TELECOM Digest OnLine - Sorted: Re: Researchers See Privacy Pitfalls in No-Swipe Credit Cards


Re: Researchers See Privacy Pitfalls in No-Swipe Credit Cards


B. Wright (bmwright@xmission.com)
Tue, 31 Oct 2006 10:12:31 UTC

Monty Solomon <monty@roscom.com> wrote:

> By JOHN SCHWARTZ
> The New York Times
> October 23, 2006

> Tom Heydt-Benjamin tapped an envelope against a black plastic box
> connected to his computer. Within moments, the screen showed a garbled
> string of characters that included this: fu/kevine, along with some
> numbers.

> Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit
> card, fresh from the issuing bank. The card bore the name of Kevin E.
> Fu, a computer science professor at the University of Massachusetts,
> Amherst, who was standing nearby. The card number and expiration date
> matched those numbers on the screen.

> The demonstration revealed potential security and privacy holes in a
> new generation of credit cards -- cards whose data is relayed by radio
> waves without need of a signature or physical swiping through a machine.

> The card companies have implied through their marketing that the data
> is encrypted to make sure that a digital eavesdropper cannot get any
> intelligible information.

> But in tests on 20 cards from Visa, MasterCard and American Express,
> the researchers here found that the cardholder's name and other data
> was being transmitted without encryption and in plain text. They could
> skim and store the information from a card with a device the size of a
> couple of paperback books, which they cobbled together from readily
> available computer and radio components for $150.

I had Chase send me one of their "Blink" cards as a "favor". Not only
was the replacement sent well before the expiry date (years before,
not just months), it was also completely unsolicited. Why is it that,
for some stupid marketing or re-branding, these companies send out
cards you are not expecting? This just increases the amount of fraud
possible due to the fact that you're not expecting it to arrive and if
it doesn't show up you'll be none the wiser until it's too late. Now
with RFID-enabled cards maybe you'll receive it and not even realize
someone already stole the information without signs of tampering.

The card they sent was not just a credit card either, it was linked to
my bank accounts. At least with a credit card you have a lot better
protection against liability for fraudulent charges; with a debit card
it could turn into a nightmare situation. Their marketing literature
tried to sell me on how great the benefits of the card were. The only
"benefit" they could really point out was that it might be 20 seconds
faster in the checkout line because you didn't have to swipe the card
or sign for transactions about some small amount. This is ridiculous
because chances are you've already pulled your wallet and card out
anyway (especially if you have multiple RFID-based cards, you couldn't
just stick them all on the swipe pad at once unless you like playing
card roulette), so why not just swipe the mag stripe? I doubt you'll
notice the claimed "20 second time savings". The only benefit I saw,
that they didn't even point out, is that the mag stripes wear out or
become unreliable sometimes (very infrequently) and RFID shouldn't.

I don't care how secure they claim these are, how short they claim the
range to be, or anything else for that matter. I am confident they
will be compromised from a distance sooner or later. I told Chase to
stick their card where the sun doesn't shine and send me a new one
without the RFID chip or, if they can't do that, to close my accounts.
I did get a replacement card without the chip, but I do wonder if at
some point they will try to force the issue onto people with no
choices. If you are concerned about your security and privacy and
your bank does the same, I suggest you reject their card and ask for a
replacement. I really wonder how much money these companies waste on
ad-hoc card replacements like this just for non-value ideas dreamed up
by their marketing people.
