Are RFID Passports Safe? (No)

Passports these days have a small chip inside called an RFID. Governments who issue these passports say they’re secure and safe to use. And for years hackers have been saying they’re not secure. So who’s right?

Chris Paget, a white hat hacker (the good kind of hacker), recently did an experiment to see how many passports he could copy using some very simple tools. His aim was to see if he could read the RFID inside someone’s passport. The results?

In 20 minutes he managed to find 2 people carrying a new RFID passport, and was able to copy the contents of the RFID chip.

He did this from his car while driving around San Francisco. The people carrying the passports have no idea this happened. There’s no way for them to know. He made a video of his experiment that you can watch here:

(If the video above doesn’t play click here)

So what can we learn from this?

  • The RFID chip inside passports are not secure
  • The RFID chip inside passports can be copied from a distance

What can you do?

  • If your governments wants to tag people using RFID, e.g. by embedding RFID chips in drivers licenses, be aware of the ramifications.
  • It’s technically possible to shield your RFID passport by using a metal film. Some companies have started selling passport wallets that can block radio signals, stopping people reading the chip remotely.

Below are some passport wallets that can shield RFID signals (Click here to view in a full page)

FIFA World Cup Lottery Scam

The FIFA World Cup is scheduled for 2010 in South Africa and scammers have already started using this news to trick people into giving out their personal details.

Targetting peopleA new scam email is sent to people telling them they won a lottery. The email is full of interesting things to catch people’s attention such as a large dollar amount ($850,000) and social tricks such as asking them not to tell anyone about their winnings.

At the end they ask the recipient to send them a few personal details, which the scammers then use to steal money from your bank accounts.

The email uses broken English and is full of "official looking" random letters and numbers.

Below are some quotes from the scam email. If you receive this email just delete it.

South Africa FIFA World Cup 2010
Government Accredited Licensed!!
Online National Lottery South African
Batch: 12/25/DC34 RE:LOTTO

Your email have luckily won the sum of USD$850,000.00

Which subsequently won you the lottery in the 2nd category i.e. match 5 plus bonus. You have therefore been approved to claim a total sum of $850,000.00 USD… In cash credited to file KPC/9080118308/02. All participants for the online version were selected randomly from World Wide Web sites through computer draw system and extracted from over 100,000 union associations and corporate bodies that are listed online this promotion takes place weekly.

Our agent will immediately commence the process to facilitate the release of your funds as soon as you contact him. For security reasons, you are advised to keep your winning information confidential till your claims is processed and your money remitted to you in whatever manner you deem fit to claim your prize. This is part of our precautionary measure to avoid double claiming and unwarranted abuse of this program your request to fill the information below.

And it goes on and on.

Some people who fall for these things have never entered a lottery, but they want to believe it so much that they don’t stop to consider why they were selected.

Now you might be wondering who could possibly be so foolish to fall for lottery scams. In fact, a large number of people fall for these things. In Australia alone (and with a small population of 21 million) 329,000 people lost money to lottery and phishing scams in one year. 3.6 million people fell for these scams in USA. Imagine how many people worldwide fall for these things.

Not everyone in the world reads You can help by talking to people about lottery scams, making them aware of what they are and how they work (there’s more information here). Help educate people, especially those who are less tech savvy or might be desperate for money. You could also help them subscribe to – get them to enter their email address in the top right corner of this page, sometimes email is an easier way to receive these updates.

Keep the wolves at bay

Fake hi5 Requests

hi5 is a social network, much like Facebook or Myspace. A fake email has been going around pretending to be from someone called "Sarah xxx" (the name could change), and asking the reader to add them as a friend. The message says:

hi5 Friend Request from Sarah xxx


I’d like to add you to my hi5 friends network. You have to confirm that we are friends, and we’ll each get to meet more people. Please approve or reject my request by accessing the hi5 web site:

Accept Friend



hands friends This seems real enough but there’s one serious flaw. They include a link you can click on (where it says "Accept Friend"). Clicking on this link doesn’t take you to hi5’s web site, instead it takes you to a phishing site.

Assuming you had a hi5 account, when you enter your login details into the fake hi5 login page the system records your username and password and shares it with the criminals running this site.

Like all phishing sites, it’s just a fake page designed to steal your password.

What can you do?

  • If you use hi5 or any other social network, when you receive a notification email you can go their web page yourself, without clicking on the links in the email. In other words, open a web browser and type in the name of the web site (or use a bookmark).
  • When you see a link in an email, place the mouse pointer over it for a couple of seconds. Most email clients will display the real address it points to. Of course it helps to have a bit of experience recognising real addresses from fake ones – read this FraudO article to learn more.
  • Use a good anti-virus package. The big commercial packages scan your emails for fake emails like this one and filter them out. They also scan the address of every web page you go to and if it’s known to be a scam they’re filtered out too.
  • And if you don’t know anyone called "Sarah xxx" who signs her name as "Adelina" then you can just ignore the email entirely.

Malicious Firefox Add-On

One of the best things you can do to avoid falling victim to malware is to use an alternative browser.

poppies Microsoft’s Internet Explorer (IE) is very popular. Not long ago almost everyone used IE, it comes setup with almost every new PC sold (Windows PCs). And malware writers targeted IE because they could attack a majority of users just by concentrating on exploiting one browser. You could call it tall poppy syndrome.

Today Firefox is extremely popular. It’s gone from a small minority of people using it to an amazing 44% (depending on which statistics you read – I used this one). This makes for a fairly large demographic, and malware writers are taking notice.

There’s a new trojan that hides in a Firefox add-on. Once installed it waits for you to go to an online banking site. When it detects that you’re using online banking it starts recording your actions (account details, your password). Then it sends this off to cyber criminals who auction off your details and eventually someone can log into your online banking and transfer money. This isn’t good.

There are a few things you can do to avoid this:

  • If you want to install an add-on for Firefox, make sure you get it from a well known site. This is the official Mozilla site for Firefox add-ons:
  • Use a good anti-virus package (it’s a small investment you make to protect your PC). Make sure it’s kept up to date.
  • Once a web browser becomes too popular it’s time to start looking at less mainstream alternatives. At the moment you should consider Opera, Safari and Chrome (these are available for all the popular platforms)

In summary, Firefox is a very secure browser. It’s also fast and powerful, explaining why it’s become so popular. You just shouldn’t take its security for granted. Most malware infections happen when users are tricked into clicking something they shouldn’t have.

Facebook Exposes Birth Dates

dates A flaw in a beta version of Facebook made it possible to see member birth dates, even those set to hide this information. Birth dates are often used to confirm someone’s identity. By having a full name and birth date it’s possible to phone up companies and ask for more private information (this is called Identity Theft).

Facebook has already fixed the flaw. However it’s a good reminder that any private information you enter into a social network such as Facebook could some day be read by someone not meant to read it.

If something is important enough to be private then don’t enter it into someone else’s system without thinking through the potential consequences.

You can view a video of how this flaw works here.

Skype Phishing Emails

Skype has issued a warning that people have been receiving emails that appear to be from Skype. When a user clicks on a link in the email, they’re taken to a login page that looks like Skype’s website (but in fact it’s operated by someone else). When you enter your username and password, they’re sent to someone who will then use them for some malicious purpose.

How can you tell a real Skype login page from a fake one?

According to Skype the only page that they will ask you for login details is:…(anything else is ok here)…

If you’re about to enter your Skype details into a website that doesn’t exactly match the above then it’s probably fake. What if it’s just a few letters different? What if the dot’s in the wrong place?

The part after the // and before the first / needs to be an exact match. I’ve made this bold just to make it as clear as possible. The part at the end is ok.

Below is a copy of one of these Skype phishing emails. I’ve copied the contents here to help Google index this page. When you receive suspicious emails it’s a good idea to copy and paste a few lines into Google. You’ll soon be able to tell if it’s a known fake email or real.

Account blocked


We have to notice that your account is suspended because Skype major Terms are being changed.
To re-activate your account you need to agree with the new Terms here:

Follow this link to re-activate: ACTIVATE

after that, your account will be automatically re-activated.

Thank You!

Skype Administration

The word ACTIVATE has a link that goes to the fake Skype login page. In most email clients, if you hold the mouse pointer over the link you can see the real destination. If it’s not like the one shown at the top of this article then it’s fake. See this screenshot of the fake one:

Google Calendar Phishing

password Here’s a new spin in phishing attacks. The idea is to trick people into providing confidential data. This new technique is aimed at Gmail users. Here’s how it works:

  • An email arrives in your Gmail inbox. It’s a genuine email addressed to you so Gmail won’t filter it out.
  • The email was sent by someone called "customer care". This is enough to get most people’s attention.
  • The email is well laid out with a link to your Gmail calendar. This is pretty special as far as spam goes. How did they get a valid link to a calendar entry in there? (Spammers found a way to place calendar entries in other people’s Gmail calendar).
  • The email says:


This Email is from Gmail Customer Care and we are sending it to every Gmail Email User Accounts Owner for safety. we are having congestions due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts and your account was among those to be deleted.We are sending you this email to so that you can verify and let us know if you still want to use this account. (…)

You will have to confirm your E-mail by filling out your Login Information below after clicking the reply button, or your account will be suspended within 24 hours for security reasons.

* Username:

* Password:

It’s an attempt to get you to provide your username and password. If you see anything like that simply delete it.


Vishing is short for voice phishing. This involves tricking someone into calling a phone number, listening to a recorded message, then being tricked into providing personal information to the phone service.

phoneWhy would someone want to set this up? To collect your personal information, such as credit card number, its expiry date, your date of birth, PIN codes, etc. That information is then either sold on the black market or used by the scammers to steal or spend your money (this is also called identity theft).

Setting up an automated phone system like the ones described here is fairly easy these days, and fairly cheap.

Do people fall for it? Oddly enough, yes. Hopefully by now everyone’s getting the message not to trust strange web sites on the internet. But less obvious methods such as automated phone services are easily forgotten.

Anti virus software can’t stop you making a phone call. And people can be more trusting of “old fashioned” technology such as phones.

How does it work in practice? Here’s a summary of a recent vishing attempt.

  1. Emails are sent in bulk to as many people as possible.
  2. The emails have forged headers to appear to come from
  3. The email contains an important looking message. Note that it doesn’t have any links to click on, instead it gives a phone number.
  1. Internal Revenue Service Tax Refund

    After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $215.

    Tax Refund Number: <number here> – Will Expire on <date here>


    Tax refunds can be sent only to VISA or Mastercard DEBIT CARDS.

    To receive your tax refund please call the IRS Tax Refund Department at: 602-427-59x

    Internal Revenue Service

  • The reader takes an interest because of the offer for free money (who wouldn’t!) and calls the number shown.
  • Because the email already warned people they need a VISA or Mastercard card to receive payment they would be more willing to provide the card’s details.
  • Tips to avoid this scam:

    • A good anti virus package will detect fraudulent emails such as the one above and filter them out, so invest in one if you haven’t already.
    • In a company (small or large) invest in mail filtering. This is usually not included in corporate anti virus software.
    • Think carefully why you received this email. Did you really lodge a tax submit a tax return recently, and in the country the email says it’s from? (e.g., if you live in USA and receive an email offering a tax refund from Australia, it’s most probably a scam).
    • Does your country’s tax department even have your email address? If you didn’t give it to them then why are you receiving this email?
    • Don’t blindly dial the number shown in the email. Look them up in your local phone book.

    This isn’t limited to tax refunds. Other vishing variations may appear to be from banks or other financial institutions.

    Another variation of this scam is to send people an SMS instead of an email, with a shorter version of the message above. Treat SMS’s like you would treat emails. Note: it’s also easy to forge SMS’s to appear to come from other people.

    Automated voice systems can also initiate phone calls with fake caller IDs. The technology’s easily available. VoIP systems are even easier to set up.

    The potential to trick people into handing over personal details is just as easy using phones as it is using emails and web pages.

    Protect Your Tax File Number

    In Australia your Tax File Number (TFN) is used by the Australian Tax Office to identify you. It could be used against you by other people to commit identity theft and fraud so you should take measures to ensure its security. Below are some tips to help you with this:

    • Don’t give it out to just anyone else who asks – it’s confidential. See the list below.
    • There have been bogus job ads on the internet and in newspapers that ask people to provide quite detailed personal information including tax file numbers. Don’t provide any of this information until you’ve met the potential employer at their office and confirmed their validity.
    • Don’t carry your Tax File Number in your wallet or mobile phone
    • Securely destroy any mail you receive from the Tax Office showing this number
    • Only use tax agents that are registered on the Tax Agents Board,

    tax The following are allowed to request your Tax File Number:

    • the Tax Office
    • employers
    • banks & other financial institutions
    • tax agents
    • Centrelink
    • superannuation funds