
Privacy Pitfalls in No-Swipe Credit Cards 261

Nrbelex writes to mention a New York Times article about the privacy pitfalls of 'no-swipe' credit cards. Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were able to easily retrieve data from the new cards ... data available without encryption and in plain text. From the article: "They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."

  • by QuatermassX ( 808146 ) on Monday October 23, 2006 @07:49AM (#16544656) Homepage
    In London, TfL can track my movements for the past several years, but I do wonder how often people have their Oyster data swiped. Of course, what would the purpose be, really ... use and abuse that season ticket? Hmmm ...

    Of course, I found this interesting blog post from several years ago: http://www.spy.org.uk/spyblog/2004/02/foiling_the_oyster_card.html [spy.org.uk]

    I just wish TfL would get the bloody Silverlink / North London Line railways on the system rather than posting stormtrooper rent-a-cops at selected stations on random mornings. I actually do pay my fare, but I'm deeply distressed by the rudeness of some of the non-TfL staff. Treat customers not as potential fare-evaders but customers!

  • by boyfaceddog ( 788041 ) on Monday October 23, 2006 @07:49AM (#16544658) Journal
    Okay, magnetic swipe cards are better than the old way of making a carbon from the raised info on the little plastic cards, but what is the advantage of an RFID credit card? I still need to get the RFID-thing out of my wallet or out of my pocket to use it. Is saving five seconds such a big deal that I wouldn't spend that five seconds in order to protect my identity?

    Upgrades for the sake of the "wow-factor" are stupid.
  • You mean... (Score:4, Interesting)

    by Atheose ( 932144 ) on Monday October 23, 2006 @07:57AM (#16544726)
    ...swipe cards aren't secure? Hell, I'm still waiting for CREDIT cards to become secure.

    I've been waiting for 2 years for cashiers and salespeople to check my signature whenever I buy something with my credit card. Sometimes I'll sign "Mickey Mouse" or "Donald Trump", or even write a phrase like "Yankees suck!", and I still have yet to be asked even once. With the lack of security on older cards, it doesn't surprise me that these newer ones are no less safe.
  • Re:You mean... (Score:3, Interesting)

    by BenjyD ( 316700 ) on Monday October 23, 2006 @08:01AM (#16544760)
    I think a lot of countries are adding security by requiring PINs for swipe credit/debit card transactions.
  • by MikeBabcock ( 65886 ) <mtb-slashdot@mikebabcock.ca> on Monday October 23, 2006 @08:23AM (#16544928) Homepage Journal
    On a really cold winter's day up here in Canada, I'd quite like a system that didn't require removing the card from my wallet while wearing heavy gloves. That would require a keyfob that worked from several feet and had some form of passcode required of course, but it would be awful nice.
  • by Anonymous Coward on Monday October 23, 2006 @08:37AM (#16545066)
    People who notice fraudulent transactions on their statements will make calls and the banks will eat the cost of the purchases.
    Actually the bank performs a chargeback, requiring the merchant that accepted the transaction to prove that they did everything right. In the end it's usually the merchant that eats the cost of the fraud. They, in turn, recover this cost of doing business by factoring it into the cost of the goods that you and I purchase.
  • by barzok ( 26681 ) on Monday October 23, 2006 @08:53AM (#16545222)
    Asking your bank for one? I was given mine by my bank, no other option. "Here, you're taking this."

    While they were at it, they issued a new card # to my wife, for the same account - the old cards had the same number on both hers and mine.

    For the tinfoil crowd, the few times I've used it, I had to make physical contact between the card and the reader - I couldn't just wave it by. In fact, the first 2 times I used it, it took me several attempts to get a read. It's pretty weak, but I don't know if that's the card or the reader.
  • Re:You mean... (Score:5, Interesting)

    by NightWhistler ( 542034 ) <alex.nightwhistler@net> on Monday October 23, 2006 @08:53AM (#16545224) Homepage
    Here in the Netherlands the overwhelming majority of payments is made with direct-debit cards, so credit cards are not used as much. Whenever you do want to pay with a credit card, they require some form of ID for any payment over 50 euros.

    My autograph is pretty small and ugly and worst of all I've never really gotten the hang of getting it consistent. I've been called on it a number of times when I wanted to pay with my credit card. One store actually went so far as to hand me a notepad and have me write down my signature a couple of times, to check the variations with my card and my driver's license.

    Now most stores aren't this paranoid, but credit cards are thoroughly checked around here...

  • This is stupid (Score:1, Interesting)

    by Anonymous Coward on Monday October 23, 2006 @09:05AM (#16545320)
    There seems to be a really huge gap between the security research community and the companies developing RFID credit cards, RFID passports and voting machines, in other words, the people making the practical applications. It is clear that these companies have absolutely no competence whatsoever regarding information security and don't care to ask anyone for advice either. Beautiful. Security by obscurity is the default and often there's not even much obscurity..

    Aren't there any rules regarding the handling of sensitive customer information? No laws? Is it enough to just say: "Don't worry. Your data is safe with our technology." when it is actually not?

  • by CastrTroy ( 595695 ) on Monday October 23, 2006 @09:08AM (#16545340)
    Wouldn't it make more sense to leave all the information on the credit card encrypted, have the information left encrypted and sent to the credit card company, still encrypted, and only be able to decrypt the information at the credit card company? It seems to me that even if you need physical access to copy the number it's still not that secure. It would make much more sense to have a card that's blank and devoid of any identifying information than to have something that just about anybody can get the information off of.
  • Re:Hah. Screw it. (Score:1, Interesting)

    by Anonymous Coward on Monday October 23, 2006 @09:08AM (#16545346)
    You know, when there is enough money behind it, they will outlaw the stuff that makes it stupid, so get ready for an FBI investigation next time you shop around for one of these components....
  • Re:Geeks Rejoice! (Score:2, Interesting)

    by Beltonius ( 960316 ) on Monday October 23, 2006 @09:32AM (#16545582)
    I have one of those cards. I lined my wallet with as soon as my bank informed me that I would receive an RFID-equipped credit-card at no extra charge!
  • by xplenumx ( 703804 ) on Monday October 23, 2006 @09:45AM (#16545730)
    I've been to Thailand three times in the past five years, and while I've never been pick-pocketed, after all three trips mysterious people tried to make fraudulent charges to the credit card that I used for that particular trip. I know two coworkers who have had people attempt to make fraudulent charges on their credit card (from inside the US in each case) even though neither credit card was physically stolen.

    These 'old days' you talk about ended long, long ago. These 'new days' you predict started decades ago. I'm far more worried about the minimum wage employee handling my credit card info or someone digging through improperly discarded credit card receipts than I am of a technophile taking the time and effort to build a mobile card reader. A stolen credit card is a stolen credit card, regardless how it's done - and we already have measures to counter this. I fail to see how this 'new world' is any different than today's status quo.

  • by ZachPruckowski ( 918562 ) <zachary.pruckowski@gmail.com> on Monday October 23, 2006 @10:04AM (#16545932)
    "All you've done is substitute one set of unique information for another set of unique information, the fact that the information means nothing to you doesn't change it."

    Yes, but it's information that's harder to obtain. I mean, you can't read it off the card's front, you have to scan to get it, and once you get it, you can't use that series of encrypted info at the online stores, you have to find a credit card of a similar type and "flash" it to that encrypted series.
  • by z4pp4 ( 923705 ) on Monday October 23, 2006 @10:11AM (#16546006)
    Read EMV [wikipedia.org].
    The big credit card companies are well aware of the risks. After all, it's the main determinant of their income.
    What some people don't realise: It's not about the risk of theft, it's about the risk of liability.
    With the new EMV system, the credit card companies will firstly start to roll out Smart card based credit cards, and to force credit card merchants to use the new machines, they will change contracts so that merchants are fully liable for chargebacks on magstripe transactions, and a lot less liable for smart card / card present transactions.
    Note that the paranoia mongering of Smart cards versus Magstripe is pointless: Smart cards are a lot better than magstripe to begin with. If the company that controls the information is up to scratch, I'd rather go for smart cards.
    Remember: Magstripe credit cards do not provide full 3 factor authentication. At best, it provides 2. Smart cards on the other hand can provide full 3 factor authentication.
    As for the whole RFID thing: I call BS. If the information is encrypted and the PKI is implemented, it does not matter how far the information travels, it is still safe. The private key on the smart card cannot be compromised, unless you have a very expensive piece of machinery with micro probes to detect the internal chip state.
  • by Jerf ( 17166 ) on Monday October 23, 2006 @10:56AM (#16546578) Journal
    I hear zapping chips in microwaves toasts them pretty quick; if you have a stripe to fall back then the card wouldn't be useless, but I don't know if it would survive.

    Does anybody know how magnetic stripes respond to being microwaved? Not much use if you toast that too. And how long do you have to zap a chip to burn it out? (Sub-second?)

    (Note the stripe only has to be significantly more robust than the chip, it doesn't have to be immune to microwaves. If there's a range where the chip dies but the stripe still works, it doesn't matter if the stripe would stop working in another ten seconds.)
  • by SuiteSisterMary ( 123932 ) <slebrunNO@SPAMgmail.com> on Monday October 23, 2006 @11:32AM (#16547022) Journal

    I've said it before, and I'll say it again: duress code. A pin number that works perfectly well, and gives no outward sign of being used, but flags the transaction(s) as being 'under duress', kicks in a high-resolution camera (say, in an ATM kiosk) and summons the police. Woe if you use it inappropriately....

    Also, an easy trick for the RFID cards would be for it to have two numbers; one which is transmitted when you swipe it, allowing for normal purchases, and a different number on the RFID side, which allows up to $50/transaction, or whatever, maybe a # of purchases/time constraint, and so on. That way, somebody waving an RFID reader over your wallet doesn't get your full purchasing power.
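
The two-number idea in the comment above, sketched as an issuer-side authorization check. This is an added example, not part of the original post or any card network's actual logic; the account numbers, the velocity limit and the one-hour window are constructed assumptions (only the $50 cap comes from the comment).

```python
from dataclasses import dataclass, field

# Limits: the $50 cap is the comment's figure; the rest are assumed values.
CONTACTLESS_CAP_CENTS = 50_00
MAX_CONTACTLESS_PER_WINDOW = 3
WINDOW_SECONDS = 3600


@dataclass
class Account:
    stripe_pan: str   # number encoded on the magnetic stripe
    rfid_pan: str     # separate number the RFID chip transmits
    rfid_times: list = field(default_factory=list)  # approved contactless times


def authorize(acct, pan, channel, amount_cents, now):
    """Issuer-side decision for one transaction: returns (approved, reason)."""
    if channel != "contactless":
        # Swipe or any other channel: only the stripe number is honoured, so
        # an RFID number read through a wallet is useless once re-encoded
        # onto a stripe or typed into a web form.
        if pan == acct.stripe_pan:
            return True, "ok"
        return False, "number not valid on this channel"
    if pan != acct.rfid_pan:
        return False, "number not valid on this channel"
    if amount_cents > CONTACTLESS_CAP_CENTS:
        return False, "over contactless cap"
    # Velocity limit: count approvals inside the sliding window.
    recent = [t for t in acct.rfid_times if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_CONTACTLESS_PER_WINDOW:
        return False, "contactless velocity limit"
    acct.rfid_times = recent + [now]
    return True, "ok"


def demo():
    """Replay a constructed sequence of transactions and return the decisions."""
    acct = Account(stripe_pan="4000000000000002", rfid_pan="4000000000009995")
    events = [
        (acct.rfid_pan, "contactless", 12_00, 0),    # normal tap
        (acct.rfid_pan, "swipe", 12_00, 10),         # skimmed number on a stripe
        (acct.rfid_pan, "contactless", 50_01, 20),   # one cent over the cap
        (acct.stripe_pan, "swipe", 900_00, 30),      # full purchasing power
    ]
    return [authorize(acct, *e) for e in events]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```
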

  • Re:Hah. Screw it. (Score:2, Interesting)

    by Miqel ( 647421 ) on Monday October 23, 2006 @01:08PM (#16548410)
    My wife's CC was recently skimmed. They made face-to-face transactions totalling $5100. In these cases, according to the bank, they make a card with their own information on the front and our information on the magnetic strip. In this case, an ID check would have shown that the card was being used by the apparently correct owner. We need to implement PINs and smart chips on our CCs to eliminate these types of fraud.
  • by Alpha232 ( 922118 ) on Monday October 23, 2006 @02:00PM (#16549252)
    Working in the hotel business, I handle a large number of credit cards. The trend I have seen for people wanting to "disable" the RF portion is to use a hole punch through the chip. I've seen about ten or so this past month, all have the little radio icon on the back and a hole punched right through the card. Not a bad way to do it I must say.
