Wednesday, October 25, 2006

Are RFID Credit Cards Safe?

The RFID ConsortiUm for Security and Privacy (CUSP) has issued a study about vulnerabilities in first-generation RFID-enabled credit cards.

In their blog, Ari Juels writes:

Consumers in the United States today carry some twenty million or so credit cards and debit cards equipped with RFID (Radio-Frequency IDentification) chips. RFID chips communicate transaction data over short distances via radio. They eliminate the need to swipe cards or hand them to merchants. Consumers can instead make payments simply by waving their cards—or even just their wallets—near point-of-sale terminals.

While appealing to both consumers and merchants, the convenience of RFID credit cards has a flip side. What a legitimate merchant terminal can read, a malicious scanning device can also read without a consumer’s consent or knowledge. RFID credit cards therefore call for particularly careful security design.

Blog post, here.

In a "nutshell," the study warns that current RFID credit cards are vulnerable to having the identities of the cardholder scanned from afar and the information could also be used in credit/debit card skimming.

They also state that this can be accomplished without great technical difficulty and that "slightly stronger data protections and cryptography would largely prevent the problems they discovered."

The study admits that "card skimming" is already a big problem, therefore these cards are unlikely to change anything that isn't already going on.

My question is when will we start developing technology that will protect the consumer instead of developing technology that will "probably" add to the problem?

There is an interesting demonstration posted by RFID-CUSP on YouTube about this, here.

Here is a previous post, I did on RFID:

RFID, A Necessary Evil; or an Invasion of Privacy?

No comments: