Study Warns of Privacy Risk of No-Swipe Credit Cards
I read an article yesterday on the New York Times website about the potential privacy risk of no-swipe credit cards: cards that don’t have to be manually swiped through a machine and therefore need no signature. A customer with a no-swipe card (for example, the Blink card from Chase) only needs to wave the card in front of a terminal, which picks up the customer’s data stored in the microchip embedded in the card and processes the transaction. While the card can speed up checkout and provide convenience for customers, the card issuers have only one thing in mind: getting people to use credit cards at places like convenience stores and fast food restaurants, where people usually pay cash for small items.
With these cards, a natural concern is the security of the customer’s data, which is transmitted via radio waves. To assure customers of the safety of their personal information, Chase claimed that its Blink card employs “the highest level of encryption allowed by the U.S. government.” However, the Times article said that in an experiment, researchers found that
the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.
Also, since the microchip embedded in the card emits signals even when the carrier is away from the terminal,
the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak.
On the other hand, credit card issuers argue that
the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification “token,” or a small bit of code, that is encrypted before being sent.
But not every card uses “a token or change data from one transaction to another” to make the stolen information useless when played back.
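The difference between a card that changes its data on every transaction and one that does not, as an added example that is not from the Times article or any card issuer. It is a simplified model: the HMAC-SHA256 token, the counter, and all names and values are assumptions, not the scheme real cards use.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real card or issuer.
KEY = b"constructed-demo-key"        # secret shared by the card chip and the issuer
DUMMY_NUMBER = "9999000011112222"    # number sent over the air, not the embossed one


def make_token(key: bytes, number: str, counter: int) -> str:
    """Verification token bound to one transaction counter value."""
    msg = f"{number}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Card:
    """Simplified card. dynamic=False models a card whose data never changes."""
    def __init__(self, key: bytes, number: str, dynamic: bool):
        self.key, self.number, self.dynamic, self.counter = key, number, dynamic, 0

    def read(self) -> dict:
        if not self.dynamic:
            return {"number": self.number}
        self.counter += 1
        return {"number": self.number, "counter": self.counter,
                "token": make_token(self.key, self.number, self.counter)}


class Issuer:
    """Simplified back end that authorizes messages relayed by a terminal."""
    def __init__(self, keys: dict, require_token: bool):
        self.keys, self.require_token = keys, require_token
        self.last_counter = {}           # number -> highest counter accepted

    def authorize(self, msg: dict) -> bool:
        number = msg.get("number")
        if number not in self.keys:
            return False
        if not self.require_token:
            return True                  # static data: a stored copy looks identical
        counter, tok = msg.get("counter"), msg.get("token")
        if not isinstance(counter, int) or not isinstance(tok, str):
            return False
        if counter <= self.last_counter.get(number, 0):
            return False                 # counter already seen: played-back message
        expected = make_token(self.keys[number], number, counter)
        if not hmac.compare_digest(expected.encode(), tok.encode()):
            return False
        self.last_counter[number] = counter
        return True
```

The issuer that requires a token accepts each card message once and rejects a stored copy, while the issuer that accepts static data cannot tell the original from the copy.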
In the end, the Times article said that all the no-swipe card issuers “said that they were in the process of deleting names from the stream of data transmitted to the card readers.” It seems that the credit card companies are taking a wait-and-see approach: if nothing happens with the current measure, they will keep it as long as they can, assuming nobody will really test it.