Contactless credit cards, which allow data to be read without swiping through a reader, pose a serious privacy and security risk because some information is stored unencrypted, according to a paper written by five university and industry researchers.
The researchers claim that nearly 20 million radio-frequency identification (RFID) credit cards in circulation today could be vulnerable to skimming attacks, which could harvest names and credit-card details from the cards of passers-by. A skimming attack uses a normal reader, or one that has been enhanced to read cards from a greater distance, to grab unencrypted data from the card.
"Without even removing their cards from wallets or pockets, consumers can potentially see their privacy and security compromised," Ari Juels, an author of the paper and researcher at RSA Labs, stated in a blog post. "A scanner in a crowded subway station might surreptitiously harvest credit-card data from passersby."
The problems are nothing new for security researchers interested in RFID chips, which can store and transmit data. The United States has already begun issuing passports with the chips embedded inside the back cover, despite the privacy concerns of some researchers. The devices could also be used to carry malicious code.
Credit card companies have claimed that the research generalizes from only a very small sample set and so is flawed, according to the New York Times.
Posted by: Robert Lemos