The fear of RFID security is not new. However, when US Express and Chase began issuing RFID-enabled credit cards last year, these concerns grew. When Massachusetts University researchers announced in October that they broke the credit card RFID security feature, this fear escalated.
RFID use
So far, RFID chips have only been used for labels on goods, shipping containers and livestock. These chiplets are capable of transmitting data about the product of the tag to a card reader that records such data by radio signals. RFID applications have their own benefits. One benefit is that RFID-enabled containers can automatically track inventory. Since the RFID system automatically transfers the data to the supply chain management system, the goods no longer need to be manually registered. However, this technology also provides the same convenience for thieves. Thieves can use RFID security vulnerabilities to trick traffic products or track shipments themselves in order to steal tagged goods.
RFID security concerns
Since RFID is embedded in some credit cards, this opens the door to credit card fraud. Security and privacy experts say their biggest concern is that RFID cards can "distribute" personal information in the air. Some people worry that some malicious users can make a card reader to steal credit card numbers, even if they are safely placed in their pockets.
The results of the University of Massachusetts study were not helpful. In one experiment, the school “sniffed†the username and account number in the credit card embedded in the RFID chip using only a $150 home-made device. In order to eliminate this concern, the credit card company responded by refuting these findings.
First, credit card companies argue that their customer information is fully protected. They said that the RFID signal is encrypted with 128 bits and the actual username and card number are not transmitted. Instead, their facility uses a pseudo-number that can be translated into user account information in the process of processing credit card business. However, the researchers countered that they checked Visa's credit card, MasterCard's "OneSmart" card and American Express ExpressPay's credit card, all of which issued unencrypted usernames and account numbers.
Then, these credit card companies said that the 20 research samples (only 20 cards) used by the researchers were too few. They have not received any reports of such attacks so far, nor have they seen such equipment made by researchers. However, this kind of ambiguity is safe. Unclear security is not safe.
RFID security challenge
However, the RFID chip in the credit card itself has some security problems that need to be understood. The RFID chip is small, and the memory and storage capacity are also small. This limits the length of the digital and encryption keys it can hold, making it difficult to implement the public key exchange required for strong encryption.
Another helpful thing is that most RFID chips are static. The small size of this chip makes it difficult to make a programmable chip that can be fine-tuned. Once the information is burned into the chip, the data in the chip cannot be changed. Some chips have limited remote programming capabilities. However, such chips are rare.
Secure RFID Credit Cards: Best Practices
Do not delve further into this debate, let us study some best practices for securing RFID credit cards. Unfortunately, for many consumers who own such credit cards, there are not many protective measures because the security measures for these credit cards are still immature. It is unrealistic for most users to carry a credit card in a box that can block radio signals. It is not practical to use a knife to remove the RFID chip from the credit card.
However, it is still possible to see if such a credit card can meet certain minimum security requirements before filling out the application form. Before signing the agreement, RFID credit card applicants should ask the card issuer four questions:
1. What does the data actually send? Is it a credit card number or a fake number representing the credit card? The RFID chip can programmatically send a pseudo number that matches the account number on the card processor backend system. If this pseudo number is smelled, this number is useless for credit card thieves.
2. Is the data sent in the credit card encrypted? If it is encrypted, what is the length? If the credit card sends the user's real information, including the cardholder's name, account number and expiration time, then all the data must be Transfer in encrypted form. You should use strong encryption, at least 128 bits.
3. How far can the data of this credit card be sent? The data transmission distance of the RFID chip can only be a few feet and cannot be transmitted outside the parking lot. The shorter the transmission distance, the less risk of maliciously capturing this data.
4. Does the issuer of this credit card have a back-end anti-fraud system? Check if the issuer uses a fraud detection system like Fair Issac's "Falcon Fraud Manager". Such a system does not protect the credit card itself from data loss, but it can block fraudulent transactions using data from maliciously stolen RFID credit cards.
Keep in mind that RFID credit card security is still evolving. While these recommendations do not provide overall RFID security, these recommendations provide cardholders with some control and protection measures to mitigate threats.
RFID use
So far, RFID chips have only been used for labels on goods, shipping containers and livestock. These chiplets are capable of transmitting data about the product of the tag to a card reader that records such data by radio signals. RFID applications have their own benefits. One benefit is that RFID-enabled containers can automatically track inventory. Since the RFID system automatically transfers the data to the supply chain management system, the goods no longer need to be manually registered. However, this technology also provides the same convenience for thieves. Thieves can use RFID security vulnerabilities to trick traffic products or track shipments themselves in order to steal tagged goods.
RFID security concerns
Since RFID is embedded in some credit cards, this opens the door to credit card fraud. Security and privacy experts say their biggest concern is that RFID cards can "distribute" personal information in the air. Some people worry that some malicious users can make a card reader to steal credit card numbers, even if they are safely placed in their pockets.
The results of the University of Massachusetts study were not helpful. In one experiment, the school “sniffed†the username and account number in the credit card embedded in the RFID chip using only a $150 home-made device. In order to eliminate this concern, the credit card company responded by refuting these findings.
First, credit card companies argue that their customer information is fully protected. They said that the RFID signal is encrypted with 128 bits and the actual username and card number are not transmitted. Instead, their facility uses a pseudo-number that can be translated into user account information in the process of processing credit card business. However, the researchers countered that they checked Visa's credit card, MasterCard's "OneSmart" card and American Express ExpressPay's credit card, all of which issued unencrypted usernames and account numbers.
Then, these credit card companies said that the 20 research samples (only 20 cards) used by the researchers were too few. They have not received any reports of such attacks so far, nor have they seen such equipment made by researchers. However, this kind of ambiguity is safe. Unclear security is not safe.
RFID security challenge
However, the RFID chip in the credit card itself has some security problems that need to be understood. The RFID chip is small, and the memory and storage capacity are also small. This limits the length of the digital and encryption keys it can hold, making it difficult to implement the public key exchange required for strong encryption.
Another helpful thing is that most RFID chips are static. The small size of this chip makes it difficult to make a programmable chip that can be fine-tuned. Once the information is burned into the chip, the data in the chip cannot be changed. Some chips have limited remote programming capabilities. However, such chips are rare.
Secure RFID Credit Cards: Best Practices
Do not delve further into this debate, let us study some best practices for securing RFID credit cards. Unfortunately, for many consumers who own such credit cards, there are not many protective measures because the security measures for these credit cards are still immature. It is unrealistic for most users to carry a credit card in a box that can block radio signals. It is not practical to use a knife to remove the RFID chip from the credit card.
However, it is still possible to see if such a credit card can meet certain minimum security requirements before filling out the application form. Before signing the agreement, RFID credit card applicants should ask the card issuer four questions:
1. What does the data actually send? Is it a credit card number or a fake number representing the credit card? The RFID chip can programmatically send a pseudo number that matches the account number on the card processor backend system. If this pseudo number is smelled, this number is useless for credit card thieves.
2. Is the data sent in the credit card encrypted? If it is encrypted, what is the length? If the credit card sends the user's real information, including the cardholder's name, account number and expiration time, then all the data must be Transfer in encrypted form. You should use strong encryption, at least 128 bits.
3. How far can the data of this credit card be sent? The data transmission distance of the RFID chip can only be a few feet and cannot be transmitted outside the parking lot. The shorter the transmission distance, the less risk of maliciously capturing this data.
4. Does the issuer of this credit card have a back-end anti-fraud system? Check if the issuer uses a fraud detection system like Fair Issac's "Falcon Fraud Manager". Such a system does not protect the credit card itself from data loss, but it can block fraudulent transactions using data from maliciously stolen RFID credit cards.
Keep in mind that RFID credit card security is still evolving. While these recommendations do not provide overall RFID security, these recommendations provide cardholders with some control and protection measures to mitigate threats.
Stamp Pad,Stamp Ink Refill,White Stamp Ink,Black Stamp Pad
Huhua Stationary Co., Ltd , https://www.huhuastamp.com