Slashdot Mirror


Privacy Pitfalls in No-Swipe Credit Cards

Nrbelex writes to mention a New York Times article about the privacy pitfalls of 'no-swipe' credit cards. Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were able to easily retrieve data from the new cards ... data available without encryption and in plain text. From the article: "They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."

4 of 261 comments

  1. Pickpocketing at a new level by Anonymous Coward · Score: 5, Insightful

    In the old days, you used to actually have to stick your hand into someone's pocket or purse.

    In the new days, you apparently only have to sit next to them on the bus.

  2. Why we're moving to non-swipe cards by mgkimsal2 · Score: 5, Insightful

    I probably sound like a paranoid nut, but banks are pushing this 'touchless' card technology because we buy more when we use it. By 'we' I mean consumers. And we buy more when using plastic than when using cash. In this USAToday article - http://www.usatoday.com/money/perfi/credit/2006-10-09-credit-cards-usat_x.htm - a great quote sums it up:

    Merchants, too, benefit from faster no-signature transactions, credit card companies say, because the stores can serve more customers -- resulting in higher overall sales. And "people will spend more if they come in with a card vs. cash," says Gareth Forsey of MasterCard Worldwide (MA).

    "People will spend more".

    So, if people already spend more by putting a card in a reader, it stands to reason that they'll spend even more when they don't even have to get the card out of the wallet - just wave it around in front of the reader. The speedpass technology is pretty much doing this already, and McDonald's adopted it a few years back. Obviously it was a pretty big expense for them to put the machines in, refit their networks to accommodate it, etc. Why would they do it unless it meant people were buying more? In fact, Visa's own website (http://merchants.visa.com/solutions/qsr.jsp) states that

    A recent Visa study of 100,000 QSR transactions showed that customers using payment cards spent an average of 30 percent more than those who paid with cash. Other industry studies suggest that the average spread may be even higher.

    So for everyone saying "when did we get so lazy?" and similar notions, it's not that we're lazy. We simply spend more the less psychologically painful it is to do so. If I lay down 5 $20s to do my grocery shopping, it's more painful than swiping a card, because it's not as real at that moment. When I view my statement later, yes, it all tallies up, but there's no difference between using plastic for groceries, clothes, the movies, or anything else, even if all the prices are wildly different.

  3. Re:Hah. Screw it. by ac7xc · Score: 5, Insightful

    When there is credit card fraud the merchants get stuck with the bill and you end up paying higher prices.

  4. Re:Dumber than not signing by spectral · Score: 5, Insightful

    Encryption isn't magic. All you've done is substitute one set of unique information for another set of unique information, the fact that the information means nothing to you doesn't change it. If I read "CastrTroy, 1234-5678-9012-3456, 12/09" from a credit card, stuck ", $1000" on the end and sent it to the credit card company, that's no different than being able to read "oinasdfomasdfpmweasdfhqervsad, $1000". The credit card company still associates that random crap with you. It's always the same, so it means nothing.

    There are ways around this, but maintaining the physical security of the card is one of the better ways. Not being able to shoot your wallet with radiation and get money back seems like a good first step... having the data only available after physically plugging/sliding the card into a reader AND be encrypted while still on the card (smart chip) using a public key granted to the store (so the store would be able to reproduce the data, but you wouldn't have any real information available to you to use on a different place, so all the stolen transactions are quite quickly tracked back) would be a good first start.

    There are probably flaws in that plan that I'm unaware of... though the fact that my credit card has one of these chips and I didn't ask for it to and have no idea how to turn it off is one of the flaws, I'm suspecting. :P
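
Added example, not part of the thread: comment 4's point that a fixed encrypted blob identifies the account just as well as the plaintext does, seen from the issuer's side, next to a per-transaction code that a verifier can refuse on replay. The key, the `Issuer` class and the counter scheme are assumptions made for illustration (HMAC stands in for the fixed ciphertext); this is not how any particular card network is documented on this page to work.

```python
import hashlib
import hmac

CARD_KEY = b"constructed-demo-key"   # constructed secret shared by card and issuer
PAN = "1234-5678-9012-3456"          # sample number quoted in comment 4


def static_token(pan: str) -> str:
    """Stand-in for encrypting the card data once: the output never changes."""
    return hmac.new(CARD_KEY, pan.encode(), hashlib.sha256).hexdigest()


def dynamic_code(pan: str, counter: int) -> str:
    """Per-transaction code: MAC over the number and a counter the card increments."""
    return hmac.new(CARD_KEY, f"{pan}|{counter}".encode(), hashlib.sha256).hexdigest()


class Issuer:
    """Hypothetical verifier holding the same key as the card."""

    def __init__(self) -> None:
        self.last_counter = 0

    def accept_static(self, token: str) -> bool:
        # All the issuer can check is that the blob maps to the account.
        return hmac.compare_digest(token, static_token(PAN))

    def accept_dynamic(self, counter: int, code: str) -> bool:
        # Refuse any counter already used, then verify the MAC for that counter.
        if counter <= self.last_counter:
            return False
        if not hmac.compare_digest(code, dynamic_code(PAN, counter)):
            return False
        self.last_counter = counter
        return True


def demo() -> dict:
    issuer = Issuer()
    recorded_static = static_token(PAN)            # value seen on the air once
    recorded_dynamic = (1, dynamic_code(PAN, 1))   # one legitimate transaction
    return {
        "static_first": issuer.accept_static(recorded_static),
        "static_replay": issuer.accept_static(recorded_static),
        "dynamic_first": issuer.accept_dynamic(*recorded_dynamic),
        "dynamic_replay": issuer.accept_dynamic(*recorded_dynamic),
        "old_code_new_counter": issuer.accept_dynamic(2, recorded_dynamic[1]),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The static value is accepted every time it is presented, while the counter-bound code is accepted once and refused afterwards, including when it is paired with a fresh counter.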