The NewStandard ceased publishing on April 27, 2007.

Report Reveals RFID Credit Cards Ripe for Info Skimming

by Catherine Komp

Oct. 24, 2006 – Privacy advocates and computer-security experts are sounding the alarm in response to newly exposed security flaws potentially affecting millions of new "swipe free" credit cards.

Email to a Friend
Print-friendly Version
Add to My Morning Paper

The cards are equipped with radio-frequency identification (RFID) chips, which transmit payment information using a tiny antenna.

In a report made public by the New York Times on Monday, a team of security experts demonstrated how sensitive personal information contained in the RFID-enabled cards can be obtained clandestinely using "cheap off-the-shelf hardware and software" and "modest technical skills."

Researchers also said they planned to release video and other documentation to support the "technical report."

In a demonstration for the Times, the researchers passed a sealed envelope containing a credit card in front of a small RFID reader; within minutes, the name and number of the card holder, one of the report’s authors, was revealed.

For their study, researchers bought a $200 commercial RFID reader to simulate a "skimming" attack. Security experts warn that this technology is increasingly available to identity thieves and others who could scan people’s cards through their pockets, wallets and purses undetected.

"There is a certain amount of privacy that consumers expect," Aviel Rubin, professor of computer security at Johns Hopkins University, told the Times, "and I believe that credit card companies have crossed the line."

The study’s authors, from the University of Massachusetts at Amherst and the information-technology company EMC, said cards from most issuers leave names, complete card numbers, expiration dates and card types "totally unprotected by any cryptographic security mechanism."

Though companies like Visa, MasterCard and American Express defended the security of their cards to the Times, calling the scannable personal information "useless" and a threat that "doesn’t exist," consumer watchdogs want the industry to institute a recall of the cards.

"For these financial institutions to put RFID in credit cards, one of the most sensitive items we carry, is absolute lunacy," said Katherine Albrecht in a press statement. Albrecht is founder and director of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and co-author of Spychips, a book critical of the increasing use of RFID technology.

CASPIAN, in a press statement, advised consumers "not to mail the cards back or simply throw them away due to the risk of their personal information being skimmed."

Send to Friends Respond to Editors or Reporter

The NewStandard ceased publishing on April 27, 2007.

Catherine Komp is a contributing journalist.

Recent contributions by Catherine Komp: