[LINK] Smart Card Association rebuffs RFID fraud claims

Geoffrey Ramadan gramadan at umd.com.au
Wed Nov 22 17:46:08 AEDT 2006


Richard Chirgwin wrote:
> Geoff Ramadan wrote:
>> http://www.finextra.com/fullstory.asp?id=16160
>>
>> The (USA) Smart Card Association (SCA) has dismissed claims by US 
>> researchers that a security flaw in RFID contactless payment cards 
>> leaves customers open to fraud.
>>
>> [snip]
>> However the SCA claims that nothing in the report supports the 
>> conclusion that a criminal could complete a fraudulent contactless 
>> payment transaction in the real world.
> Nothing in the report ever purported to demonstrate fraudulent 
> transactions. The demonstration was of skimming data from the cards. 
> It's therefore fair to consider this criticism to be an attempt to 
> distract rather than to inform.
Though I accept this point, and obviously you understand the difference, 
I (and I assume the SCA) would be concerned that many would not, and 
therefore clarifying this point is important.
>>
>> "One reason is that the researchers conducted these tests in a lab 
>> setting using only contactless cards and readers and did not interact 
>> with the payment networks in any way. One cannot draw valid 
>> conclusions about the security of a payment network if you ignore the 
>> network," says the SCA statement.
> See above. Skimming data is not compromising a network, and the 
> researchers themselves did not claim the network was compromised, only 
> the cards.
As many have stated, reading an RFID tag/chip is not remarkable.
>>
>> In response to the risk of a cardholder's name being harvested by 
>> criminals, SCA states that many contactless payment cards do not 
>> include the cardholder name on the chip, so this is not transmitted.
> Telling us that some cards are okay doesn't refute the possibility of 
> skimming when the card is vulnerable.
>>
>> The SCA also points out that a contactless payment smart chip 
>> calculates a unique numeric value, or security code, that serves as a 
>> proof of authenticity for each transaction and this feature protects 
>> against the possible replay of any transaction data to create a 
>> fraudulent transaction. Any attempt to reuse an encrypted security 
>> code for another payment would result in the transaction being 
>> rejected.
>>
>> "The card calculates these unique identifiers using secret 
>> information that is encrypted, never leaves the card and differs from 
>> one card to the next, which prevents successful cloning of 
>> contactless cards," says the SCA. "Even in the unlikely event a 
>> fraudster is able to record information from a contactless 
>> transaction, it would be useless."
> This last quote is deliberately misleading: the risk is not only that 
> the card might be used for transactions, but that harvested card data 
> could be used as the basis of a broader identity fraud.
I would accept that there is a risk associated with skimming. Like all 
risks, you try to minimise it: where possible, cards should not 
contain any personal data, and probably the easiest solution would be 
to provide a metal wallet to hold the card. Just like your driver's 
licence etc., you provide an appropriate "security" measure to protect 
it (a wallet).

Geoffrey Ramadan



>
> RC
>>
>>
>> Regards
>>
>> Geoffrey Ramadan, B.E.(Elec)
>> Chairman, Automatic Data Capture Australia (www.adca.com.au)
>> and
>> Managing Director, Unique Micro Design (www.umd.com.au)
>>
>> _______________________________________________
>> Link mailing list
>> Link at mailman.anu.edu.au
>> http://mailman.anu.edu.au/mailman/listinfo/link
>>
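To make the distinction the thread turns on concrete (skimmed static data versus a per-transaction security code that cannot be replayed), here is an added toy model, not code from the original post, the SCA statement or any real card scheme. It assumes a card that answers every read with its PAN, expiry and (optionally) cardholder name in the clear, plus a cryptogram computed with a card-resident secret over a transaction counter, the amount and a terminal nonce; HMAC-SHA256 stands in for whatever cryptogram algorithm a real card uses, the PANs and amounts are constructed, and the issuer-side replay check is simplified to "counter must increase". It is not EMV and omits everything else a real payment network does.

```python
import hashlib
import hmac
import os


def compute_cryptogram(secret, pan, atc, amount, nonce):
    """Per-transaction security code (toy: HMAC-SHA256, not a real scheme)."""
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Card:
    """Simplified contactless card (constructed model, not EMV).

    Static data is sent in the clear on every read; the secret never leaves
    the card and is only used to compute the cryptogram for one transaction.
    """

    def __init__(self, pan, expiry, name, secret):
        self.pan = pan
        self.expiry = expiry
        self.name = name        # None on cards that omit the cardholder name
        self._secret = secret   # never transmitted
        self.atc = 0            # application transaction counter

    def transact(self, amount, terminal_nonce):
        self.atc += 1
        cryptogram = compute_cryptogram(self._secret, self.pan, self.atc,
                                        amount, terminal_nonce)
        # Everything returned here is what any reader in range can capture.
        return {"pan": self.pan, "expiry": self.expiry, "name": self.name,
                "atc": self.atc, "amount": amount, "nonce": terminal_nonce,
                "cryptogram": cryptogram}


class Issuer:
    """Issuer host: keeps a copy of each card secret and the highest ATC
    it has accepted for that card (assumed simplification)."""

    def __init__(self):
        self._secrets = {}
        self._last_atc = {}

    def issue(self, pan, expiry, name=None):
        secret = os.urandom(32)
        self._secrets[pan] = secret
        self._last_atc[pan] = 0
        return Card(pan, expiry, name, secret)

    def authorize(self, msg, amount, terminal_nonce):
        """Return (approved, reason) for a card message forwarded by a
        terminal that reports the transaction as `amount`/`terminal_nonce`."""
        secret = self._secrets.get(msg["pan"])
        if secret is None:
            return False, "unknown card"
        expected = compute_cryptogram(secret, msg["pan"], msg["atc"],
                                      amount, terminal_nonce)
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "cryptogram does not verify"   # forged, or reused for other data
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return False, "counter already used"         # replay of an accepted txn
        self._last_atc[msg["pan"]] = msg["atc"]
        return True, "approved"


def demo():
    issuer = Issuer()
    card = issuer.issue("4000123456789010", "12/08", name="J CITIZEN")
    nameless = issuer.issue("4000123456789028", "12/08")   # no name on chip

    # 1. Genuine tap at a terminal; an eavesdropper in range records it.
    nonce = os.urandom(4).hex()
    recorded = card.transact(amount=2500, terminal_nonce=nonce)
    genuine = issuer.authorize(recorded, 2500, nonce)

    # 2. Skimming: static fields are readable whether or not the cryptogram
    #    is ever usable. A rogue reader needs no network to harvest them.
    harvested = {k: recorded[k] for k in ("pan", "expiry", "name")}
    skim = nameless.transact(100, "00")
    harvested_nameless = {k: skim[k] for k in ("pan", "expiry", "name")}

    # 3. Replay of the recorded message with the same amount and nonce.
    replay = issuer.authorize(recorded, 2500, nonce)
    # 4. Reuse of the recorded cryptogram for a different amount/terminal.
    reuse = issuer.authorize(recorded, 9900, os.urandom(4).hex())
    # 5. Forgery: attacker bumps the counter but lacks the card secret.
    forged = dict(recorded, atc=recorded["atc"] + 1,
                  cryptogram=compute_cryptogram(b"guess", recorded["pan"],
                                                recorded["atc"] + 1, 2500, nonce))
    forge = issuer.authorize(forged, 2500, nonce)

    return {"genuine": genuine, "harvested": harvested,
            "harvested_nameless": harvested_nameless,
            "replay": replay, "reuse": reuse, "forge": forge}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running `demo()` shows both halves of the argument side by side: the replay, the reuse and the forgery are all rejected by the issuer, yet the PAN, expiry and (where the card carries it) the name were harvested by the first read and are unaffected by anything the cryptogram does.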
