Category Archives: Security Awareness

Craigslist and your anonymity

Filed under Security Awareness

Stumbled upon a very good social experiment by another blogger today in which he researched the identity of an “anonymous” Craigslist poster. While Craigslist does have a decent system for providing anonymous postings, it goes to show you that there is always going to be human error... or just plain stupidity. (Note the last link: this was a “sex baiting prank”, which goes to show you that people will gladly give out their personal information to complete strangers.)

Help protect your identity with RFID credit/debit card shields

[Image: RFID tag in a debit card]

While checking out some security blogs the other day, I came across a very good article over at the IT Security Expert blog about 15 tips to help reduce the risk of identity theft and fraud. One thing to add to that list is to use an RFID shield for your RFID-enabled credit/debit cards.

RFID or “contactless” payment cards are being issued by more banks and are starting to be accepted at more merchants. I actually noticed recently that you can use your MasterCard PayPass RFID card at Sheetz gas stations and also at the local movie theater.

There have been several vulnerabilities (good paper here) and other security concerns regarding RFID, especially focused on privacy.

I saw one example when I was at the Blackhat conference in Las Vegas this past year. I was walking by one of the entrances to the conference areas and noticed a gentleman sitting with a laptop and a long-range wireless antenna (looks like a Pringles can). On the antenna was a sticker that said “Your RF is showing”. I observed that he would also smirk when conference attendees passed him, and I took that to mean he was getting at least “some” identifying information from RFID-enabled cards people had on them. In addition, I saw a great (but scary) presentation at Blackhat from Adam Laurie entitled “RFIDIOts!!! Practical RFID Hacking (Without Soldering Irons or Patent Attorneys)”. These two examples made me think that I should probably use some sort of protection while carrying these cards around.

The solution?
Yes, wrapping your cards in tin foil supposedly works, but it's not as sexy as a sleeve shield to put your cards in. A company called Identity Stronghold makes “Secure Sleeve” shields for ISO 14443/15693 and EPC Gen 1/Gen 2 contactless smart cards and RFID tags (which most cards issued by banks are). You can check them out here. Also, there is a company that makes RFID-blocking wallets which protect your entire wallet.

I highly recommend you check out Adam Laurie’s website, which has really good technical information about different types of RFID tags as well as software (written in Python) to read them. You can even buy the hardware needed to read RFID tags directly from his site.

If you ever get a chance to see Adam, do so. He is one of the leading RFID security researchers and a great presenter as well.

Would you answer these questions?

Interesting post on the F-Secure Weblog about a recent PayPal phish. Take a look at the questions being asked. Do you think someone would fall for this? You bet! It is amazing to me that people will still give all of this sensitive information when asked (click on the link below for a screenshot).

There is no cure for human stupidity except more education. 🙂

[Screenshot: Questions asked in a PayPal Phish]

How Gullible Can You Get? – F-Secure Weblog : News from the Lab