Slashdot Mirror

← Back to Stories (view on slashdot.org)

Privacy Pitfalls in No-Swipe Credit Cards

Posted by ryuzaki0 on from the swipe-this dept.

Nrbelex writes to mention a New York Times article about the privacy pitfalls of 'no-swipe' credit cards. Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were able to easily retrieve data from the new cards ... data available without encryption and in plain text. From the article: "They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."

9 of 261 comments (clear)

  1. Oyster Cards on the London Underground by QuatermassX · · Score: 5, Interesting
    In London, TfL can track my movements for the past several years, but I do wonder how often people have their Oyster data swiped. Of course, what would the purpose be, really ... use and abuse that season ticket? Hmmm ...

    Of course, I found this interesting blog post from several years ago: http://www.spy.org.uk/spyblog/2004/02/foiling_the_ oyster_card.html

    I just wish TfL would get the bloody Silverlink / North London Line railways on the system rather than posting stormtrooper rent-a-cops at selected stations on random mornings. I actually do pay my fare, but I'm deeply distressed by the rudeness of some of the non-TfL staff. Treat customers not as potential fare-evaders but customers!

  2. Why are we upgrading again? by boyfaceddog · · Score: 5, Interesting

    Okay, magnetic swipe cards are better than the old way of making a carbon from the raised info on the little plastic cards, but what is the advantage of an RFID credit card? I still need to get the RFID-thing out of my wallet or out of my pocket to use it. Is saving five seconds such a big deal that I wouldn't spend that five seconds in order to protect my identity?

    Upgrades for the sake of the "wow-factor" are stupid.

    --
    Here will be an old abusing of God's patience and the king's English.
    1. Re:Why are we upgrading again? by SuiteSisterMary · · Score: 4, Interesting

      I've said it before, and I'll say it again: duress code. A pin number that works perfectly well, and gives no outward sign of being used, but flags the transaction(s) as being 'under duress', kicks in a high-resolution camera (say, in an ATM kiosk) and summons the police. Woe if you use it inappropriately....

      Also, an easy trick for the RFID cards would be for it to have two numbers; one which is transmitted when you swipe it, allowing for normal purchases, and a differnet number on the RFID side, which allows up to $50/transaction, or whatever, maybe a # of purchases/time constraint, and so on. That way, somebody waving an RFID reader over your wallet doesn't get your full purchasing power.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  3. You mean... by Atheose · · Score: 4, Interesting

    ...swipe cards aren't secure? Hell, I'm still waiting for CREDIT cards to become secure.

    I've been waiting for 2 years for cashiers and salespeople to check my signature whenever I buy something with my credit card. Sometimes I'll sign "Mickey Mouse" or "Donald Trump", or even write a phrase like "Yankees suck!", and I still have yet to be asked even once. With the lack of security on older cards, it doesn't surprise me that these newer ones are no less safe.

    1. Re:You mean... by NightWhistler · · Score: 4, Interesting

      Here in the Netherlands the overwhelming majority of payments is made with direct-debit cards, so credit cards are not used as much. Whenever you do want to pay with a credit card, they require some form of ID for any payment over 50 euros.

      My autograph is pretty small and ugly and worst of all I've never really gotten the hang of getting it consistant. I've been called on it a number of times when I wanted to pay with my credit card. One store actually went so far as to hand me a notepad and have me write down my signature a couple of times, to check the variations with my card and my driver's license.

      Now most stores aren't this paranoid, but credit cards are thoroughly checked around here...

      --
      PageTurner Reader: open-source e-reader for Android with cloudsync. http://pageturner-reader.org
  4. Re:Dumber then not signing by CastrTroy · · Score: 4, Interesting

    Wouldn't it make more sense to leave all the information on the credit card encrypted, have the information left encrypted and sent to the credit card company, still encrypted, and only be able to decrypt the information at the credit card company? It seems to me that even if you need physical access to copy the number it's still not that secure. It would make much more sense to have a card that's blank and devoid of any identifying information than to have something that just about anybody can get the information off of.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  5. Pickpocketing at the same old level by xplenumx · · Score: 4, Interesting
    I've been to Thailand three times in the past five years, and while I've never been pick-pocketed, after all three trips mysterious people tried to make fraudulent charges to the credit card that I used for that particular trip. I know two coworkers who have had people attempt to make fraudulent charges on their credit card (from inside the US in each case) even though neither credit card was physically stolen.

    These 'old days' you talk about ended long, long ago. These 'new days' you predict started decades ago. I'm far more worried about the minimum wage employee handling my credit card info or someone digging through improperly discarded credit card receipts than I am of a technophile taking the time and effort to build a mobile card reader. A stolen credit card is a stolen credit card, regardless how it's done - and we already have measures to counter this. I fail to see how this 'new world' is any different than today's status quo.

  6. Re:Dumber then not signing by Jerf · · Score: 4, Interesting

    I hear zapping chips in microwaves toasts them pretty quick; if you have a stripe to fall back then the card wouldn't be useless, but I don't know if it would survive.

    Does anybody know how magnetic stripes respond to being microwaved? Not much use if you toast that too. And how long do you have to zap a chip to burn it out? (Sub-second?)

    (Note the stripe only has to be significantly more robust than the chip, it doesn't have to be immune to microwaves. If there's a range where the chip dies but the stripe still works, it doesn't matter if the stripe would stop working in another ten seconds.)

  7. Re:Dumber then not signing by Alpha232 · · Score: 5, Interesting

    Working in the hotel business, I handle a large number of credit cards. The trend I have seen for people wanting to "disable" the RF portion is to use a hole punch through the chip. I've seen about ten or so this past month, all have the little radio icon on the back and a hole punched right through the card. Not a bad way to do it I must say.