TELECOM Digest OnLine - Sorted: Researchers See Privacy Pitfalls in No-Swipe Credit Cards


Researchers See Privacy Pitfalls in No-Swipe Credit Cards


Monty Solomon (monty@roscom.com)
Sun, 29 Oct 2006 00:39:04 -0400

By JOHN SCHWARTZ
The New York Times
October 23, 2006

AMHERST, Mass. - They call it the "Johnny Carson attack," for his
comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box
connected to his computer. Within moments, the screen showed a garbled
string of characters that included this: fu/kevine, along with some
numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit
card, fresh from the issuing bank. The card bore the name of Kevin E.
Fu, a computer science professor at the University of Massachusetts,
Amherst, who was standing nearby. The card number and expiration date
matched those numbers on the screen.

The demonstration revealed potential security and privacy holes in a
new generation of credit cards -- cards whose data is relayed by radio
waves without need of a signature or physical swiping through a
machine. Tens of millions of the cards have been issued, and equipment
for their use is showing up at a growing number of locations,
including CVS pharmacies, McDonald's restaurants and many movie
theaters.

The card companies have implied through their marketing that the data
is encrypted to make sure that a digital eavesdropper cannot get any
intelligible information. American Express has said its cards
incorporate "128-bit encryption," and J. P. Morgan Chase has said that
its cards, which it calls Blink, use "the highest level of encryption
allowed by the U.S. government."

But in tests on 20 cards from Visa, MasterCard and American Express,
the researchers here found that the cardholder's name and other data
was being transmitted without encryption and in plain text. They could
skim and store the information from a card with a device the size of a
couple of paperback books, which they cobbled together from readily
available computer and radio components for $150.

http://www.nytimes.com/2006/10/23/business/23card.html?ex=1319256000&en=76401b1601fc06e3&ei=5090
