RFID Credit Cards

18:28 Wed 18 Jul 2007
[, , ]

One of my credit cards expired recently, so I was issued a new one. This new one came equipped with an RFID chip. It’s supposed to be a convenience thing, allowing the card to be read without swiping it, but the first thing I thought was “security flaw”.

Sure enough, there are plenty of vulnerabilities.

That seems pretty damn obvious, though, doesn’t it? Credit card fraud is already rampant. Yet the credit card companies go ahead and make your card broadcast its info in the clear. (If it’s not truly “in the clear”, it’s near enough, since all legitimate readers will have to be able to read it, and they will be ubiqitous enough to mean that their decryption process, if they have one, will be widely available and understood.)

Some fairly easy countermeasures could have been applied to the card to counter some of these problems. The most obvious one is a mode switch—that is, a way for the consumer to turn broadcast mode on or off. Clearly, the cards shouldn’t broadcast except when you authorize them to do so. Even this wouldn’t prevent more clever attacks (leave an RFID reader right next to a purchase point, for example), but it would at least protect the cardholder from having their numbers mass-harvested while walking through public places.

Of course, the credit card companies aren’t really concerned about fraud. If fraud really hurt them, they would do more about it, and they wouldn’t push “features” like this one. I presume it’s mostly the customers who are left to pay for fraud, although it might be split between them and the merchants. The banks/card companies pay some cost, but it’s a cost small enough that they simply accept it as part of the business. (They might even make up a significant amount of it via the “anti-fraud” services they offer, that customers have to pay for to avail of.)

Security and convenience often clash. They don’t absolutely have to, but they certainly do in this instance. Consumers appear entirely willing to give up security for convenience with their purchasing tools, although I assume that this is partly due to ignorance. The other players in the process, the merchants and banks, generally want maximal convenience because they want maximal ease-of-purchase, and as few as possible moments where the consumer considers their decision, or becomes really aware that they’re parting with money. Swiping a credit card—it’s kind of scarily formal, isn’t it? Much less jarring to do away with that entirely.

As for me, I guess I might have to start carrying the card in tinfoil.

Leave a Reply