Shostack + Friends Blog Archive


Contactless Credit Cards Cracked

Well, calling it cracked implies encryption or some semblance of security, of which there is none according to the New York Times. In "Researchers See Privacy Pitfalls in No-Swipe Credit Cards" we learn that a team of folks from UMass Amherst and EMC/RSA tested a small batch of RFID credit cards from Amex, Visa and MasterCard and found that they were all susceptible to skimming attacks that revealed a variety of information, including the cardholder name, the complete credit card number, and the expiration date. Though some cards did some obfuscation of the data, the cards were discovered to reuse strings within a short period of time.
One choice bit from the article is MasterCard’s response:

Mr. Kranzley said the MasterCard-issuing banks decided how much security they wanted to implement, but said that with 10 million of the company’s chip-bearing cards on the market, some 98 percent of them used the highest standards.

It’s ever so comforting that MasterCard advertises how secure the technology is but then leaves the implementation up to its member banks. I guess it’s just as well that I don’t carry a MasterCard; now I don’t need to try to convince my bank to tell me what features they did or didn’t implement. This does make me worry about my Visa though…
For those who want more detail, the Times has kindly posted the team’s submission to Financial Cryptography 2007 and a technical report as well.

3 comments on "Contactless Credit Cards Cracked"

  • The solution is to have banks ship the Identity Stronghold Secure Sleeve with every card. It is a Tyvek-like sleeve that shields your card and prevents it from being read while it is in it. Until the issuers start including it, you can buy them at the company's website. You can also get a new epassport sleeve very soon. See

  • Adam says:

    Kudos to you for having a business to fix the problems that these credit card companies are creating, but I’d prefer them to just have to accept the liability for their decisions.
