Enterprise Applications - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Enterprise Applications


Report Blasts Holes in Contactless Card Security Claims



 By: Evan Schuman
2006-10-30
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Enterprise Applications story.


  Table of Contents:
  1. Report Blasts Holes in Contactless Card Security Claims
  2. ' How the researchers '
  3. ' Grabbing the Data Before '

Rate This Article:
Poor Best
Report Blasts Holes in Contactless Card Security Claims
( Page 1 of 3 )

Accusations that RFID-based contactless credit cards can be easily read by thieves are nothing new, but this time a group of scientists at UMass has gone quite far to try to prove it.Accusations that RFID-based contactless credit cards can be easily read by thieves are nothing new, but this time a group of scientists at the University of Massachusetts has gone quite far to try to prove it.

The group—calling itself the RFID Consortium for Security and Privacy—is a group of computer scientists from the University of Massachusetts at Amherst, RSA Laboratories and Innealta, with some nontraditional partners, including the San Francisco Bay Area Rapid Transit District (BART), the MIT Auto-ID Labs and the Programme for Advanced Contactless Technology (PROACT) at Graz University of Technology in Austria. The National Science Foundation funds much of the research, according to the groups Web site.

The group tested about 20 samples from various contactless credit cards and concluded that "the cardholders name and often credit card number and expiration date are leaked in plain text to unauthenticated readers" and "our homemade device costing around $150 effectively clones one type of skimmed cards."

Perhaps of greatest concern is the reports conclusion that "RFID-enabled credit cards are susceptible in various degrees to a range of other traditional RFID attacks such as skimming and relaying."

Representatives of contactless companies and credit card firms have made the argument that the information intercepted by the techniques used in the UMass study are insufficient to make a purchase, that other information related to the specific purchase—coupled with data identifying the exact time and location of the purchase—is necessary to buy something.

Resource Library:
They also add that the non-embossed verification number on the card—known in the industry as the CVD (card-validation code)—is not intercepted by such techniques, a claim confirmed by the researchers.

"With any data that you can gather from a contactless card, you are not able to do a transaction," said Mohammad Khan, president and founder of ViVOtech, a vendor that sells contactless/NFC payment software, transaction management systems and readers.

SanDisk and Philips team up to secure contactless payments. Click here to read more.

But there are two problems with those defenses. The first is that the CVC number is not universally required, although more and more merchants are insisting on it, especially online. The second problem is that not all cards use such an encrypted verification system, which the researchers proved by making an actual purchase with data they had skimmed from one of the evaluated cards.

As a practical matter, both sides concede, the current risk is not especially high for actual fraudulent activity with contactless over the long term. Todays cards are very much first-generation, and subsequent cards are likely to use stronger encryption—which slows down the cards processing speed.

Also, there are many easier and faster methods for credit card fraud than what the researchers tried, including tricking consumers into revealing their information.

But the risk with weak contactless security is not limited to credit card fraud: Its also an issue with identify theft and privacy. That is a much greater concern, and even contactless industry advocate Khan concedes that changes are needed, including the possible removal of the name from the visible data stream.

"Card issuers have a choice to not put the name of the card," said Khan, who was careful to not directly say that he wanted the name removed. "The industry may well decide they should stop putting the name on the [cards data stream]. Its controversial, but it might be the appropriate thing to do. It might be better to not have the name on the card. The only downside is that your receipt wont have your name on it."

The identity theft fear is that a thief could identify people by simply getting near them—or near their mail—with a hidden reader. If a thief sees someone in a store buying expensive items and thinks they would make an attractive target, a discreet credit card scan could provide a name.

An even more frightening scenario is a physical attack, where a violent criminal might see a good target for an assault and could easily identify the potential victims name for later pursuit.

Next Page: How the researchers did it.





  Reader Comments: Report Blasts Holes in Contactless Card Security Claims
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Enterprise Applications Articles          >>> More By Evan Schuman
 


x}r㶲s\@♵M"b{)ْZc[^fI*EBc"){~u~|.KkLb["h4y$sW7-gL.\sfS;uA@ Y>%w>{ '(+ԯ1mnf]S/ _hoL|Nშ :#:@.Pk< Z57껲54o/ne0S-ڎIQ>)VNմH>ش^$)qHh] ]( Ѽ$pm<"Q}# QTBQ5w0NK <[8$C5nCUVekFVluy! 1#o ݿ!Hͤ޸@d`jId:4G"0,C63!p5\ap*)ZHZ6tG-#HPN$=+AbArxưcIHo*!)lpi#¼t'@>x u-C¿{+߀Cݸ1̷L[좖>'l"R ?q7`BaC5LjZE&> ؗCY͢`F3l˸-:4 HS(G~@?8rދWcm9NeW4[޾K\(Uu7ںs m9k%sruO}~N6nx9vtx//;YHMDU%`ZJG4_::~XB^ ,9@FI?n/ny%rPH+).##-b|+0CF_8rri[򓹥}o__]wzmo_wڧ>1fPUM~ 3he+%2h\uܜn9n:MvIs!+|qg>!5M0\̱¬:sUZ\vO^SQ?&:aZ+jI-Gf=jIo]}:>$7Yn[90N`mYn_H!-a(7fhX@?$eR2|&r* ߱n^S@5'/iV=88ୱJ+҄& 9B:A`̺NR49V/8蟉$Wm4@r5XSl؅ R揇o4eOM XZEU>hi"A[T]ϧˊfoF"> 23yB(pHqb&μb8Oದyp!rY]4'tauAUi3ӟ}ޡ:itnUO^ S3G#洋вns榣V$c~+e_;ڇU95zQnʼnl :2X jXR7HaQgtA`::)ҧ>RӚMCqRO#Gs>H2胎6mb8-ƙ" ,70}HOqI4o Qx٭lE%_¤< ) zA;=H:]6(Z\?`c VC@B뎂9{׿ޚB"QޒС4aqj =*~3=w}   @lWk 6G~[>l03գN\JQz[ dSJJd$D!-i]R@Az8 -,rrl++E쎄~ .<BI>ڹLXأXB YX/E_R23#CdɬaX91{MfT`"[/Kቖ&JlkVNdF E=4!Гޙ`|=-0Xհݙ2r|>I4?kVzv}n7MAV?k pl7+ w&rG|媞5 jx0?s\LdFfkeuE$ciz:2Y4hS\ESkHb8"T paBXa0 S]JlQԼ;(V4:E80eCf+[ꯦT+jpzۻ(Sg&;Ql˘@/-#1$6/Pk .a@C%)& cVb\FBk ZCbP&ܔwц.[XR]/XL+*9Gqϟ  sFWyQFfZa0KyԪRVM'VQrh_V8+ 8 #UQ@X5Ɂ;΁Eo⽿2Ms`@o(?`3|x+ߙ[W`eƘ]H?`W._kW2)N<:arMTՑG7`sk'(k=0ECV8! H*7hVІ{egjړ@헖aLL:+l30UfSfyr;505Vu 2 \Ezďuvɭ-YE8&WO!SB9^%L wܒ; +@X'W-(7O40pR2^>](lY@;|6i4DZ6ȈDzzT|1'Yo\s ܮ:Rr r=cte>u1i}KUה1Ze }o(SYmq'&F.҄^]fRvQLlvLTcdTRZ|~Z/\f8C+`WRjjjvL*'o&ŏh(5rvOC>QkQA%UHUگjYIz$ :*i6Y+(#t+Yǽam.E<[% 1ķʨXISW*.wD<4Ϩ;}Nbi4PG cWՄθ 4;fXd;ɳڴiD@kX+#nƭj`.jV$$: <{dG=^UH&rf2z30|  qΟݚwr`>xI ʾv@ljpwG2M3 Wj_1|ʢ'p?n ]V(A솣t9#T`| @-c'd1s<ɷonjC<8 +Aנn)ɡXXD>QkFR{e"nxR* -111u?|{qiwozU)oRo(0h_hCmM0:;_ ݘ`3at -ⴔQԕ|wiIIcԧ˾tڼ9A&̫{;At;C:LGp֏3 ﵲu珅%< 8sj|HG-?\w?]ECjFyn8F&{PvB, oHŤ}vl{{l:k6zv>G72CH#rECR|{޽y-{w[r܃,= YF#B򜜷ǍAk3d4) 3`X#axs#&DH[(`u}͙C碮9ki.Dz=t_5g0YT h% ۯ}g#( Z`!灙w1ߐtxPZ# (ʑ=`` Vwu .f_ @AnpKz!NU Hy*e4Д e5:M!94rYAG$ r>c.A-6ܾN9$4sJd":A%;?m[ħ{, /䎑F=:d =LgP6'in&.Z7t[b)sNxsyؠ#%tBU[CT䵴f[YUHO~@)!\8)DzH0QH吜Ճ~q=zpPuwXG:Q$. tFnt7ÝԆ+^@)s^EXL2kx'gY6/t0w쯁 8dcΣdfcT c1! =ѧ@ǂ f A] ުMZ%79aM`aE8F<.%g-'Mw[GZ]ry}M_gqW{$ tD=(oY7۸{.z|(=~!GzE>sF.Zٽuڻoue'3 CݿNvA]iNw74-7UzyB J~l't:D(jE[e[{C9Ȫ̅S.{R؉'G#3~`q8-:`tH_/lFځ;-3(m3F-߸_2{K=7 x=*AOϺw42]awmB%umJˢ.{%nw^hr;T%%y:/IQ)"{"F%{twoBuU6mt_'Kmx<~o :l0̠@ b@ff7\#9S@id=hl|nwcJdjl 81Qhr٦h " Va' zYC,GIIbwl[#ƣtǷMi|o(<L8s{C8pU_r w^?39&p$qIM{fr+ )?8 »/VDe[bw[8| vtj9J;~|ːu9>}+)6A[KJ<+ѻ$naDm'+Ya:bofhukEKP-:tRGIg,xf酮2K, ; <?g~^c\Sc\/=pgl%bGV87!3_+_n}66|$7?15 L;f7ף7,ո+U4Vپ.ZcG4-,aMws[ ؋zg"F0uF1h47\Лv@p⻳1.M4)uNHl€B$`L1!%8C"Bҍ꿼"K+f Ĩǂxz[B[oœ׫ qũW;Ww+[! fr] S φDEkȹ@b Kt&F&.^c" dXRWo͓iV\+mz TYf y;&@S+3XTR o Zߤ<&m_may^g'/*귵O]A6%`5H nmYw pizl/XOYf%e։))V$^S&e5l~kZt8=|'98\ O; /۝ݽ]C|Ms-E  _ -.K{~i sqioIKWCi@{- zq!Zp6P]}zUctbJtY5X}~ly <>.N-£EeJo|֊OZZ]YΞCmgư,YHQIclRx@$D@amIYx =MZ.b쀼 Q :&Mq#oh?.$u(,@N`MqEw£w٧0_ "EB~`:vxe=I.4bœ{e<~G\rdT#=tjmۏo|s^b(H[ B,==di3Cכdž岯,G*o|x|u@YDi.`WD0m+`{_+A#샒=%xu ,q!Dw uv3<QmIMm&ކ kQpO3VGBA8AXJo,"%xa sIc8(ĒI PFpxIz(jsh*b4KB-'"}L11%`sZk^gYr+Șz~b=! c-{TAN9-S5ySo*GZ!դFK5-5֠)\ۜ>3-iM13bmCym+=u`m;b7ik+mLtG8Ow| e޼vwO %YՉJn%膎Ԙ7E;=ee\Llܥ9H>5BYQ7<؎ה=g`9Ehcu emTd0o@,VKtlsQ&ˇtxZڊRB{?ED90ǖC/0%n4ܵ,qBxڵϔ8.M "g}XC @&Du#i 'Y,1t:ssE vb"mkmnAzTcH}1~$: SUXqYqc[VjJYb;7s":;K 9v2>3K]SV濽#RF¯R~%rUq{V]^'LtKW16jvN[Ļe UkL(_F1@> p#SMC7RyVmIz/#\CP |$S7Wp+TՔݷGܿȺextJ"r[-eUi[c:&nCG8SVMI٫TT6uGw,՜Fd>^hTJӑu t>m;A=~7kLLROf 0pb XB\7}D['ٍCahb#0z$!FL?4;};ozxX2k ``6uXȟ?@S 5F7BwjL!'vq]Q s⍰J"aKOv1q1$U?fC7,>1 >B$!i2ozeO9PJIݹa?Ð3{c6Z"VZ1ш@Q->ɹcMNVJE< ,iMYC) \cW6"))ĴF#1CLD:5,ǰg&'6=/؋wכXct/#+&(?q֋D {GLƙ;fSZ,ɟ ~H- Tf3t]\TP*@H>QeA??­!~Rfjs# x_򘙍r4`ynʹ{Ƀ~V-x} tHM djAKlRt=:rtT*ʞ |{C` g ci S2C´vt`~LR ] 4Bq0h𠔴W*vtE 1ºޛXF #}AaP8Z  +z+5'I]S@)9#{˪gwy2=9ݬ߲!4W PRx  V #v(CdQaGL€،\ݹXh4ο5iv>N;WN_[ǁ%}RGݪ;֗՗es/4N-<·_s}i)|Q)X7KGYFyfvʌPN6u\ «1.ys8,tG0}4yE~Rf}YQJ/Ni01}cl۽OֆCYCVʼnt,'}ҽlIJ/6ρs?Bǜ_k(^]~NmwS_]9'P~sC9 ?.?g嘽ӯ,ureN9Bc/ Y]~sl׸ " {C E}./?/r"?QF/s sϠ,P ()K..n~+r޿rs3ק 9}}Ρ   M:Iʙ#g+\8=>9)/9R{ WKӜ(gsVڍnV`{CJg_/G+@/IsumR+ ]q%>=-{ᘴ[ͺrn@ ȣ{i K{#68xE£B+gٔl?vFnmV=՞bMedGE⬏G\%[n3'rO=]"X̽qo>u= ҟ\2fA<'ԎsnOAr^EwMw[0/:)7.p{ZӛڎwڝGfzuieDd;w6 oCd Yf%G6y}2oفBo\gU9n{d4qa >c? B` ,j?5[nb橵U$7OS \"9<'$`B#s{Īݯhj8t^0H_ *6wdb "n#ѥil3AZA/`9qR&&[c7O_bT"m_م7G"U?Ɏ6ИI-3;~ɱ ( kDF(l#bY̡Pnl@P\|݆Nlwf۝0'=("= uK600wYW -^As5 D =b oYLE2g~1~-pIeh/ 0S\q?Jhbv]"6 R Ň%Os˙}e7w= p_Uh-O/N~'i86FՋpO`wBGa|#5J(KESXn傾]#r/"ODOlӦeM$f@g^l(VxHDZڮeHCgrT~{J}*P=fښSO:] v",dv/+0bŽϥOvHyU_Z}$+t#R.ڋOFې/)0XP4 <pЅ)n93x0^? xi+nS-˖) Mm+#84"<ܼmQF޺׸6Vx}ư҄ ]@1SpY ѫvc5W*Ef9a7ct?_ԕe`7g~*VCA>m+ЍiO|3'ȱ ya1 g{yW=?5j3l3Gajn,eH}Kqd.5" $$r嵖I;;Q0&|iE-ȓl`Cv_.~ph[?2YA wVǰ>dBLN7 S 3pRaL $b[иSV7v6Ȅ В#nMvbec>!