Two kinds of risks with "swipeless" credit cards


Yesterday’s New York Times had a good article on security risks from carrying so-called “swipeless” credit cards — credit cards that come with radio transmitters, so you can make a payment just by placing the card near a reader, rather than having to swipe it through a credit card machine:

They call it the “Johnny Carson attack,” for his comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The demonstration revealed potential security and privacy holes in a new generation of credit cards — cards whose data is relayed by radio waves without need of a signature or physical swiping through a machine. Tens of millions of the cards have been issued, and equipment for their use is showing up at a growing number of locations, including CVS pharmacies, McDonald’s restaurants and many movie theaters.

I’m glad to see this research, and to see that people are calling attention to any security problems that exist in these systems now, before the systems become more widespread.

Unintended data loss is really only one of the risks of these systems, though. The whole point of having a swipeless card is to make it easier for you to spend your money quickly and impulsively. That may be a bigger risk! If you can avoid having a radio transmitter in your credit card, it may well be worth asking not to have one, both to protect your privacy, and to make it just a little harder to make those purchases you haven’t really thought through…

One Response to “Two kinds of risks with "swipeless" credit cards”

  1. Ian Says:

    I wonder when the credit card industry is going to give up on this.

    I recall the doomed SpeedPass experiment where McDonald’s and Mobil provided free RFID tags for both your keychain and car window. If the basic keychain model wasn’t scary enough, the car window variety was specifically designed to be read from greater distances.

    The SpeedPass encryption was first publicly cracked in 2005, but of course you can’t trust that some private individual(s) hadn’t done the same thing years before–if they are a black hat, why kill their golden goose by taking the findings public?
