the LYNCH report

The Power of Clear Insight

Visa/Mastercard PayPass: A New Opportunity for Credit Theft…

with 13 comments

***UPDATE: Mythbusters gagged by credit card companies from airing show describing how easily hackable RFID is – click here for video***

Opening a recent piece of mail from Mastercard, I expected to find the usual bill and assorted ads for things I neither want, nor need. Instead, the envelope contained a new replacement card.

That seemed a little odd, since my current card doesn’t expire for another year. So, instead of throwing the envelope in the shredder (and wondering, as I do every month, why they bother with physically mailing me a bill…), I decided to read the enclosed letter and find out why my card should be replaced mid-term.

The letter informed me the new card is “PayPass enabled”. This means the user can complete a transaction without signing a receipt, simply by swiping the card near a PayPass reader. Since the PayPass reader doesn’t require physical contact, I realized the card must transmit the cardholder’s data to the reader, which immediately made me wonder how secure my shiny new Mastercard really was. I’ve had fraudulent transactions appear on a Mastercard statement before, and have gone through the ordeal of getting them removed: some research seemed in order. Off to the internet I went.

The cards use RFID technology: Radio Frequency Identification, an ultra-low-cost method for transmitting information also used in automated toll booths, inventory tracking and car security systems. The technology is everywhere, and since it’s both low-cost and ubiquitous, you can pick up RFID readers easily and cheaply.

The first thing I encountered was a commercial for Mastercard which features an elephant stealing its caretaker’s card and going on a shopping spree. I guess the intended message is, “Even if you’re as dumb as an animal you’ll be able to figure out how to use this card.” The message I got, however, was that I’d better guard the card tooth and nail lest someone (or some rogue elephant…) get hold of it and go on a no-signature-required shopping spree.

Then I came across a video on YouTube wherein Pablo Holman shows how an $8 device, available on Ebay, can be used to get complete credit card details remotely, simply by swiping it near the wallet of a user.

Mr. Holman also, quite rightly, points out the related privacy issues: with the reader’s signal boosted, it can scan a coffee shop and determine exactly who is inside. Investigators’ jobs just got a whole lot easier.

I wanted to know more about the security of the credit cards: Mr. Holman mentions that the decryption occurs locally between the reader and the card (rather than remotely, at a secure data facility). I found an excellent video, this one on Google Videos, featuring a detailed presentation by Matt Greene, a researcher at Johns Hopkins specializing in applied cryptography, among other things. The video is rather long (it clocks in at 68 minutes) but here are the take aways:

  • The encryption used, (where any is used at all), is 40 bit.
  • 40 bit encryption is remarkably simple to crack, and is susceptible to brute force attacks, since there are only about a trillion possible keys (that may seem a lot, but a middle-of-the-road home computer can process at least a million keys a second).
  • Once the encryption is deciphered, there are no safeguards against unauthorized use – no one bats an eye at a car filled with electronic gear or the use of a device (other than a credit card) on the card reader.

I decided against enabling the new PayPass credit card (it has “PayPass” boldly emblazoned on it, the better to alert a thief no signature will be required…) and called up Mastercard.

I advised the representative I spoke with that I would not be enabling the new PayPass card and was told my current card (with an expiry date a year away) will cease to work within 120 days from the date Mastercard mailed my new card. Is a non-PayPass enabled card available instead? I was told no: all new cards will contain the RFID chips. She asked if my concern was security. Indeed it is, I replied, to which she explained the new cards are actually more secure than the old cards. Well, I asked, was she aware an elephant could indulge in a shopping spree using the new cards with nary an eyebrow raised? At least that got a chuckle. However after explaining to me that every credit card company will be issuing PayPass enabled cards, she asked if I was ready to activate my new credit card.

I decided to pass, and so ended my relationship with Mastercard…

**************************************************************

Around the same time, my girlfriend received a new Visa, replacing an expiring card. On first using the card, she was told by the merchant that a PIN number was required. We encountered this again at a restaurant later that night, with the server having no idea why a PIN should be required but insisting my girlfriend enter one. That seemed odd, so we checked out the info which had accompanied the card.

It turns out this is another new “feature” of credit cards: a PIN entry is required if a transaction exceeds a certain amount. Additionally, the bank had “helpfully” added her ATM card’s PIN number to the (also RFID containing) credit card!

The use of a PIN makes things particularly awkward in, for example, fine restaurants: instead of handing the server the card and enjoying an after dinner coffee while the card is processed, you’re required to interrupt your meal and accompany the server to the PIN pad. Very annoying.

Bearing in mind the liability to the cardholder in the event of theft or fraudulent transactions on the card is $0, the added inconvenience comes with no discernible benefit to the cardholder.

**************************************************************

It’s a strange time, for the credit card companies to go down this path. On the one hand, they proffer cards which require no signature up to a certain amount ($50 per transaction, in my case); on the other hand they insist on the inconvenience of PIN numbers for other transactions.

In terms of the timing, the credit card companies are not exactly in the best of economic climates currently: a record number of people are facing foreclosures, unemployment is trending upward and the price of gas is forcing cutbacks on other purchases. Personally, I don’t know of too many people planning elaborate, plastic-fueled spending sprees these days, and a turn around doesn’t appear to be imminent: the next wave of adjustable mortgages is right around the corner, this time for prime borrowers, of which there are an awful lot more than sub-prime borrowers.

It seems an odd time for the credit card companies to throw obstacles like PIN numbers in the path of those consumers still charging larger amounts to their credit cards. And I can already envision the conversation with a credit card company’s security rep after having my card data stolen remotely:

“Has the card ever been out of your possession sir?”

“No, it hasn’t.”

“Well, then I’m afraid your liable for the charges.”

“Could someone have scanned the card data remotely?”

“That’s impossible, sir: these new cards are actually more secure…”

As much as we’ve grown unaccustomed to cash these days, it’s starting to seem the simpler, safer route…

13 Responses

Subscribe to comments with RSS.

  1. Actually, the Federal Trade Commission limits the cost of fraudulent transactions to a maximum of $50, not the $0 you stated above. Still a minor expenses to the card holder.

    Additionally, I for one am happy to hear about an added layer of security in the guise of a pin number. Last year alone, online credit card fraud topped $4 billion dollars. The pretty much negated many of the profits generated by the credit card company.

    Who in turn has to pay for this loss, but the consumer? We all pay for it not only with higher credit card interest charges and fees, but in the form of increased retail prices.

    Jane

    March 6, 2009 at 11:43 am

    • I understand about the FTC limit, however my card (and many others) offer a $0 deductible as a feature.

      I think you may have missed the point of the article: the new cards are inherently less secure. If you read the entire article, you’ll see that card details can be obtained remotely, and a clone card made easily.

      Similarly, passports containing RFID chips have had their data scanned from 30 feet away, and that data was, like the credit cards, insufficiently encrypted, making identity theft remarkably simple.

      Identity theft is a much greater threat to the consumer than increased interest rates as a result of fraudulent transactions – identity theft bears a very real and substantial cost to the victim, as it takes days of effort to sort things out and convince various parties that the other “you” isn’t, in fact, you.

      westcoastsuccess

      March 6, 2009 at 7:59 pm

  2. These days I have not noticed people even asking for ID or even to take a card. They just wait for you to swipe and go. Its as if the cashier does not even want to touch the card or help with payment in anyway. Talk about lazy. This is specially true at grocery stores, wal-mart, and many cheap low paying retail job places. And trust me food at the grocery store, and blu-ray players at walmart can add up quick. Hey darling you like that new Sony TV just swipe and go. I easily buy things under $50 dollars with just a swipe and over I just have to sign on a pad that no one is watch, heck most ppl seem to have lost the art of Cursive so there signature might as well be a line or something similar. I think the paypass is not all that much worse than swiping is becoming, with the exception of maybe scanning, hopefully it soon 128-bit encryption so at least the data is not quite as easily hackable.

    My final thoughts is they need to just add finger scanning with this and it would be a done deal. Tap and Scan. It still would be fast and much more secure. Plus if someone gets my fingerprints and my paypass info then they deserve to rip me off. Oh and another thing most ppl are not intelligent enough to steal data via scanners and hack the 40-bit encryption. Most ppl I know are lucky they know where the start button is. Bottomline if you want to steal it just takes a bit of work and intelligence. Maybe you have to learn a thing or two, but if you can do all that why not just get a “real” job anyway instead of risking jail time …

    Michael

    November 25, 2009 at 1:58 pm

    • “most ppl are not intelligent enough to steal data via scanners and hack the 40-bit encryption”

      Really? And do you think little pixies are going around installing card skimmers at ATMs?

      SS

      May 30, 2011 at 8:29 pm

  3. Wait? You made your Girlfriend pay for dinner…? But seriously great article, cash is king it would appear.

    Ryan

    April 12, 2011 at 9:01 pm

  4. What we need now are lead-lined credit card holders to protect our cards from unwanted scanning.

    SS

    May 30, 2011 at 8:36 pm

  5. The inconvenience of keying in a PIN code? You must be kidding… In modern shops / restaurants the waiters / staff have a portable device that they bring to you: your credit card never leaves you. Much safer, totally hassle-free. I don’t see why it can be a problem (I haven’t been asked to go to the actual device in years: they always come to me). We’ve had this for ages in Europe, it’s pretty neat.

    Nicolas Blaisot-Balette

    July 20, 2011 at 7:19 am

    • And how would you know that the device receiving your PIN is a true encrypting PIN Pad and activated to read a secure PIN, and only for the intended purpose? It is all a matter of how that payment application is programmed. Maybe you just gave away your card data as well as your PIN…

      Biometric verification is the better way, even if it is as low tech as a manual signature…

      not_safe

      December 22, 2011 at 1:49 am

  6. I’m not an expert like the author, but my understanding of biometrics is that they are about as unreliable as smart bombs.

    Anonymous

    January 9, 2012 at 9:15 am

  7. Wow, whiny.

    spookym

    March 4, 2012 at 9:11 pm

  8. This is an informative article that initially had me worried because I’ve recently started using PayPass to pay for some transactions.

    But I was relieved to find out that using PayPass via NFC on my mobile phone alleviates many of the security problems pointed out by the author.

    1. NFC is a subset of RFID that requires very close proximity in order to transmit the data. So there should be no hackers 30 feet away skimming my credit card information.
    2. A PIN is required for purchases over $50 and unlike the examples given in this article the PIN is entered on my mobile phone so it’s neither an inconvenience or a security risk.

    The source of my NFC vs RFID info is: http://www.differencebetween.net/technology/difference-between-rfid-and-nfc/

    I think the author should update this article to emphasize that RFID enabled cards are the risk not PayPass itself since if it’s used via an NFC enabled phone it’s much more secure.

    Concerned Consumer

    March 22, 2012 at 5:26 pm

    • An additional layer of security here is that the information which needs protection will only be available as long as the application is running on the smartphone. Not like the creditcard rfid which is “on” 24/7.

      Anonymous

      May 11, 2012 at 1:30 pm

    • “So there should be no hackers 30 feet away skimming my credit card information.” How do you know this, they could be stood right next to you skimming your card and many others.

      Anonymous

      April 27, 2013 at 1:48 am


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: