Using built-in radio transponders, the cards require no contact, only proximity, with a reader and are billed as faster and more reliable than conventional credit cards whose magnetic strip must be swiped to register.
But the cutting-edge technology may easily allow attackers to lift personally identifiable information off the cards, according to results of the study, headed by researchers at the University of Massachusetts in Amherst and RSA Laboratories in Bedford.
The study employed two readers purchased from independent manufacturers and about 20 RFID-enabled credit cards issued last year by the three major providers - Visa, MasterCard and American Express - and several banks.
The experiment determined the cards - said to be protected by deep levels of encryption software - were subject to numerous vulnerabilities, notably live relay and replay attacks and personal identification disclosure, according to an Oct. 22 white paper summarising the study.
"Despite the millions of RFID-enabled payment cards already in circulation, and the large investment required for their manufacture, personalisation and distribution, all the cards we examined are susceptible to privacy invasion and relay attacks," the white paper concluded.
Relay attacks are similar to man-in-the-middle attacks and involve the malicious user getting between the card holder and card reader to steal personal information, according to the study. In a replay attack, attackers replay a previous, exact interaction between the radio frequency device and a reader for their own use without the network discerning between a hacker's replay and a legitimate cash transaction.
The simplest attack concept to understand is skimming. This occurs when an unauthorised, secretly placed reader registers the RFID tag of an unsuspecting user, the white paper said.
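The replay attack described above works only when a card's reply does not depend on anything the reader chose for that particular transaction. The following simulation, added here as an illustration and not taken from the study or from any card scheme's actual protocol, contrasts a card that answers every read with the same bytes against one that binds its reply to a reader-chosen nonce with a keyed MAC. The key, the card record and the `Reader`, `StaticCard` and `ChallengeResponseCard` classes are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo values; these are not keys or account data from any real card.
CARD_KEY = b"demo-card-key-0001"
CARD_TAG = b"DEMO-CARD-0000"  # stands in for the card's identifying record


class StaticCard:
    """Model of a card whose reply never changes: whatever the reader sends, the answer is identical."""

    def respond(self, challenge: bytes) -> bytes:
        return CARD_TAG


class ChallengeResponseCard:
    """Model of a card that proves key possession over a reader-chosen nonce.

    The MAC covers the challenge, so a reply recorded in one transaction
    cannot satisfy the reader in a later one.
    """

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self._key, challenge + CARD_TAG, hashlib.sha256).digest()
        return CARD_TAG + b"|" + mac


class Reader:
    """Terminal side: issues a fresh unpredictable challenge per transaction and checks the reply.

    A reader with no key models the static scheme and can only compare the record itself.
    """

    def __init__(self, key: Optional[bytes]):
        self._key = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, reply: bytes) -> bool:
        if self._key is None:
            return reply == CARD_TAG  # nothing ties the reply to this transaction
        tag, sep, mac = reply.partition(b"|")
        if not sep:
            return False
        expected = hmac.new(self._key, challenge + tag, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def replay_accepted(card, reader: Reader) -> bool:
    """Run one legitimate transaction, keep its reply, then present that recording to a new transaction.

    Returns True if the reader accepts the recorded reply the second time,
    i.e. if the scheme is vulnerable to replay.
    """
    first = reader.new_challenge()
    recorded = card.respond(first)
    assert reader.verify(first, recorded)  # the legitimate transaction is accepted
    second = reader.new_challenge()
    return reader.verify(second, recorded)


if __name__ == "__main__":
    print("static card, replay accepted:", replay_accepted(StaticCard(), Reader(None)))
    print("challenge-response card, replay accepted:",
          replay_accepted(ChallengeResponseCard(CARD_KEY), Reader(CARD_KEY)))
```

Binding the reply to a per-transaction nonce stops replay, but it does not stop the relay attack the study also reports: a relay forwards the reader's live challenge to the genuine card and carries the genuine answer back, so the MAC verifies. Defending against relay needs something the nonce alone does not give, such as round-trip timing bounds or a cardholder action, which is outside this example.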
MasterCard, which has popularised the RFID payment space with its PayPass technology, said in a statement today to SCMagazine.com that the experiment only studies one piece of the transaction security lifecycle.
"Attacks on the card number and expiration date do not take into account the multiple layers of security protecting end-to-end and built into the financial payment system," the statement said. "These protections include special message indicators and checks, embedded transaction security data, risk management and fraud detection systems, neutral networking and online authorization networks."
Visa said in a statement today that the concerns have little real-world implication.
"The RSA tests were enacted in a laboratory setting unconnected to the Visa payment network, which does not provide an accurate representation of the security measures in place," the company said in a statement to SCMagazine.com.
Researchers cite risks in swipe-free credit cards
By Dan Kaplan on Oct 26, 2006 11:17PM