes is an $8 dollar reader easily available on eBay [From RFID credit cards easily hacked with $8 reader – Engadget]
The actual title should have been “Well-designed American Express contactless cards work exactly according to specification and non-hacking non-exploit does not actually result in losses to either cardholder, retailers or American Express themselves”. Anyway, the reason I got a few e-mails was because people wanted to know where to get these $8 readers. I just checked on eBay (US) and the cheapest pre-owned contactless terminal I could find was over $60. The video actually shows him using a Vivotech Vivopay 5000 (which is a couple of hundred quid in the UK), so if this guy really can get them for $8 he’ll make far more money from reselling the terminals than he will from “hacking” ExpressPay cards.
Here we go once again. This is not a hack. This is not an exploit. This is not even remotely interesting on any level. It DOES NOT enable a perp to create a bogus American Express magnetic stripe card by reading an American Express contactless card…
You cannot use the alias PAN (ie, the PAN given up via the contactless interface, not the one printed on the card) in anything except a contactless transaction and you cannot use it to make a bent contactless card because you need the Amex security keys in order to generate the right digital signature. If you attempt to use the alias PAN in an online transaction, the Amex host will decline it. [From Digital Money Forum: Contactless]
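The quoted argument (alias PAN bound to the contactless channel, plus a per-card key the reader never sees) can be made concrete with a small issuer-side model. This is an added illustration, not ExpressPay's real cryptography or American Express code: the card records, the 16-byte per-card key, the HMAC-SHA256 "cryptogram" and the `host_authorise` decision logic are all constructed here. It shows why data lifted by a reader (alias PAN plus one observed cryptogram) is declined both on an online channel and when replayed against a fresh terminal nonce.

```python
"""Simplified issuer-host model of why a read-out alias PAN is not useful on its own.

Constructed illustration, not American Express's actual scheme. Assumptions
(all hypothetical): the issuer maps each printed PAN to a contactless alias PAN
and a per-card key, and accepts a contactless transaction only if it carries a
MAC computed with that key over the amount, transaction counter and the
terminal's unpredictable nonce.
"""
import hashlib
import hmac
import os

# Constructed sample issuer records: printed PAN -> alias PAN and per-card key.
ISSUER_CARDS = {
    "370000000000002": {"alias_pan": "371111111111111", "key": b"\x01" * 16},
}
ALIAS_TO_PRINTED = {v["alias_pan"]: k for k, v in ISSUER_CARDS.items()}


def card_cryptogram(key: bytes, alias_pan: str, amount: int, atc: int, nonce: bytes) -> bytes:
    """What the chip computes per tap: a keyed MAC over the transaction data.
    The key never leaves the card, so a reader only ever sees the output."""
    msg = f"{alias_pan}|{amount}|{atc}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def host_authorise(channel: str, pan: str, amount: int, atc: int = 0,
                   nonce: bytes = b"", cryptogram: bytes = b"") -> str:
    """Issuer host decision: 'APPROVED' or a decline reason."""
    if pan in ALIAS_TO_PRINTED:
        # The alias PAN is only meaningful over the contactless interface.
        if channel != "contactless":
            return "DECLINED: alias PAN on non-contactless channel"
        key = ISSUER_CARDS[ALIAS_TO_PRINTED[pan]]["key"]
        expected = card_cryptogram(key, pan, amount, atc, nonce)
        # Constant-time compare so timing does not leak anything about the MAC.
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: bad cryptogram"
        return "APPROVED"
    if pan in ISSUER_CARDS and channel != "contactless":
        # Printed PAN on an online/card-present channel; CVV, AVS etc. not modelled.
        return "APPROVED"
    return "DECLINED: unknown PAN or wrong channel"


def demo() -> dict:
    """Three scenarios. The 'observed' data is what a reader could capture:
    the alias PAN and one cryptogram from a past tap, never the card key."""
    printed = "370000000000002"
    rec = ISSUER_CARDS[printed]
    alias = rec["alias_pan"]

    # 1. Legitimate tap: terminal supplies a nonce, card answers with a cryptogram.
    nonce = os.urandom(8)
    crypt = card_cryptogram(rec["key"], alias, 1500, atc=7, nonce=nonce)
    legit = host_authorise("contactless", alias, 1500, 7, nonce, crypt)

    # 2. Alias PAN keyed into an online (card-not-present) transaction.
    online = host_authorise("ecommerce", alias, 1500)

    # 3. Replay of the observed cryptogram at another terminal (fresh nonce).
    replay = host_authorise("contactless", alias, 1500, 7, os.urandom(8), crypt)

    # 4. Forged cryptogram under a guessed key (constructed wrong key).
    forged = card_cryptogram(b"\x00" * 16, alias, 1500, 7, nonce)
    forge = host_authorise("contactless", alias, 1500, 7, nonce, forged)

    return {"legit": legit, "online_with_alias": online, "replay": replay, "forge": forge}


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>18}: {outcome}")
```

The two controls the quote relies on are separate: the channel check means the alias PAN is useless in an online form even if the MAC were somehow valid, and the keyed MAC over a terminal-chosen nonce means the captured contactless data cannot be replayed or re-signed without the issuer's key.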
I wouldn’t want to stop you from checking out the Engadget post though: some of the comments are fascinating because of what they reveal about what a random cross-section of geek opinion thinks about the payment card system. Do they honestly think that American Express and their consultants are so dumb that they never considered the possibility that someone with a reader might read the card?
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.