funsec mailing list archives

Researchers See Privacy Pitfalls in No-Swipe Credit Cards


From: "Richard M. Smith" <rms () bsf-llc com>
Date: Mon, 23 Oct 2006 08:58:59 -0400

http://www.nytimes.com/2006/10/23/business/23card.html?ref=business

October 23, 2006

 Researchers See Privacy Pitfalls in No-Swipe Credit Cards
 By JOHN SCHWARTZ

 AMHERST, Mass. - They call it the "Johnny Carson attack," for his comic pose
 as a psychic divining the contents of an envelope.

 Tom Heydt-Benjamin tapped an envelope against a black plastic box connected
 to his computer. Within moments, the screen showed a garbled string of
 characters that included this: fu/kevine, along with some numbers.

 Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card,
 fresh from the issuing bank. The card bore the name of Kevin E. Fu, a
 computer science professor at the University of Massachusetts, Amherst, who
 was standing nearby. The card number and expiration date matched those
 numbers on the screen.

 The demonstration revealed potential security and privacy holes in a new
 generation of credit cards - cards whose data is relayed by radio waves
 without need of a signature or physical swiping through a machine. Tens of
 millions of the cards have been issued, and equipment for their use is
 showing up at a growing number of locations, including CVS pharmacies,
 McDonald's restaurants and many movie theaters.

 The card companies have implied through their marketing that the data is
 encrypted to make sure that a digital eavesdropper cannot get any
 intelligible information. American Express has said its cards incorporate
 "128-bit encryption," and J. P. Morgan Chase has said that its cards, which
 it calls Blink, use "the highest level of encryption allowed by the U.S.
 government."

 But in tests on 20 cards from Visa, MasterCard and American Express, the
 researchers here found that the cardholder's name and other data was being
 transmitted without encryption and in plain text. They could skim and store
 the information from a card with a device the size of a couple of paperback
 books, which they cobbled together from readily available computer and radio
 components for $150.

 They say they could probably make another one even smaller and cheaper:
 about the size of a pack of gum for less than $50.

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
