Worries about RFID security are not new. However, these concerns grew when the US MRT company and Chase started issuing RFID-enabled credit cards last year. The fear escalated when researchers at the University of Massachusetts announced in October this year that they had breached the security features of RFID credit cards.
RFID usage
So far, RFID chips have been used only to label goods, transport containers and livestock. These chips transmit data about the tagged product over radio signals to a reader that records it. RFID has its advantages. One benefit is that RFID-enabled containers can be tracked in stock automatically. Because the RFID system transfers data to the supply chain management system automatically, the goods no longer need to be registered by hand. However, the technology offers the same convenience to thieves. Thieves can exploit RFID security weaknesses to deceive shipping systems or to track tagged goods in transit in order to steal them.
The worry about RFID security
Now that RFID is embedded in some credit cards, it opens the door to credit card fraud. Security and privacy experts say their biggest concern is the ability of RFID cards to broadcast personal information publicly over the air. Some people worry that a malicious user could build a card reader to steal credit card data, and that even a card sitting safely in its owner's pocket would not be spared.
The results of the University of Massachusetts study were not helpful. In one experiment, the researchers "sniffed" the user name and account number stored in a credit card's RFID chip with a home-made device costing only $150. To allay this concern, credit card companies responded by disputing the findings.
First, credit card companies argue that their customer information is adequately protected. They say that the RFID signal is protected with 128-bit encryption and that the actual user name and card number are not transmitted. Instead, the card sends a pseudo-number that is translated into user account information while the transaction is processed. However, the researchers retort that they checked Visa credit cards, MasterCard's "OneSmart" card and American Express ExpressPay credit cards, all of which sent out unencrypted user names and account numbers.
Second, the credit card companies said that the researchers' sample of only 20 cards was too small. They also said that they have so far not received any reports of such attacks, nor have they seen the equipment the researchers built. However, this amounts to security through obscurity, and security through obscurity is not safe.
The challenge of RFID security
The RFID chip in a credit card does have some security challenges of its own that need to be understood. RFID chips are small, and so are their memory and storage capacity. This limits the number of digits a chip can hold and the length of the encryption key, making it difficult to implement the public key exchange required for strong encryption.
Another helpful thing to know is that most RFID chips are static. The small size of the chip makes it difficult to build a programmable chip that can be fine-tuned. Once the information is burned into the chip, the data in the chip cannot be changed. Some chips have limited remote programming capabilities, but such chips are rare.
Ensuring RFID credit card security: best practices
Setting this argument aside, let's look at some best practices for protecting RFID credit cards. Unfortunately, consumers who already hold such cards do not have much protection, because the security measures for these cards are still immature. Carrying the card in a box that blocks radio signals is unrealistic for most users, and so is using a knife to cut the RFID chip out of the card.
However, it is possible to check whether the credit card meets some of the minimum security requirements before filling out the application form. Before signing an agreement, RFID credit card applicants should ask the card issuer four questions:
1. What data is sent? Is it the credit card number or a pseudo-number representing the credit card? RFID chips can be programmed to send pseudo-numbers that match accounts on the card processor's back-end system. If this pseudo-number is sniffed, it is useless to credit card thieves.
2. Is the data sent from the credit card encrypted, and if so, what is the key length? If the credit card sends the user's real information, including the cardholder's name, account number and expiration date, all of that data should be transmitted encrypted, using strong encryption of at least 128 bits.
3. How far can the credit card data be sent? The RFID chip's transmission range is only a few feet, so the data cannot reach as far as the parking lot. The shorter the transmission distance, the lower the risk that the data is maliciously captured.
4. Does the issuer of this credit card have a back-end fraud system? Check whether the issuer uses a fraud detection system similar to Fair Isaac's "Falcon Fraud Manager". Such a system does not prevent data from being lost from the credit card itself, but it can block fraudulent transactions that use data maliciously stolen from an RFID credit card.
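The pseudo-number scheme from question 1 can be sketched as follows. This is an added example, not code from any card issuer: the `PseudoNumberVault` class, the channel names and the sample account number are hypothetical, and the rule that a pseudo-number is only honoured on the contactless channel is an assumption about why a sniffed value would be useless.

```python
import secrets


class PseudoNumberVault:
    """Hypothetical issuer back-end table: pseudo-number -> real account."""

    def __init__(self):
        self._accounts = {}  # never leaves the back-end system

    def issue(self, account_number: str) -> str:
        # The pseudo-number is random, so it cannot be reversed into
        # the real account number by someone who sniffs it.
        while True:
            pseudo = "".join(secrets.choice("0123456789") for _ in range(16))
            if pseudo != account_number and pseudo not in self._accounts:
                self._accounts[pseudo] = account_number
                return pseudo

    def authorize(self, presented: str, channel: str) -> str:
        account = self._accounts.get(presented)
        if account is None:
            return "DECLINE: unknown number"
        # Assumption: the issuer accepts pseudo-numbers only from
        # contactless readers, not from online or keyed-in payments.
        if channel != "contactless":
            return "DECLINE: pseudo-number not valid on this channel"
        return f"APPROVE: account ending {account[-4:]}"


def demo() -> dict:
    vault = PseudoNumberVault()
    real_account = "4000001234567899"  # constructed sample, not a real card
    pseudo = vault.issue(real_account)  # this is all the chip transmits
    return {
        "over_the_air": pseudo,
        "leaks_real_number": pseudo == real_account,
        "at_reader": vault.authorize(pseudo, "contactless"),
        "sniffed_used_online": vault.authorize(pseudo, "online"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
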
Keep in mind that RFID credit card security is still evolving. Although these recommendations do not provide complete RFID security, they give cardholders some controls and protective measures to mitigate the threat.