Monday, October 23, 2006

CONSUMER WATCHDOGS DEMAND RECALL OF SPYCHIPPED CREDIT CARDS

Synopsis: RFID Payment Card Vulnerabilities Technical Report
“There is a certain amount of privacy that consumers expect, and I believe that credit card companies have crossed the line.”

FOR IMMEDIATE RELEASE
October 23, 2006

Advises Consumers to Immediately Remove Cards from Wallets

Consumer watchdog group CASPIAN is demanding a recall of millions of
RFID-equipped contactless credit cards in light of serious security
flaws reported today in the New York Times. The paper reports that a
team of security researchers has found that virtually every one of these
cards tested is vulnerable to unauthorized charges and puts consumers at
risk for identity theft.

Radio Frequency Identification (RFID) is a controversial technology that
uses tiny microchips to transmit information at a distance. These RFID
microchips have earned the nickname "spychips" because the data they
contain can be read silently and invisibly by radio waves without an
individual's knowledge or consent. The technology has long been the
target of criticism by privacy and civil liberties groups.

"For these financial institutions to put RFID in credit cards, one of
the most sensitive items we carry, is absolute lunacy," said Dr.
Katherine Albrecht, founder and director of CASPIAN, a consumer group
with over 12,000 members in 30 countries worldwide.

Researchers are showing how a thief could skim information from the
cards right through purses, backpacks and wallets. This information
includes the cardholder's name, credit card number, expiration date and
other data that would be sufficient to make unauthorized purchases. They
say the information could even be used to identify and track people, a
scenario Albrecht and co-author Liz McIntyre lay out in their book,
"Spychips: How Major Corporations and Government Plan to Track Your
Every Purchase and Watch Your Every Move."

Despite earlier assurances by the issuing companies that the data
contained in the credit cards would be secure, researchers found that
the majority of cards they tested did not use encryption or protect the
data in any way. The information on them was readily available to
unauthorized parties using equipment that could be assembled for as
little as $50, the researchers said.

"We cautioned companies against using item-level RFID, and they didn't
heed us. Now the credit card industry is facing an unprecedented PR and
financial disaster," says McIntyre, who is also a former bank examiner.
She points to the astronomical cost to replace the cards, not to mention
the potential financial losses, litigation expenses, and erosion of
consumer trust.

Albrecht and McIntyre are calling on the industry to issue a public
alert detailing the dangers of the cards they've issued, institute an
active recall, and make safe versions without RFID available to
concerned consumers.

"This recall has to be very clear and very directed since consumers may
not know their cards contain RFID tags," says Albrecht. "The industry
has repeatedly resisted calls to clearly label the cards. Rather,
they've given the cards innocent-sounding names like 'Blink.'"

CASPIAN is advising consumers to immediately remove the credit cards
from their wallets and call the 800 number on the back to insist on an
RFID-free replacement card. The group is cautioning consumers not to
mail the cards back or simply throw them away due to the risk of their
personal information being skimmed.

Today's New York Times article by John Schwartz can be found here:
http://www.nytimes.com/2006/10/23/business/23card.html?ref=business

A research report detailing the findings can be found here:
http://www.nytimes.com/packages/pdf/business/20061023_CARD/techreport.pdf
New York Times:

RFID Payment Card Vulnerabilities Technical Report

By JOHN SCHWARTZ
Published: October 23, 2006

AMHERST, Mass. — They call it the “Johnny Carson attack,” for his comic pose as a psychic divining the contents of an envelope.
Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The demonstration revealed potential security and privacy holes in a new generation of credit cards — cards whose data is relayed by radio waves without need of a signature or physical swiping through a machine. Tens of millions of the cards have been issued, and equipment for their use is showing up at a growing number of locations, including CVS pharmacies, McDonald’s restaurants and many movie theaters.

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.

And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. “Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?” Mr. Heydt-Benjamin, a graduate student, asked.

Companies that make and issue the cards argue that what looks shocking in the lab could not lead to widespread abuse in the real world, and that additional data protection and antifraud measures in the payment system protect consumers from end to end.

“This is an interesting technical exercise,” said Brian Triplett, senior vice president for emerging-product development for Visa, “but as a real threat to a consumer — that threat really doesn’t exist.”

The finding comes at a time of strong suspicion among privacy advocates and consumer groups about the security of the underlying technology, called radio frequency identification, or RFID. Though the systems are designed to allow a card to be read only in close proximity, researchers have found that they can extend the distance.

The actual distance is still a matter of debate, but the claims range from several inches to many feet. And even the shortest distance could allow a would-be card skimmer to mill about in a crowded place and pull data from the wallets of passersby, or to collect data from envelopes sitting in mailboxes.

“No one’s going to look at me funny if I walk down the street and put a flier in everybody’s mailbox,” Mr. Heydt-Benjamin said.

The experiment was conducted by researchers here working with RSA Labs, a part of EMC, an information management and storage company. The resulting paper, which has been submitted to a computer security conference, is the first fruit of a new consortium of industry and academic researchers financed by the National Science Foundation to study RFID.

Security experts who were not involved in the research have praised the paper, and said that they were startled by the findings. Aviel D. Rubin, a professor of computer security at Johns Hopkins University, said, “There is a certain amount of privacy that consumers expect, and I believe that credit card companies have crossed the line.”

The companies, however, argue that testing just 20 cards does not provide an accurate picture of the card market, which generally uses higher security standards than the cards that were tested. “It’s a small sample,” said Art Kranzley, an executive with MasterCard. “This is almost akin to somebody standing up in the theater and yelling, ‘Fire!’ because somebody lit a cigarette.”

Chips like those used by the credit card companies can encrypt the data they send, but that can slow down transactions and make building and maintaining the payment networks more expensive. Other systems, including the Speedpass keychain device offered by Exxon Mobil, encrypt the transmission — though Exxon came under fire for using encryption that experts said was weak.

Though information on the cards may be transmitted in plain text, the company representatives argued, the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification “token,” or a small bit of code, that is encrypted before being sent.

“It’s basically useless information,” said David Bonalle, vice president and general manager for advanced payments at American Express. “You can’t steal that data and just play it back and expect that transaction to work.”

While the researchers found that these claims were true for some of the cards they tested, other cards gave up the actual credit card number and did not use a token or change data from one transaction to another. They also took data in from some cards and transmitted it to a card-reader in the lab and tricked it into accepting the transaction. Mr. Heydt-Benjamin, in fact, was able to purchase electronic equipment online using a number skimmed from a card he ordered for himself and which was sealed in an envelope.


(None of the cards transmits the additional number on the front or back, known as the card validation code, that some businesses require for online purchases; Mr. Heydt-Benjamin chose a store that does not require the code.)
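The distinction the card companies and the researchers are arguing over above is whether a card's output changes from one transaction to the next. The simulation below is an added example, not code from the researchers' paper or from any card issuer: it contrasts a "static" card whose record is the same on every read with a card that answers each purchase using a per-transaction counter and a MAC keyed with a secret shared with the issuer. The HMAC-SHA256 construction, the counter and nonce layout, and all card numbers and keys are assumptions and constructed values, chosen to stand in for the real payment-network "token" the article refers to, not to reproduce it.

```python
import hashlib
import hmac

# Constructed sample data, not values from any real card.
CONSTRUCTED_PAN = "4000000000000002"
CONSTRUCTED_KEY = b"constructed-per-card-key"

# A "static" card emits the same record on every read, so a verifier that only
# checks the record's format cannot tell a live card from a copy of an earlier read.
STATIC_CARD_RECORD = {"pan": CONSTRUCTED_PAN, "exp": "0908", "name": "J DOE"}


def static_authorize(record):
    """Naive verifier: all it can check is that the fields look well-formed."""
    return record["pan"].isdigit() and len(record["exp"]) == 4


def demo_static_replay():
    """A stored copy of the record is accepted exactly like the original."""
    copied = dict(STATIC_CARD_RECORD)
    return static_authorize(STATIC_CARD_RECORD), static_authorize(copied)


class DynamicCard:
    """Simulated card with a per-transaction counter (ATC) and a MAC over the
    transaction. Assumption: HMAC-SHA256 stands in for the real cryptogram."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key
        self.atc = 0  # application transaction counter, never reused

    def respond(self, terminal_nonce):
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{terminal_nonce}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc, "nonce": terminal_nonce, "mac": mac}


class Issuer:
    """Issuer-side verifier holding each card's key and the last counter it saw."""

    def __init__(self, keys):
        self.keys = keys
        self.last_atc = {}

    def authorize(self, resp, terminal_nonce):
        key = self.keys.get(resp["pan"])
        if key is None:
            return False
        # The response must answer the challenge the terminal issued for this purchase.
        if resp["nonce"] != terminal_nonce:
            return False
        msg = f"{resp['pan']}|{resp['atc']}|{resp['nonce']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp["mac"]):
            return False
        # The counter must move forward; a recorded response carries a stale one.
        if resp["atc"] <= self.last_atc.get(resp["pan"], 0):
            return False
        self.last_atc[resp["pan"]] = resp["atc"]
        return True


def demo_dynamic_replay():
    """Returns (live transaction accepted, recorded response accepted under a new
    challenge, recorded response accepted under the original challenge, fresh
    response from the real card accepted)."""
    card = DynamicCard(CONSTRUCTED_PAN, CONSTRUCTED_KEY)
    issuer = Issuer({CONSTRUCTED_PAN: CONSTRUCTED_KEY})
    first_nonce = "a1b2c3d4"
    recorded = card.respond(first_nonce)
    live_ok = issuer.authorize(recorded, first_nonce)
    # Presenting the recorded response to a later purchase fails on the challenge...
    replay_new_nonce_ok = issuer.authorize(recorded, "e5f6a7b8")
    # ...and even if the same challenge were reused, the counter has not advanced.
    replay_same_nonce_ok = issuer.authorize(recorded, first_nonce)
    # A fresh response from the real card is still accepted.
    second_nonce = "e5f6a7b8"
    second_ok = issuer.authorize(card.respond(second_nonce), second_nonce)
    return live_ok, replay_new_nonce_ok, replay_same_nonce_ok, second_ok


if __name__ == "__main__":
    print("static card, original then copy:", demo_static_replay())
    print("dynamic card (live, replay/new nonce, replay/same nonce, fresh):",
          demo_dynamic_replay())
```

The point the simulation makes is the one the issuers rely on: with a counter and a keyed MAC, the issuer can reject a recorded response on two independent grounds (wrong challenge, stale counter), and the eavesdropper never learns the key. A card that emits only a fixed record gives the verifier nothing to distinguish a live read from a copy, which is the weakness the researchers exploited when they fed stored data to a lab card reader.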

Mr. Kranzley said the MasterCard-issuing banks decided how much security they wanted to implement, but said that with 10 million of the company’s chip-bearing cards on the market, some 98 percent of them used the highest standards.

“Today, there’s an extremely small percentage of cards that have the characteristics that RSA has looked at in this report,” he said. Visa and American Express representatives said all their cards conformed to the highest security standard.

Beyond the security on the cards themselves, the companies said, they have deployed fraud detection and prevention measures that block suspect purchases. And each company stressed that cardholders were not liable for fraud.

Dr. Fu acknowledged that the research involved a small sample, and added, “We would be happy to examine cards that have better security so that we can verify these claims.” He added, however, that all of the cards they tested were issued this year, and all were felled by at least one of the attacks that they attempted.

Tom O’Donnell, a senior vice president at Chase, the largest issuer of the new cards, said that the attacks described in the paper would be too cumbersome in the real world. And the researchers said that other kinds of fraud, like so-called phishing scams in which criminals trick people into revealing credit card information through misleading e-mail messages and Web sites, were currently more effective.

Still, John Pescatore, vice president for Internet security at Gartner, a technology market research firm, said he was surprised by the lack of security in transmitting personal data. He said it was a mistake that companies often made in rolling out early versions of a technology.

“It’s the classic ‘Let’s depend on security through obscurity — who’s going to look?’ ” he said. “Then, whoops! As soon as somebody does look, you roll out the security.”

All of the card companies said that they were in the process of deleting names from the stream of data transmitted to the card readers. “As a best practice, issuers are not including the cardholder name,” Mr. Triplett of Visa said.
