Security Researchers Cry Wolf On RFID Credit Cards
from the bark->-bite dept
Two security researchers allege that the contactless payment features credit-card companies have begun building into their cards are relatively insecure, and transmit sensitive information without any encryption. The story plays into the most common fears about RFID and similar technologies: that they turn people into walking clouds of identity theft, their personal information just waiting to be grabbed out of the ether. But the credit-card companies say the researchers' work doesn't point to a large-scale real-world threat, and it appears they're mostly right.

First off, the researchers admit they used a small sample -- just 20 cards -- and the article doesn't disclose how many of those actually transmit the information without encryption. Also, the researchers work with RSA Labs, part of a company that sells encryption technology, something else the article glosses over.

But a bigger problem is that the researchers don't seem to have considered just how difficult it would be for criminals to collect any useful information from these cards on a scale large enough to make their efforts (and the expense of buying and building the necessary equipment) worthwhile. One of the researchers says it would be easy to collect the data from mailboxes by walking down a street and acting as if you were dropping fliers in each one. While nobody might notice, the odds that you'd actually find one of the cards are ridiculously slim. Worries about information being stolen at the point of purchase are overblown as well, since most of the imaginable scenarios make things no easier for a thief than trying to steal the card information from an ordinary swipe card. Furthermore, the researchers haven't considered that the radio link is just one part of the overall security system of these cards, which enjoy the same anti-fraud protection (and lack of consumer liability for unauthorized purchases) as cards without the contactless technology.
While transmitting the information unencrypted isn't a great idea and should be changed, it seems highly unlikely that the security situation here is nearly as bad as these researchers intimate.