RFID Payment Card Vulnerabilities

After reading a technical report regarding RFID Payment Card Vulnerabilities by Thomas S. Heydt & Kevin Fu (University of Massachusetts at Amherst); in conjunction with Benjamin Daniel V. Bailey and Ari Juels (RSA Security); as well as, Tom O’Hare from Innealta, Inc. I believe that the typical RFID payment cardholder does not understand that their payment card can be used to track their movements, even while in their clothing, wallet, or purse. According to the authors, it is also apparent that these cards invade our privacy by revealing our names, credit card numbers, and other information to unauthorized readers making it critical for consumers to create an open dialogue between themselves, customer advocates, and credit card companies. If this is not done the consumer may as well be wearing a T shirt that tells the world their full name, their credit card number, and card expiration since these same pieces of information are available at a distance to any entity, regardless of authorization. 

So what is a RFID Card? IT is a credit card that contains a tiny wireless computer known as a Radio Frequency Identifier or a contactless smart card chip. These new types of payment cards have reportedly been issued to over 20 million users in the
United States and are rapidly increasing as more and more are being issued daily. This technology, according to Visa, has been “the fastest acceptance of new payment technology in the history of the industry” providing contactless payment transactions, which are more reliable than magstripe transactions, and require only physical proximity (rather than physical contact) between the credit card and the reader.

The dangers of this type of payment card are that while traditional credit cards require direct physical contact to obtain card information such as the cardholder’s name and the credit card number; RFID credit cards make these sensitive pieces of data available using a small radio transponder that is energized and interrogated by a reader.  

According to the authors, when they examined RFID enabled credit cards in various transactions including specialized point-of-sale equipment deployed by major retailers they determined that cheap off-the-shelf hardware and software were sufficient for an adversary with only modest technical skills to obtain critically sensitive data from the RF interface of the cards. It appears, however, that off-the-shelf hardware requires reasonably close proximity in order to read this data from an RFID credit card but even then, it is sufficient to read a credit card through clothing or a wallet. Additional experiments conducted by Royal Dutch Shell of Canada reported in “How safe are the new contactless payment systems?” in “e Week”, June 20, 2005, indicates a read range of 26 inches, which is supported by the academic literature.  Frighteningly, since only one frequency and a very simple radio protocol is needed to create an RFID reader those desiring to access your personal information will find it easy to create such units. This information with detailed instructions on how to build and operate such a specialized reader can be found on the World Wide Web “How to Build a Low-Cost, Extended-Range RFID Skimmer”, e-print archive 2006:054. To verify this information the authors built a prototype cloning device, with its antenna detached and a pencil for scale, and managed to intercept and replay a transaction between an RFID credit card and an RFID credit card reader. Needless to say, I find this situation alarming and wonder when the government may decide that such a device may be beneficial for tracking its citizenry in the name of Homeland Defense. [tags]RFID Payment Cards, Radio Frequency Payment Cards, Visa Cards, Invasion of privacy, Tracking potential, Identity theft, smart cards[/tags]