Huge security flaw in the new RFID spychip credit cards
Is anyone really surprised?
My main complaint about these cards is that they are promiscuous (meaning they “sound off” to any reader within range) and they are silent (meaning they do not inform the owner with a beep or something when they are being accessed). Besides that, researchers have now discovered that beyond being promiscuous, these new “contactless smart cards” sound off indiscriminately with the owners’ plaintext name, credit card number, and expiration date.
The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”
But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text.…
And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. “Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?” Mr. Heydt-Benjamin, a graduate student, asked.
The credit card issuing companies, of course, say the threat is unrealistic.
Companies that make and issue the cards argue that what looks shocking in the lab could not lead to widespread abuse in the real world, and that additional data protection and antifraud measures in the payment system protect consumers from end to end.
“This is an interesting technical exercise,” said Brian Triplett, senior vice president for emerging-product development for Visa, “but as a real threat to a consumer - that threat really doesn’t exist.”
And:
Though information on the cards may be transmitted in plain text, the company representatives argued, the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification “token,” or a small bit of code, that is encrypted before being sent.
What he’s saying is that after the credit card is placed near the reader, and the plaintext is transferred, there’s an additional challenge and response exchange going on to prove that the card is indeed genuine. However, if the key bits of info (name, CC number, and expiration) fall into nefarious hands, they can use that data to order stuff online, or encode that data on a standard magnetic strip and use it at a regular terminal.
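A toy model of the exchange described above, added here as an example and not taken from the article or from any card scheme: the HMAC token, the counter, and the names `Card`, `Issuer`, `authorize_contactless` and `authorize_static_only` are all assumptions. It shows that the per-transaction token stops a replayed response, while a channel that checks only the plaintext fields gets no protection from it.

```python
import hashlib, hmac, secrets

class Card:
    def __init__(self, name, pan, expiry, key):
        self.static = {"name": name, "pan": pan, "expiry": expiry}
        self._key = key        # secret shared with the issuer, never transmitted
        self._counter = 0

    def respond(self, challenge):
        # Promiscuous and silent: answers whichever reader sends a challenge.
        self._counter += 1
        msg = challenge + self._counter.to_bytes(4, "big")
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        # Static fields leave the card in plaintext next to the token.
        return {**self.static, "counter": self._counter, "token": token}

class Issuer:
    def __init__(self, key, static):
        self._key, self._static, self._last = key, dict(static), 0

    def _static_ok(self, fields):
        return all(fields.get(k) == v for k, v in self._static.items())

    def authorize_contactless(self, challenge, resp):
        # Token must match the terminal's own fresh challenge and a new counter.
        msg = challenge + resp["counter"].to_bytes(4, "big")
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        ok = (hmac.compare_digest(expected, resp["token"])
              and resp["counter"] > self._last and self._static_ok(resp))
        if ok:
            self._last = resp["counter"]
        return ok

    def authorize_static_only(self, fields):
        # Hypothetical channel that never sees the token (web form, mag stripe).
        return self._static_ok(fields)

def demo():
    key = secrets.token_bytes(32)
    card = Card("J DOE", "0000000000000000", "01/30", key)  # constructed values
    issuer = Issuer(key, card.static)
    c1 = secrets.token_bytes(8)
    legit = issuer.authorize_contactless(c1, card.respond(c1))
    overheard = card.respond(secrets.token_bytes(8))   # response given to another reader
    replay = issuer.authorize_contactless(secrets.token_bytes(8), overheard)
    static = {k: overheard[k] for k in ("name", "pan", "expiry")}
    return legit, replay, issuer.authorize_static_only(static)

if __name__ == "__main__":
    print(demo())
```

The token only protects channels that actually verify it; the mitigation for the rest is to keep the static fields out of the cleartext response or make them useless on their own.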
“It’s the classic ‘Let’s depend on security through obscurity - who’s going to look?’” he said. “Then, whoops! As soon as somebody does look, you roll out the security.”
There’s tremendous inertia in the industry to use the RFID system, and I’m not entirely sure why. My best guess is that with the contactless promiscuous RFID cards they can snoop in on you, recording whenever a customer enters the store, how long they spend shopping, what displays they linger over, and how often a consumer buys something, even if they pay cash.
All these benefits are lost if they adopt the other type of smartcard (the one with little gold contacts, widely rolled out in Europe), such as the Amex Blue, because this kind of card only squeals your most personal information when card “A” is inserted into slot “B”.
[Thanks Claire]