RFID-enabled credit cards may be vulnerable, study finds

Oct 31, 2006 12:00 PM



U.S. consumers carry more than twenty million credit cards and debit cards equipped with RFID (Radio-Frequency Identification) chips, which communicate transaction data over short distances via radio, thus eliminating the need to swipe cards or hand them to merchants.

Consumers can instead make payments simply by waving their cards -- or even just their wallets -- near point-of-sale terminals. But while the technology is appealing to both consumers and merchants, the convenience of RFID credit cards has a flip side, according to the RFID Consortium for Security and Privacy -- a group of computer scientists from the University of Massachusetts at Amherst, RSA Laboratories and Innealta, with some nontraditional partners, including the San Francisco Bay Area Rapid Transit District (BART), the MIT Auto-ID Labs and the Programme for Advanced Contactless Technology (PROACT) at Graz University of Technology in Austria.

What a legitimate merchant terminal can read, a malicious scanning device can also read without a consumer's consent or knowledge, the group's report says. RFID credit cards therefore call for particularly careful security design.

The report reveals lapses in the security and privacy features of several types of currently deployed RFID credit cards and highlights two basic vulnerabilities:

* Names in the clear: The RFID credit cards transmit bearer names promiscuously. Any device capable of scanning a card can learn the name imprinted on it -- with or without the owner's consent.

* Payment fraud: In varying degrees, the RFID credit cards are vulnerable to an attack called "skimming." An attacker with an RFID reader can harvest information from a card, create an inexpensive clone device and make charges against the legitimate card. Alternatively, an attacker may be able to perform online transactions with harvested credit-card information.

Credit-card fraud is already widespread in various forms, and financial institutions already address the problem effectively with sophisticated detection and mitigation systems. Despite their flaws, therefore, it is unlikely that RFID credit cards will trigger a large new wave of fraud.

"What the report highlights most significantly is the new physical dimension of vulnerability that RFID credit cards introduce," says Ari Juels, a co-author of the report. "Without even removing their cards from wallets or pockets, consumers can potentially see their privacy and security compromised. A scanner in a crowded subway station might surreptitiously harvest credit-card data from passersby."

Slightly stronger data protections and cryptography could largely prevent attacks and most of the other vulnerabilities illustrated in the study, Juels says.

"The study is, in effect, a product-safety report," Juels says. "By highlighting weaknesses in a significant, fielded RFID system, the study aims to promote strong accountability and security practices in the RFID industry as a whole."

For more details on the study, visit www.rfid-cusp.org.

© 2012 Penton Media Inc.
