TELECOM Digest OnLine - Sorted: New Style Credit Cards Can Broadcast Your Personal Information


New Style Credit Cards Can Broadcast Your Personal Information


Erik Larkin, PC World (pcworld@telecom-digest.org)
Thu, 15 Feb 2007 23:51:11 -0600

by Erik Larkin, PC World

You may be carrying a new type of credit card that can transmit your
personal information to anyone who gets close to you with a scanner.

The new cards -- millions of which have been issued over the past year
-- use RFID, or Radio Frequency Identification, technology. RFID
allows scanners to use radio signals at varying distances to read
information stored on a computer chip.

According to a study from academic and business researchers at the
University of Massachusetts, RSA, and Innealta, many of the cards will
transmit your name, credit card number, and expiration date (but not
the three-digit security code) in the clear to anyone nearby with a
scanner. One of the researchers, Kevin Fu of the University of
Massachusetts, provided an electronic copy of the report's
just-finished final version to PC World. The draft version is
available online.

Millions of Cards in Use

RFID is widely used to track shipments and store inventory--and now
it's in credit cards, allowing customers to swipe the cards past
readers in McDonald's restaurants, CVS pharmacies, and elsewhere,
making for quick and easy transactions. Visa says more than 6 million
"contactless" cards exist worldwide, and their number is growing
rapidly.

In an e-mail, Fu wrote that "in our collection of approximately 20
cards, the vast majority revealed CC name, CC number, and expiration"
when the researchers scanned with a commercial RFID reader that they
modified to work with the credit cards. According to the FAQ on the
study, the sample cards "spanned all three major U.S. payment
associations and several major issuing banks."

According to a Visa spokesperson, the company's contactless card network
uses an encrypted security code to verify a transaction. That should
protect against certain types of fraud -- but again, it doesn't protect
against someone pulling the name and number.

However, second-generation Visa Contactless cards no longer send the
name, says Brian Tripplett, the company's senior vice president of
emerging product development. The new cards still send their numbers,
but those would be difficult to use without the card holder's
name. With the first generation of cards, Visa suggested that banks
not issue cards that transmit the name; with new cards, that's
required.

Tripplett also says that Visa's technology has a shorter read range
and communicates differently than does the standard RFID used for
inventory management, for example. Mastercard didn't respond in time
for this story.

Is Your Card RFID-Equipped?

How do you tell if your card has one of these chips? Some cards have
visible microchips, according to the study's FAQ, but others don't.
Tripplett says that Visa Contactless cards have a symbol: four
vertical wave-like bands on the front or the back.

But to know for sure, and to know whether you have a first- or
second-generation Visa card, you need to call your bank and ask. You
should be able to request a card without the technology, or at least
one that doesn't transmit your name.

Also, you can block RFID signals with a "Faraday cage," which uses a
metal mesh or casing. A quick online search turned up some wallets and
wallet inserts that incorporate the cages.

Other Risk Reductions

Even for the first-generation cards that do send the name, some other
mitigating factors exist. First, while the researchers used a
commercially available RFID reader, they made modifications to it that
take "technical skills and know-how," Fu wrote. Also, the reader must
be close: The card specs say only a couple of inches, but Fu says some
research papers put the max range at about 6 inches.

And most important, phishing, keyloggers, and other kinds of online ID
theft are far too successful right now for criminals to put in the
effort required for this type of fraud. So the risk probably isn't
significant -- for now.

Major risk or not, however, there's no way I'd want my credit card to
transmit its information without any encryption. Adding yet another
opportunity for ID theft where there doesn't need to be any, whether
the threat is large or small, simply makes no sense.

Copyright 2007 PC World Communications, Inc.

NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
http://telecom-digest.org/forum (or)
http://telecom-digest.org/chat/index.html

For more news and headlines, please go to:
http://telecom-digest.org/td-extra/technews.html

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: Reuters News Wire: "Webcams Broadcast Israeli Dig"
Go to Previous message: Mike Sandman: "Re: Which CLEC Handles Exchange"
TELECOM Digest: Home Page