October 24, 2006

Contactless Credit Cards: Privacy Holes?

With the number of contactless credit cards distributed to consumers increasing, researchers are raising awareness of potential privacy issues in two documents, (NY Times, PDF, 15 pgs) and (NY Times, PDF, 6 pgs). These are part of an (free registration required for just the article, not the PDFs). [via Payments News] I'm summarizing the NY Times article and adding a bit of commentary.

A test mentioned in the NY Times article indicated that researchers could read information from a contactless credit card while it was still inside an envelope. The information culled from the 20 different contactless cards they tested included the cardholder's name, expiration date, and even the card number. This is despite the fact that several financial institutions suggest that their cards are encrypted. Now you're thinking that you have to have special equipment to read the cards. Apparently the researchers built a reader from an old computer and radio components. It cost them US$150 to make, and they figure they can reduce the cost to $50 and make it smaller besides.

So if your mail carrier drops off your new credit card and someone steals it from your mailbox, they can cull the information from the card. When they're done, they could place the unopened envelope back in your mailbox. Credit card companies claim that there are additional safeguards, and "that threat really doesn't exist." Well, let's hope so. Since you can purchase products and services online without having to sign for them, fraud is easier online. However, none of the cards tested transmitted the additional "card validation number" which is sometimes needed for online purchases.

Then there's the issue of read distance. It's generally believed that contactless cards only have a read range of a few centimeters. Researchers are claiming that the range can be extended to up to a foot in some instances, so "skimmers" may even be able to read through a mailbox (provided it's not metal).

These are fairly surprising findings (more in the NY Times article), but not unlike the claims made for e-Passports. Several security experts from high-prestige universities are shocked by the findings, with one claiming credit card companies have crossed the line. The credit companies in turn are claiming that the information transmitted is basically useless, especially since there are other safeguards in place.

Obviously, either one party (the researchers) is exaggerating or the other party (financial institutions) is lying. If you do have or plan to get a contactless credit card, protect its information with one of the now multitudinous anti-RF sleeves or wallets available.
