Medical Views of 9/11’s Dust Show Big Gaps (a.k.a. "Cover Ups")
By ANTHONY DePALMA
Published: October 24, 2006
In 2004, Kenneth R. Feinberg, special master of the federal Sept. 11 Victim Compensation Fund, awarded $2.6 million to the family of a downtown office worker who died from a rare lung disease five months after fleeing from the dust cloud released when the twin towers fell. That decision made the worker, Felicia Dunn-Jones, a 42-year-old lawyer, the first official fatality of the dust, and one of only two deaths to be formally linked to the toxic air at ground zero.
The New York City medical examiner’s office, however, has refused to put her on its official list of 9/11 victims, saying that by its standards there was insufficient medical evidence to link her death to the dust.
Mrs. Dunn-Jones’s case shows how difficult it can be to prove a causal connection with any scientific certainty — and how even government agencies can disagree. With thousands of people now seeking compensation and treatment for dust exposure, the debate about the relationship between the toxic particles and disease will be a central issue in the flood of Sept. 11-related lawsuits. Health experts are starting to document the connections, but any firm conclusion is still years away.
Most of the suits involve workers who spent weeks and months on the pile at ground zero and say the city and other agencies failed to protect them from the toxic dust. Others involve residents who say they were made sick by dust that settled in their homes. Mrs. Dunn-Jones was among those downtown office workers caught in the initial fallout.
The question that arises in all these cases is straightforward: Can a link between the dust and disease be proved with scientific certainty? The answer is anything but simple.
“Certainty is a word we always dance around,” said Joseph Graziano, associate dean for research at the Mailman School of Public Health at Columbia University. For him, searching for the cause of disease is like developing film. “At first you see a faint image of what the real picture is,” Dr. Graziano said, “and then, over time, you see it with much more clarity. In these relatively early times, the image is still faint.”
It can take decades to approach any degree of certainty. For instance, only after years of observation did doctors agree that there was a strong link between asbestos and diseases like asbestosis and mesothelioma.
In legal cases, “a reasonable degree of medical certainty” is considered the gold standard in making a causal connection. Last week, a federal judge cleared the way for thousands of workers’ lawsuits to go to trial. When the cases are heard, any proof that does not meet that legal standard is likely to be challenged.
But outside the courtroom, scientists say, even a less rigorous link could be sufficient to warrant expanding the range of illnesses covered by treatment programs, and to serve as the basis for issuing cautions to people in high-risk groups. When the health effects are too new or the evidence is too vague for a strong link, lesser indicators like the concurrence of different studies have to be relied on.
For example, nearly every ground zero study shows that workers and residents exposed to the dust in the hours after the collapse have suffered the worst health problems. The consistency in that data has helped doctors monitor and treat people since Sept. 11.
And it may also help explain why Mrs. Dunn-Jones, a dynamic civil rights lawyer with the United States Department of Education, became so sick so quickly. As she was swallowed by a whirling dust plume filled with asbestos, benzene, dioxin and other hazards when the first tower fell, all she could do was cover her nose and mouth as she fled from her office one block north of the World Trade Center.
It was night by the time she got home to Staten Island. “She was in a state of shock,” her husband, Joseph Jones, recalled. Her clothes were still dusty, but he didn’t pay much attention. “I was just so happy to see her,” he said.
For the next few months, life returned to normal, until Mrs. Dunn-Jones developed a cough. In January 2002, the cough grew worse. On Feb. 10, she suddenly stopped breathing and died.
Mr. Jones, 54, an assistant manager at a Brooklyn pharmacy, was stunned. Then, when he received the official death certificate months later, he was shocked to see an unfamiliar word — sarcoidosis.
“Even though I was in the medical field, I had never heard of it,” he said.
After reading several medical reports on sarcoidosis — including one by Dr. David J. Prezant, deputy chief medical officer of the New York Fire Department — Mr. Jones and his lawyer, Richard H. Bennett, wondered if Mrs. Dunn-Jones’s mysterious death could be linked to 9/11 dust because sarcoidosis, which produces microscopic lumps, called granulomas, on vital organs, is often associated with exposure to environmental hazards.
They took the case to Mr. Feinberg and the victim compensation fund, which gave $7 billion to the families of those killed or injured on 9/11.
Mr. Feinberg initially expressed doubts about the claim and demanded to see definitive medical evidence linking Mrs. Dunn-Jones’s sarcoidosis to the dust.
Dr. Prezant, who declined to be interviewed for this article, was one of two experts who testified at a hearing conducted by Mr. Feinberg. In the first four years after 9/11, he found 20 cases of sarcoidosis in the Fire Department, a rate of 80 per 100,000 in the first year (with treatment, all are now stable), compared with a national rate of fewer than 6 per 100,000, according to the American Thoracic Society.
The other expert was Dr. Alan M. Fein, a clinical professor of medicine at the New York University School of Medicine. He, too, was skeptical at first, but he said he changed his mind after reviewing Mrs. Dunn-Jones’s medical record, including the autopsy report. “I’m comfortable saying her death was caused by exposure to the dust,” Dr. Fein said in an interview.
In March 2004, Mr. Feinberg agreed, making Mrs. Dunn-Jones’s death the only dust-related fatality recognized by the fund. Only one other death has been formally linked to the dust: In April, a New Jersey coroner determined that James Zadroga, 34, a New York City police detective, had died of a disease similar to sarcoidosis, also caused by his exposure to ground zero dust.
Mr. Jones welcomed the settlement from the victim compensation fund, and believes that his wife was a 9/11 victim as surely as if she had died in the towers. He sent Mr. Feinberg’s decision to the city’s chief medical examiner, Dr. Charles S. Hirsch, and asked that his wife be put on the official list so that her name could be read on Sept. 11. Dr. Hirsch refused, a spokeswoman said, because the available evidence did not prove the connection “with a reasonable degree of medical certainty”— the highest medical standard generally used in legal cases.
Mr. Feinberg’s decision had been based on a different standard: a preponderance of medical evidence.
That was proof enough for the Staten Island Memorial Commission, which has engraved Mrs. Dunn-Jones’s name on the bone-white memorial on the island’s north shore.
Representative Carolyn B. Maloney, who has fought to get medical care for 9/11 victims, said the contradictory conclusions about Mrs. Dunn-Jones’s death underscored the importance of deciding who has the final say on causal links. “They should be medical decisions, not political ones,” she said, suggesting that city officials may have a conflict of interest in making such determinations since the city is a defendant in the ground zero workers’ lawsuits.
She has introduced a bill to reopen the federal compensation fund to people whose illnesses became known after the original eligibility period ended in 2003.
In the effort to collect definitive data, Dr. John Howard, the federal government’s 9/11 health coordinator, recently circulated a draft set of autopsy protocols that directs pathologists to use a standard of proof that establishes both biological plausibility and unequivocal evidence of a causal connection to the dust. But doctors and elected officials have said those standards are so restrictive that almost no death could be linked to the dust for years to come. A spokesman for Dr. Howard said the guidelines were being refined.
In another effort, the Mount Sinai Medical Center, which has screened thousands of ground zero workers, has begun a long-term study of the incidence of diseases to identify any rates that exceed national averages.
“Right now we’re in the process of confirming every case of interstitial lung disease, every cancer, every sarcoidosis that has been reported to us by responders in their visits,” said Dr. Jeanne M. Stellman, director of the public health program at Columbia University, who is leading the data collection project.
“We are actively trying to determine whether Detective Zadroga and Mrs. Dunn-Jones are alone,” she said. “And we are trying to find a way to do this that is scientifically correct while also being responsive to the needs and fears of the communities involved.”
Friday, October 27, 2006
Report Warns of Potential Voting Problems in 10 States
By Amy Goldstein
Washington Post Staff Writer
Wednesday, October 25, 2006; Page A03
Two weeks before the midterm elections, at least 10 states, including Maryland, remain ripe for voting problems, according to a study released yesterday by a nonpartisan clearinghouse that tracks electoral reforms across the United States.
The report by Electionline.org says those states, and possibly others, could encounter trouble on Election Day because they have a combustible mix of fledgling voting-machine technology, confusion over voting procedures or recent litigation over election rules -- and close races.
The report cautions that the Nov. 7 elections, which will determine which political party controls the House and Senate, promise "to bring more of what voters have come to expect since the 2000 elections -- a divided body politic, an election system in flux and the possibility -- if not certainty -- of problems at polls nationwide."
In a state-by-state canvass, the 75-page report singles out places, such as Indiana and Arizona, where courts have upheld stringent new laws requiring voters to show poll workers specific forms of identification. It cites states such as Ohio and Pennsylvania, which have switched to electronic voting machines whose accuracy has been challenged. And it points to states such as Colorado and Washington, which have departed from the tradition of polling sites in neighborhood precincts.
The report of the clearinghouse, sponsored by the Pew Charitable Trusts, is the latest of several warnings in recent weeks and months by organizations and scholars who say that electoral problems persist in spite of six years of efforts by the federal government and states to correct voting flaws. The flaws gripped the public's attention after the close 2000 presidential election, which led to recounts in Florida and the intervention of the Supreme Court.
The election shambles of 2000 prompted Congress to pass in 2002 legislation intended to help states make significant election changes, such as by replacing outdated voting equipment. Some of the changes, including making sure that databases of registered voters are accurate, were required to be in effect by this year.
Doug Chapin, director of Electionline.org, said "things are getting better over time." But he said many of the changes in recent years have led to new problems and disputes. For instance, the decisions by many states to convert to electronic voting machines have yielded new concerns about whether they are secure and accurate, about paper records as backup proof and -- this year -- about whether the electronic or paper record should be considered the official tally if a candidate demands a recount.
The report cites Maryland for what it calls a "dismal primary" in September that "included human and machine failures galore," in part because Montgomery County election officials forgot to distribute to polling places the access cards needed for its electronic machines to work. The study raises questions about whether Montgomery officials are prepared for the bigger crowds in the general election and whether large numbers of mistrustful voters will resort to absentee ballots.
Thursday, October 26, 2006
NY Times Editorial: Money Down the Drain in Iraq
Commentary: The Bush administration's actions with respect to Iraq are not merely misfeasance and incompetence. Bush's actions are criminal. The 600,000+ people murdered in Iraq under the guise of freedom are properly called War Crimes. Dress it up any way you like, but the money the US taxpayers have spent in Iraq has been used for murder and enrichment of American interests (like Halliburton). We're going to be paying for a long time for what Bush started and can never finish.
EDITORIAL
Money Down the Drain in Iraq
Published: October 26, 2006
When the full encyclopedia of Bush administration misfeasance in Iraq is compiled, it will have to include a lengthy section on the contracting fiascos that wasted billions of taxpayer dollars in the name of rebuilding the country. It isn’t only money that was lost.
Washington’s disgraceful failure to deliver on its promises to restore electricity, water and oil distribution, and to rebuild education and health facilities, turned millions of once sympathetic Iraqis against the American presence.
Their discovery that the world’s richest, most technologically advanced country could not restore basic services to minimal prewar levels left an impression of American weakness and, worse, of indifference to the well-being of ordinary Iraqis. That further poisoned a situation already soured by White House intelligence breakdowns, military misjudgments and political blunders.
The latest contracting revelations came in a report issued Tuesday by the office of the Special Inspector General for Iraq Reconstruction. The office reviewed records covering $1.3 billion out of the $18.4 billion that Congress voted for Iraq reconstruction two years ago. Reported overhead costs ran from a low of 11 percent for several contracts awarded to Lucent to a high of 55 percent for, you guessed it, the Halliburton subsidiary, KBR Inc.
On similar projects in the United States, overhead is typically just a few percent. Given the difficult security environment in Iraq, overhead was expected to run closer to 10 percent. But in many of the contracts examined, it ran much, much higher, in some cases consuming over half the allocated funds. And the report may have actually underestimated total overhead because the government agencies that were supposed to be supervising these reconstruction projects sometimes failed to systematically track overhead expenses.
The main explanation for these excessive overhead rates turned out to be not special security costs but simply the costly down time that resulted from sending workers and equipment to Iraq months before there was any actual work for them to do. That is yet another example of the shoddy contract writing, lax oversight and absent supervision that has consistently characterized Washington’s approach to Iraq reconstruction from the start.
Bush administration incompetence, not corporate greed, is the chief culprit. Still, these charges are one more example of how the favored American companies lucky enough to be awarded reconstruction contracts made large sums of money while the Iraqis failed to get most of the promised benefits.
As Americans now look for explanations of how things went so horribly wrong in Iraq, they should not overlook the shameful breakdowns in reconstruction contracting. They need to insist that Congress impose tough new rules on the Pentagon to ensure more competitive bidding, tighter contract writing and more rigorous supervision. That is the best way to ensure that such a costly and damaging failure never happens again.
Monday, October 23, 2006
Bush War Crimes Billboard Advertisement
This is a photo of an electronic billboard taken on July 14, 2005 along interstate I-10 in a spot where traffic backs up for hours every day in Baton Rouge, Louisiana.
PENTAGON PLANTED PROPAGANDA; BUYING OF NEWS BY BUSH'S AIDES IS RULED ILLEGAL - "Covert Propaganda"
Originally uploaded by Antifluff Superstar.
And the Pentagon has been spending Millions for years now on "covert propaganda". This was especially wrong when those millions were first discovered being spent right after Katrina devastated New Orleans. And we all know how Bush handled that. So, let's be clear: Bush is spending your tax dollars to advertise and support the justification of an illegal war that has taken the lives of hundreds of thousands of civilian men, women and children. For freedom of course. At what point does this paradox become a war crime?
Washington Post: EDITORIAL
Planted Propaganda
It's a bad idea, whether or not it violates regulations. Too bad the Pentagon won't say that.
Monday, October 23, 2006; Page A20
THE DEFENSE Department inspector general has concluded that having a Pentagon contractor secretly pay Iraqi journalists and news organizations to run positive news stories about the war doesn't violate any laws or regulations. It's almost impossible to tell whether that conclusion is correct: The scanty, two-page summary released by the Pentagon provides no details about the activities of the contractor, the Lincoln Group, the contract under which it was operating or the applicable rules.
We won't dwell too long, though, on the irony that an assessment of the military's secret propaganda operations is itself -- except for the largely exculpatory conclusion -- secret. The more important point is that, assuming the inspector general's legal assessment is right, it only makes the problem worse. The U.S. government has a legitimate interest in conveying its point of view. The problem is when it does so in secret. The government shouldn't be in the business of covertly peddling propaganda -- especially in a war based on the notion of seeking to export democratic values such as, say, a free press.
But don't just take it from us. Take it from, among others, the chairman of the Joint Chiefs of Staff, Gen. Peter Pace, who criticized the program in comments to the Los Angeles Times in March. "I think there are ways to get your message out, but get it out in a form that people understand how the message got there," Gen. Pace said. "They need to know that, so they can make their own judgment about what they believe and don't believe in the article. The worst thing you can have is people feeling like somehow they've been snookered."
Or take it from Defense Secretary Donald M. Rumsfeld, who told PBS's Charlie Rose in February, "When we heard about it, we said, 'Gee, that's not what we ought to be doing.' " Or take it from Mr. Rumsfeld's former chief spokesman, Lawrence Di Rita, who said in December of the inspector general's investigation, "If somebody comes back to me and says there's nothing wrong with the Department of Defense paying journalists, I'll say, 'Even if there's nothing wrong, does it make sense?' "
No, it doesn't. But when we called the Pentagon to determine its policy position, the response we received -- even after citing the statements of Mr. Rumsfeld and Gen. Pace -- reflected no understanding of that bedrock principle. "The current situation in Iraq necessitates that the coalition maintain the capability to communicate with the Iraqi people via the Iraqi media," the statement said. "A thorough investigation concluded that the U.S. followed established doctrine by paying to place truthful articles and advertisements in Iraqi newspapers. The IG report made no recommendations to the contrary." But making recommendations wasn't the inspector general's job. If this is "established doctrine," it needs swift reexamination.
CONSUMER WATCHDOGS DEMAND RECALL OF SPYCHIPPED CREDIT CARDS
Synopsis: RFID Payment Card Vulnerabilities Technical Report
“There is a certain amount of privacy that consumers expect, and I believe that credit card companies have crossed the line.”
FOR IMMEDIATE RELEASE
October 23, 2006
Advises Consumers to Immediately Remove Cards from Wallets
Consumer watchdog group CASPIAN is demanding a recall of millions of
RFID-equipped contactless credit cards in light of serious security
flaws reported today in the New York Times. The paper reports that a
team of security researchers has found that virtually every one of these
cards tested is vulnerable to unauthorized charges and puts consumers at
risk for identity theft.
Radio Frequency Identification (RFID) is a controversial technology that
uses tiny microchips to transmit information at a distance. These RFID
microchips have earned the nickname "spychips" because the data they
contain can be read silently and invisibly by radio waves without an
individual's knowledge or consent. The technology has long been the
target of criticism by privacy and civil liberties groups.
"For these financial institutions to put RFID in credit cards, one of
the most sensitive items we carry, is absolute lunacy," said Dr.
Katherine Albrecht, founder and director of CASPIAN, a consumer group
with over 12,000 members in 30 countries worldwide.
Researchers are showing how a thief could skim information from the
cards right through purses, backpacks and wallets. This information
includes the cardholder's name, credit card number, expiration date and
other data that would be sufficient to make unauthorized purchases. They
say the information could even be used to identify and track people, a
scenario Albrecht and co-author Liz McIntyre lay out in their book,
"Spychips: How Major Corporations and Government Plan to Track Your
Every Purchase and Watch Your Every Move."
Despite earlier assurances by the issuing companies that the data
contained in the credit cards would be secure, researchers found that
the majority of cards they tested did not use encryption or protect the
data in any way. The information on them was readily available to
unauthorized parties using equipment that could be assembled for as
little as $50, the researchers said.
"We cautioned companies against using item-level RFID, and they didn't
heed us. Now the credit card industry is facing an unprecedented PR and
financial disaster," says McIntyre, who is also a former bank examiner.
She points to the astronomical cost to replace the cards, not to mention
the potential financial losses, litigation expenses, and erosion of
consumer trust.
Albrecht and McIntyre are calling on the industry to issue a public
alert detailing the dangers of the cards they've issued, institute an
active recall, and make safe versions without RFID available to
concerned consumers.
"This recall has to be very clear and very directed since consumers may
not know their cards contain RFID tags," says Albrecht. "The industry
has repeatedly resisted calls to clearly label the cards. Rather,
they've given the cards innocent-sounding names like 'Blink.'"
CASPIAN is advising consumers to immediately remove the credit cards
from their wallets and call the 800 number on the back to insist on an
RFID-free replacement card. The group is cautioning consumers not to
mail the cards back or simply throw them away due to the risk of their
personal information being skimmed.
Today's New York Times article by John Schwartz can be found here:
http://www.nytimes.com/2006/10/23/business/23card.html?ref=business
A research report detailing the findings can be found here:
http://www.nytimes.com/packages/pdf/business/20061023_CARD/techreport.pdf
New York Times:
RFID Payment Card Vulnerabilities Technical Report
By JOHN SCHWARTZ
Published: October 23, 2006
AMHERST, Mass. — They call it the “Johnny Carson attack,” for his comic pose as a psychic divining the contents of an envelope.
Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.
Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.
The demonstration revealed potential security and privacy holes in a new generation of credit cards — cards whose data is relayed by radio waves without need of a signature or physical swiping through a machine. Tens of millions of the cards have been issued, and equipment for their use is showing up at a growing number of locations, including CVS pharmacies, McDonald’s restaurants and many movie theaters.
The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”
But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.
They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.
And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. “Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?” Mr. Heydt-Benjamin, a graduate student, asked.
Companies that make and issue the cards argue that what looks shocking in the lab could not lead to widespread abuse in the real world, and that additional data protection and antifraud measures in the payment system protect consumers from end to end.
“This is an interesting technical exercise,” said Brian Triplett, senior vice president for emerging-product development for Visa, “but as a real threat to a consumer — that threat really doesn’t exist.”
The finding comes at a time of strong suspicion among privacy advocates and consumer groups about the security of the underlying technology, called radio frequency identification, or RFID. Though the systems are designed to allow a card to be read only in close proximity, researchers have found that they can extend the distance.
The actual distance is still a matter of debate, but the claims range from several inches to many feet. And even the shortest distance could allow a would-be card skimmer to mill about in a crowded place and pull data from the wallets of passersby, or to collect data from envelopes sitting in mailboxes.
“No one’s going to look at me funny if I walk down the street and put a flier in everybody’s mailbox,” Mr. Heydt-Benjamin said.
The experiment was conducted by researchers here working with RSA Labs, a part of EMC, an information management and storage company. The resulting paper, which has been submitted to a computer security conference, is the first fruit of a new consortium of industry and academic researchers financed by the National Science Foundation to study RFID.
Security experts who were not involved in the research have praised the paper, and said that they were startled by the findings. Aviel D. Rubin, a professor of computer security at Johns Hopkins University, said, “There is a certain amount of privacy that consumers expect, and I believe that credit card companies have crossed the line.”
The companies, however, argue that testing just 20 cards does not provide an accurate picture of the card market, which generally uses higher security standards than the cards that were tested. “It’s a small sample,” said Art Kranzley, an executive with MasterCard. “This is almost akin to somebody standing up in the theater and yelling, ‘Fire!’ because somebody lit a cigarette.”
Chips like those used by the credit card companies can encrypt the data they send, but that can slow down transactions and make building and maintaining the payment networks more expensive. Other systems, including the Speedpass keychain device offered by Exxon Mobil, encrypt the transmission — though Exxon came under fire for using encryption that experts said was weak.
Though information on the cards may be transmitted in plain text, the company representatives argued, the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification “token,” or a small bit of code, that is encrypted before being sent.
“It’s basically useless information,” said David Bonalle, vice president and general manager for advanced payments at American Express. “You can’t steal that data and just play it back and expect that transaction to work.”
While the researchers found that these claims were true for some of the cards they tested, other cards gave up the actual credit card number and did not use a token or change data from one transaction to another. They also took data in from some cards and transmitted it to a card-reader in the lab and tricked it into accepting the transaction. Mr. Heydt-Benjamin, in fact, was able to purchase electronic equipment online using a number skimmed from a card he ordered for himself and which was sealed in an envelope.
(None of the cards transmits the additional number on the front or back, known as the card validation code, that some businesses require for online purchases; Mr. Heydt-Benjamin chose a store that does not require the code.)
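The two card behaviours described above, one sending the same data on every read and one sending a code that changes per transaction, can be compared with a small issuer-side model. This is an added example, not code from the article or the researchers' report. It assumes an HMAC-SHA256 code over an account alias and a counter as a stand-in for the unspecified verification "token"; every class, function, key and account name is hypothetical and the values are constructed.

```python
import hashlib
import hmac


def transaction_code(key: bytes, account: str, counter: int) -> str:
    """Code bound to one transaction: a MAC over the account and a counter."""
    msg = f"{account}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Card:
    """Constructed card model; 'dynamic' selects a fresh code per read."""

    def __init__(self, account: str, key: bytes, dynamic: bool):
        self.account, self.key, self.dynamic = account, key, dynamic
        self.counter = 0

    def present(self) -> dict:
        """Return what the card transmits to a reader for one read."""
        if not self.dynamic:
            return {"account": self.account}  # identical on every read
        self.counter += 1
        return {"account": self.account, "counter": self.counter,
                "code": transaction_code(self.key, self.account, self.counter)}


class Issuer:
    """Issuer-side check: holds each card's key and the last counter accepted."""

    def __init__(self):
        self.cards = {}  # account -> {"key", "dynamic", "last"}

    def enroll(self, card: Card) -> None:
        self.cards[card.account] = {"key": card.key, "dynamic": card.dynamic, "last": 0}

    def authorize(self, msg: dict) -> str:
        rec = self.cards.get(msg.get("account"))
        if rec is None:
            return "reject: unknown account"
        if not rec["dynamic"]:
            return "accept"  # nothing distinguishes a replay from the card
        counter, code = msg.get("counter"), msg.get("code")
        if not isinstance(counter, int) or not isinstance(code, str):
            return "reject: missing code"
        expected = transaction_code(rec["key"], msg["account"], counter)
        if not hmac.compare_digest(expected, code):
            return "reject: bad code"
        if counter <= rec["last"]:
            return "reject: code already used"
        rec["last"] = counter
        return "accept"


def replay_outcomes(dynamic: bool) -> list:
    """Submit one captured read twice, then (dynamic only) with a bumped counter."""
    card = Card("ACCT-TEST-0001", b"constructed-demo-key", dynamic)
    issuer = Issuer()
    issuer.enroll(card)
    captured = card.present()
    results = [issuer.authorize(captured), issuer.authorize(captured)]
    if dynamic:
        altered = dict(captured, counter=captured["counter"] + 1)
        results.append(issuer.authorize(altered))
    return results


if __name__ == "__main__":
    print("static :", replay_outcomes(False))
    print("dynamic:", replay_outcomes(True))
```

The issuer can only refuse a repeated submission when the card's data carries something that changes per transaction and is tied to a key the issuer also holds.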
Mr. Kranzley said the MasterCard-issuing banks decided how much security they wanted to implement, but said that with 10 million of the company’s chip-bearing cards on the market, some 98 percent of them used the highest standards.
“Today, there’s an extremely small percentage of cards that have the characteristics that RSA has looked at in this report,” he said. Visa and American Express representatives said all their cards conformed to the highest security standard.
Beyond the security on the cards themselves, the companies said, they have deployed fraud detection and prevention measures that block suspect purchases. And each company stressed that cardholders were not liable for fraud.
Dr. Fu acknowledged that the research involved a small sample, and added, “We would be happy to examine cards that have better security so that we can verify these claims.” He added, however, that all of the cards they tested were issued this year, and all were felled by at least one of the attacks that they attempted.
Tom O’Donnell, a senior vice president at Chase, the largest issuer of the new cards, said that the attacks described in the paper would be too cumbersome in the real world. And the researchers said that other kinds of fraud, like so-called phishing scams in which criminals trick people into revealing credit card information through misleading e-mail messages and Web sites, were currently more effective.
Still, John Pescatore, vice president for Internet security at Gartner, a technology market research firm, said he was surprised by the lack of security in transmitting personal data. He said it was a mistake that companies often made in rolling out early versions of a technology.
“It’s the classic ‘Let’s depend on security through obscurity — who’s going to look?’ ” he said. “Then, whoops! As soon as somebody does look, you roll out the security.”
All of the card companies said that they were in the process of deleting names from the stream of data transmitted to the card readers. “As a best practice, issuers are not including the cardholder name,” Mr. Triplett of Visa said.
FOR IMMEDIATE RELEASE
October 23, 2006
Advises Consumers to Immediately Remove Cards from Wallets
Consumer watchdog group CASPIAN is demanding a recall of millions of
RFID-equipped contactless credit cards in light of serious security
flaws reported today in the New York Times. The paper reports that a
team of security researchers has found that virtually every one of these
cards tested is vulnerable to unauthorized charges and puts consumers at
risk for identity theft.
Radio Frequency Identification (RFID) is a controversial technology that
uses tiny microchips to transmit information at a distance. These RFID
microchips have earned the nickname "spychips" because the data they
contain can be read silently and invisibly by radio waves without an
individual's knowledge or consent. The technology has long been the
target of criticism by privacy and civil liberties groups.
"For these financial institutions to put RFID in credit cards, one of
the most sensitive items we carry, is absolute lunacy," said Dr.
Katherine Albrecht, founder and director of CASPIAN, a consumer group
with over 12,000 members in 30 countries worldwide.
Researchers are showing how a thief could skim information from the
cards right through purses, backpacks and wallets. This information
includes the cardholder's name, credit card number, expiration date and
other data that would be sufficient to make unauthorized purchases. They
say the information could even be used to identify and track people, a
scenario Albrecht and co-author Liz McIntyre lay out in their book,
"Spychips: How Major Corporations and Government Plan to Track Your
Every Purchase and Watch Your Every Move."
Despite earlier assurances by the issuing companies that the data
contained in the credit cards would be secure, researchers found that
the majority of cards they tested did not use encryption or protect the
data in any way. The information on them was readily available to
unauthorized parties using equipment that could be assembled for as
little as $50, the researchers said.
"We cautioned companies against using item-level RFID, and they didn't
heed us. Now the credit card industry is facing an unprecedented PR and
financial disaster," says McIntyre, who is also a former bank examiner.
She points to the astronomical cost to replace the cards, not to mention
the potential financial losses, litigation expenses, and erosion of
consumer trust.
Albrecht and McIntyre are calling on the industry to issue a public
alert detailing the dangers of the cards they've issued, institute an
active recall, and make safe versions without RFID available to
concerned consumers.
"This recall has to be very clear and very directed since consumers may
not know their cards contain RFID tags," says Albrecht. "The industry
has repeatedly resisted calls to clearly label the cards. Rather,
they've given the cards innocent-sounding names like 'Blink.'"
CASPIAN is advising consumers to immediately remove the credit cards
from their wallets and call the 800 number on the back to insist on an
RFID-free replacement card. The group is cautioning consumers not to
mail the cards back or simply throw them away due to the risk of their
personal information being skimmed.
Today's New York Times article by John Schwartz can be found here:
http://www.nytimes.com/2006/10/23/business/23card.html?ref=business
A research report detailing the findings can be found here:
http://www.nytimes.com/packages/pdf/business/20061023_CARD/techreport.pdf