Re: Researchers See Privacy Pitfalls in No-Swipe Credit Cards

By JOHN SCHWARTZ

> The New York Times
> October 23, 2006
>
> Tom Heydt-Benjamin tapped an envelope against a black plastic box
> connected to his computer. Within moments, the screen showed a garbled
> string of characters that included this: fu/kevine, along with some
> numbers.
>
> Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit
> card, fresh from the issuing bank. The card bore the name of Kevin E.
> Fu, a computer science professor at the University of Massachusetts,
> Amherst, who was standing nearby. The card number and expiration date
> matched those numbers on the screen.
>
> The demonstration revealed potential security and privacy holes in a
> new generation of credit cards -- cards whose data is relayed by radio
> waves without need of a signature or physical swiping through a machine.
>
> The card companies have implied through their marketing that the data
> is encrypted to make sure that a digital eavesdropper cannot get any
> intelligible information.
>
> But in tests on 20 cards from Visa, MasterCard and American Express,
> the researchers here found that the cardholder's name and other data
> was being transmitted without encryption and in plain text. They could
> skim and store the information from a card with a device the size of a
> couple of paperback books, which they cobbled together from readily
> available computer and radio components for $150.

I had Chase send me one of their "Blink" cards as a "favor". Not only was the replacement sent well before the expiry date (years before, not just months), it was also completely unsolicited. Why is it that, for some stupid marketing or re-branding, these companies send out cards you are not expecting? This just increases the amount of fraud possible due to the fact that you're not expecting it to arrive, and if it doesn't show up you'll be none the wiser until it's too late. Now with RFID-enabled cards, maybe you'll receive it and not even realize someone already stole the information without signs of tampering.

The card they sent was not just a credit card either; it was linked to my bank accounts. At least with a credit card you have a lot better protection against liability for fraudulent charges; with a debit card it could turn into a nightmare situation. Their marketing literature tried to sell me on how great the benefits of the card were. The only "benefit" they could really point out was that it might be 20 seconds faster in the checkout line because you didn't have to swipe the card or sign for transactions about some small amount. This is ridiculous because chances are you've already pulled your wallet and card out anyway (especially if you have multiple RFID-based cards, you couldn't just stick them all on the swipe pad at once unless you like playing card roulette), so why not just swipe the mag stripe? I doubt you'll notice the claimed "20 second time savings". The only benefit I saw, that they didn't even point out, is that the mag stripes wear out or become unreliable sometimes (very infrequently) and RFID shouldn't.

I don't care how secure they claim these are, how short they claim the range to be, or anything else for that matter. I am confident they will be compromised from a distance sooner or later. I told Chase to stick their card where the sun doesn't shine and send me a new one without the RFID chip or, if they can't do that, to close my accounts. I did get a replacement card without the chip, but I do wonder if at some point they will try to force the issue onto people with no choices. If you are concerned about your security and privacy and your bank does the same, I suggest you reject their card and ask for a replacement. I really wonder how much money these companies waste on ad-hoc card replacements like this just for non-value ideas dreamed up by their marketing people.

B. Wright
