There's that old expression that waving money around only tempts thieves. Now, the multimillion-dollar RFID smart-card industry has made it that much easier for thieves to steal the credit (and the credit history) you wave around. New contactless credit cards, which use RFID technology, broadcast your credit information to credit card readers, so thieves, using equipment that costs less than $200, can now eavesdrop on the wireless transmission. In what has been dubbed the "Johnny Carson attack," named for Carson's "Carnac the Magnificent" sketch, in which Carson would divine the answers to a question without physically opening the envelope containing the information, contactless credit card thieves could wander through crowded markets, picking up broadcasts from within wallets and purses. Of course that's a bit of a stretch; it's likely that most people would have more than one credit card, each chirping out its own string of unique data, muddying the waters. Still, it's a creepy idea that you could be walking around shouting out your credit information to anyone who passes by. And yet the Smart Card Alliance and other RFID industry advocates have chosen to ignore this latest problem or, at the very least, minimize awareness of it among credit card users.
Contactless credit cards
Recently two researchers, Tom Heydt-Benjamin and Kevin Fu from the University of Massachusetts and sponsored by RSA Labs (the research arm of RSA Security), demonstrated how easy it is for thieves to intercept data from contactless credit cards. These next-generation credit cards dispense with the hassle of drawing your magnetic card through a swiper; instead, contactless credit cards broadcast your credit information to an RFID reader, which then debits your account automatically. Using off-the-shelf technology, namely a $150 RFID reader, the researchers were able to snag the card number, the expiration and issue dates, and a cardholder's name without ever touching the person's credit card. Missing from the data stream are the printed verification numbers on the card itself; however, there are still many real-world and online merchants that don't require that info, allowing thieves to run up huge bills without the victim knowing.
It seems to me that the RFID broadcasts should be encrypted; indeed, several card issuers say that the broadcast information is--or should be--encrypted. Heydt-Benjamin and Fu found the opposite: The cards they tested were broadcasting plain text data. While the tiny batteries within the RFID cards supposedly limit the range to only a few inches, the researchers found that the actual range was more like a few feet.
Credit card issuers respond
In response to Heydt-Benjamin and Fu's research, a spokesperson for Visa told the New York Times that it would soon remove the name of the individual from the data broadcast. That means the name of the person and the verification ID number on the card itself would not be transmitted--going forward. But there are already thousands of cards out there that still will broadcast a person's name. What's the solution for them?
A spokesperson for Mastercard told the Times that testing 20 credit cards was an insignificant sample group. True. Banks, not credit agencies, determine the level of security present; the Mastercard estimate suggests that 98 percent of the cards are set to the highest standards, which includes encryption. However, encryption adds processing time, and some institutions do prefer faster processing.
I am not a fan of smart-card technology in its current implementation; I think the industry underestimates the creativeness of the attacks and overestimates the limitations of the broadcast range. In "Gone in 60 seconds--the high-tech version," I wrote about contactless car-ignition systems being vulnerable. In "Psst. Your shiny new passport has a computer virus," I wrote about viruses that could corrupt the databases used to read the new RFID-enabled U.S. passports. Just because a new technology makes life convenient doesn't mean that it's secure. If you want to learn more about the underlying flaws with RFID smart-card technology, see the RFID CUSP.org site.
Yet despite all the research suggesting everyone go slow with RFID implementation, the smart-card industry remains a big business right now. Even the Department of Homeland Security is not without fault. A new report cites numerous problems with the current implementation of RFID badges that are now required for all DHS employees.
Heads in the sand
Most smart-card vendors I spoke with at the seventeenth annual CardTechSecureTech conference in San Francisco would rather talk about the convenience to customers than security. Earlier this year at the conference, I had an opportunity to talk with a handful of RFID vendors; none wanted to be quoted, nor would any talk on record. And no one at that conference wanted to say when 128-bit AES encryption would replace the current 40-bit code.
Championing this brave new industry is the Smart Card Alliance, a nonprofit, multi-industry organization. After last summer's Black Hat conference, where I saw a video of two security researchers demonstrating how RFID tags in German passports could be cloned, and understood that this would soon affect American passport holders, the U.S.-based Smart Card Alliance issued a press release quoting Randy Vanderhoof, executive director of the Smart Card Alliance: "People do not need to be concerned about the security or privacy-protection features of the new e-passport program." He concluded by saying, "People need to be cautious about some claims made by so-called 'experts' when it comes to RF-enabled applications. There is too much misleading and inaccurate information being reported, simply because fear gets people's attention."
While you can (and should) read the individual research reports from any of the experts I have mentioned in my columns, the Smart Card Alliance itself hasn't published its own research to the contrary, only press releases and white papers that belittle those who stand in the way of selling this technology to the masses. I hope that RFID security is always addressed before implementation by government and businesses, but, given the examples cited above, that seems a bit too much to ask. Are you comfortable with RFID cards broadcasting your credit card information out into the ether? Talk back to me.