TV station reveals serious security flaws with RFID-equipped credit and debit cards
May 2011 by SecurEnvoy
Commenting on a consumer TV report into the insecurity of RFID-equipped credit and debit cards, SecurEnvoy says that the apparent ease with which researchers have been able to create a ‘magic wand’ that reads cards at a distance shows that more work needs to be done on wireless encryption.
"The report from the Portland, Oregon-based TV channel Katu, in which researchers found that $20-worth of electronics could read the card details of payment cards in people’s wallets and purses, at a range of four inches, is very worrying," said Andy Kemshall, technical director of the 2 factor authentication company.
"Here at SecurEnvoy, we spend our time advising clients on their best options to better defend their data assets, yet here we apparently have a number of card associations issuing payment cards that can have their details lifted by waving a fraudulent reader at users’ wallets, purses and pockets, as they walk past," he added.
The SecurEnvoy director went on to say that four inches may not sound much of a distance, but in a crowded subway, tube or bus - with people pressed up close to each other on their way to and from work - the possibilities for card fraud are significant.
Although the RFID systems seen on Visa Paywave and Mastercard Paypass are designed for low value transactions, once the card details have been downloaded into a reader wand’s memory, they can then be used - as these researchers have clearly proven - to make fraudulent online purchases, he explained.
With stores in many city areas of the US and Canada accepting Paywave and Paypass - and the UK ramping up the number of RFID-accepting merchants in preparation for the London Olympics - Gulri said that if the TV station researchers have discovered this loophole in the Visa/Mastercard RFID system, then criminals are certain to have also made similar discoveries.
"And even if they haven’t tumbled to the security problem yet, once news of this TV station’s breathtaking research spreads, they will start deploying this technology to harvest card details from unsuspecting commuters," he said.
"The only piece of advice I can offer is that, if a cardholder receives a Paywave or Paypass enabled card, they ask their card issuer to disable the function, in order to limit the potential losses that might accrue," he added.
"It might not be as convenient to pay cash for small purchases, or bang in a PIN to authenticate a purchase, but this is a small price to pay to stop your card or bank account from being electronically rifled."