“No swipe” credit cards are ripe pickings for thieves.

Do you have one of those RFID chipped credit cards in your wallet? You know, the ones where you just have to wave it at the card reader to pay for something instead of actually sliding it through? Convenient little buggers aren’t they? Yeah, thieves probably think so too. Especially considering that they don’t have to physically steal them in order to steal them:

AMHERST, Mass. — They call it the “Johnny Carson attack,” for his comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The demonstration revealed potential security and privacy holes in a new generation of credit cards — cards whose data is relayed by radio waves without need of a signature or physical swiping through a machine. Tens of millions of the cards have been issued, and equipment for their use is showing up at a growing number of locations, including CVS pharmacies, McDonald’s restaurants and many movie theaters.

The credit card companies will tell you there’s nothing to worry about because they’re using encryption to protect your data. Problem is, they’re not:

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.

And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. “Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?” Mr. Heydt-Benjamin, a graduate student, asked.

Oops. I don’t have any such cards myself, but if I did I’d be on the phone getting them replaced by plain old cards immediately. A thief walking through a crowd with one of these scanners with the receiver running down the sleeve of his coat could scan literally hundreds of cards with no one being the wiser. Jinkies!

6 thoughts on ““No swipe” credit cards are ripe pickings for thieves.

  1. Keep in mind that it’s not just your money they can get from these cards.  Once they’ve got your name & credit card info; it’s a very small jump to stealing your identity.  Once they’ve got your identity, they can apply for loans, credit cards, whatever.  Identity theft can really screw a person over and unfortunately I think it’s only going to get worse.

    Especially since the US government seems to be in the pocket of the corporations and is unlikely to pass laws to better protect the consumer anytime soon.

  2. I see a lot of problems with this, but the solution is not the federal government. The solution is for extremely severe penalties for identy theft, no slap on the hand, a hard no parole possible sentance for first times and a life sentance with no parole for second offenders. In my current mood I am not really all that adverse to public execution for those scum bags and we can place a hacker on either side so they won’t be lonely.

  3. @James Old Guy: If you’re talking about penalties for both the thief and the company who compromised your data.  The companies won’t take the security of our data seriously until they have something at stake.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.