Researchers cite risks in swipe-free credit cards

Share this article:

Swipe-free credit cards are gaining in popularity, but there are significant information security risks associated with the cards' radio frequency identifier (RFID) technology, a group of Massachusetts researchers have determined in findings released this week.

Using built-in radio transponders, the cards require no contact, only proximity, with a reader and are billed as faster and more reliable than conventional credit cards whose magnetic strip must be swiped to register.

But the cutting-edge technology may easily allow attackers to lift personally identifiable information off the cards, according to results of the study, headed by researchers at the University of Massachusetts in Amherst and RSA Laboratories in Bedford.

The study employed two readers purchased from independent manufactures and about 20 RFID-enabled credit cards issued last year by the three major providers - Visa, MasterCard and American Express - and several banks.

The experiment determined the cards - said to be protected by deep levels of encryption software - were subject to numerous vulnerabilities, notably live relay and replay attacks and personal identification disclosure, according to an Oct. 22 white paper summarizing the study.

"Despite the millions of RFID-enabled payment cards already in circulation, and the large investment required for their manufacture, personalization and distribution, all the cards we examined are susceptible to privacy invasion and relay attacks," the white paper concluded.

Relay attacks are similar to man-in-the-middle attacks and involve the malicious user getting between the card holder and card reader to steal personal information, according to the study. In a replay attack, attackers replay a previous, exact interaction between the radio frequency device and a reader for their own use without the network discerning between a hacker's replay and a legitimate cash transaction.

The most simple to understand attack concept is skimming. This occurs when an unauthorized, secretly-placed reader registers the RFID tag of an unsuspecting user, the white paper said.

MasterCard, which has popularized the RFID payment space with its PayPass technology, said in a statement today to SCMagazine.com that the experiment only studies one piece of the transaction security lifecycle.

"Attacks on the card number and expiration date do not take into account the multiple layers of security protecting end-to-end and built into the financial payment system," the statement said. "These protections include special message indicators and checks, embedded transaction security data, risk management and fraud detection systems, neutral networking and online authorization networks."

Visa said in a statement today that the concerns have little real-world implication.

"The RSA tests were enacted in a laboratory setting unconnected to the Visa payment network, which does not provide an accurate representation of the security measures in place," said in a statement to SCMagazine.com.

 

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

More in News

Researchers observe more than a hundred connections to 'Backoff' sinkhole

Researchers with Kaspersky Lab were able to sinkhole two command-and-control servers used by certain Backoff point-of-sale malware samples.

Judge lifts stay but Microsoft won't hand over emails during appeal

A judge has lifted a suspension of a previous order compelling Microsoft to hand over customer emails stored on a server in Ireland.

Home Depot investigates possible payment card breach

Home Depot investigates possible payment card breach

Home Depot said on Tuesday that it is working with its banking partners and law enforcement to investigate a possible data breach.