[LINK] Smart Card Association rebuffs RFID fraud claims
Richard Chirgwin
rchirgwin at ozemail.com.au
Wed Nov 22 07:34:41 AEDT 2006
Geoff Ramadan wrote:
> http://www.finextra.com/fullstory.asp?id=16160
>
> The (USA) Smart Card Association (SCA) has dismissed claims by US
> researchers that a security flaw in RFID contactless payment cards
> leaves customers open to fraud.
>
> [snip]
> However the SCA claims that nothing in the report supports the
> conclusion that a criminal could complete a fraudulent contactless
> payment transaction in the real world.
Nothing in the report ever purported to demonstrate fraudulent
transactions. The demonstration was of skimming data from the cards.
It's therefore fair to consider this criticism to be an attempt to
distract rather than to inform.
>
> "One reason is that the researchers conducted these tests in a lab
> setting using only contactless cards and readers and did not interact
> with the payment networks in any way. One cannot draw valid
> conclusions about the security of a payment network if you ignore the
> network," says the SCA statement.
See above. Skimming data is not compromising a network, and the
researchers themselves did not claim the network was compromised, only
the cards.
>
> In response to the risk of a cardholder's name being harvested by
> criminals, SCA states that many contactless payment cards do not
> include the cardholder name on the chip, so this is not transmitted.
Telling us that some cards are okay doesn't refute the possibility of
skimming when the card is vulnerable.
>
> The SCA also points out that a contactless payment smart chip
> calculates a unique numeric value, or security code, that serves as a
> proof of authenticity for each transaction and this feature protects
> against the possible replay of any transaction data to create a
> fraudulent transaction. Any attempt to reuse an encrypted security
> code for another payment would result in the transaction being rejected.
>
> "The card calculates these unique identifiers using secret information
> that is encrypted, never leaves the card and differs from one card to
> the next, which prevents successful cloning of contactless cards,"
> says the SCA. "Even in the unlikely event a fraudster is able to
> record information from a contactless transaction, it would be useless."
This last quote is deliberately misleading: the risk is not only that
the card might be used for transactions, but that harvested card data
could be used as the basis of a broader identity fraud.
RC
>
>
> Regards
>
> Geoffrey Ramadan, B.E.(Elec)
> Chairman, Automatic Data Capture Australia (www.adca.com.au)
> and
> Managing Director, Unique Micro Design (www.umd.com.au)
>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
>
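An added illustration, not from the article, the SCA or this list: a toy Python model of the per-transaction security code the SCA describes, showing why a captured response cannot be replayed or re-counted without the card's secret, while the static fields a skimmer captures (PAN, expiry, name) remain readable, which is the point made above about harvested card data. The classes, field names, sample values and the HMAC-over-counter construction are assumptions for illustration, not EMV's actual cryptogram algorithm.

```python
import hashlib
import hmac

# Constructed, simplified model of the mechanism the SCA describes (per-card
# secret, per-transaction code). An illustration, not EMV's actual algorithm.

class ContactlessCard:
    def __init__(self, pan, expiry, name, secret):
        self.pan, self.expiry, self.name = pan, expiry, name
        self._secret = secret   # hypothetical on-card key; never transmitted
        self.atc = 0            # transaction counter, incremented per use

    def respond(self, amount):
        """Everything a reader (legitimate or skimmer) receives over the air."""
        self.atc += 1
        msg = f"{self.pan}|{self.expiry}|{self.atc}|{amount}".encode()
        code = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:8]
        return {"pan": self.pan, "expiry": self.expiry, "name": self.name,
                "atc": self.atc, "amount": amount, "code": code}

class Issuer:
    def __init__(self, keys):
        self.keys = keys    # pan -> secret shared with the issuer at enrolment
        self.last_atc = {}  # pan -> highest counter already accepted

    def authorize(self, tx):
        secret = self.keys.get(tx["pan"])
        if secret is None:
            return "DECLINED: unknown card"
        msg = f"{tx['pan']}|{tx['expiry']}|{tx['atc']}|{tx['amount']}".encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]
        if not hmac.compare_digest(expected, tx["code"]):
            return "DECLINED: bad security code"   # altered data or no key
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return "DECLINED: replay"              # this code is already spent
        self.last_atc[tx["pan"]] = tx["atc"]
        return "APPROVED"

def demo():
    """Returns (first use, replay, forged counter, static fields a skimmer holds)."""
    secret = b"constructed-per-card-secret"
    card = ContactlessCard("4111111111111111", "12/09", "A CARDHOLDER", secret)
    issuer = Issuer({card.pan: secret})
    captured = card.respond(amount=2500)              # one skimmed response
    first = issuer.authorize(captured)
    replay = issuer.authorize(captured)
    forged = dict(captured, atc=captured["atc"] + 1)  # bump counter, no key
    static = {k: captured[k] for k in ("pan", "expiry", "name")}
    return first, replay, issuer.authorize(forged), static
```

Running `demo()` gives `APPROVED`, `DECLINED: replay`, `DECLINED: bad security code`, and the static dictionary the skimmer keeps regardless of the issuer's decision.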