Study Warns of Privacy Risk of No-Swipe Credit Cards

Posted by Sun on October 24, 2006

I read an article yesterday on the New York Times website about the potential privacy risk of no-swipe credit cards, the cards that don't have to be manually swiped through a machine and so need no signature. A customer with a no-swipe card (for example, the Blink card from Chase) only needs to wave the card in front of a terminal, which picks up the customer's data stored in the microchip embedded in the card and processes the transaction. While the card can speed up checkout and provide convenience for customers, the card issuers have only one thing in mind: getting people to use credit cards at places like convenience stores and fast food restaurants, where people usually pay cash for small items.

With these cards, a natural concern is the security of the customer's data, which is transmitted via radio waves. To assure customers of the safety of their personal information, Chase claimed that their Blink card employs “the highest level of encryption allowed by the U.S. government.” However, the Times article said that in an experiment, researchers found that

the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

Also, since the microchip embedded in the card emits signals even when the carrier is away from the terminal,

the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak.

On the other hand, credit card issuers argue that

the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification “token,” or a small bit of code, that is encrypted before being sent.

But not every card uses "a token or change data from one transaction to another" to make the stolen information useless when played back.

In the end, the Times article says that all the no-swipe card issuers "said that they were in the process of deleting names from the stream of data transmitted to the card readers." It seems that the credit card companies are taking a wait-and-see approach: if nothing happens with the current measure, they will keep it as long as they can, assuming nobody will really test it.
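To make the issuers' argument concrete, here is an added sketch (not from the Times article or from any card issuer) of how a per-transaction token lets the verifying side reject played-back data, next to a card that sends the same data every time. The HMAC-over-counter construction, the alias "ALIAS-0001", the key, and the class and function names are all assumptions chosen for illustration; the real card protocols are not described in the article.

```python
import hashlib
import hmac

def token(key, alias, ctr):
    # Assumed construction: truncated HMAC over alias and counter.
    return hmac.new(key, f"{alias}|{ctr}".encode(), hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, alias, key):
        self.alias, self._key, self._ctr = alias, key, 0

    def transmit(self):
        # Each tap advances the counter, so every message is unique.
        self._ctr += 1
        return self.alias, self._ctr, token(self._key, self.alias, self._ctr)

class Issuer:
    def __init__(self):
        self.keys, self.last_ctr = {}, {}

    def enroll(self, alias, key):
        self.keys[alias], self.last_ctr[alias] = key, 0

    def verify_dynamic(self, alias, ctr, tok):
        key = self.keys.get(alias)
        if key is None:
            return False
        if not hmac.compare_digest(token(key, alias, ctr), tok):
            return False          # forged or altered token
        if ctr <= self.last_ctr[alias]:
            return False          # counter already used: replay
        self.last_ctr[alias] = ctr
        return True

    def verify_static(self, alias):
        # Card that sends the same data every time: nothing to tell a replay apart.
        return alias in self.keys

def demo():
    key = b"constructed-demo-key"
    issuer, card = Issuer(), Card("ALIAS-0001", key)
    issuer.enroll(card.alias, key)
    captured = card.transmit()            # what an eavesdropper would record
    first = issuer.verify_dynamic(*captured)
    replay = issuer.verify_dynamic(*captured)
    fresh = issuer.verify_dynamic(*card.transmit())
    return first, replay, fresh, issuer.verify_static(captured[0])

if __name__ == "__main__":
    print(demo())
```

The first presentation and the next genuine tap are accepted and the played-back message is refused, while the static check accepts the same captured data again.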

Click here to read the full article (you have to register, though free, before you can access the article).
