Contactless Credit Cards Cracked
Well, calling it cracked implies encryption or some semblance of security, of which there is none according to the New York Times. In "Researchers See Privacy Pitfalls in No-Swipe Credit Cards" we learn that a team of folks from UMass Amherst and EMC/RSA tested a small batch of RFID credit cards from Amex, Visa and MasterCard and found that they were all susceptible to skimming attacks that revealed a variety of information, including the cardholder name, the complete credit card number, and the expiration date. Though some cards did some obfuscation of the data, the cards were discovered to reuse strings within a short period of time.
One choice bit from the article is MasterCard’s response:
Mr. Kranzley said the MasterCard-issuing banks decided how much security they wanted to implement, but said that with 10 million of the company’s chip-bearing cards on the market, some 98 percent of them used the highest standards.
It’s ever so comforting that MasterCard advertises how secure the technology is but then leaves the implementation up to its member banks. I guess it’s just as well that I don’t carry a MasterCard; now I don’t need to try to convince my bank to tell me what features they did or didn’t implement. This does make me worry about my Visa though…
For those who want more detail, the Times has kindly posted the team’s submission to Financial Cryptography 2007 and a technical report as well.