October 28, 2006

Privacy Issues and Contactless Payment

-- By Pushpa Sathish, Staff Writer

The experiment conducted by researchers at RSA Labs, a division of the information and storage management company EMC, has only added fuel to the fire of privacy concerns in the RFID sphere. Based on trial read runs on 20 credit cards issued by Visa, MasterCard, and American Express, Tom Heydt-Benjamin and his team report that they were able to glean names, card numbers and expiration dates by passing the cards over a device connected to their computer.

Privacy issues relating to contactless payment applications have reared their ugly head again with this latest security report, compiled as part of an RFID study sponsored by the National Science Foundation. Credit card companies are downplaying the problem with these arguments:

  • Twenty cards is not a large enough sample to reach generalized conclusions
  • The best encryption technology is being used in a majority of the cards (Art Kranzley, an executive with MasterCard, says that 98 percent of the cards issued use the highest standards of encryption)
  • The data skimmed off the cards is worthless because the number transmitted is not the one on the card, but a dummy number which has to be used in conjunction with an encrypted token on the card for the transaction to be valid
  • The distance that the cards can be read from is still under contention

RSA Labs tells a different story, though: Heydt-Benjamin was able to order electronic goods online with details read off his own card and transferred to a reader. Only a few cards used the dummy number, and in others there was no verification token in sight.
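To make the two card behaviours above concrete, here is an added toy model (not code from the report or from any card scheme) of why skimmed data from a card that sends only a dummy number plus a one-time token is worthless off the card, while the same read of a card that sends its real number is not. The token construction (an HMAC over the dummy number, a card counter and a terminal nonce, under a per-card key shared with the issuer), the card names and the numbers are all assumptions constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed toy model, not any real card scheme: the token is an HMAC-SHA256 over
# (dummy number, card counter, terminal nonce) with a per-card key shared with the issuer.

@dataclass
class Card:
    name: str
    pan: str         # real account number; a token card never transmits it
    dummy_pan: str   # number a token card transmits instead
    expiry: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    counter: int = 0

def read_plain(card, terminal_nonce):
    """Card with no token: everything an online order form asks for is in the clear."""
    return {"name": card.name, "pan": card.pan, "expiry": card.expiry}

def read_tokenised(card, terminal_nonce):
    """Card that sends a dummy number plus a one-time token bound to the terminal's nonce."""
    card.counter += 1
    msg = f"{card.dummy_pan}:{card.counter}:{terminal_nonce}".encode()
    token = hmac.new(card.key, msg, hashlib.sha256).hexdigest()
    return {"name": card.name, "pan": card.dummy_pan, "expiry": card.expiry,
            "counter": card.counter, "token": token}

class Issuer:
    def __init__(self, cards):
        self.real = {c.pan: c for c in cards}
        self.dummy = {c.dummy_pan: c for c in cards}
        self.seen = {c.dummy_pan: 0 for c in cards}   # highest counter accepted per card

    def authorize(self, fields, terminal_nonce=None):
        """Online orders carry no nonce; a terminal reports the nonce it issued."""
        pan = fields["pan"]
        if pan in self.real:            # real number presented: accepted (CVC not modelled)
            return True
        card = self.dummy.get(pan)
        if card is None or terminal_nonce is None or "token" not in fields:
            return False                # a dummy number on its own buys nothing
        ctr = fields["counter"]
        if ctr <= self.seen[pan]:
            return False                # counter already used: replay
        msg = f"{pan}:{ctr}:{terminal_nonce}".encode()
        good = hmac.new(card.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, fields["token"]):
            return False                # token was minted for a different terminal
        self.seen[pan] = ctr
        return True

def skim_then_misuse(card, reader):
    """Read the card once with a rogue reader, then try the capture online and at a real terminal."""
    issuer = Issuer([card])
    skimmed = reader(card, terminal_nonce="rogue-reader-nonce")
    online = issuer.authorize(skimmed)                              # card-not-present form
    at_terminal = issuer.authorize(skimmed, "legit-terminal-nonce")  # replay in a store
    return {"online": online, "at_terminal": at_terminal}
```

A legitimate tap, where the terminal that issued the nonce is the one reporting it, still authorizes once and is refused if the same fields are presented a second time.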

A strong point in favor of the card companies is the fine print at the end of the report, which states that the card validation code is not transmitted during these surreptitious reads. Since most stores require this piece of data for a valid transaction, the cards have only a small chance of being misused. Other advocates of these credit cards will also cite RFID-blocking wallets as reason enough to use them.

Maybe the researchers will come up with a way to make the cards spit out the validation code too, fancy wallet or otherwise – that’s another issue. But what I’m concerned about is the fact that not all cards carry the same amount of security. Are consumers aware of this difference and the reason that it exists? The card companies may shout themselves hoarse that cardholders are not liable for fraud, but why this discrimination between one client and the other?
