Privacy Pitfalls in No-Swipe Credit Cards

Nrbelex writes to mention a New York Times article about the privacy pitfalls of 'no-swipe' credit cards. Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were able to easily retrieve data from the new cards ... data available without encryption and in plain text. From the article: "They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."

Hah. Screw it.

[Concern (819622)]

Let them do this. I think it's time these idiots suffered a really big catastrophe; it'd probably the most (only?) effective way to really set the tone re. RFID.

Meantime, don't carry these cards yourselves, and avoid banks that use them...

Re:Hah. Screw it.

[ac7xc (686042)]

When there is credit card fraud the merchants get stuck with the bill and you end up paying higher prices.

Pickpocketing at a new level

[by Anonymous Coward]

In the old days, you used to actually have to stick your hand into someone's pocket or purse.

In the new days, you apparently only have to sit next to them on the bus.

Pickpocketing at the same old level

[xplenumx (703804)]

I've been to Thailand three times in the past five years, and while I've never been pick-pocketed, after all three trips mysterious people tried to make fraudulent charges to the credit card that I used for that particular trip. I know two coworkers who have had people attempt to make fraudulent charges on their credit card (from inside the US in each case) even though neither credit card was physically stolen.

These 'old days' you talk about ended long, long ago. These 'new days' you predict started decades ago. I'm far more worried about the minimum wage employee handling my credit card info or someone digging through improperly discarded credit card receipts than I am of a technophile taking the time and effort to build a mobile card reader. A stolen credit card is a stolen credit card, regardless how it's done - and we already have measures to counter this. I fail to see how this 'new world' is any different than today's status quo.

Re:Pickpocketing at the same old level

[superflippy (442879)]

I'm far more worried about the minimum wage employee handling my credit card info or someone digging through improperly discarded credit card receipts than I am of a technophile taking the time and effort to build a mobile card reader.

While I agree that the first scenario is more likely than the second, OTBE, I'm always more wary of the smarter thief.

Geeks Rejoice!

[narftrek (549077)]

FINALLY! Us geeks have something to be happy about. For once we can walk confidently sporting our tinfoil wallets and WE'LL be the ones laughing...all teh way to the bank!

Oyster Cards on the London Underground

[QuatermassX (808146)]

In London, TfL can track my movements for the past several years, but I do wonder how often people have their Oyster data swiped. Of course, what would the purpose be, really ... use and abuse that season ticket? Hmmm ...

Of course, I found this interesting blog post from several years ago: http://www.spy.org.uk/spyblog/2004/02/foiling_the_ oyster_card.html [spy.org.uk]

I just wish TfL would get the bloody Silverlink / North London Line railways on the system rather than posting stormtrooper rent-a-cops at selected stations on random mornings. I actually do pay my fare, but I'm deeply distressed by the rudeness of some of the non-TfL staff. Treat customers not as potential fare-evaders but customers!

Re:Oyster Cards on the London Underground

[CowboyBob500 (580695)]

Take anything on that Spy Blog with a very large sack of salt. They wrote about one of the projects I was involved in a few years back, and it was just about the most complete load of uninformed bollocks I've ever read.

Bob

Re:Oyster Cards on the London Underground

[SenseiLeNoir (699164)]

Silverlink Metro will be coming under the new tfl "London Overground" system in 2007. And yes will be fully oysterised.

I do know about the thugs who pose as Ticket inspectors... I was once getting off the SilverLink COunty service from Euston to Harrow and Wealdstone, and the "thugs" were waiting on the stairs.. I shown my Oyster (travelcard, not pre pay) and he checked with the reader, then grunted in a few loud syllables that would make an orangutang proud "Not Valid". And pushed me aside.... (for once i was glad there was CCTV in the area).

I piped up, louder "Of course its bloody valid!" and fished out my record card. It seems there was another chap also given the rough treatment...

Mr gorrilla, said "That record card must be fake!" with obvious snicker.

"Call your manager NOW, before I call the Police!"

He was saying "You do that sonny," when his supervisor came to see what the commotion was about (The other guy next to me was makign an equally loud commotion)..

He checked my record card, and saw it was perfectly valid.. then checked the readers of the baboons, and found them set for zone 6.. WTF.

With a lot of apologies, we were allowed to move on.

My suggestions for anyone who has an issue with these blokes, write a letter to both TfL and Silverlink.

I do understand they do need to check for tickets, they are loosing millions of pounds a year thanks to fare avaders. And nothing annoys me more than watching people chance it.

However, their bahviour is not on.

Why are we upgrading again?

[boyfaceddog (788041)]

Okay, magnetic swipe cards are better than the old way of making a carbon from the raised info on the little plastic cards, but what is the advantage of an RFID credit card? I still need to get the RFID-thing out of my wallet or out of my pocket to use it. Is saving five seconds such a big deal that I wouldn't spend that five seconds in order to protect my identity?

Upgrades for the sake of the "wow-factor" are stupid.

Re:Why are we upgrading again?

[aadvancedGIR (959466)]

I mostly agree with your point of view, but I would like to react on magnetic strip:
-Yes, it is better than the good old carbon, but it is still easy to copy in a couple of sec with 50bucks of equipment. The PIN-protected chip is the only relatively safe part of the card.
-As long as you can still buy stuff on the net or by phone with only the card number and validity date, the thief only needs a good visual memory or a camera to steal that from you when you are removing your card from your tinfoil wallet to pay for your grocery.

Re:Why are we upgrading again?

[Feyr (449684)]

signatures are next to useless, they don't actually check that it match one that they have on file, only that its there.

i'd know, my signature is always different and no one ever called me about it, removed a charge, or made any kind of inquiry about it. not on credit cards, not on checks, not even on loan applications.

it's a social convention based on honor that was extended further that it was ever meant to go

Re:Why are we upgrading again?

[SuiteSisterMary (123932)]

I've said it before, and I'll say it again: duress code. A pin number that works perfectly well, and gives no outward sign of being used, but flags the transaction(s) as being 'under duress', kicks in a high-resolution camera (say, in an ATM kiosk) and summons the police. Woe if you use it inappropriately....

Also, an easy trick for the RFID cards would be for it to have two numbers; one which is transmitted when you swipe it, allowing for normal purchases, and a differnet number on the RFID side, which allows up to $50/transaction, or whatever, maybe a # of purchases/time constraint, and so on. That way, somebody waving an RFID reader over your wallet doesn't get your full purchasing power.

If you are innocent

[aadvancedGIR (959466)]

...then you have nothing to hide, right? So why are you bothering hiding your credit card from the other law abiding citizens, are you a terrorist?

Re:If you are innocent

[Opportunist (166417)]

Not yet. But it sounds more and more tempting.

Seriously. When the law turns against you, it's time to turn against the law.

A new line of accessories is in order

[Dr Strangelove (13729)]

Lead-lined sleeves for credit cards, driver's licences, passports, and airport visitor tags. In an assortment of new colors for our autumn lineup!

When did this happen

[Zadaz (950521)]

When did we get too lazy to swipe credit cards?

If you're too lazy to have any security, you won't have any.

How they think about fraud

[truthsearch (249536)]

As a former employee of one of the credit card companies, I'd like to explain a little bit of how they think. Banks and credit card companies take fraud for granted. They have departments which analyze potential and reported fraud. They set certain thresholds which they consider acceptable. Since they know it's going to happen they study it and figure out the best way to flag accounts. To the credit card companies it makes the most financial sense to not bother with the technological blocks and catch the fraud on the tail end. For example, with smaller purchases no longer requiring a signiture, card use for small purchases has gone up. If a few percent of those purchases are fraud the banks and credit card companies don't care because in the end they're making more money. People who notice fraudulent transactions on their statements will make calls and the banks will eat the cost of the purchases. Banks who suspect fraud has taken place simply block the accounts until the card holder calls. It all works out to the benefit of the banks and credit card companies.

So even though the credit card companies should do more to protect the information from a logical and PR perspective, they've already decided that the small potential increase in the cost of fraud is outweighed by the increased use of these cards that some people consider more convenient.

Why we're moving to non-swipe cards

[mgkimsal2 (200677)]

I probably sound like a paranoid nut, but banks are pushing this 'touchless' card technology because we buy more when we use it. By 'we' I mean consumers. And we buy more when using plastic than when using cash. In this USAToday article - http://www.usatoday.com/money/perfi/credit/2006-10 -09-credit-cards-usat_x.htm [usatoday.com] - a great quote sums it up:

Merchants, too, benefit from faster no-signature transactions, credit card companies say, because the stores can serve more customers -- resulting in higher overall sales. And "people will spend more if they come in with a card vs. cash," says Gareth Forsey of MasterCard Worldwide (MA).

"People will spend more".

So, if people already spend more by putting a card in a reader, it stands to reason that they'll spend even more when they don't even have to get the card out of the wallet - just wave it around in front of the reader. The speedpass technology is pretty much doing this already, and McDonald's adopted it a few years back. Obviously it was a pretty big expense for them to put the machines in, refit their networks to accomodate it, etc. Why would they do it unless it meant people were buying more? In fact, Visa's own website (http://merchants.visa.com/solutions/qsr.jsp) states that

A recent Visa study of 100,000 QSR transactions showed that customers using payment cards spent an average of 30 percent more than those who paid with cash. Other industry studies suggest that the average spread may be even higher.

So for everyone saying "when did we get so lazy?" and similar notions, it's not that we're lazy. We simply spend more the less psychologically painful it is to do so. If I lay down 5 $20s to do my grocery shopping, it's more painful than swiping a card, because it's not as real at that moment. When I get view my statement later, yes, it all tallies up, but there's no difference between using plastic for groceries, clothes, the movies, or anything else, even if all the prices are wildly different.

Re:You mean...

[finkployd (12902)]

You honestly think a minimum wage counter jockey at the 7/11 is going to perform a proper signature analysis on your credit card slip? Why would they check your signature? They are in no position to validate it against the one on the card anyway. The only reason you sign it is so that there is a record in case you contest the charge later. It gives the CC company a way to try to prove you DID buy something.

Finkployd

Re:You mean...

[NightWhistler (542034)]

Here in the Netherlands the overwhelming majority of payments is made with direct-debit cards, so credit cards are not used as much. Whenever you do want to pay with a credit card, they require some form of ID for any payment over 50 euros.

My autograph is pretty small and ugly and worst of all I've never really gotten the hang of getting it consistant. I've been called on it a number of times when I wanted to pay with my credit card. One store actually went so far as to hand me a notepad and have me write down my signature a couple of times, to check the variations with my card and my driver's license.

Now most stores aren't this paranoid, but credit cards are thoroughly checked around here...

Re:Dumber then not signing

[CastrTroy (595695)]

Wouldn't it make more sense to leave all the information on the credit card encrypted, have the information left encrypted and sent to the credit card company, still encrypted, and only be able to decrypt the information at the credit card company? It seems to me that even if you need physical access to copy the number it's still not that secure. It would make much more sense to have a card that's blank and devoid of any identifying information than to have something that just about anybody can get the information off of.

Re:Dumber then not signing

[spectral (158121)]

Encryption isn't magic. All you've done is substitute one set of unique information for another set of unique information, the fact that the information means nothing to you doesn't change it. If I read "CastrTroy, 1234-5678-9012-3456, 12/09" from a credit card, stuck ", $1000" on the end and sent it to the credit card company, that's no different than being able to read "oinasdfomasdfpmweasdfhqervsad, $1000". The credit card company still associates that random crap with you. It's always the same, so it means nothing.

There are ways around this, but maintaining the physical security of the card is one of the better ways. Not being able to shoot your wallet with radiation and get money back seems like a good first step.. having the data only available after physically plugging/sliding the card in to a reader AND be encrypted while still on the card (smart chip) using a public key granted to the store (so the store would be able to reproduce the data, but you wouldn't have any real information available to you to use on a different place, so all the stolen transactions are quite quickly tracked back) would be a good first start.

There's probably flaws in that plan that I'm unaware of.. though the fact that my credit card has one of these chips and I didn't ask for it to and have no idea how to turn it off is one of the flaws, I'm suspecting. :P

Re:Dumber then not signing

[Jerf (17166)]

I hear zapping chips in microwaves toasts them pretty quick; if you have a stripe to fall back then the card wouldn't be useless, but I don't know if it would survive.

Does anybody know how magnetic stripes respond to being microwaved? Not much use if you toast that too. And how long do you have to zap a chip to burn it out? (Sub-second?)

(Note the stripe only has to be significantly more robust than the chip, it doesn't have to be immune to microwaves. If there's a range where the chip dies but the stripe still works, it doesn't matter if the stripe would stop working in another ten seconds.)

Re:Dumber then not signing

[Alpha232 (922118)]

Working in the hotel business, I handle a large number of credit cards. The trend I have seen for people wanting to "disable" the RF portion is to use a hole punch through the chip. I've seen about ten or so this past month, all have the little radio icon on the back and a hole punched right through the card. Not a bad way to do it I must say.