((("Big problem," say the white-hat hackers at SANS. Because they predicted this. Who COULDN'T have predicted this?
Everybody who knew anything predicted this, except the guys who were blazingly eager to launch and cash in.)))
TOP OF THE NEWS
–RFID Credit Cards Transmit Some Data in Plaintext
(24 & 23 October 2006)
Academic researchers have found that the new RFID chip-equipped credit cards can transmit sensitive data unencrypted. With the help of an inexpensively built device, researchers at the University of Massachusetts, Amherst, were able to read a card through the envelope in which it was sent; in some cases, the cardholder's name, card number and expiration date were readable in plaintext. The cards are widely advertised for their "no-swipe" convenience: users simply wave the card in front of a reader. Some of the companies' ads imply that the data on the cards are encrypted. Tests on 20 cards from Visa, MasterCard and American Express found otherwise. The cards can be read through wallets and through clothing. The card issuers maintain that other security measures would prevent abuse of the RFID payment system. The study has been criticized for using a small sample.
http://news.com.com/2102-1029_3-6128407.html?tag=st.util.print
http://www.theregister.co.uk/2006/10/24/rfid_credit_card_hack/print.html
[Editor's Note (Pescatore): The fact that all 20 of the ones they tested have problems is indicative of a big problem. This isn't a popularity contest or an election - the fact that the cards are shipped without even using the security capabilities built into the contactless cards is bad, as is the fact that the individual issuers got to decide whether to turn on features to protect card holder data. The industry response is pure old-style spin; the response should have been "this is bad, we are working hard to fix it".]