Two UMass computer scientists demonstrated how easy it could be for credit card thieves to grab information from no-swipe credit cards that employ RFID technology.
The two scientists tested 20 credit cards and were able to grab and store information (including credit card numbers and expiration dates) from each one with a device about the size of a few paperback books, which they built for $150 using readily available computer and radio components. And it could be made smaller and cheaper: the duo noted that they could probably put together a device about the size of a pack of gum for under $50.
In what they labeled the “Johnny Carson attack,” in reference to the late comic’s skit in which he pretended to read the contents of an envelope simply by holding it to his forehead, the scientists were able to take information even from a new credit card still sealed in its original envelope. That suggests that, with the right equipment, a thief could read a credit card while it is still in the owner’s wallet.
Credit card companies have issued tens of millions of these no-swipe credit cards, which relay data via radio waves without the need for a signature or a physical swipe through a card reader. Locations including drug stores, fast food chains and movie theaters have started accepting these credit cards.
Credit card issuing banks have suggested through their marketing that the data is encrypted, so that a digital eavesdropper who intercepts it cannot read anything intelligible.
But in their testing of the 20 credit cards, the scientists discovered that the cardholder’s name and other data were being transmitted unencrypted, in plain text. Since such a card can be read through a wallet or an item of clothing, the researchers say the security of that information is very poor.
Privacy advocates and consumer groups have recently expressed intense concern regarding the security of the technology underlying such credit cards, known as radio frequency identification, or RFID. Even though the systems are designed to allow a card to be read only from very close range, researchers have discovered that they can increase that distance.
The actual distance remains a subject of debate, with claims ranging from several inches to many feet. Even the smallest of these distances could let a thief capture data from the wallets of passers-by in a busy area, or collect credit card data from envelopes sitting in mailboxes.
Companies that make and issue the no-swipe credit cards explain that what appears unsettling in the lab could not result in widespread abuse in the real world, adding that further data protection and anti-fraud measures in the payment system offer end-to-end credit card protection for consumers. They note that testing only 20 credit cards does not provide an accurate picture of the credit card market, which usually employs higher security standards than the credit cards that were tested.
And, these companies say, although card information may be transmitted in plain text, the process of making purchases with such a credit card involves verification procedures based on strong encryption that make every transaction one-of-a-kind. They stated that most of these cards actually transmit a dummy number that differs from the number printed on the card, and that this number can only be used together with a verification “token,” a short piece of code that is encrypted before being sent.
Still, the scientists found that while these claims were true for some of the credit cards they tested, other cards yielded the actual credit card number and did not use a token or alter their data from one transaction to the next. They were also able to take data captured from some cards and transmit it to a card reader in the lab, which they tricked into accepting the transaction.
One of the scientists was actually able to buy electronic equipment online with a number skimmed from a credit card he had ordered for himself, while it was still sealed in its envelope. Since none of the credit cards transmits the verification code printed on the reverse side of the card, the scientist ordered from a store that does not require that code for online purchases.
Credit card companies said that cardholders are not liable for fraud, and that they have deployed fraud detection and prevention measures that deter suspect transactions. All of the credit card companies also indicated that they were in the process of removing cardholder names from the stream of data sent to card readers.
One of the UMass scientists acknowledged that their research involved a small sample, but said they would be happy to examine credit cards that have better security. He said that all the credit cards tested were issued in 2006, and that all were overcome by at least one of the attacks they mounted.
Consumers worried about the risk to their personal information from using a no-swipe credit card may prefer to stick with the sort of standard, tried-and-true credit cards offered at CreditCards.com.