Tuesday, October 24, 2006
So, what about no-contact credit cards?
Instead of swiping a magnetic strip through a reader, you simply hold one of these up to a point of sale machine. You may not even have to take it out of your wallet.
Vendors say contactless payment cards are safe. There are two key things they have to get right for safety. One, the card shouldn't talk to anything but a genuine merchant terminal, so bad guys can't start asking it what your credit card number is. Second, once the card is talking to a payment terminal, your credit card number should be scrambled.
They claim to be doing both.
Security researchers from RSA Security (established firm) and others have found that the cards will talk to anybody and disclose your name, full account number, and expiration date.
Readers don't have to be close to the card if someone who knows a little about radio builds the readers. You could have your credit card "read" by someone you can't see.
For once, ignoring the whole problem isn't crazy. There are already so many ways to steal your credit card information that one more hardly matters, there's no evidence the bad guys are using this method yet, and if your credit card info gets stolen the bank eats the loss. You just get a hassle and some lost time. (Don't get a contactless debit card though).
If you're worried enough to protect yourself, but not worried enough to give up your no-contact credit card (?!), you can buy a shielded wallet, but that shielding is harder to get right than you might think. I'd want to see test results.
|
Vendors say contactless payment cards are safe. There are two key things they have to get right for safety. One, the card shouldn't talk to anything but a genuine merchant terminal, so bad guys can't start asking it what your credit card number is. Second, once the card is talking to a payment terminal, your credit card number should be scrambled.
They claim to be doing both.
Security researchers from RSA Security (established firm) and others have found that the cards will talk to anybody and disclose your name, full account number, and expiration date.
Readers don't have to be close to the card if someone who knows a little about radio builds the readers. You could have your credit card "read" by someone you can't see.
For once, ignoring the whole problem isn't crazy. There are already so many ways to steal your credit card information that one more hardly matters, there's no evidence the bad guys are using this method yet, and if your credit card info gets stolen the bank eats the loss. You just get a hassle and some lost time. (Don't get a contactless debit card though).
If you're worried enough to protect yourself, but not worried enough to give up your no-contact credit card (?!), you can buy a shielded wallet, but that shielding is harder to get right than you might think. I'd want to see test results.
# posted by Frederick @ 6:12 PM Email to a friend:
Haloscan: they provide trackback