[LINK] Researchers See Privacy Pitfalls in No-Swipe Credit Cards
Kim Holburn
kim at holburn.net
Tue Oct 24 07:26:55 AEST 2006
http://www.nytimes.com/2006/10/23/business/23card.html
> AMHERST, Mass. — They call it the “Johnny Carson attack,” for his
> comic pose as a psychic divining the contents of an envelope.
>
> Tom Heydt-Benjamin tapped an envelope against a black plastic box
> connected to his computer. Within moments, the screen showed a
> garbled string of characters that included this: fu/kevine, along
> with some numbers.
>
> Mr. Heydt-Benjamin then ripped open the envelope. Inside was a
> credit card, fresh from the issuing bank. The card bore the name of
> Kevin E. Fu, a computer science professor at the University of
> Massachusetts, Amherst, who was standing nearby. The card number
> and expiration date matched those numbers on the screen.
>
> The demonstration revealed potential security and privacy holes in
> a new generation of credit cards — cards whose data is relayed by
> radio waves without need of a signature or physical swiping through
> a machine. Tens of millions of the cards have been issued, and
> equipment for their use is showing up at a growing number of
> locations, including CVS pharmacies, McDonald’s restaurants and
> many movie theaters.
>
> The card companies have implied through their marketing that the
> data is encrypted to make sure that a digital eavesdropper cannot
> get any intelligible information. American Express has said its
> cards incorporate “128-bit encryption,” and J. P. Morgan Chase has
> said that its cards, which it calls Blink, use “the highest level
> of encryption allowed by the U.S. government.”
>
> But in tests on 20 cards from Visa, MasterCard and American
> Express, the researchers here found that the cardholder’s name and
> other data was being transmitted without encryption and in plain
> text. They could skim and store the information from a card with a
> device the size of a couple of paperback books, which they cobbled
> together from readily available computer and radio components for
> $150.
>
> They say they could probably make another one even smaller and
> cheaper: about the size of a pack of gum for less than $50.
>
> And because the cards can be read even through a wallet or an item
> of clothing, the security of the information, the researchers say,
> is startlingly weak. “Would you be comfortable wearing your name,
> your credit card number and your card expiration date on your
> T-shirt?” Mr. Heydt-Benjamin, a graduate student, asked.
>
> Companies that make and issue the cards argue that what looks
> shocking in the lab could not lead to widespread abuse in the real
> world, and that additional data protection and antifraud measures
> in the payment system protect consumers from end to end.
>
> “This is an interesting technical exercise,” said Brian Triplett,
> senior vice president for emerging-product development for Visa,
> “but as a real threat to a consumer — that threat really doesn’t
> exist.”
>
> The finding comes at a time of strong suspicion among privacy
> advocates and consumer groups about the security of the underlying
> technology, called radio frequency identification, or RFID. Though
> the systems are designed to allow a card to be read only in close
> proximity, researchers have found that they can extend the distance.
>
> The actual distance is still a matter of debate, but the claims
> range from several inches to many feet. And even the shortest
> distance could allow a would-be card skimmer to mill about in a
> crowded place and pull data from the wallets of passersby, or to
> collect data from envelopes sitting in mailboxes.
>
> “No one’s going to look at me funny if I walk down the street and
> put a flier in everybody’s mailbox,” Mr. Heydt-Benjamin said.
>
> The experiment was conducted by researchers here working with RSA
> Labs, a part of EMC, an information management and storage company.
> The resulting paper, which has been submitted to a computer
> security conference, is the first fruit of a new consortium of
> industry and academic researchers financed by the National Science
> Foundation to study RFID.
>
> Security experts who were not involved in the research have praised
> the paper, and said that they were startled by the findings. Aviel
> D. Rubin, a professor of computer security at Johns Hopkins
> University, said, “There is a certain amount of privacy that
> consumers expect, and I believe that credit card companies have
> crossed the line.”
>
> The companies, however, argue that testing just 20 cards does not
> provide an accurate picture of the card market, which generally
> uses higher security standards than the cards that were tested.
> “It’s a small sample,” said Art Kranzley, an executive with
> MasterCard. “This is almost akin to somebody standing up in the
> theater and yelling, ‘Fire!’ because somebody lit a cigarette.”
>
> Chips like those used by the credit card companies can encrypt the
> data they send, but that can slow down transactions and make
> building and maintaining the payment networks more expensive. Other
> systems, including the Speedpass keychain device offered by Exxon
> Mobil, encrypt the transmission — though Exxon came under fire for
> using encryption that experts said was weak.
>
> Though information on the cards may be transmitted in plain text,
> the company representatives argued, the process of making purchases
> with the cards involves verification procedures based on powerful
> encryption that make each transaction unique. Most cards, they
> said, actually transmit a dummy number that does not match the
> number embossed on the card, and that number can be used only in
> connection with the verification “token,” or a small bit of code,
> that is encrypted before being sent.
>
> “It’s basically useless information,” said David Bonalle, vice
> president and general manager for advanced payments at American
> Express. “You can’t steal that data and just play it back and
> expect that transaction to work.”
>
> While the researchers found that these claims were true for some of
> the cards they tested, other cards gave up the actual credit card
> number and did not use a token or change data from one transaction
> to another. They also took data in from some cards and transmitted
> it to a card-reader in the lab and tricked it into accepting the
> transaction. Mr. Heydt-Benjamin, in fact, was able to purchase
> electronic equipment online using a number skimmed from a card he
> ordered for himself and which was sealed in an envelope.
> (None of the cards transmits the additional number on the front or
> back, known as the card validation code, that some businesses
> require for online purchases; Mr. Heydt-Benjamin chose a store that
> does not require the code.)
>
> Mr. Kranzley said the MasterCard-issuing banks decided how much
> security they wanted to implement, but said that with 10 million of
> the company’s chip-bearing cards on the market, some 98 percent of
> them used the highest standards.
>
> “Today, there’s an extremely small percentage of cards that have
> the characteristics that RSA has looked at in this report,” he
> said. Visa and American Express representatives said all their
> cards conformed to the highest security standard.
--
Kim Holburn
IT Network & Security Consultant
Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
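The article contrasts cards that broadcast static plaintext fields with cards that send a dummy number plus a per-transaction verification token. The following Python model is an added illustration, not code from the article or the researchers' paper; the key, dummy account number, field names and the HMAC-over-counter scheme are all constructed assumptions. It shows why a skimmed static response can be replayed while a tokenised response is rejected on replay or tampering by an issuer-side check.

```python
import hashlib
import hmac

# Constructed sample values (hypothetical; not real card data or a real scheme).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DUMMY_PAN = "4111000000000002"  # dummy number, not the embossed PAN


def static_card_response(name, pan, expiry):
    """Model of the weak cards in the article: static fields in the clear.
    Nothing here changes between reads, so a capture is a full credential."""
    return {"name": name, "pan": pan, "expiry": expiry}


class TokenCard:
    """Model of a tokenising card: a counter plus a MAC binding dummy PAN
    and counter under a key shared only with the issuer."""

    def __init__(self, key, dummy_pan):
        self.key, self.dummy_pan, self.counter = key, dummy_pan, 0

    def respond(self):
        self.counter += 1
        msg = f"{self.dummy_pan}|{self.counter}".encode()
        token = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.dummy_pan, "ctr": self.counter, "token": token}


class Issuer:
    """Issuer-side verification: the MAC must check out and the counter
    must be strictly greater than the last one accepted for that PAN."""

    def __init__(self, key):
        self.key, self.last_ctr = key, {}

    def authorize(self, resp):
        msg = f"{resp['pan']}|{resp['ctr']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp["token"]):
            return False  # forged or tampered token
        if resp["ctr"] <= self.last_ctr.get(resp["pan"], 0):
            return False  # replay of a previously accepted (skimmed) response
        self.last_ctr[resp["pan"]] = resp["ctr"]
        return True


def replay_is_accepted(issuer, resp):
    """True if the same captured response authorizes twice (replayable)."""
    return issuer.authorize(resp) and issuer.authorize(resp)
```

The static model has no issuer check at all, which is the point: whatever the reader captures is already everything needed, so the only defence is not to transmit it in the clear.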