News
10/24/2006 05:21 PM

Researchers Expose Contactless Credit Card Flaws

Information including cardholder names, card numbers, and expiration dates can be read from contactless credit cards with about $150 worth of equipment, according to a report released this week.

Researchers at the University of Massachusetts have demonstrated how to read personal information from contactless credit and debit cards using about $150 worth of equipment.

Tom Heydt-Benjamin and Kevin Fu, of the RFID Consortium for Security and Privacy (RFID-CUSP), showed how to read information such as names, card numbers, and expiration dates from the cards. The details were released in a report Monday, the latest in a series of demonstrations of vulnerabilities in some contactless cards. However, because credit card fraud is already widespread and card companies already have countermeasures in place, RFID-CUSP said it is unlikely that RFID credit cards will trigger a new wave of fraud.

"Rather, what the RFID-CUSP report highlights most significantly is the new physical dimension of vulnerability that RFID credit cards introduce," the group stated on its blog. "Without even removing their cards from wallets or pockets, consumers can potentially see their privacy and security compromised. A scanner in a crowded subway station might surreptitiously harvest credit-card data from passersby."

The team also points to the possibility of "Johnny Carson" attacks, named after Carson's Carnac the Magnificent act, in which he divined the contents of sealed envelopes held against his forehead: a card can be read through its still-sealed envelope without the envelope ever being opened. Such an attack could be carried out near mailboxes, according to RFID-CUSP. The researchers said that some of the cards they tested transmitted cardholder data without encryption, despite common assurances from issuers to the contrary.

"Given that RFID as a broad technology is already a flashpoint for consumer fears, the choice of credit-card associations not to confer stronger protections on RFID-enabled cards is somewhat surprising," RFID-CUSP stated. "Numerous media reports have drawn attention to consumer concerns about RFID privacy and security, and various government bodies are mulling over RFID-privacy regulations."

The researchers did not field test skimming attacks because of potential legal liability. Until the credit card associations disclose how many vulnerable cards they have issued, the researchers said they cannot determine how many cards are affected by the flaws they found. They have offered to work with card issuers and merchants.

Fu has received $1.1 million from the National Science Foundation to lead a team of researchers at the University of Massachusetts Amherst in developing cryptographic protocols, hardware and applications for smart tags.

A video posted on YouTube demonstrates how the cards can be read.
