The next time you pull up to the drive-through window at McDonald's, you might want to reach into your pocket for some good-old fashioned cash. The "swipe free" credit card you've gotten accustomed to using to pay for a Big Mac and fries might actually be putting your personal information at risk.
In tests conducted this fall, researchers from the RFID Consortium for Security and Privacy were able to hack into the information stored on first-generation "swipe free" credit cards that use RFID technology. Though the information is supposedly encrypted, the group reported that all of the cards it tested revealed important personal information whose disclosure could lead to identity fraud and theft.
Nearly 20 million of the RFID-enabled cards have been issued by credit card companies like American Express and MasterCard, and are now being used by consumers at a growing number of retail outlets, including CVS drug stores and McDonald's.
Researchers from the consortium, which includes members from both industry and academia, found problems with all of the cards they tested, although they tested fewer than two dozen cards. "Every single RFID credit card and debit card that I have seen in my lab has revealed at the least the full user name and card expiration date, and the vast majority also revealed the full credit card number," says Tom Heydt-Benjamin, a graduate student at the University of Massachusetts and one of the study's architects.
Because the information is transmitted via radio waves, the cards can be read through a wallet, an item of clothing or an envelope. To illustrate how easily personal data could be skimmed from cards, Heydt-Benjamin outlined a scenario in which somebody posing as a campaign volunteer walked the streets stuffing fliers into mailboxes. It would be a simple matter for that person to use a concealed RFID reader to skim information from any credit cards that happened to be in those mailboxes, he said.
Privacy advocates called for credit card issuers to recall all of the cards in question and replace them with more secure versions. The group Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) advised consumers to remove the credit cards from their wallets immediately and request an RFID-free replacement card. The group is cautioning consumers not to mail the cards back because of the risk that their personal information might be exposed.
Although he acknowledges that RFIDenabled cards have security flaws that must be addressed, Heydt-Benjamin says that when it comes to the overall risk of identity theft, "leaky" cards pose only a minor risk. Practices like phishing, he says, represent a much bigger threat to individual consumers.
"I hope this doesn't set the whole technology back," says Heydt-Benjamin. "We firmly believe that RFID is not a dangerous technology. Our research is about bringing appropriate security and privacy mechanisms into the RFID world. Our message is that while this issue is something that very much should be part of the RFID privacy debate, we don't see it as indicating that RFID technology is an evil or dangerous technology."
If you're going to tag 65 products, you might as well tag them all. That at least appears to be Hewlett-Packard's thinking. The consumer electronics giant is considering the monumental step of applying RFID tags to all of the products it makes. Right now, it is tagging 65 product SKUs that it supplies to Wal-Mart, Target and Best Buy in compliance with the retailers' mandates. But company executives say HP has an internal study under way to determine if it would be more efficient to just tag everything.
Last year, HP used about 6 million RFID tags. That number is expected to reach 10 million by the end of 2006, making HP one of the largest consumers of RFID tags.
HP, which started running RFID pilots four years ago, now has 34 facilities that are RFID-enabled. The company is already doing some item-level tagging for products like computer printers that ship one product to a case.
