CBC News reports on security questions surrounding credit cards that are “contactless,” meaning they use radio frequency identification (RFID) technology. (RFID transmits data wirelessly from a chip or tag to a reader.)
It has been proven time and again that unsecured RFID tags can be scanned with cheap, off-the-shelf technology, but people remain shocked when confronted with the evidence. Some states have laws that would protect such data. For example, Washington state has a law to prevent “skimming” (unauthorized gathering of data from RFID tags).
CBC News reports:
Most newly issued credit cards pose major fraud and privacy concerns because of how they’re designed to be scanned through the air, some cyber-security experts warn. […]
The credit cards have an embedded computer chip called a radio frequency identification, or RFID, tag. When waved near a payment terminal in a store, the chip supplies the card’s number and expiry date through radio waves, avoiding the need to swipe or insert the card or have a cashier handle it.
And that’s the first problem, U.S. cyber-security expert Pablos Holman says.
Anyone can buy an RFID credit card reader online, where second-hand units sometimes sell for under $10, and start scanning cards in public — without cardholders knowing.
“It’s not encrypted, which is not what we were expecting,” said Holman, who has gone on U.S. TV newscasts to demonstrate the security gap. “It’s really easy to read. … Now you can get a generic RFID reader and use open-source programs available on the web and read cards.” […]
Using his laptop, a PayPass reader and some software, [3ric Johanson, an IT security expert], sitting in the lobby of a downtown Toronto hotel, extracted a credit card’s number and expiry date, using his own reader at close range. Earlier in his trip, he had pulled off a similar feat in front of a stunned audience at a security conference, using a random audience member’s RFID credit card.