The chief author of the report, University of Massachusetts computer science professor Kevin Fu, told the panel about his team's ease in scanning name and often credit card numbers and expiration dates from consumers carrying contactless cards. "We've demonstrated it walking by somebody in an elevator. You can skim all of their credit card information through their clothing, through their jeans, through their wallet," Fu said. "Some fairly famous researchers decided not to look into the security of these credit cards because they heard they use encryption. 'Of course it's going to be perfectly secure. Let's not put any time into looking at it.' We were surprised at how easy it was to skim this kind of information."
Former federal prosecutor, and now security consultant, Mark Rasch said the degree to which the systems were penetrated is unexpected, but the fact that RFID-enabled credit cards are not secure is not a surprise.
"Anytime you're transmitting information, you run the risk that somebody else is going to intercept it and they're going to retransmit it. It's always been a recognized security vulnerability of any transmittal type of system. What mitigates it principally is that it requires physical proximity to do it," Rasch said. "Also, you generally have to do it as a one-off, one at a time. It's much harder to do it collectively. But what you can do is you can collect the transmittal information from a lot of people as they pass through." As technology improves, thieves "could literally put something on a turnstile on a subway and just collect the information from just about everybody."
Fu added that an expected technique will be to secretly place small readers by building entrance panels. Why? Consumers are often told to place wallets against the panels to gain building entrance. A surreptitious reader could read all contactless credit cards while the authorized reader is looking for the security authentication device.
Panelists agreed that the simplest and most cost-effective way to address the contactless problem is to add some kind of a PIN or some other user-known authentication approach/password. The problem is that such an approach would defeat the entire convenience/efficiency advantage of a contactless card.
IHL President Greg Buzek said the move actually plays into the hands of MasterCard, which has said it will soon introduce a debit card program using just such an authentication system.
The industry's initial response to RFID security fears was encryption, but the university's investigators didn't try to break the encryption. They merely passed it along.
"The problem was that people put too much faith into encryption. Encryption is blocking someone from trying to get at the contents of the message," Rasch said. "What this type of attack does is it says, 'I don't care what the contents of the message is. I'm simply going to retransmit whatever the message was without knowing what it is.' In other words, 'I don't want to be you. I just want to use your credit card information.'"
The very nature of RFID invites security problems, such as the ones these first-generation credit cards are experiencing, Rasch said.
"This points out one of the problems with RFID. RFID is continuously transmitting. It's much less of a risk if it's only transmitting at the point and time of authentication," he said. "There's still a risk that it might be a clone device. But if you're transmitting all the time, you're at risk all the time."
Rasch also said credit card players need to focus time and money on having the systems check each other, instead of authentication being one way.
"We spend a lot of time in RFID authenticating the card to the merchant. We need to spend an equal amount of time authenticating the merchant to the card. The idea is that I have an RFID card, which is saying, 'I'm ready to buy something. Who's out there?'" Rasch said. "What it should be saying is, 'I'm ready to buy something. If you're an authorized, accredited merchant with a valid certificate, I'll exchange my information with you.' It requires both. So you have some kind of a certificate built into the merchant's request for information and there has to be a handshake between the two. You still would risk that somebody's going to get a valid merchant's certificate and be able to suck up the data, but at least you'll know where the compromise occurred and how it occurred and be able to mitigate the damages."
Fu added that such a system would bring with it "a lot of hidden costs and overhead."
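The two-sided handshake Rasch describes, contrasted with the static emission the researchers replayed, as an added toy simulation that is not code from the panel or from any card scheme. Keys, the merchant identifier and the card data are constructed sample values, and HMAC stands in for the certificate signature and card MAC a real deployment would use (an assumption made to keep the example self-contained).

```python
import hashlib
import hmac
import os

# Constructed toy keys, not real issuer or card material. HMAC stands in for
# the certificate signature and card MAC a real scheme would use (assumption).
ISSUER_KEY = b"issuer-secret"           # issuer signs merchant reader certs
CARD_KEY = b"card-secret"               # shared by card and issuer backend
CARD_DATA = b"PAN=4111111111111111;EXP=12/29"  # constructed sample, not real

def mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def static_card_emission():
    """First-generation style: the card emits the same blob on every read, so
    a captured copy is indistinguishable from a live tap (what Rasch describes)."""
    return mac(CARD_KEY, b"static", CARD_DATA)

def issue_reader_cert(reader_id):
    """Issuer accredits a merchant reader: cert = (id, issuer MAC over id)."""
    return reader_id, mac(ISSUER_KEY, b"reader", reader_id)

def card_respond(reader_cert, nonce):
    """Card side of the handshake: authenticate the merchant first, then bind
    the released data to this reader and this nonce."""
    reader_id, sig = reader_cert
    if not hmac.compare_digest(sig, mac(ISSUER_KEY, b"reader", reader_id)):
        return None                     # unaccredited reader: release nothing
    return CARD_DATA, mac(CARD_KEY, nonce, reader_id, CARD_DATA)

def backend_verify(reader_id, nonce, response):
    """Issuer backend: accept only data tagged for *this* reader and nonce."""
    if response is None:
        return False
    data, tag = response
    return hmac.compare_digest(tag, mac(CARD_KEY, nonce, reader_id, data))

def run_scenarios():
    """Returns (static_replay_accepted, live_ok, replay_ok, rogue_got_data)."""
    # Static design: the backend can only compare blobs, so a copy passes.
    static_replay_accepted = static_card_emission() == static_card_emission()
    merchant = b"merchant-42"
    cert = issue_reader_cert(merchant)
    nonce = os.urandom(16)
    response = card_respond(cert, nonce)           # genuine tap
    live_ok = backend_verify(merchant, nonce, response)
    replay_ok = backend_verify(merchant, os.urandom(16), response)  # stale tag
    rogue_got_data = card_respond((b"rogue", b"\x00" * 32), nonce) is not None
    return static_replay_accepted, live_ok, replay_ok, rogue_got_data
```

The nonce binding is what turns a retransmitted message into a rejected one, and the certificate check is what lets the card stay silent for a reader the issuer never accredited.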
Jupiter Research retail analyst Patti Freeman Evans told the rest of the panel that the problems with contactless security perceptions could impact a lot more than merely those contactless cards. It could easily impact E-Commerce sales as it plays off of the existing consumer fears that it's easy to get ripped off online because security is so lax.
"This just feeds into all of the fears that people were having about this kind of technology and it undermines the credibility of the credit card security systems overall," Evans said, adding that fraud concerns are "the biggest inhibitor to people transacting online. This just fuels the fire of consumer fears that they already have."