Oct. 24, 2006 – Privacy advocates and computer-security experts are sounding the alarm in response to newly exposed security flaws potentially affecting millions of new "swipe free" credit cards.
The cards are equipped with radio-frequency identification (RFID) chips, which transmit payment information using a tiny antenna.
In a report made public by the New York Times on Monday, a team of security experts demonstrated how sensitive personal information contained in the RFID-enabled cards can be obtained clandestinely using "cheap off-the-shelf hardware and software" and "modest technical skills."
Researchers also said they planned to release video and other documentation to support the "technical report."
In a demonstration for the Times, the researchers passed a sealed envelope containing a credit card in front of a small RFID reader; within minutes, the name and number of the card holder, one of the report’s authors, were revealed.
For their study, researchers bought a $200 commercial RFID reader to simulate a "skimming" attack. Security experts warn that this technology is increasingly available to identity thieves and others who could scan people’s cards through their pockets, wallets and purses undetected.
"There is a certain amount of privacy that consumers expect," Aviel Rubin, professor of computer security at Johns Hopkins University, told the Times, "and I believe that credit card companies have crossed the line."
The study’s authors, from the University of Massachusetts at Amherst and the information-technology company EMC, said cards from most issuers leave names, complete card numbers, expiration dates and card types "totally unprotected by any cryptographic security mechanism."
Though companies like Visa, MasterCard and American Express defended the security of their cards to the Times, calling the scannable personal information "useless" and a threat that "doesn’t exist," consumer watchdogs want the industry to institute a recall of the cards.
"For these financial institutions to put RFID in credit cards, one of the most sensitive items we carry, is absolute lunacy," said Katherine Albrecht in a press statement. Albrecht is founder and director of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and co-author of Spychips, a book critical of the increasing use of RFID technology.
CASPIAN, in a press statement, advised consumers "not to mail the cards back or simply throw them away due to the risk of their personal information being skimmed."