FutureWire - futurism and emerging technology

Monday, January 30, 2006

Are RFID Credit Cards Secure?

JPMorgan Chase's new "Blink" and American Express' new ExpressPay credit cards, designed to give consumers greater speed and convenience when shopping, are a fraud and identity theft crisis waiting to happen, according to some critics.

The cards, which use RFID chips, speed the checkout process by eliminating signatures and PIN numbers. The shopper simply places the card near a reader, and they're done. However, the elimination of these forms of authentication is precisely what worries security experts.

"I consider what Chase is doing irresponsible on many levels," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego-based watchdog group. "The fact is they are adopting and promoting a technology that could actually exacerbate fraud." Adds Mark Ferullo of the Public Interest Research Group, "It's certainly a big concern when companies make it easier for thieves to use stolen credit cards... No matter how good a bank says its detection systems are, fraud still falls through the cracks."

Chase, however, contends that its technology, in addition to being virtually hack-proof, incorporates sophisticated fraud and theft detection systems. Says Chase senior vice president Tom O'Donnell, "More than 75 percent of the time, when a card is lost or stolen, we find out about it long before the customer does." And, as with ordinary credit cards, RFID cardholders are not accountable for fraudulent charges. Additionally, during a Blink transaction, no one involved (cashiers, other people in line, etc.) ever sees an account number, meaning they can't record it for purposes of identity theft.

Chase also notes that a team of Johns Hopkins cybersecurity researchers that last year cracked the encryption in ExxonMobil's Speedpass payment system has thus far been unable to break the Blink encryption.

One other concern about RFID cards, as noted in Howstuffworks.com, is the range of the terminal that reads cards. The read range is supposed to be set at 4 inches, but a tampered or improperly positioned terminal might be able to read much farther, charging unsuspecting cardholders for others' purchases either by accident or on purpose. In response, Howstuffworks predicts the emergence of wallets and purses that have RFID-blocking capability.

As payment systems like Blink are rolled out across the country, cybersecurity experts will be watching carefully to see how quickly instances of fraud emerge, and under what circumstances. Crooks, after all, can be remarkably creative in ways that even experts can't anticipate. In the meantime, consumers interested in using Blink and similar technologies would be advised to wait until the technologies either prove to be as secure as their creators claim or become more "battle hardened" under real-world use.

Sources: Orlando Sentinel, Engadget