Network Security Blog

From Tony Bradley, CISSP-ISSAP, for About.com

Is Your 'Contactless' Credit Card Secure?

Friday September 5, 2008
You have probably noticed that most retail establishments now have you swipe your own credit card. That is based, at least in part, on a goal to never have your card leave your possession for security reasons. Of course, who knows what happens or who records the information from your credit card every time you give it to a waiter or waitress at a restaurant... but that is another story. The newer trend is 'contactless' credit cards that don't even need to be swiped. They only need to be waved in the proximity of the reader.

This is accomplished using RFID chip technology. The RFID chip contains your credit card information, and the scanner is an RFID scanner that can capture that information. It is a little like wireless network technology, though. What about others in close proximity? If the retail scanner can pick up your credit card info from 6 inches away, then couldn't any attacker with a pocket-sized RFID scanner who manages to get within 6 inches of your wallet do the same thing?

The Discovery show Mythbusters attempted to examine this very issue. However, according to co-host Adam Savage (as quoted in this article from The Register), when the Mythbusters team set up a meeting with Texas Instruments to get more information about the RFID technology and how it is protected, they were blindsided by an army of credit card industry lawyers. Savage says "they [MythBusters production team] were way, way outgunned and they [lawyers] made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was."

So, we apparently won't get to see the Mythbusters episode, but is the implication of this strong-arm legal censorship that your contactless credit card is not secure? Do Visa, Mastercard, and American Express think that attackers can't figure this stuff out unless they see it on Mythbusters? In the wake of Savage's statement though, there has been some contention about the facts, and this recent story seems to tell a different story about the legal pressure. The bottom line? Are we sure that 'contactless' credit card data can't be intercepted by attackers?

Comments

September 5, 2008 at 3:33 pm
(1) Stephan says:

Why is the concern only about “hackers”? Seems to me an employee with a legitimate device could “remote-swipe” cards of anyone in the place and post transactions charging them for things they never bought.

September 5, 2008 at 3:47 pm
(2) netsecurity says:

I can’t speak for the article from The Register or any comments from the Mythbusters squad, but I was careful to use the word ‘attacker’ rather than ‘hacker’ in part for that reason. Actually, I would say that ‘hacker’ does not apply at all in this context, but that anyone who tries to illegally obtain your RFID credit card data is an ‘attacker’.

September 5, 2008 at 5:53 pm
(3) Mike Sr says:

I guess the real question is, can it be made secure even if intercepted?

Because no matter who says what, once you go wireless you’ve lost “Physical Security”.

So, the next question is, do you trust the merchant and Card Companies to build in an appropriate level of security?

IMHO, they haven’t done it for contact-swipe cards… Why would we expect them to do it for Contactless Cards?

October 13, 2008 at 5:24 pm
(4) Walt says:

Until the issuers realize the dangers you need to re-install physical security on your card. Identity Stronghold makes shielded sleeves called Secure Sleeves that block the RF signals from reaching the chip. You can buy them online at www.idstronghold.com

©2009 About.com, a part of The New York Times Company.

All rights reserved.