You may be carrying a new type of credit card that can transmit your personal information to anyone who gets close to you with a scanner.
The new cards--millions of them have been issued over the past year--use RFID, or Radio Frequency Identification, technology. RFID allows scanners to use radio signals at varying distances to read information stored on a computer chip, a chip that is embedded in the card (click on image above).
According to a study by researchers at the University of Massachusetts and at security companies RSA and Innealta, many of these cards will transmit your name, the credit card's number, and its expiration date (but not the three-digit security code) unencrypted to anyone nearby with an RFID scanner. (To see the full report as a PDF file, go to "Vulnerabilities in First-Generation RFID-enabled Credit Cards".)
Swipe and Pay
RFID is widely used to track shipments and inventory. In credit cards, it allows customers to swipe the cards past readers in such establishments as McDonald's restaurants and CVS pharmacies, making for quick and easy transactions. Visa says it has distributed over 6 million "contactless" cards worldwide, and the UMass study estimates that at least 20 million exist, with the total growing rapidly.
In an e-mail, one of the UMass researchers, Kevin Fu, wrote that "in our collection of approximately 20 cards, the vast majority revealed [the credit card holder's] name, CC number, and expiration" when the researchers scanned them with a commercial RFID reader they had modified to work with such cards. The cards in the sample came from American Express, MasterCard, and Visa, and had been issued by several major banks.
The credit cards use an encrypted security code to verify a transaction, which can protect against certain types of fraud--but not against someone who pulls the name and number from a card and uses the information to make online purchases, for instance.
As additional protection, Visa has begun requiring that banks not issue cards that transmit the cardholder's name, according to Brian Tripplett, the company's senior vice president of emerging product development (previously Visa only suggested this). Cards issued by American Express after this February also do not send the name, according to a spokesperson. MasterCard did not respond to PC World's requests for information.
According to American Express, for added security its cards transmit a card number different from that displayed on the card. Visa's Tripplett says that the contactless-card standard has a shorter read range and communicates differently than does the simple RFID used for such purposes as inventory management.
Do you have RFID?
How do you tell if your card has one of these chips? You can see the actual chip in the American Express cards (see image near the beginning of this story). And Tripplett says that Visa contactless cards have a symbol: four vertical wavelike bands on the front or the back. But to know for sure, and also to know whether your card sends your name, you must call your bank (or American Express) and ask. You should also be able to request a card that comes without the contactless technology if you prefer, or at least one that doesn't transmit your name.
Even for the first-generation cards that do send the holder's name, some other factors mitigate the risk.
First, while the researchers used a commercially available RFID reader, they made modifications to it that take "technical skills and know-how," Fu wrote. Also, the reader must be close to an RFID chip: Card specifications say only a couple of inches, but Fu points out that some research papers have put the maximum range at about 6 inches.
And most important, phishing, keyloggers, and other means of online ID theft are far too successful at this time for criminals to expend the effort required by this type of fraud. So the risk probably isn't significant--for now.
Major risk or not, however, credit cards should have included the recent security upgrades from the beginning. Whether the threat is large or small, adding another opportunity for ID theft where there simply doesn't need to be any clearly makes no sense.