Researchers at the University of Massachusetts have demonstrated how to read personal information from contactless credit and debit cards using about $150 worth of equipment.
Tom Heydt-Benjamin and Kevin Fu, of the RFID Consortium for Security and Privacy (RFID-CUSP), showed how to glean information, like names, card numbers and expiration dates from credit cards. The details were released in a report Monday, which highlights the latest in a series of demonstrations showing vulnerabilities in some of the cards. However, since credit card fraud is widespread and companies already address the problem, RFID-CUSP said that it is unlikely RFID credit cards will trigger a new wave of fraud.
"Rather, what the RFID-CUSP report highlights most significantly is the new physical dimension of vulnerability that RFID credit cards introduce," the group stated on its blog. "Without even removing their cards from wallets or pockets, consumers can potentially see their privacy and security compromised. A scanner in a crowded subway station might surreptitiously harvest credit-card data from passersby."
The team also points to the possibility of "Johnny Carson" attacks, named after Carson's Carnac the Magnificent act, in which he deciphered the contents of sealed envelopes held against his forehead. This could be deployed near mailboxes, according to RFID-CUSP. The researchers said that some of the cards they tested were not encrypted, despite common assurances to the contrary.
"Given that RFID as a broad technology is already a flashpoint for consumer fears, the choice of credit-card associations not to confer stronger protections on RFID-enabled cards is somewhat surprising," RFID-CUSP stated. "Numerous media reports have drawn attention to consumer concerns about RFID privacy and security, and various government bodies are mulling over RFID-privacy regulations."
Researchers did not field test skimming attacks because of potential legal vulnerabilities. Until credit card groups disclose how many vulnerable cards they have issued, researchers said they would be unable to determine how many cards are affected by the security flaws they have discovered. The researchers have offered to work with credit card issuers and merchants.
Fu has received $1.1 million from the National Science Foundation to lead a team of researchers at the University of Massachusetts Amherst in developing cryptographic protocols, hardware and applications for smart tags.
A video posted on YouTube demonstrates how the cards can be read.