Thursday, October 26, 2006

"Speedpassing" RFID Privacy Strategies Not Ready For Primetime

Tom Heydt-Benjamin, left, and Kevin Fu, a University of Massachusetts professor, cull information from a credit card with a card reader. Image Credit: Nancy Palmieri for The New York Times

"Speedpassing" RFID Privacy Strategies Not Ready For Primetime

At Symblogogy, we have chronicled many strategies where people would be able to pay for items with an ever gaining popular technology that is based in radio frequency detection and reading.

The neat thing about this technology is a little like being recognized at the checkout … as if you were raised with and have lived with the people who are serving you. Proximity.

It is an illusion though because the equipment they are using would be able to read ones payment information without one having to reach into ones wallet … just like being recognized by ones personal banker, or ones mother.

From cellphones, passports, and now even credit cards are being embedded with proximity RFID technology that allow personal identification and financial information to be captured without the person carrying this "technology" know that the information has been given up.

Excerpts from The New York Times -

Researchers See Privacy Pitfalls in No-Swipe Credit Cards
By JOHN SCHWARTZ - Published: October 23, 2006


AMHERST, Mass. - They call it the "Johnny Carson attack," for his comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the
University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

RFID pick-up/input reader system Image Credit: Dima Gavrysh/Associated Press

The demonstration revealed potential security and privacy holes in a new generation of credit cards - cards whose data is relayed by radio waves without need of a signature or physical swiping through a machine. Tens of millions of the cards have been issued, and equipment for their use is showing up at a growing number of locations, including CVS pharmacies, McDonald's restaurants and many movie theaters.

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate "128-bit encryption," and J. P. Morgan Chase has said that its cards, which it calls Blink, use "the highest level of encryption allowed by the U.S. government."

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder's name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.

And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. "Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?" Mr. Heydt-Benjamin, a graduate student, asked.

----
The finding comes at a time of strong suspicion among privacy advocates and consumer groups about the security of the underlying technology, called radio frequency identification, or RFID. Though the systems are designed to allow a card to be read only in close proximity, researchers have found that they can extend the distance.

The actual distance is still a matter of debate, but the claims range from several inches to many feet. And even the shortest distance could allow a would-be card skimmer to mill about in a crowded place and pull data from the wallets of passersby, or to collect data from envelopes sitting in mailboxes.

----
The experiment was conducted by researchers here working with RSA Labs, a part of EMC, an information management and storage company. The resulting paper, which has been submitted to a computer security conference, is the first fruit of a new consortium of industry and academic researchers financed by the National Science Foundation to study RFID.

Security experts who were not involved in the research have praised the paper, and said that they were startled by the findings. Aviel D. Rubin, a professor of computer security at Johns Hopkins University, said, "There is a certain amount of privacy that consumers expect, and I believe that credit card companies have crossed the line."

----
Chips like those used by the credit card companies can encrypt the data they send, but that can slow down transactions and make building and maintaining the payment networks more expensive. Other systems, including the Speedpass keychain device offered by Exxon Mobil, encrypt the transmission - though Exxon came under fire for using encryption that experts said was weak.

Though information on the cards may be transmitted in plain text, the company representatives argued, the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification "token," or a small bit of code, that is encrypted before being sent.

----
Tom O'Donnell, a senior vice president at Chase, the largest issuer of the new cards, said that the attacks described in the paper would be too cumbersome in the real world. And the researchers said that other kinds of fraud, like so-called phishing scams in which criminals trick people into revealing credit card information through misleading e-mail messages and Web sites, were currently more effective.

Still, John Pescatore, vice president for Internet security at Gartner, a technology market research firm, said he was surprised by the lack of security in transmitting personal data. He said it was a mistake that companies often made in rolling out early versions of a technology.

"It's the classic 'Let's depend on security through obscurity - who's going to look?' " he said. "Then, whoops! As soon as somebody does look, you roll out the security."

All of the card companies said that they were in the process of deleting names from the stream of data transmitted to the card readers. "As a best practice, issuers are not including the cardholder name," Mr. Triplett of Visa said.

Read All>> (free subscription)

The seriousness of breaches in security and ID privacy cannot be understated. "Security through obscurity" doesn't work in this day and age of easy access of information through the internet and the spread of identity theft schemes in our society.

This technology just may go one step too far.


No comments:

Post a Comment