New Credit Cards May Leak Personal Information

You may be carrying a new type of credit card that can transmit your personal information to anyone who gets close to you with a scanner.

The new cards--millions of which have been issued over the past year--use RFID, or Radio Frequency Identification, technology. RFID allows scanners to use radio signals at varying distances to read information stored on a computer chip.

According to a study from academic and business researchers at the University of Massachusetts, RSA, and Innealta, many of the cards will transmit your name, credit card number, and expiration date (but not the three-digit security code) in the clear to anyone nearby with a scanner. One of the researchers, Kevin Fu of the University of Massachusetts, provided an electronic copy of the report's just-finished final version to PC World. The draft version is available online.

Millions of Cards in Use

RFID is widely used to track shipments and store inventory--and now it's in credit cards, allowing customers to swipe the cards past readers in McDonald's restaurants, CVS pharmacies, and elsewhere, making for quick and easy transactions. Visa says more than 6 million "contactless" cards exist worldwide, and their number is growing rapidly.

In an e-mail, Fu wrote that "in our collection of approximately 20 cards, the vast majority revealed CC name, CC number, and expiration" when the researchers scanned with a commercial RFID reader that they modified to work with the credit cards. According to the FAQ on the study, the sample cards "spanned all three major U.S. payment associations and several major issuing banks."

According to a Visa spokesperson, the company's contactless card network uses an encrypted security code to verify a transaction. That should protect against certain types of fraud--but again, it doesn't protect against someone pulling the name and number.

However, second-generation Visa Contactless cards no longer send the name, says Brian Tripplett, the company's senior vice president of emerging product development. The new cards still send their numbers, but those would be difficult to use without the card holder's name. With the first generation of cards, Visa suggested that banks not issue cards that transmit the name; with new cards, that's required.

Tripplett also says that Visa's technology has a shorter read range and communicates differently than does the standard RFID used for inventory management, for example. Mastercard didn't respond in time for this story.

Is Your Card RFID-Equipped?

How do you tell if your card has one of these chips? Some cards have visible microchips, according to the study's FAQ, but others don't. Tripplett says that Visa Contactless cards have a symbol: four vertical wave-like bands on the front or the back.

But to know for sure, and to know whether you have a first- or second-generation Visa card, you need to call your bank and ask. You should be able to request a card without the technology, or at least one that doesn't transmit your name.

Also, you can block RFID signals with a "Faraday cage," which uses a metal mesh or casing. A quick online search turned up some wallets and wallet inserts that incorporate the cages.

Other Risk Reductions

Even for the first-generation cards that do send the name, some other mitigating factors exist. First, while the researchers used a commercially available RFID reader, they made modifications to it that take "technical skills and know-how," Fu wrote. Also, the reader must be close: The card specs say only a couple of inches, but Fu says some research papers put the max range at about 6 inches.

And most important, phishing, keyloggers, and other kinds of online ID theft are far too successful right now for criminals to put in the effort required for this type of fraud. So the risk probably isn't significant--for now.

Major risk or not, however, there's no way I'd want my credit card to transmit its information without any encryption. Adding yet another opportunity for ID theft where there doesn't need to be any, whether the threat is large or small, simply makes no sense.
