New Credit Cards Leak Personal Info

Posted by freeisbest on March 31, 2007, 10:23 am
 
http://www.pcworld.com/printable/article/id,129377/printable.html
PC World: Technology Advice You Can Trust

New Credit Cards Leak Personal Info
Some cards equipped with RFID chips send out names and account
numbers.

Erik Larkin, PC World
Friday, March 23, 2007 03:00 PM PDT

You may be carrying a new type of credit card that can transmit your
personal information to anyone who gets close to you with a scanner.

The new cards--millions of them have been issued over the past year--
use RFID, or Radio Frequency Identification, technology. RFID allows
scanners to use radio signals at varying distances to read information
stored on a computer chip, a chip that is embedded in the card (click
on image above).

According to a study by researchers at the University of Massachusetts
and at security companies RSA and Innealta, many of these cards will
transmit your name, the credit card's number, and its expiration date
(but not the three-digit security code) unencrypted to anyone nearby
with an RFID scanner. (To see the full report as a PDF file, go to
"Vulnerabilities in First-Generation RFID-enabled Credit Cards".)

Swipe and Pay
RFID is widely used to track shipments and inventory. In credit cards,
it allows customers to swipe the cards past readers in such
establishments as McDonald's restaurants and CVS pharmacies, making
for quick and easy transactions. Visa says it has distributed over 6
million "contactless" cards worldwide, and the UMass study estimates
that at least 20 million exist, with the total growing rapidly.

In an e-mail, one of the UMass researchers, Kevin Fu, wrote that "in
our collection of approximately 20 cards, the vast majority revealed
[the credit card holder's] name, CC number, and expiration" when the
researchers scanned them with a commercial RFID reader they had
modified to work with such cards. The cards in the sample came from
American Express, MasterCard, and Visa, and had been issued by several
major banks.

The credit cards use an encrypted security code to verify a
transaction, which can protect against certain types of fraud--but not
against someone who pulls the name and number from a card and uses the
information to make online purchases, for instance.

As additional protection, Visa has begun requiring that banks not
issue cards that transmit the cardholder's name, according to Brian
Tripplett, the company's senior vice president of emerging product
development (previously Visa only suggested this). Cards issued by
American Express after this February also do not send the name,
according to a spokesperson. MasterCard did not respond to PC World's
requests for information.

According to American Express, for added security its cards transmit a
card number different from that displayed on the card. Visa's
Tripplett says that the contactless-card standard has a shorter read
range and communicates differently than does the simple RFID used for
such purposes as inventory management.

Do you have RFID?

How do you tell if your card has one of these chips? You can see the
actual chip in the American Express cards (see image near the
beginning of this story). And Tripplett says that Visa contactless
cards have a symbol: four vertical wavelike bands on the front or the
back. But to know for sure, and also to know whether your card sends
your name, you must call your bank (or American Express) and ask. You
should also be able to request a card that comes without the
contactless technology if you prefer, or at least one that doesn't
transmit your name.

Also, you can block RFID signals with a "Faraday cage," which uses a
metal mesh or casing. For instance, at ThinkGeek.com, you can buy an
"RFID-blocking wallet."

Even for the first-generation cards that do send the holder's name,
some other factors mitigate the risk.

First, while the researchers used a commercially available RFID
reader, they made modifications to it that take "technical skills and
know-how," Fu wrote. Also, the reader must be close to an RFID chip:
Card specifications say only a couple of inches, but Fu points out
that some research papers have put the maximum range at about 6
inches.

And most important, phishing, keyloggers, and other means of online ID
theft are far too successful at this time for criminals to expend the
effort required by this type of fraud. So the risk probably isn't
significant--for now.

Major risk or not, however, credit cards should have included the
recent security upgrades from the beginning. Whether the threat is
large or small, adding another opportunity for ID theft where there
simply doesn't need to be any clearly makes no sense.
-------------------


Posted by SpammersDie on March 31, 2007, 2:51 pm
 


Credit cards should have been left alone. RFID on a cc does nothing for me.
It's an infinite risk/reward ratio.




