CC Companies Scotch Mythbusters Show On RFID Security
mathfeel passes along a video in which Mythbusters co-host Adam Savage recounts how credit card companies lawyered up to make sure the Discovery channel never, ever airs a segment on the flaws in RFID security. "Texas Instruments comes on [a scheduled conference call] along with chief legal counsel for American Express, Visa, Discover, and everybody else... They [Mythbusters producers] were way, way outgunned and they [lawyers] absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it."
I can just see the courtroom in 2010 (Score:5, Interesting)
"So, if I Understand this correctly, you knew of these security holes back in 2008, and rather than fix them, you prevented the Mythbusters from talking about them."
"Well, yes, Your Honor."
"Give me another reason why I should listen to one word of your defense against this class action suit?"
This will come back and bite them in the @$$. Hard.
99% chance (Score:2, Interesting)
That this clip is leaked to the Internet where it explodes in popularity.
Re:Pass the buck (Score:3, Interesting)
Personally I think that this kind of thing should be allowable, under one condition. Namely, that the credit card companies set about fixing this problem as quickly as possible, sparing no expense. If there is a big problem with these cards and they are willing to fix it now that someone has told them about it, I think it would only be reasonable to allow them to keep the information secret for a short time while they square things away.
Now, of course, the odds that this is what they'll actually do are only slightly better than my odds of scoring with a pair of Japanese twins tonight. But it is a scenario I could imagine where this might be justified.
Of course if this were the rule, and they claimed this in order to shut something down and then didn't actually do what they said they would do, they ought to be liable for triple damages to the defendant.
Re:Upcoming Mythbusters Special! (Score:5, Interesting)
I think this would be a good time to point out that Barack Obama and his running mate are lawyers.
corporate games (Score:5, Interesting)
I know the management of these companies have obligations to the shareholders but isn't it about time they started to exhibit an obligation to not make fraud so easy with the current system?
Re:Upcoming Mythbusters Special! (Score:2, Interesting)
I like how this is modded informative..
Well, the patient clearly exhibits a severe form of dementia where he thinks that lawyers are supernatural beings capable of destroying his world and cheating everyone & everything--even death! The patient also sees them as an unstoppable force bent on bending all things the patient views as right and irrefutable. In this case, security and public awareness.
This is informative/interesting because there seems to be a fringe society of individuals that exhibit these symptoms while clearly the rest of society--the 'norm'--do not.
Not all lawyers are inherently evil, even Gandhi was a lawyer. Some use their powers for good, it just seems that this poor basket case has deluded himself into seeing only evil and mis-characterizing lawyers as a hate-filled 'race.'
Seriously though, does anyone else feel like either the rest of the world has gone insane or they're the only insane person on this planet? I mean, I miss the days when they would just burn scientists and heretics at the stake. At least we wouldn't have to sit through bullshit where the truth is suppressed by financial corporations! Seriously, the Discovery Channel should be renamed to the "Discover Only What Money Approves Channel."
Re:Sometimes it necessary (Score:5, Interesting)
Bad analogy time:
It's like a ship with holes in it. If the ship is already at sea, you shut up and man the pumps. But if the ship is in the dock, you yell "Look, hole!" and hopefully you won't have to pump quite as much later on.
Ignore Them (Score:4, Interesting)
An expensive lawsuit would almost certainly be filed after the fact, but it stands no chance of success. Discovery could counter-sue for barratry and violations of anti-SLAPP statutes.
Schwab
Re:I can just see the courtroom in 2010 (Score:5, Interesting)
"Well, Your Honor, all of the persons the plaintiff has named as members of the class are invalid. All our cardmembers, as a provision of the cardmember agreement, must refer to independent Binding Arbitration, and expressly waive their right to participate in a class action. And all those that remain have no standing to file this action."
When you enter a courtroom, you enter another world where such flagrant absurdities are taken seriously. Read your cardmember agreement. Then read Kafka.
Schwab
Re:Upcoming Mythbusters Special! (Score:2, Interesting)
Not all lawyers are inherently evil, even Gandhi was a lawyer.
Would that be Mohandas "The Jews should have offered themselves to the butcher's knife" Gandhi you are referring to?
The jokes are funny. (Score:2, Interesting)
Today, I've been seeing some jack-boot operations by the St. Paul police on some folks who didn't mean anyone any harm. The cops arrested lawyers and reporters, too. There are some lawyers who are going to make those cops and their puppet masters pay big. And I'm glad that there is financial incentive for folks to go after Government when it so egregiously violates people's rights and makes a mockery of our Constitution that those disgraces to the name of police made in St. Paul.
The St. Paul and Denver police departments are a disgrace. I hope some lawyers representing their clients (some are veterans) get rich while punishing those imbeciles. And I really hope some of those cops go to jail themselves.
It isn't just credit cards (Score:3, Interesting)
There's a nice thought.
Re:Upcoming Mythbusters Special! (Score:5, Interesting)
If you were alive during the days that they just burned scientists and heretics at the stake, I am impressed. Perhaps you just mean that you yearn for the days? (this is probably a pretty narrow style issue, but whatever)
If you really care, stop doing business with them. Stop doing business with the various financial companies because they would manipulate what is presented to you. Stop doing business with Discovery because they put profit before whatever-it-is. Stop doing business with people who do business with them. I mean, you don't actually have to sit through the bullshit if you don't want to, but damn if it isn't easier.
What it comes down to is that if you don't stand up for a principle, you don't really have much business expecting anybody else to...
PBS was fucked, too (Score:4, Interesting)
I remember bill moyers and his 'now' show. it was great, and he had this other guy (david b-something) as a second - and it did some good 'digging' on important stories.
from what I understand, he got shot down and was forced to 'retire' because he asked too many hard questions and bothered too many powerful bigwigs.
he did come back, but not on that show and he *was* put 'out of business' for about a year or two (iirc). ie, the chilling effect was done to PBS, which is a sacred cow, in US culture (more or less).
if moyers can be silenced, it's proof our whole system is broken. PBS was a final hold-out but even PBS was *heavily* edited by bush-co and their henchmen.
TV is a wasteland; cable is mostly such; and even more and more of 'the net' is getting to be high in noise/signal ratio. the net is still mostly unregulated, but imagine the trend going from tv->cable->'teh internets'. we may see it in our lifetimes, too, if things don't get reversed soon.
Re:Yeah, well... (Score:5, Interesting)
You'll feel sick reading/watching Fox, or even CNN etc, after reading/watching BBC.
Re:Yeah, well... (Score:3, Interesting)
That all sounds nice in theory. However, the People's Democratic Republic of (formerly Great) Britain has the BBC -- it's funded through a license fee, and has a very strict code preventing it from carrying advertising.
It's mostly a government propaganda tool and it carries large amounts of viral marketing and product placement every single day. It appears to be wholly corrupt. It is in NO WAY an organ of truth nor democracy. It is very much a tool of plutocracy. And yet it remains, misguidedly, a respected and popular organization.
At least Fox News is fairly honest about its bias, the BBC is much more clandestine about its.
Re:Upcoming Mythbusters Special! (Score:3, Interesting)
The Slashdot Moderation System working at its finest. Truly, a day to be proud, CmdrTaco.
Vuls have been known for years (Score:1, Interesting)
There have been studies showing the RFIDs can be read for some distance - maybe 2-3 feet, maybe more with LOTS of power - and common parts do not encrypt the traffic. Thus if card number, date, and customer name are on the RFID they can be sniffed (and conversely). Simple matter to try a few brands and see which have what information. However what gets charged tends to be a few gal. of gas or a burger or three. Big deal. If all those elements are not present, it gets kinda hard to steal much without another leak (which might be enough by itself).
Re:Delaying the inevitable (Score:3, Interesting)
Looks like it's time for a grassroots movement by us:
Perhaps, only perhaps, the hard part will be communicating this problem succinctly.
Re:In other words: (Score:3, Interesting)
Unfortunately, it's true to a point (Score:5, Interesting)
Especially when it comes to things that might be used for criminal ends. Reason is, most criminals aren't all that smart. Especially small time criminals. To the extent there are smart criminals, they are usually the ones on top, the drug lords and such. The small time criminals usually aren't the sort of people who do research or think things through. You can see this in things like copper theft. This really is not a very profitable mode of operation. Even with the price having doubled, copper prices are still talked about in single digit dollars per POUND. That's also the price you'd pay on a mercantile exchange, not the price a scrap dealer gives you. Thus it is dangerous (both in terms of getting arrested and risking death if the wires happen to be live), a good bit of work, and probably doesn't pay any better than a job at McDonalds.
The point I'm getting at is that the large amount of petty, opportunity type criminals go for things their attention has been brought to. Copper prices skyrocketing made news so their attention got brought to it. They didn't realize that while the prices did double that was from about $2/lb to $4/lb.
Now as related to RFID, well Mythbusters certainly could lead to slightly more sophisticated petty criminals trying it. Right now, there's little information out there on it. So you'd be talking doing a good deal of research, perhaps some of it original, to build a device that could nab card numbers. This assumes that they've even had it brought to their attention that such a thing can be done. If they don't read a site like Slashdot, chances are they don't know it has security issues, and perhaps aren't even aware it exists at all.
However if Mythbusters calls attention to it, and shows a basic guide of how to exploit it, well then they might start trying.
Now I'm not saying that this means the problem shouldn't get fixed, or that it is Mythbusters job to keep it under wraps. I am saying that there really is some merit to the idea that if the public isn't aware of the problem it's not a problem. Sure there are people out there who are both aware it is a problem and know enough to exploit it. Perhaps you are one of them. However, are you going to actually do it? No? Then no problem.
I'm not saying this is the right way to approach the security of this issue, I am just saying that there is real merit to the idea that if the public doesn't know then it's not a problem. You probably meant that it would be happening but they'd be kept in the dark about it. No, not at all. What I mean is that if the public doesn't know about it, people won't try to exploit it.
Biometrics Episode (Score:3, Interesting)
I wonder how much of this is in response to that episode they did a while back on security systems and showed how easily they could be gotten around (most notably the trivial to subvert finger print scanner).
After making those companies look like liars and fools, I can imagine that the credit card companies would not want to risk the bad press too.
Re:I can just see the courtroom in 2010 (Score:3, Interesting)
How do you know the credit card companies aren't trying to fix the issue?
Because they continue to deploy RFID tech that is known to have security flaws.
And why not also blame the Discovery Channel, who didn't even try to put up a defense?
Because Discovery is first & foremost a business and without their advertisers, they are nothing.
Re:Unfortunately, it's true to a point (Score:1, Interesting)
To the extent there are smart criminals, they are usually the ones on top, the drug lords and such.
"To the extent there are smart criminals"?
I assure you that such creatures do exist, and probably a lot more than you'd think. Just think for a little while about the size of the black economy - especially, as you mention, drugs. As you correctly point out, the smart ones are the ones at the top. They can be extremely smart and extremely rich - and they always buy some small business or something so no-one even knows where their real money comes from.
They operate with extreme secrecy and absolute compartmentalisation. They are often on the cutting edge of technology. They are extremely sophisticated in avoiding any provable link between the "foot soldier" and the actual bosses.
The smart criminal isn't like in the movies. They tend to be very rational, fair, restrained people. The "Scarface" types don't last long. The "nice" ones very, very rarely get busted.
The funny thing is, a lot of the time the police (and often the whole city) knows exactly who's in charge. They can never prove it in a court, but the detectives can sniff them out. They don't arrest them, they befriend them. A well-placed, reasonable, fair criminal is a detective's most valuable asset.
They often have arrangements with local police with the understanding that they run a clean ship, don't do anything too bad, feed the cops the occasional medium-size fish, cooperate when anything goes seriously wrong, and they'll be left in peace.
The line between the police (the detectives, not the coppers on the beat) and the criminals can blur pretty badly at times. Don't be fooled - a lot of the time, the top crims and the detectives are *friends*. A lot of the time, the criminals are the ones investigating the crime. There's two types of crime, you see - permissible crime and impermissible crime. Raping ladies is impermissible. Selling marijuana is fine - especially if you can ask around as to who's raping the ladies. Find out, and you're never going to be busted for the pot. Oh, and if there's some real scumbag running around killing people and scaring the punters, the crimelord types will make sure they're taken care of nice and quiet. Or not so quiet, if the police need a bit of media to keep the politicians happy.
Fact is, society needs criminals, and the govt. knows better than to shut down an otherwise well-behaved network. And there's a lot of smart people meeting those needs. Know anyone who owns any kind of "meeting place" business, like a pub, club, even restaurant? Are they doing very well - kind of suspiciously well? You might know one too : )
Re:Already done (Score:4, Interesting)
A few inches? I was hoping to see Adam and Jamie with a parabolic antenna reading people's CC tokens from a couple of blocks. No, seriously. RFID security ranks right up there with Congressional oversight in the list of the top oxymorons of all time... okay, not all RFID hardware---some actually do use crypto in the right way---but a large enough percentage that my level of trust for RFID CCs is somewhere between zero and negative infinity.
I kind of wish someone would record (and post on YouTube et al) a MythBusters parody in which they act like Adam and Jamie et al and do an RFID shootout to see who can assemble the best RFID remote reader rig. Score the contest on accuracy, on ability to distinguish multiple cards, on range, and if they are really feeling lucky, on whether they were able to successfully make a purchase using the skimmed data with the opponent's credit card.... :-)
I doubt I'm going to see that any time soon, but it would be fun to watch the inevitable train wreck in a couple of CC companies' stock as they scrambled to dismantle those systems and come up with a more secure means of payment....
Re:Delaying the inevitable (Score:3, Interesting)
YouTube is required by law to take down content when someone files a DMCA takedown notice, and put it back up after 14 days if the person who uploaded it files an uncontested counter notice. I believe that is what happened when the IOC mistakenly filed a notice against some video footage titled "Olympic Opening Ceremony" or something, which turned out to be footage of people protesting outside the Chinese embassy in New York.
While that may be the case, you do realize that this is the same YouTube who pulled videos in response to a 15 year old Australian Boy [news.com.au], right? I mean, if some kid in Australia can gin up a convincing DMCA takedown, how difficult will it be for a proper lawyer associated with Discovery or one of the CC companies to find a provision that conceivably supports their case and fire a barrage of takedown notices?
Re:Delaying the inevitable (Score:3, Interesting)
Takedown and counter takedown notices are meant to be "one shot deals". If the second notice originated from the same entity you could probably sue Youtube for failing to follow the law if they didn't ignore it.