You know, I bet the US issuing banks never thought of that.
The specifics of the attacks discussed in the actual research paper aren’t the point: it’s what is implied in the newspaper article that bothers me. Does the New York Times think that (for example) MasterCard had never thought of the problem? That they didn’t realise that the cards could be read through an envelope? That they didn’t assess the risks?
The first generation of the US cards simply transmitted the cardholder name because it was easy to do and the banks wanted to get the cards out there to see if consumers and merchants liked them as much as the pilots and trials would suggest. Now the personalisation systems have been upgraded, they can choose to send the cards out with (and I stress that this is just an example, I am not commenting on any specific scheme) the cardholder name set to “SUPPLIED/NOT” and the card number replaced with a pseudo-number.
The point I’m making, I suppose, is that I’m a sensitive soul and I wouldn’t like people reading these stories to get the impression that consultants (and I stress that I’m speaking for myself here) who have been working with international card schemes on contactless payments (for several years) know nothing about security and had never considered the possibility of eavesdropping on card-to-terminal transmissions or scanning envelopes in the mail. As I wrote a while ago, there are well-known ways to secure contactless transactions. When to implement them is a matter of risk analysis, which is something that banks are rather used to doing.