[LINK] Researchers See Privacy Pitfalls in No-Swipe Credit Cards
kim at holburn.net
Tue Oct 24 07:26:55 EST 2006
> AMHERST, Mass. — They call it the “Johnny Carson attack,” for his
> comic pose as a psychic divining the contents of an envelope.
> Tom Heydt-Benjamin tapped an envelope against a black plastic box
> connected to his computer. Within moments, the screen showed a
> garbled string of characters that included this: fu/kevine, along
> with some numbers.
> Mr. Heydt-Benjamin then ripped open the envelope. Inside was a
> credit card, fresh from the issuing bank. The card bore the name of
> Kevin E. Fu, a computer science professor at the University of
> Massachusetts, Amherst, who was standing nearby. The card number
> and expiration date matched those numbers on the screen.
> The demonstration revealed potential security and privacy holes in
> a new generation of credit cards — cards whose data is relayed by
> radio waves without need of a signature or physical swiping through
> a machine. Tens of millions of the cards have been issued, and
> equipment for their use is showing up at a growing number of
> locations, including CVS pharmacies, McDonald’s restaurants and
> many movie theaters.
> The card companies have implied through their marketing that the
> data is encrypted to make sure that a digital eavesdropper cannot
> get any intelligible information. American Express has said its
> cards incorporate “128-bit encryption,” and J. P. Morgan Chase has
> said that its cards, which it calls Blink, use “the highest level
> of encryption allowed by the U.S. government.”
> But in tests on 20 cards from Visa, MasterCard and American
> Express, the researchers here found that the cardholder’s name and
> other data was being transmitted without encryption and in plain
> text. They could skim and store the information from a card with a
> device the size of a couple of paperback books, which they cobbled
> together from readily available computer and radio components for
> They say they could probably make another one even smaller and
> cheaper: about the size of a pack of gum for less than $50.
> And because the cards can be read even through a wallet or an item
> of clothing, the security of the information, the researchers say,
> is startlingly weak. “Would you be comfortable wearing your name,
> your credit card number and your card expiration date on your T-
> shirt?” Mr. Heydt-Benjamin, a graduate student, asked.
> Companies that make and issue the cards argue that what looks
> shocking in the lab could not lead to widespread abuse in the real
> world, and that additional data protection and antifraud measures
> in the payment system protect consumers from end to end.
> “This is an interesting technical exercise,” said Brian Triplett,
> senior vice president for emerging-product development for Visa,
> “but as a real threat to a consumer — that threat really doesn’t
> The finding comes at a time of strong suspicion among privacy
> advocates and consumer groups about the security of the underlying
> technology, called radio frequency identification, or RFID. Though
> the systems are designed to allow a card to be read only in close
> proximity, researchers have found that they can extend the distance.
> The actual distance is still a matter of debate, but the claims
> range from several inches to many feet. And even the shortest
> distance could allow a would-be card skimmer to mill about in a
> crowded place and pull data from the wallets of passersby, or to
> collect data from envelopes sitting in mailboxes.
> “No one’s going to look at me funny if I walk down the street and
> put a flier in everybody’s mailbox,” Mr. Heydt-Benjamin said.
> The experiment was conducted by researchers here working with RSA
> Labs, a part of EMC, an information management and storage company.
> The resulting paper, which has been submitted to a computer
> security conference, is the first fruit of a new consortium of
> industry and academic researchers financed by the National Science
> Foundation to study RFID.
> Security experts who were not involved in the research have praised
> the paper, and said that they were startled by the findings. Aviel
> D. Rubin, a professor of computer security at Johns Hopkins
> University, said, “There is a certain amount of privacy that
> consumers expect, and I believe that credit card companies have
> crossed the line.”
> The companies, however, argue that testing just 20 cards does not
> provide an accurate picture of the card market, which generally
> uses higher security standards than the cards that were tested.
> “It’s a small sample,” said Art Kranzley, an executive with
> MasterCard. “This is almost akin to somebody standing up in the
> theater and yelling, ‘Fire!’ because somebody lit a cigarette.”
> Chips like those used by the credit card companies can encrypt the
> data they send, but that can slow down transactions and make
> building and maintaining the payment networks more expensive. Other
> systems, including the Speedpass keychain device offered by Exxon
> Mobil, encrypt the transmission — though Exxon came under fire for
> using encryption that experts said was weak.
> Though information on the cards may be transmitted in plain text,
> the company representatives argued, the process of making purchases
> with the cards involves verification procedures based on powerful
> encryption that make each transaction unique. Most cards, they
> said, actually transmit a dummy number that does not match the
> number embossed on the card, and that number can be used only in
> connection with the verification “token,” or a small bit of code,
> that is encrypted before being sent.
> “It’s basically useless information,” said David Bonalle, vice
> president and general manager for advanced payments at American
> Express. “You can’t steal that data and just play it back and
> expect that transaction to work.”
> While the researchers found that these claims were true for some of
> the cards they tested, other cards gave up the actual credit card
> number and did not use a token or change data from one transaction
> to another. They also took data in from some cards and transmitted
> it to a card-reader in the lab and tricked it into accepting the
> transaction. Mr. Heydt-Benjamin, in fact, was able to purchase
> electronic equipment online using a number skimmed from a card he
> ordered for himself and which was sealed in an envelope.
> (None of the cards transmits the additional number on the front or
> back, known as the card validation code, that some businesses
> require for online purchases; Mr. Heydt-Benjamin chose a store that
> does not require the code.)
> Mr. Kranzley said the MasterCard-issuing banks decided how much
> security they wanted to implement, but said that with 10 million of
> the company’s chip-bearing cards on the market, some 98 percent of
> them used the highest standards.
> “Today, there’s an extremely small percentage of cards that have
> the characteristics that RSA has looked at in this report,” he
> said. Visa and American Express representatives said all their
> cards conformed to the highest security standard.
IT Network & Security Consultant
Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
More information about the Link