Researchers from the University of Massachusetts, RSA Laboratories and Innealta, Inc., affiliated with the RFID Consortium for Security and Privacy (RFID CUSP), released a draft of a study Sunday that indicates holes in the security of the next generation of credit cards. The study looked at 20 credit cards issued this year by Visa, MasterCard and American Express that use RFID technology to wirelessly transmit data to a reader, forgoing the need to physically swipe the card. There are currently 20 million cards of this type in circulation in the U.S., with 150,000 readers in place in such locations as McDonald’s, CVS and Regal Theaters.
The team discovered that all of the cards were susceptible to some form of attack. Using a homemade device costing around $150, they were able to clone information transmitted from some of the cards, information that could potentially be retransmitted as part of a “replay” attack.
Encryption is supposed to prevent a passer-by from using a recording device to read sensitive information transmitted by the cards (which can be done without ever seeing the card, as the cards can transmit through clothing), but in many cases the study found such encryption lacking or absent from the cards.
The study, “Vulnerabilities in First-Generation RFID-enabled Credit Cards,” can be found here: http://new.dealerscope.com/enews/image.bsp?sid=39287&var=image