Privacy, Security Issues Surround High Tech Cards

December 3, 2008


Prompted by privacy and security issues, two states outlawed electronic eavesdropping and capture of personal data transmitted over radio waves by a wide array of identification, access, credit cards and other devices.

California last month imposed a $1,500 penalty and up to a year in prison for anyone convicted of unauthorized reading of signals from Radio Frequency Identification (RFID) cards. Washington earlier this year passed a law against theft of RFID data.

Used in an ever growing variety of applications worldwide, RFID-enabled microchips store small amounts of information for transmission to electronic readers. Information stored on the cards can be read through a wallet, a handbag or item of clothing by any nearby reader.

The chips are found in everything from implanted medical devices to passport cards to driver licenses to keyless entry cards and car keys. Some, such as passport cards, can be read from up to 160 feet away. Others, such as credit cards, have a range of less than three inches.

While RFID cards employ various mechanisms to make it more difficult to steal data, these chips have come under increased scrutiny based on incidents such as these over the last three years:

  • Dutch security experts published a paper this month showing how to circumvent the security mechanism of RFID cards which are widely used to provide access to buildings and public transportation systems.
  • A hacker used free software and cheap hardware to manipulate personal data on a passport, tricking airport security. The hacker provided a video showing a machine in Amsterdam’s airport reading Elvis Presley’s personal information off a chip.
  • MIT students this August reverse engineered the RFID-enabled transit pass, called the CharlieCard, in Boston, riding the rails for free. The Massachusetts Bay Transportation Authority (MBTA) obtained a restraining order to keep the students from presenting their findings. The order later was overturned.
  • High tech criminals in April 2007 used a laptop and a transmitter to open the locks, start the ignition and steal an armor-plated, custom-designed BMW X5 belonging to David Beckham.  It was the second car stolen from Beckham by high-tech thieves.
  • Researchers at the University of Massachusetts in late 2006 used a receiver and laptop to extract a credit card holder’s name from a brand-new RFID-enabled card hidden in a plain white envelope. The chip broadcast the cardholder’s name in plain text, without encryption.
  • Johns Hopkins researchers in 2005 used cheap computer hardware and six microchips purchased for about $200 each to crack the secret encryption code found in more than 150 million automobile keys and 6 million tags that purchase gasoline. Once the key is cracked, an attacker can bypass security and fool the readers in cars or at gas stations.  The Johns Hopkins researchers made their findings available to the chip manufacturer.

Researchers at UMass found in tests on 20 cards from Visa, Mastercard and American Express that the cardholder’s name and other data were being transmitted in plain text, without encryption. They could skim the information from the cards with a book-sized device. As of 2008, some of the cards were still broadcasting names in the open.

Tens of millions of these cards have been issued, and the equipment needed to read them is in place at locations across the country.

The credit card industry acknowledges that the information contained on the “smart cards” can be intercepted by unauthorized readers, but maintains that there is no economic benefit for thieves capturing the information.

“They’ve demonstrated some techniques in lab conditions,” said Randy Vanderhoof, executive director of the Smart Card Alliance, a non-profit industry association promoting the adoption and use of the technology. “None of these relies on any single source of protection. There are multiple sources of prevention.”

Still, in 2007, Mastercard and Visa eliminated cardholder names from the information stored on the chips, Vanderhoof said. American Express cards never included the cardholder name, he said.

Today, the magnetic strip found on the back of a traditional, non-RFID credit card contains more information and poses more of a threat than the microchip on a smart credit card, he said.

“It is not going to create an economic benefit to skim,” he said.