No-swipe credit cards could let thieves swipe your info

Credit cards that allow transactions without having to be swiped are advertised as making shopping quicker and easier.  But based on the findings of two University of Massachusetts computer scientists, these no-swipe credit cards could also make it easier for identity thieves to grab your credit card information.    

The two scientists tested 20 credit cards and were able to grab and store information (including credit card numbers and expiration dates) from each credit card with a device about the size of a few paperback books which they built for $150 using readily available computer and radio components.  And, it could be made smaller and cheaper.  The duo noted that they could probably put together a device that was about the size of a pack of gum for under $50.

In what they labeled the "Johnny Carson attack," in reference to the late comic's skit where he pretended to read the contents of an envelope simply by holding it to his forehead, the scientists were able to take information even from a new credit card still sealed in its original envelope.  That suggests that a thief could get access to a credit card still in the owner's wallet with the correct equipment.

Credit card companies have issued tens of millions of these no-swipe credit cards, which relay data via radio waves without the need for a signature or a physical swipe through a card reader.  Locations including drug stores, fast food chains and movie theaters have started accepting these credit cards.   

Credit card issuing banks have suggested through their marketing that the data is encrypted, so that a digital eavesdropper or thief could not read any intercepted data.

But in their testing of the 20 credit cards, the scientists discovered that the cardholder's name and other data were being transmitted in plain text, without encryption.  Additionally, since such a credit card can be read through a wallet or an item of clothing, the researchers say the security of the information is very poor.

Privacy advocates and consumer groups have recently expressed intense concern regarding the security of such credit cards' underlying technology, known as radio frequency identification, or RFID.  Even though the systems are designed to only allow a credit card to be read from very close, researchers have discovered that they can increase the distance.

The actual distance remains a subject of debate, but claims range from several inches to many feet.  Even the smallest distance could let a thief capture data from the wallets of passers-by in a busy area, or collect credit card data from envelopes sitting in mailboxes.

Companies that make and issue the no-swipe credit cards explain that what appears unsettling in the lab could not result in widespread abuse in the real world, adding that further data protection and anti-fraud measures in the payment system offer end-to-end credit card protection for consumers.  They note that testing only 20 credit cards does not provide an accurate picture of the credit card market, which usually employs higher security standards than the credit cards that were tested.  

And, these companies say, although card information may be transmitted in plain text, the process of making purchases with such a credit card involves verification procedures based on powerful encryption that make every transaction one-of-a-kind.  They stated that most credit cards actually transmit a dummy number that differs from the number printed on the credit card, and that number can only be used along with the verification "token," or a short piece of code, that is encrypted before being sent.

Still, the scientists found that while these claims were true for some of the credit cards they tested, other cards yielded the actual credit card number and did not use a token or alter data from one transaction to the next.  They were able to grab data from some credit cards, which was then transmitted to a card reader in the lab that they tricked into accepting the transaction.
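The difference between the two kinds of cards described above is easiest to see from the issuer's side. The following is an added illustration, not code from the article, the researchers or any card network: it uses HMAC-SHA256 and a transaction counter as a stand-in for the unspecified verification scheme, and every name, key and card value in it is constructed.

```python
import hashlib
import hmac

def make_token(card_key: bytes, alias: str, counter: int) -> str:
    """Card side: a short code bound to the dummy number and this transaction."""
    msg = f"{alias}|{counter}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Issuer side (hypothetical): checks the code and refuses reused counters."""
    def __init__(self):
        self.keys = {}          # dummy number -> per-card secret
        self.last_counter = {}  # dummy number -> highest counter accepted
        self.static_cards = {}  # printed number -> expiry (card with no token)

    def enroll(self, alias: str, key: bytes) -> None:
        self.keys[alias] = key
        self.last_counter[alias] = 0

    def authorize_dynamic(self, alias: str, counter: int, token: str) -> bool:
        key = self.keys.get(alias)
        if key is None:
            return False
        if not hmac.compare_digest(make_token(key, alias, counter), token):
            return False        # code was not produced with this card's key
        if counter <= self.last_counter[alias]:
            return False        # same data seen before: rejected as a replay
        self.last_counter[alias] = counter
        return True

    def authorize_static(self, number: str, expiry: str) -> bool:
        # Nothing changes between transactions, so a copy is as good as the card.
        return self.static_cards.get(number) == expiry

def demo():
    issuer = Issuer()
    key = b"constructed-demo-key"
    issuer.enroll("ALIAS-0001", key)
    issuer.static_cards["PLACEHOLDER-NUMBER"] = "12/09"
    token = make_token(key, "ALIAS-0001", 1)
    first = issuer.authorize_dynamic("ALIAS-0001", 1, token)
    replayed = issuer.authorize_dynamic("ALIAS-0001", 1, token)
    static_first = issuer.authorize_static("PLACEHOLDER-NUMBER", "12/09")
    static_again = issuer.authorize_static("PLACEHOLDER-NUMBER", "12/09")
    return first, replayed, static_first, static_again

if __name__ == "__main__":
    print(demo())
```

With the per-transaction code, the second presentation of the same data is refused; with the static card, the issuer has no way to tell the second presentation from the first.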

One of the scientists was actually able to buy electronic equipment online with a number skimmed from a credit card he ordered for himself that was still sealed in an envelope.  Since none of the credit cards transmits the credit card identification number on the reverse side of the card, the scientist ordered from a store that does not require the code for online purchases. 

Credit card companies said that cardholders are not liable for fraud, and that they have deployed fraud detection and prevention measures that deter suspect transactions.  And, all of the credit card companies indicated that they were in the process of deleting names from the stream of data sent to the credit card readers. 

One of the UMass scientists acknowledged that their research involved a small sample, but said they would be happy to examine credit cards that have better security.  He said that all the credit cards tested were issued in 2006, and that all were overcome by at least one of the attacks they mounted.

Consumers worried over the danger to their personal information from the use of a no-swipe credit card may want to opt for sticking with the sort of standard, tried-and-true credit cards offered at CreditCards.com.

Published: March 23, 2007


