the LYNCH report

***UPDATE: Mythbusters gagged by credit card companies from airing show describing how easily hackable RFID is – click here for video***

Opening a recent piece of mail from Mastercard, I expected to find the usual bill and assorted ads for things I neither want, nor need. Instead, the envelope contained a new replacement card.

That seemed a little odd, since my current card doesn’t expire for another year. So, instead of throwing the envelope in the shredder (and wondering, as I do every month, why they bother with physically mailing me a bill…), I decided to read the enclosed letter and find out why my card should be replaced mid-term.

The letter informed me the new card is “PayPass enabled”. This means the user can complete a transaction without signing a receipt, simply by swiping the card near a PayPass reader. Since the PayPass reader doesn’t require physical contact, I realized the card must transmit the cardholder’s data to the reader, which immediately made me wonder how secure my shiny new Mastercard really was. I’ve had fraudulent transactions appear on a Mastercard statement before, and have gone through the ordeal of getting them removed: some research seemed in order. Off to the internet I went.

The cards use RFID technology: Radio Frequency Identification, an ultra-low-cost method for transmitting information also used in automated toll booths, inventory tracking and car security systems. The technology is everywhere, and since it’s both low-cost and ubiquitous, you can pick up RFID readers easily and cheaply.

The first thing I encountered was a commercial for Mastercard which features an elephant stealing its caretaker’s card and going on a shopping spree. I guess the intended message is, “Even if you’re as dumb as an animal you’ll be able to figure out how to use this card.” The message I got, however, was that I’d better guard the card tooth and nail lest someone (or some rogue elephant…) get hold of it and go on a no-signature-required shopping spree.

Then I came across a video on YouTube wherein Pablo Holman shows how an $8 device, available on Ebay, can be used to get complete credit card details remotely, simply by swiping it near the wallet of a user.

Mr. Holman also, quite rightly, points out the related privacy issues: with the reader’s signal boosted, it can scan a coffee shop and determine exactly who is inside. Investigators’ jobs just got a whole lot easier.

I wanted to know more about the security of the credit cards: Mr. Holman mentions that the decryption occurs locally between the reader and the card (rather than remotely, at a secure data facility). I found an excellent video, this one on Google Videos, featuring a detailed presentation by Matt Greene, a researcher at Johns Hopkins specializing in applied cryptography, among other things. The video is rather long (it clocks in at 68 minutes) but here are the take aways:

• The encryption used, (where any is used at all), is 40 bit.
• 40 bit encryption is remarkably simple to crack, and is susceptible to brute force attacks, since there are only about a trillion possible keys (that may seem a lot, but a middle-of-the-road home computer can process at least a million keys a second).
• Once the encryption is deciphered, there are no safeguards against unauthorized use – no one bats an eye at a car filled with electronic gear or the use of a device (other than a credit card) on the card reader.

I decided against enabling the new PayPass credit card (it has “PayPass” boldly emblazoned on it, the better to alert a thief no signature will be required…) and called up Mastercard.

I advised the representative I spoke with that I would not be enabling the new PayPass card and was told my current card (with an expiry date a year away) will cease to work within 120 days from the date Mastercard mailed my new card. Is a non-PayPass enabled card available instead? I was told no: all new cards will contain the RFID chips. She asked if my concern was security. Indeed it is, I replied, to which she explained the new cards are actually more secure than the old cards. Well, I asked, was she aware an elephant could indulge in a shopping spree using the new cards with nary an eyebrow raised? At least that got a chuckle. However after explaining to me that every credit card company will be issuing PayPass enabled cards, she asked if I was ready to activate my new credit card.

I decided to pass, and so ended my relationship with Mastercard…

**************************************************************

Around the same time, my girlfriend received a new Visa, replacing an expiring card. On first using the card, she was told by the merchant that a PIN number was required. We encountered this again at a restaurant later that night, with the server having no idea why a PIN should be required but insisting my girlfriend enter one. That seemed odd, so we checked out the info which had accompanied the card.

It turns out this is another new “feature” of credit cards: a PIN entry is required if a transaction exceeds a certain amount. Additionally, the bank had “helpfully” added her ATM card’s PIN number to the (also RFID containing) credit card!

The use of a PIN makes things particularly awkward in, for example, fine restaurants: instead of handing the server the card and enjoying an after dinner coffee while the card is processed, you’re required to interrupt your meal and accompany the server to the PIN pad. Very annoying.

Bearing in mind the liability to the cardholder in the event of theft or fraudulent transactions on the card is $0, the added inconvenience comes with no discernible benefit to the cardholder.

**************************************************************

It’s a strange time, for the credit card companies to go down this path. On the one hand, they proffer cards which require no signature up to a certain amount ($50 per transaction, in my case); on the other hand they insist on the inconvenience of PIN numbers for other transactions.

In terms of the timing, the credit card companies are not exactly in the best of economic climates currently: a record number of people are facing foreclosures, unemployment is trending upward and the price of gas is forcing cutbacks on other purchases. Personally, I don’t know of too many people planning elaborate, plastic-fueled spending sprees these days, and a turn around doesn’t appear to be imminent: the next wave of adjustable mortgages is right around the corner, this time for prime borrowers, of which there are an awful lot more than sub-prime borrowers.

It seems an odd time for the credit card companies to throw obstacles like PIN numbers in the path of those consumers still charging larger amounts to their credit cards. And I can already envision the conversation with a credit card company’s security rep after having my card data stolen remotely:

“Has the card ever been out of your possession sir?”

“No, it hasn’t.”

“Well, then I’m afraid your liable for the charges.”

“Could someone have scanned the card data remotely?”

“That’s impossible, sir: these new cards are actually more secure…”

As much as we’ve grown unaccustomed to cash these days, it’s starting to seem the simpler, safer route…