[Dave Birch] Down here at the RSA Conference Europe, a couple of people asked me about the article in the New York Times concerning contactless card security. In particular, the potential for mail interception (since you can read the cards inside the envelope). As the article says, “Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers. Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.”

You know, I bet the US issuing banks never thought of that.

The specifics of the attacks discussed in the actual research paper aren’t the point: it’s what is implied in the newspaper article that bothers me. Does the New York Times think that (for example) MasterCard had never thought of the problem? That they didn’t realise that the cards could be read through an envelope? That they didn’t assess the risks?

The first generation of US cards simply transmitted the cardholder name because it was easy to do and the banks wanted to get the cards out there to see if consumers and merchants liked them as much as the pilots and trials suggested. Now that the personalisation systems have been upgraded, issuers can choose to send the cards out with (and I stress that this is just an example; I am not commenting on any specific scheme) the cardholder name set to “SUPPLIED/NOT” and the card number replaced with a pseudo-number. The point I’m making, I suppose, is that I’m a sensitive soul and I wouldn’t like people reading these stories to get the impression that consultants (and I stress that I’m speaking for myself here) who have been working with the international card schemes on contactless payments for several years know nothing about security and had never considered the possibility of eavesdropping on card-to-terminal transmissions or scanning envelopes in the mail. As I wrote a while ago, there are well-known ways to secure contactless transactions. When to implement them is a matter of risk analysis, which is something that banks are rather used to doing.
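To make the personalisation choice above concrete, here is an added toy model (my own illustration, not code from the original post or from any card scheme). It encodes a card’s data as flat BER-TLV using the real EMV tag numbers (5A for the PAN, 5F20 for the cardholder name, 5F24 for the expiry date), then “skims” it the way a reader held against an envelope would. The card data is constructed (a standard test PAN), and the pseudo-number scheme, the issuer-side vault and the `demo()` helper are assumptions made up for the example; APDUs, records and templates are deliberately left out.

```python
import random

# Added example, not code from the original post. Real EMV tag numbers are
# used; the card data, the "pseudo-number" alias scheme and the vault are
# constructed assumptions modelling the personalisation choice in the post,
# not any scheme's actual specification.

TAG_PAN = "5A"
TAG_CARDHOLDER_NAME = "5F20"
TAG_EXPIRY = "5F24"

# Constructed test values: a standard test PAN, not anyone's account.
REAL_PAN = "4111111111111111"
REAL_NAME = b"FU/KEVIN E"
EXPIRY_YYMM = bytes.fromhex("0810")


def encode_tlv(tag_hex: str, value: bytes) -> bytes:
    """Encode one BER-TLV element (1- or 2-byte tag, lengths up to 255)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        raise ValueError("value too long for this toy encoder")
    return bytes.fromhex(tag_hex) + length + value


def decode_tlv(data: bytes) -> dict:
    """Parse a flat sequence of BER-TLV elements into {tag_hex: value}."""
    out, i = {}, 0
    while i < len(data):
        # A first tag byte whose low five bits are all ones announces a
        # second tag byte (this is how 5F20 and 5F24 differ from 5A).
        tag_len = 2 if data[i] & 0x1F == 0x1F else 1
        tag = data[i:i + tag_len].hex().upper()
        i += tag_len
        length = data[i]
        i += 1
        if length == 0x81:
            length = data[i]
            i += 1
        elif length & 0x80:
            raise ValueError("unsupported length encoding")
        if i + length > len(data):
            raise ValueError("truncated element")
        out[tag] = data[i:i + length]
        i += length
    return out


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that lacks its final digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan[-1] == luhn_check_digit(pan[:-1])


def personalise_first_generation() -> bytes:
    """First-generation profile: name, PAN and expiry all readable in clear."""
    return (encode_tlv(TAG_PAN, bytes.fromhex(REAL_PAN))
            + encode_tlv(TAG_CARDHOLDER_NAME, REAL_NAME)
            + encode_tlv(TAG_EXPIRY, EXPIRY_YYMM))


def issue_pseudo_pan(issuer_bin: str, rng: random.Random) -> str:
    """Hypothetical alias: issuer prefix, random body, valid Luhn, unrelated to the account."""
    body = issuer_bin + "".join(str(rng.randrange(10)) for _ in range(15 - len(issuer_bin)))
    return body + luhn_check_digit(body)


def personalise_hardened(pseudo_pan: str) -> bytes:
    """Upgraded profile: name replaced by SUPPLIED/NOT, PAN replaced by the alias."""
    return (encode_tlv(TAG_PAN, bytes.fromhex(pseudo_pan))
            + encode_tlv(TAG_CARDHOLDER_NAME, b"SUPPLIED/NOT")
            + encode_tlv(TAG_EXPIRY, EXPIRY_YYMM))


def skim(over_the_air: bytes) -> dict:
    """Everything a passive reader (or one held against an envelope) recovers."""
    fields = decode_tlv(over_the_air)
    return {"name": fields[TAG_CARDHOLDER_NAME].decode("ascii"),
            "pan": fields[TAG_PAN].hex(),
            "expiry": fields[TAG_EXPIRY].hex()}


def demo(seed: int = 7) -> dict:
    """Personalise both ways, skim both, and show only the issuer can map the alias back."""
    rng = random.Random(seed)
    alias = issue_pseudo_pan("411111", rng)
    vault = {alias: REAL_PAN}  # issuer-side mapping, never on the card
    new = skim(personalise_hardened(alias))
    return {"first_generation": skim(personalise_first_generation()),
            "hardened": new,
            "alias_looks_like_a_card_number": luhn_valid(new["pan"]),
            "alias_is_the_account_number": new["pan"] == REAL_PAN,
            "issuer_resolves_alias_to": vault.get(new["pan"])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the first-generation profile yields the name, PAN and expiry exactly as the newspaper describes, while the hardened profile yields “SUPPLIED/NOT” and a number that passes a Luhn check but is useless without the issuer’s vault. The expiry date is still readable in both profiles, which is the kind of residual exposure the risk analysis in the text has to weigh.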
