The group—calling itself the RFID Consortium for Security and Privacy—is a group of computer scientists from the University of Massachusetts at Amherst, RSA Laboratories and Innealta, with some nontraditional partners, including the San Francisco Bay Area Rapid Transit District (BART), the MIT Auto-ID Labs and the Programme for Advanced Contactless Technology (PROACT) at Graz University of Technology in Austria. The National Science Foundation funds much of the research, according to the groups Web site.
The group tested about 20 samples from various contactless credit cards and concluded that "the cardholders name and often credit card number and expiration date are leaked in plain text to unauthenticated readers" and "our homemade device costing around $150 effectively clones one type of skimmed cards."
Perhaps of greatest concern is the reports conclusion that "RFID-enabled credit cards are susceptible in various degrees to a range of other traditional RFID attacks such as skimming and relaying."
Representatives of contactless companies and credit card firms have made the argument that the information intercepted by the techniques used in the UMass study are insufficient to make a purchase, that other information related to the specific purchase—coupled with data identifying the exact time and location of the purchase—is necessary to buy something.
They also add that the non-embossed verification number on the card—known in the industry as the CVD (card-validation code)—is not intercepted by such techniques, a claim confirmed by the researchers.
"With any data that you can gather from a contactless card, you are not able to do a transaction," said Mohammad Khan, president and founder of ViVOtech, a vendor that sells contactless/NFC payment software, transaction management systems and readers.
But there are two problems with those defenses. The first is that the CVC number is not universally required, although more and more merchants are insisting on it, especially online. The second problem is that not all cards use such an encrypted verification system, which the researchers proved by making an actual purchase with data they had skimmed from one of the evaluated cards.
As a practical matter, both sides concede, the current risk is not especially high for actual fraudulent activity with contactless over the long term. Todays cards are very much first-generation, and subsequent cards are likely to use stronger encryption—which slows down the cards processing speed.
Also, there are many easier and faster methods for credit card fraud than what the researchers tried, including tricking consumers into revealing their information.
But the risk with weak contactless security is not limited to credit card fraud: Its also an issue with identify theft and privacy. That is a much greater concern, and even contactless industry advocate Khan concedes that changes are needed, including the possible removal of the name from the visible data stream.
"Card issuers have a choice to not put the name of the card," said Khan, who was careful to not directly say that he wanted the name removed. "The industry may well decide they should stop putting the name on the [cards data stream]. Its controversial, but it might be the appropriate thing to do. It might be better to not have the name on the card. The only downside is that your receipt wont have your name on it."
The identity theft fear is that a thief could identify people by simply getting near them—or near their mail—with a hidden reader. If a thief sees someone in a store buying expensive items and thinks they would make an attractive target, a discreet credit card scan could provide a name.
An even more frightening scenario is a physical attack, where a violent criminal might see a good target for an assault and could easily identify the potential victims name for later pursuit.