[LINK] Smart Card Association rebuffs RFID fraud claims

Geoff Ramadan gramadan at umd.com.au
Tue Nov 21 17:54:06 AEDT 2006


http://www.finextra.com/fullstory.asp?id=16160

The (USA) Smart Card Association (SCA) has dismissed claims by US researchers 
that a security flaw in RFID contactless payment cards leaves customers open to 
fraud.

The statement follows reports that a group calling itself the RFID Consortium for 
Security and Privacy had uncovered lapses in the security and privacy features 
of several types of RFID payment cards.

The group consists of researchers from the University of Massachusetts, RSA 
Laboratories and Innealta and lists partners including The San Francisco Bay 
Area Rapid Transit District, MIT Auto-ID Labs and the Programme for Advanced 
Contactless Technology at Graz University of Technology in Austria.

The researchers tested around 20 contactless credit cards and found that RFID 
cards transmit cardholder names and so any device capable of scanning a card can 
learn the name imprinted on it - with or without the owner's consent.

Secondly, the RFID credit cards are vulnerable to skimming. An attacker with an 
RFID reader can harvest information from a card, create an inexpensive clone 
device, and make charges against the legitimate card, says the group. 
Alternatively, a fraudster may be able to perform online transactions with 
harvested credit-card information.

Last month the researchers demonstrated to a New York Times reporter how the 
cards can be compromised and how the cardholder's name and other data can be 
leaked in plaintext to an unauthenticated card reader. A video demo has also 
been posted on YouTube.

However the SCA claims that nothing in the report supports the conclusion that a 
criminal could complete a fraudulent contactless payment transaction in the real 
world.

"One reason is that the researchers conducted these tests in a lab setting using 
only contactless cards and readers and did not interact with the payment 
networks in any way. One cannot draw valid conclusions about the security of a 
payment network if you ignore the network," says the SCA statement.

In response to the risk of a cardholder's name being harvested by criminals, SCA 
states that many contactless payment cards do not include the cardholder name on 
the chip, so this is not transmitted.

The SCA also points out that a contactless payment smart chip calculates a 
unique numeric value, or security code, that serves as a proof of authenticity 
for each transaction and this feature protects against the possible replay of 
any transaction data to create a fraudulent transaction. Any attempt to reuse an 
encrypted security code for another payment would result in the transaction 
being rejected.

"The card calculates these unique identifiers using secret information that is 
encrypted, never leaves the card and differs from one card to the next, which 
prevents successful cloning of contactless cards," says the SCA. "Even in the 
unlikely event a fraudster is able to record information from a contactless 
transaction, it would be useless."


Regards

Geoffrey Ramadan, B.E.(Elec)
Chairman, Automatic Data Capture Australia (www.adca.com.au)
and
Managing Director, Unique Micro Design (www.umd.com.au)
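The two sides of the article above, the researchers' skimming/cloning claim and the SCA's description of a per-transaction security code computed from a card-unique secret that never leaves the chip, can be illustrated with a small simulation. The following is an added example written for this page; it is not code from the researchers, the SCA, or any card vendor, and it does not implement the real contactless payment cryptogram scheme. It assumes a simplified model: the card's static data (PAN and holder name) is readable by any unauthenticated reader, while each transaction carries a MAC (HMAC-SHA256 here, chosen for illustration) over the PAN, amount, a terminal nonce and a monotonically increasing transaction counter, keyed by a secret held only by the card and the issuer. The card number, holder name and amounts are constructed sample data.

```python
import hmac
import hashlib
import secrets


def _mac(key, pan, amount, nonce, atc):
    """Per-transaction security code: MAC over the transaction fields and counter."""
    msg = f"{pan}|{amount}|{nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ContactlessCard:
    """Toy card: static data any reader can pull, plus a keyed per-transaction code."""

    def __init__(self, pan, holder_name, key):
        self.pan = pan
        self.holder_name = holder_name
        self._key = key          # card-unique secret; never returned by any method
        self.atc = 0             # application transaction counter

    def read_static(self):
        # No reader authentication in this model: anything in range gets this.
        return {"pan": self.pan, "holder_name": self.holder_name}

    def generate_cryptogram(self, amount, terminal_nonce):
        self.atc += 1
        return {
            "pan": self.pan, "amount": amount, "nonce": terminal_nonce,
            "atc": self.atc,
            "cryptogram": _mac(self._key, self.pan, amount, terminal_nonce, self.atc),
        }


class Issuer:
    """The network side the SCA says a lab test omits: holds keys, checks codes."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enrol(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorise(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return False, "unknown card"
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return False, "replay: transaction counter not increasing"
        expected = _mac(key, tx["pan"], tx["amount"], tx["nonce"], tx["atc"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False, "cryptogram does not verify"
        self._last_atc[tx["pan"]] = tx["atc"]
        return True, "approved"


def build_demo():
    """Constructed sample card and issuer sharing one secret key."""
    key = secrets.token_bytes(16)
    card = ContactlessCard("4111111111111111", "J. SAMPLE", key)  # sample data
    issuer = Issuer()
    issuer.enrol(card.pan, key)
    return card, issuer


def legitimate_purchase(card, issuer, amount):
    """Genuine card at a terminal; returns (authorisation result, transaction)."""
    tx = card.generate_cryptogram(amount, secrets.token_hex(4))
    return issuer.authorise(tx), tx


def skim_static(card):
    """What the researchers describe: an unauthenticated reader learns the name."""
    return card.read_static()


def replay_attack(issuer, captured_tx):
    """Resend a recorded transaction verbatim; the counter check rejects it."""
    return issuer.authorise(dict(captured_tx))


def forge_attack(issuer, captured_tx):
    """Bump the counter to dodge the replay check; the MAC no longer verifies."""
    forged = dict(captured_tx)
    forged["atc"] += 1
    return issuer.authorise(forged)


def clone_attack(issuer, card):
    """Clone built from skimmed static data only: it has no key, so its code fails."""
    skimmed = card.read_static()
    clone = ContactlessCard(skimmed["pan"], skimmed["holder_name"], secrets.token_bytes(16))
    clone.atc = card.atc  # even a correctly guessed counter does not help
    return issuer.authorise(clone.generate_cryptogram(999, secrets.token_hex(4)))


if __name__ == "__main__":
    card, issuer = build_demo()
    print("skimmed:", skim_static(card))
    (ok, why), tx = legitimate_purchase(card, issuer, 2500)
    print("legitimate:", ok, why)
    print("replay:", replay_attack(issuer, tx))
    print("forge:", forge_attack(issuer, tx))
    print("clone:", clone_attack(issuer, card))
```

The model makes the shape of the disagreement concrete: `skim_static` succeeds against any card that stores the name on the chip, regardless of what the issuer does, while `replay_attack`, `forge_attack` and `clone_attack` fail only because the issuer checks the counter and the keyed code. Whether real-world cards and networks behave like this model is exactly the question the article leaves open.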