Tuesday, October 24, 2006

RFID Security Lapse in Credit Cards

Classic case of technology outpacing security. Luckily, RFID scanners aren't nearly as widespread as WiFi yet.

A report released today by a team of scientists in the RFID Consortium for Security and Privacy (RFID-CUSP) reveals lapses in the security and privacy features of several types of currently deployed RFID credit cards. The report (of which I am a co-author) highlights two basic vulnerabilities in the cards under study:

1. Names in the clear: The RFID credit cards transmit bearer names promiscuously. Any device capable of scanning a card can learn the name imprinted on it—with or without the owner’s consent.

2. Payment fraud: In varying degrees, the RFID credit cards are vulnerable to an attack called “skimming.” An attacker with an RFID reader can harvest information from a card, create an inexpensive clone device, and make charges against the legitimate card. (Alternatively, an attacker may be able to perform online transactions with harvested credit-card information.) Skimming requires minimal technical expertise and expense.


