Report: "contactless" credit cards with RFID are easily hacked

In today's NYT, a story by John Schwartz on a demonstration of serious security vulnerabilities with RFID-enabled "contactless" credit cards. Snip:

They call it the "Johnny Carson attack," for his comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The demonstration revealed potential security and privacy holes in a new generation of credit cards – cards whose data is relayed by radio waves without need of a signature or physical swiping through a machine. Tens of millions of the cards have been issued, and equipment for their use is showing up at a growing number of locations, including CVS pharmacies, McDonald's restaurants and many movie theaters.

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate "128-bit encryption," and J. P. Morgan Chase has said that its cards, which it calls Blink, use "the highest level of encryption allowed by the U.S. government."

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder's name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

Reg-free link to "Researchers See Privacy Pitfalls in No-Swipe Credit Cards."

And here is a related post from the guys who did the hack on RFID-cusp blog. (Thanks, Tom Heydt-Benjamin).

Consumerist has a post worth reading here.

Anti-RFID activist group CASPIAN has a response here (see also these previous BB posts about the group's founder, Katherine Albrecht).

Image: "Tom Heydt-Benjamin, left, and Kevin Fu, a University of Massachusetts professor, cull information from a credit card with a card reader." Shot by Nancy Palmieri for The New York Times.

Reader comment: Aaron says,

Since I have a Chase RFID enabled card, I've read about things like this before. One bit of useful info to pass along to other readers who have these cards is that the radio signal can be easily blocked with as little as a sheat of tinfoil or the anti-static material (like what an EZ-Pass ships in.)
Putting a bit of foil or anti-static material between your card and the outside of your wallet will block potential ID thieves.

Brian Kofford says,

Although I don't have one of these new RFID credit cards, I have been using an Altoids tin as a wallet for almost three years now. Guess I was just planning ahead.