Report Blasts Holes in Contactless Card Security Claims

By Evan Schuman  |  Posted 10-30-2006
Accusations that RFID-based contactless credit cards can be easily read by thieves are nothing new, but this time a group of scientists at the University of Massachusetts has gone quite far to try to prove it.

The group—calling itself the RFID Consortium for Security and Privacy—is a group of computer scientists from the University of Massachusetts at Amherst, RSA Laboratories and Innealta, with some nontraditional partners, including the San Francisco Bay Area Rapid Transit District (BART), the MIT Auto-ID Labs and the Programme for Advanced Contactless Technology (PROACT) at Graz University of Technology in Austria. The National Science Foundation funds much of the research, according to the group's Web site.

For more on this topic, see RFID Vendors Raise the Stakes with New Products

The group tested about 20 samples from various contactless credit cards and concluded that "the cardholder's name and often credit card number and expiration date are leaked in plain text to unauthenticated readers" and "our homemade device costing around $150 effectively clones one type of skimmed cards."

Perhaps of greatest concern is the report's conclusion that "RFID-enabled credit cards are susceptible in various degrees to a range of other traditional RFID attacks such as skimming and relaying."

Read the full story on eWEEK.com: Report Blasts Holes in Contactless Card Security Claims