Bruce Schneier has published an entry about the use of RFID to skim credit cards. Although I completely agree that the use of RFID makes skimming easier, I disagree that RFID is the main issue here. For me, the source of the problem is that the applications in use do not take sufficient account of the new threats related to RFID. However, things should not be as bad as they seem:
- By skimming RFID, it is not possible to get the Card Verification Code printed on the back of the card, because this code is only used in online transactions, not in transactions that use the physical card (magstripe or RFID).
- Transactions that use a physical card actually use another Card Verification Code, which is recorded on the magstripe. At least in some configurations, this Card Verification Code is sent encrypted under a session key, and it therefore cannot be retrieved by simply skimming a transaction (in other configurations, the encryption is static, which is much less secure).
The conclusion is that, at least for the banks that use the dynamic encryption scheme, skimmers will still miss an important part of the card's data, which greatly restricts what can be done with the card number.
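To illustrate why the static and session-key variants differ so much, here is an added simulation of the issuer-side check (it is not from the original post and is not the real EMV algorithm). A keyed HMAC stands in for the encryption, since the point is whether a skimmed value can be reused, and the card master key, transaction counter and CVC are constructed demo values.

```python
import hashlib
import hmac

# Constructed demo values: not real card data and not a real key derivation.
CARD_MASTER_KEY = b"demo-card-master-key-0001"
MAGSTRIPE_CVC = b"123"  # constructed CVC stored on the track, never printed


def static_cryptogram(cvc: bytes) -> bytes:
    """Static scheme: same key every time, so the same value every time."""
    return hmac.new(CARD_MASTER_KEY, cvc, hashlib.sha256).digest()


def session_key(atc: int) -> bytes:
    """Dynamic scheme: derive a per-transaction key from a transaction counter."""
    return hmac.new(CARD_MASTER_KEY, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def dynamic_cryptogram(cvc: bytes, atc: int) -> bytes:
    """The protected CVC changes with every transaction counter value."""
    return hmac.new(session_key(atc), cvc, hashlib.sha256).digest()


class Issuer:
    """Issuer host: holds the master key and the last counter seen for the card."""

    def __init__(self) -> None:
        self.last_atc = -1

    def verify_static(self, blob: bytes) -> bool:
        return hmac.compare_digest(blob, static_cryptogram(MAGSTRIPE_CVC))

    def verify_dynamic(self, atc: int, blob: bytes) -> bool:
        if atc <= self.last_atc:  # a counter that does not advance is a replay
            return False
        if not hmac.compare_digest(blob, dynamic_cryptogram(MAGSTRIPE_CVC, atc)):
            return False
        self.last_atc = atc
        return True


def static_replay_accepted() -> bool:
    skimmed = static_cryptogram(MAGSTRIPE_CVC)  # eavesdropped from one transaction
    return Issuer().verify_static(skimmed)  # the recorded value works again


def dynamic_replay_accepted() -> bool:
    issuer = Issuer()
    atc, skimmed = 7, dynamic_cryptogram(MAGSTRIPE_CVC, 7)
    first = issuer.verify_dynamic(atc, skimmed)  # the genuine transaction
    replay = issuer.verify_dynamic(atc, skimmed)  # same counter presented again
    return first and replay
```

Under the dynamic scheme the skimmer would also need the master key to produce a cryptogram for a fresh counter value, which is exactly what skimming a transaction does not yield.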
Then, I can't help making a few remarks about the use of payment cards and RFID in the US:
- Most of the world is turning to smart payment cards, based on the EMV standard, while the US will keep magstripe for a bit longer. The consequence is that the US could become quite attractive to attackers of all kinds, as the security level of payment cards rises elsewhere.
- RFID payment is not used only in the US. Many countries are interested in NFC technology, which enables payments through an RFID interface on a mobile phone. Asia is ahead, but there is strong interest in Europe. I don't have detailed information about the exact payment schemes, but they seem to be more secure than those in use in the US.