A recent report that raised serious scientific questions about how secure the new contactless credit cards are could ultimately depress online sales, as consumers might doubt overall credit card security protections, according to retail analysts.
The chief author of the report, Kevin Fu, a computer science professor at the University of Massachusetts, said it was easy for his team to scan names—and often credit card numbers and expiration dates—from consumers carrying contactless cards. “Weve demonstrated it walking by somebody in an elevator. You can skim all of their credit card information through their clothing, through their jeans, through their wallet,” Fu said.
“Some fairly famous researchers decided not to look into the security of these credit cards because they heard they use encryption. Of course its going to be perfectly secure. Lets not put any time into looking at it. We were surprised at how easy it was to skim this kind of information.”
Mark Rasch, a former federal prosecutor who is now a security consultant, said the degree to which the systems were penetrated is unexpected, but the fact that RFID- (radio-frequency identification) enabled credit cards are not secure is not a surprise.
“Any time youre transmitting information, you run the risk that somebody else is going to intercept it and … retransmit it. Its always been a recognized security vulnerability of any transmittal type of system. What mitigates it principally is that it requires physical proximity to do it,” Rasch said. “Also, you generally have to do it as a one-off, one at a time. Its much harder to do it collectively. But what you can do is you can collect the transmittal information from a lot of people as they pass through.” As technology improves, Rasch said, thieves “could literally put something on a turnstile on a subway and just collect the information from just about everybody.”
Fu added that an expected technique will be to secretly place small readers by building entrance panels since consumers are often told to place wallets against the panels to gain building entrance. A surreptitious reader could read all contactless credit cards while the authorized reader is looking for the security authentication device.
Analysts agree that the simplest and most cost-effective way to address the contactless problem is to add some kind of a PIN or some other user-known authentication approach or password. The problem is that such an approach would defeat the entire convenience and efficiency advantage of a contactless card.
Greg Buzek, founder and president of IHL Consulting Group, in Franklin, Tenn., said the move actually plays into the hands of MasterCard, which has said it will soon introduce a debit card program using just such an authentication system.
The industrys initial response to RFID security fears was encryption, but the University of Massachusetts investigators didnt try to break the encryption. They merely passed it along.
“The problem was that people put too much faith into encryption. Encryption is blocking someone from trying to get at the contents of the message,” Rasch said. “What this type of attack does is it says, I dont care what the contents of the message are. Im simply going to retransmit whatever the message was without knowing what it is. In other words, I dont want to be you. I just want to use your credit card information.”
The very nature of RFID invites security problems, such as the ones these first-generation credit cards are experiencing, Rasch said.
“This points out one of the problems with RFID. RFID is continuously transmitting. Its much less of a risk if its only transmitting at the point and time of authentication,” he said. “Theres still a risk that it might be a clone device. But if youre transmitting all the time, youre at risk all the time.”
Rasch also said credit card players need to focus time and money on having the systems check each other instead of it being one way.
“We spend a lot of time in RFID authenticating the card to the merchant. We need to spend an equal amount of time authenticating the merchant to the card. The idea is that I have an RFID card, which is saying, Im ready to buy something. Whos out there?” Rasch said. “What it should be saying is, Im ready to buy something. If youre an authorized, accredited merchant with a valid certificate, Ill exchange my information with you. It requires both. So you have some kind of a certificate built into the merchants request for information and there has to be a handshake between the two. You still would risk that somebodys going to get a valid merchants certificate and be able to suck up the data, but at least youll know where the compromise occurred and how it occurred and be able to mitigate the damages.”
Fu added that such a system would bring with it “a lot of hidden costs and overhead.”
Patti Freeman Evans, an analyst with Jupiter Research, in New York, said that the problems with contactless security perceptions could impact a lot more than merely those contactless cards. It could easily impact e-commerce sales as it plays off of existing consumer fears that its easy to get ripped off online because security is so lax.
“This just feeds into all of the fears that people were having about this kind of technology and it undermines the credibility of the credit card security systems overall,” Evans said, adding that fraud concerns are “the biggest inhibitor to people transacting online. This just fuels the fire of consumer fears that they already have.”
Retail Center Editor Evan Schuman can be reached at [email protected].