RFID credit cards vulnerable

October 22nd, 2006

Today’s New York Times has an article on vulnerabilities of new credit cards with RFID tags. The article, “Researchers See Privacy Pitfalls in No-Swipe Credit Cards,” says that researchers have found that some new RFID credit cards have the card holder’s name and the card’s number and expiration date in plaintext.

“Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers. Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.”

Professor Fu and grad student Heydt-Benjamin are part of the RFID CUSP (RFID ConsortiUm for Security and Privacy), an NSF-sponsored effort involving UMASS, JHU and RSA.

What I found somewhat surprising is that each MasterCard issuing bank decided how much security they wanted to implement. Apparently some are less security-oriented than others. I can just imagine the conversation I would have if I called up my bank and asked them about the encryption algorithms used in the new RFID card they might try to get me to take.