The widespread use, especially in US credit cards, of RFID chips which can be read through clothing or wallets for contactless payments can lead to cards being read without the owners knowledge or permission. At the Shmoocon security conference held in Washington D.C., US business magazine Forbes reports that Kristin Paget impressively demonstrated the ability to read data on RFID chipped credit cards and make a payment that hadn't been authorised by the card owner. However, credit card manufacturers don't think that there is an increased risk.

Credit cards have always favoured convenience over security; misuse is a calculated risk that is ultimately carried by the credit card issuer. When a card is used to pay at a restaurant, for example, waiters could easily copy all necessary transaction data from the card and then do their own internet shopping with this data. With about 100 million RFID cards issued, this could now also be done without card owners handing over their cards – or even without their knowledge.

No security measures such as card reader authentication are in place. However, the RFID data doesn't include the three-digit CVV number that is printed on the back of the card which is usually required when making an online transaction. Instead, the chip issues a one-time CVV that is only valid for one transaction. Using this CVV repeatedly will cause the card to be blocked.

Randy Vanderhoof from the Smart Card Alliance told Forbes that he doesn't think that contactless credit card payments present an increased risk; no cases of misuse have been observed in the six years that the method has been in use, he added. In Vanderhoof's opinion, this is mainly because criminals would find it difficult to monetise such an attack scenario.

As stolen credit card data is typically sold by the thousand and only costs a few dollars per card, his assessment isn't entirely unfounded. In the US, Visa markets RFID credit cards as payWave and in the UK as Contactless by Visa. Mastercard markets their RFID credit cards as Paypass in the US and UK.

(ehe)