This story appeared on Network World at
More 'security as an afterthought'
By Scott Bradner, Network World, 10/30/06
The top story in The New York Times business section on Monday details a perfect example of businesses developing a product and only thinking seriously about security or privacy after someone else reports problems. Here, as in most such cases, the businesses claim there really is no problem for anyone to worry about. In this case, believing the businesses would require a suspension of logic.
The Times reports that University of Massachusetts researcher Tom Heydt-Benjamin has demonstrated that it is quite easy to extract information from the new generation of RFID-equipped credit cards without having to look at them.
According to the story, Heydt-Benjamin has written this up in a paper he has submitted to a security conference. (I have not seen a copy of the paper and am relying on The Times article for my information.)
It seems that Heydt-Benjamin kludged up an RFID reader, tried it out on 20 of the new credit cards and was able to read unencrypted information from all of them. In at least some cases, the information included the card holder's name, the credit card number and expiration date. In other words, all the information you would need to buy things online, and maybe enough information to create your own RFID or non-RFID credit card for in-person use.
The reaction from the credit card companies was predictable if not fully believable. A Mastercard spokesperson said that 98% of their RFID cards used "the highest standards" without saying what that meant in terms of exposed information or why all of the Mastercard cards tested somehow fell into the 2% of not-so-good cards. An American Express spokesperson said: "It's basically useless information. You can't steal that data and play it back and expect that transaction to work."
The spokesperson did not explain away the fact that the researchers did just that with data from some cards. The card companies also pointed to their fraud-detection software that would detect the use of stolen card numbers. Pardon me if I do not accept the assumption that all fraudulent use would be caught. I do accept the fact that some such use is caught because I got a call from Mastercard about such a case with one of my cards.
This column is not meant merely as a rant against RFID-based credit cards, although I do not want to have one for a number of years until all the bugs get worked out. I'm trying to point out two behaviors that are all too common. The first is rolling out products without thinking through the security or privacy implications, and the second is the quick dismissal when someone points out the flaws in such products.
The Times reports that all of the card companies said they were removing the card holder name from the information that is retrieved from the cards as a best practice. Why did they include the name in the first place? Why did they not encrypt it if they had a real reason to include it?
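The two failures above, cleartext data that anyone with a reader can parse, and static data that a terminal cannot distinguish from a replay, are easy to show side by side. The following is an added example written for this column; it is not code from Heydt-Benjamin's paper or from any card issuer. The card record layout is a constructed one loosely modelled on magnetic-stripe Track 1 (the real contactless encoding is not described in the article), the PAN is a published test number, the key is made up, and the "hardened" card is a simplified stand-in for a per-transaction cryptogram, not an implementation of EMV. The point it makes is the caveat a practitioner would add to the "why not encrypt it" question: encrypting a static record still leaves it replayable; what stops replay is binding each response to a nonce the terminal chooses, and what stops the privacy leak is not transmitting the name at all.

```python
"""Static cleartext card data vs. a per-transaction cryptogram (added example).

A first-generation contactless card that answers every reader with the same
cleartext record leaks the data and is trivially replayable. Binding the
answer to a terminal-chosen nonce with a keyed MAC fixes the replay, and
dropping the name fixes the privacy leak. The record layout and keys below
are constructed for illustration, not taken from any real card or from EMV."""
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed Track-1-style record: start sentinel '%', format code 'B',
# PAN, '^', name, '^', expiry YYMM, service code, end sentinel '?'.
# 4111111111111111 is a widely published Visa test number, not a real account.
FIRST_GEN_RECORD = b"%B4111111111111111^DOE/JANE^0812101?"

TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; a sniffed PAN that passes it is almost certainly real."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track1(record: bytes) -> Optional[dict]:
    """What a home-built reader recovers from a cleartext card response."""
    m = TRACK1_RE.search(record)
    if not m:
        return None
    pan = m["pan"].decode()
    return {"pan": pan, "name": m["name"].decode(),
            "expiry": m["exp"].decode(), "luhn_ok": luhn_ok(pan)}


def naive_terminal_accepts(response: bytes) -> bool:
    """A terminal that only checks the record is well formed cannot tell a
    replayed capture from the genuine card: the bytes are identical."""
    return parse_track1(response) is not None


class HardenedCard:
    """Simplified stand-in for a card that authenticates each transaction:
    it returns PAN and expiry only (no name) plus an HMAC over the terminal's
    nonce, computed with a key that never leaves the card."""

    def __init__(self, pan: str, expiry: str, key: bytes):
        self.pan, self.expiry, self.key = pan, expiry, key

    def respond(self, nonce: bytes) -> bytes:
        body = f"{self.pan}^{self.expiry}".encode()
        mac = hmac.new(self.key, nonce + body, hashlib.sha256).hexdigest()
        return body + b"^" + mac.encode()


def hardened_terminal_accepts(nonce: bytes, response: bytes, key: bytes) -> bool:
    """Issuer-side check: recompute the MAC for *this* nonce. A response captured
    under an earlier nonce carries the wrong MAC and is rejected."""
    try:
        pan, expiry, mac = response.decode().split("^")
    except ValueError:
        return False
    expected = hmac.new(key, nonce + f"{pan}^{expiry}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def demo() -> dict:
    """Run both scenarios and return the outcomes so they can be checked."""
    sniffed = parse_track1(FIRST_GEN_RECORD)                    # read from the air
    replay_old_card = naive_terminal_accepts(FIRST_GEN_RECORD)  # replay succeeds

    key = b"constructed-card-key"  # would live inside the card, never transmitted
    card = HardenedCard("4111111111111111", "0812", key)
    nonce1 = os.urandom(8)
    captured = card.respond(nonce1)                 # attacker sniffs this exchange
    genuine_ok = hardened_terminal_accepts(nonce1, captured, key)
    nonce2 = os.urandom(8)                          # a later, different transaction
    replay_new_card = hardened_terminal_accepts(nonce2, captured, key)
    return {"sniffed": sniffed, "replay_old_card": replay_old_card,
            "genuine_ok": genuine_ok, "replay_new_card": replay_new_card}


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running `demo()` shows the sniffed name, number and expiry recovered from the first-generation record, the naive terminal accepting the replayed bytes, and the hardened terminal accepting the genuine exchange but rejecting the same captured response when presented against a fresh nonce. Note that the hardened card would still be wide open to an attacker who sniffs the PAN and expiry and uses them for a card-not-present purchase online, which is why the cleartext PAN is a problem on its own and not only in combination with the name.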
If you are working on a new product or service, break the mold - think about security before you ship it.
Disclaimer: Some at Harvard are all for breaking molds while others cling to them, but this advice is mine.