Many of my earlier diaries were about the danger of RFID tags. Here’s proof of the danger of the RFID technology. I sure hope the Diebold voting machines don’t use these.
October 23, 2006
CONSUMER WATCHDOGS DEMAND RECALL OF SPYCHIPPED CREDIT CARDS
CASPIAN Advises Consumers to Immediately Remove Cards from Wallets
Consumer watchdog group CASPIAN is demanding a recall of millions of RFID-equipped contactless credit cards in light of serious security flaws reported today in the New York Times. The paper reports that a team of security researchers has found that virtually every one of these cards tested is vulnerable to unauthorized charges and puts consumers at risk for identity theft.
“For these financial institutions to put RFID in credit cards, one of the most sensitive items we carry, is absolute lunacy,” said Dr. Katherine Albrecht, founder and director of CASPIAN, a consumer group with over 12,000 members in 30 countries worldwide.
Researchers are showing how a thief could skim information from the cards right through purses, backpacks and wallets. This information includes the cardholder’s name, credit card number, expiration date and other data that would be sufficient to make unauthorized purchases. They say the information could even be used to identify and track people, a scenario Albrecht and co-author Liz McIntyre lay out in their book, “Spychips: How Major Corporations and Government Plan to Track Your Every Purchase and Watch Your Every Move.”
Despite earlier assurances by the issuing companies that the data contained in the credit cards would be secure, researchers found that the majority of cards they tested did not use encryption or protect the data in any way. The information on them was readily available to unauthorized parties using equipment that could be assembled for as little as $50, the researchers said.
“We cautioned companies against using item-level RFID, and they didn’t heed us. Now the credit card industry is facing an unprecedented PR and financial disaster,” says McIntyre, who is also a former bank examiner.
She points to the astronomical cost to replace the cards, not to mention the potential financial losses, litigation expenses, and erosion of consumer trust.
Albrecht and McIntyre are calling on the industry to issue a public alert detailing the dangers of the cards they’ve issued, institute an active recall, and make safe versions without RFID available to concerned consumers.
“This recall has to be very clear and very directed since consumers may not know their cards contain RFID tags,” says Albrecht. “The industry has repeatedly resisted calls to clearly label the cards. Rather, they’ve given the cards innocent-sounding names like ‘Blink.’”
CASPIAN is advising consumers to immediately remove the credit cards from their wallets and call the 800 number on the back to insist on an RFID-free replacement card. The group is cautioning consumers not to mail the cards back or simply throw them away due to the risk of their personal information being skimmed.
Today’s New York Times article by John Schwartz can be found here:
LINK
A research report detailing the findings can be found here:
Link
This RFID stuff has bothered me since I first read about it a few years ago. I know it has a practical side regarding inventory tracking, but I find it obscene when used to track us in any form.
I have one of these that draws on an account I never use anymore and plan to close the first chance I get. When I first heard about them I wondered why any sane organization would use them in the first place.
And the US government wants to put them in our passports. I need to go get a passport, just in case I should need it in the next ten years (like, say, if they start requiring passports for travel into Canada), before this happens. I have no plans to do any major overseas traveling anytime soon, but I also have no intent to have my personal information — or even the fact that I’m an American — broadcast to the world.
Plus it will stop the questions at the border as to why I have an ID card instead of a driver’s license. We’ve been asked several times, and the subtext is “Do you have any driving restrictions, like a DUI, that would keep you from entering Canada?” Up there DUI is a felony, and if you have a conviction in the States they can turn you away at the border. I don’t have a driver’s license because I don’t drive by choice, not because it was taken away, and they always accept that explanation, but I’d just as soon not have to explain.
I’ve seen and can recognize them at places like Home Depot and Walmart, but what does it look like on a credit card?
Regarding the passport, the chip is expected to be embedded very soon, so maybe you should get that passport tomorrow.
has been a bit of a crusade w/ me the past few years…since the last time I renewed mine…which was several years ago. Had to provide a lot of additional info…and I recommend you use it when traveling to either Mexico, or Canada, regardless of the current req’mts.
ALL members of my family have gotten theirs, having tired of my cajoling, even though most of them have no intention of traveling outside the country. IMO, anyone who does not have, or apply to get a passport soon, is very much out of touch with the travails that surround their freedom to travel outside the country.
I can’t exactly tell you because I don’t exactly know. The card is a Key Bank “paypass” MasterCard brand debit card, and the reason I know it’s an RFID card is because of the “paypass” logo and the description I got of how to use it when the bank sent it to me. (Googling “RFID paypass” confirms this.) It wasn’t anything I requested. The RFID chip isn’t visible but guessing by the position of the signature strip it’s probably on the left side of the card as you look at the face.
Frankly I don’t understand why RFID chips are necessary for the type of system the Feds envision and the intended result (faster customs clearance). If you look at a UPS package, for instance, you’ll see a series of seemingly random dots on the shipping label (if UPS itself generated the label, at least). The dots contain all sorts of information, none of it human readable. Having a similar system to create a dot-pattern of your ID information on the inside cover of a passport would seem to serve the same purpose as the RFID chip, without radiating anything out into the ether. You just have people run the dot-block across a scanner on the way to the customs station, and the information would be there when you meet with the agent.
I am a bit ambivalent to this as I can see the advantages. The only information that should be on such a card is to identify the card account number. I would hope that the setup would either require a signature on a paper sheet or, as is more common these days, the input of a PIN on a keypad. This is the procedure used with “chip and PIN” type cards with the gold window on the front.
This sort of verification is possible even for very small payments and has been trialled in “electronic purse” schemes. These used a variation of the London Transport “Oyster card”. Those were not the RFID version, but the one used in the transport system is. In this case no PIN is needed, but it is used as a “pay as you go” card, the equivalent of cash on buses etc. The cash handling cost savings are passed on with very deep discounts compared with coins.
http://www.tfl.gov.uk/tfl/fares-tickets/2006/index.shtml
Usage can be verified by checking at a tube station ticket machine or online if you have registered. While the train elements are recorded as a check in/check out because of the fare structure, bus and tram usage is only on a check-in-on-boarding basis.