Contactless Securityless Report Could Depress Online Sales

Written by Evan Schuman
November 3rd, 2006

A recent report that raised serious scientific questions about how secure the new contactless credit cards are could ultimately depress online sales, as consumers might doubt overall credit card security protections, according to a Friday audiocast panel of retail analysts.


The chief author of the report, University of Massachusetts computer science professor Kevin Fu, told the panel how easily his team read names and, often, credit card numbers and expiration dates from consumers carrying contactless cards. “We’ve demonstrated it walking by somebody in an elevator. You can skim all of their credit card information through their clothing, through their jeans, through their wallet,” Fu said. “Some fairly famous researchers decided not to look into the security of these credit cards because they heard they use encryption. ‘Of course it’s going to be perfectly secure. Let’s not put any time into looking at it.’ We were surprised at how easy it was to skim this kind of information.”

Former federal prosecutor, and now security consultant, Mark Rasch said the degree to which the systems were penetrated is unexpected, but the fact that RFID-enabled credit cards are not secure is not a surprise.

“Anytime you’re transmitting information, you run the risk that somebody else is going to intercept it and they’re going to retransmit it. It’s always been a recognized security vulnerability of any transmittal type of system. What mitigates it principally is that it requires physical proximity to do it,” Rasch said. “Also, you generally have to do it as a one-off, one at a time. It’s much harder to do it collectively. But what you can do is you can collect the transmittal information from a lot of people as they pass through.” As technology improves, thieves “could literally put something on a turnstile on a subway and just collect the information from just about everybody.”

Fu added that one technique to expect is hiding small readers next to building entrance panels. Why? Consumers are often told to hold their wallets against such panels to get in, and a surreptitious reader placed there could read every contactless credit card in the wallet while the authorized reader is looking for the building’s access badge.

Panelists agreed that the simplest and most cost-effective way to address the contactless problem is to add a PIN or some other secret that only the cardholder knows. The problem is that such an approach would defeat the entire convenience and efficiency advantage of a contactless card.

IHL President Greg Buzek said the move actually plays into the hands of MasterCard, which has said it will soon introduce a debit card program using just such an authentication system.

The industry’s initial response to RFID security fears was encryption, but the university’s investigators didn’t try to break the encryption. They simply captured what the card transmitted and replayed it.

“The problem was that people put too much faith into encryption. Encryption is blocking someone from trying to get at the contents of the message,” Rasch said. “What this type of attack does is it says, ‘I don’t care what the contents of the message is. I’m simply going to retransmit whatever the message was without knowing what it is.’ In other words, ‘I don’t want to be you. I just want to use your credit card information.’”

The very nature of RFID invites security problems, such as the ones these first-generation credit cards are experiencing, Rasch said.

“This points out one of the problems with RFID. RFID is continuously transmitting. It’s much less of a risk if it’s only transmitting at the point and time of authentication,” he said. “There’s still a risk that it might be a clone device. But if you’re transmitting all the time, you’re at risk all the time.”

Rasch also said credit card players need to focus time and money on having the two sides authenticate each other, instead of authentication running only one way.

“We spend a lot of time in RFID authenticating the card to the merchant. We need to spend an equal amount of time authenticating the merchant to the card. The idea is that I have an RFID card, which is saying, ‘I’m ready to buy something. Who’s out there?'” Rasch said. “What it should be saying is, ‘I’m ready to buy something. If you’re an authorized, accredited merchant with a valid certificate, I’ll exchange my information with you.’ It requires both. So you have some kind of a certificate built into the merchant’s request for information and there has to be a handshake between the two. You still would risk that somebody’s going to get a valid merchant’s certificate and be able to suck up the data, but at least you’ll know where the compromise occurred and how it occurred and be able to mitigate the damages.”

Fu added that such a system would bring with it “a lot of hidden costs and overhead.”
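The two protocol points the panel raises, that a captured transcript can be replayed even when it is encrypted or authenticated, and that Rasch’s fix is a handshake in which the card checks the reader’s certificate before answering, are easier to see in code. The following is an added example written for this page, not code from the report or from any card network. It models the card’s cryptogram as an HMAC-SHA256 over a secret shared with the issuer, models reader certificates as Ed25519 signatures from a hypothetical network CA, and uses a constructed card record with a test account number; the function names (StaticReplay, ChallengeReplay, RespondMutual, IssueReader) are invented for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample record (name|PAN|expiry); the PAN is a test number, not a real account.
const cardRecord = "JANE Q SAMPLE|4111111111111111|1208"

// Card: secret shared only with its issuer (a hypothetical cryptogram key) plus the network CA key.
type Card struct {
	record []byte
	key    []byte
	caPub  ed25519.PublicKey
}
type Issuer struct{ cardKey []byte } // authorization host that knows the card's key

func mac(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func nonce() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	return n
}

// Record plus cryptogram bound to the terminal's nonce (nil nonce = first-generation card: same answer to everyone).
func (c *Card) RespondChallenge(n []byte) ([]byte, []byte) {
	return c.record, mac(c.key, n, c.record)
}

func (i Issuer) Authorize(n, rec, tag []byte) bool { return hmac.Equal(mac(i.cardKey, n, rec), tag) }

// A skimmer reads the card once (elevator, turnstile) and later feeds the bytes to a real terminal;
// the issuer approves because nothing in the transcript is fresh. Encryption would not change this.
func StaticReplay(c *Card, iss Issuer) bool {
	rec, tag := c.RespondChallenge(nil)
	return iss.Authorize(nil, rec, tag)
}

// With a challenge the skimmer only gets an answer to its own nonce; the honest terminal picks a new one.
func ChallengeReplay(c *Card, iss Issuer) (genuine, replayed bool) {
	skimRec, skimTag := c.RespondChallenge(nonce())
	n := nonce()
	rec, tag := c.RespondChallenge(n)
	return iss.Authorize(n, rec, tag), iss.Authorize(n, skimRec, skimTag)
}

// Reader: merchant terminal with a certificate (ID and public key signed by the CA) and its private key.
type Reader struct {
	merchantID string
	pub        ed25519.PublicKey
	caSig      []byte
	priv       ed25519.PrivateKey
}

// IssueReader signs a reader certificate with signer: the CA key for an accredited merchant, any other key for a skimmer.
func IssueReader(signer ed25519.PrivateKey, id string) *Reader {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Reader{id, pub, ed25519.Sign(signer, append([]byte(id), pub...)), priv}
}

// The handshake Rasch describes: the card challenges the reader first and releases its record only to a
// CA-signed certificate whose holder signs the card's nonce; the certified merchant ID names the terminal.
func (c *Card) RespondMutual(r *Reader) ([]byte, error) {
	n := nonce()
	proof := ed25519.Sign(r.priv, n) // the reader's reply to the card's challenge
	if !ed25519.Verify(c.caPub, append([]byte(r.merchantID), r.pub...), r.caSig) {
		return nil, errors.New("reader certificate not issued by the network CA")
	}
	if !ed25519.Verify(r.pub, n, proof) {
		return nil, errors.New("reader does not hold the certified key")
	}
	return c.record, nil
}

func Setup() (*Card, Issuer, ed25519.PrivateKey) { // one card, its issuer, the CA key; all freshly generated
	key := make([]byte, 32)
	rand.Read(key)
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	return &Card{[]byte(cardRecord), key, caPub}, Issuer{key}, caPriv
}

func main() {
	card, iss, caPriv := Setup()
	g, r := ChallengeReplay(card, iss)
	fmt.Println("static replay approved:", StaticReplay(card, iss), "| challenge genuine/replay:", g, r)
	_, errGood := card.RespondMutual(IssueReader(caPriv, "merchant-0042"))
	_, errRogue := card.RespondMutual(IssueReader(IssueReader(caPriv, "m").priv, "skimmer"))
	fmt.Println("accredited reader:", errGood, "| rogue reader:", errRogue)
}
```

The static case approves the replayed bytes, the nonce-bound case rejects them, and the mutual handshake refuses a reader whose certificate was not signed by the CA. Note what the handshake does not do: it still releases the record to any holder of a valid merchant certificate, which is exactly the residual risk Rasch concedes, and it adds a signature verification to a card that today answers in one round trip, which is the overhead Fu points to.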

Jupiter Research retail analyst Patti Freeman Evans told the rest of the panel that the problems with contactless security perceptions could impact a lot more than merely those contactless cards. It could easily impact E-Commerce sales as it plays off of the existing consumer fears that it’s easy to get ripped off online because security is so lax.

“This just feeds into all of the fears that people were having about this kind of technology and it undermines the credibility of the credit card security systems overall,” Evans said, adding that fraud concerns are “the biggest inhibitor to people transacting online. This just fuels the fire of consumer fears that they already have.”
