I recently exchanged posts with security consultant Chris Paget on PBS Newshour’s Web site (see Radio Frequency Identification Tags: Identity Theft Danger or Modern Aid?). The back-and-forth is long, and includes a discussion of the security of RFID-enabled credit cards. Paget wrote, “RFID tags in credit cards have made our credit card infrastructure less secure, and have significantly complicated the problems of how to detect and prevent credit card fraud. While the tags themselves have the capability to operate in a very secure manner, the architecture of the system is fatally flawed and introduces several additional attack vectors into a legacy technology that is horribly broken.”
I can’t believe the credit-card companies would introduce technology that makes fraud more likely, so to get the facts, I spoke with Elvira Swanson, a spokesperson for Visa, and Randy Vanderhoof, the executive director of the Smart Card Alliance. Both stated categorically that RFID-enabled credit cards are more secure than cards with data stored on magnetic stripes. One reason is that during the transaction, the card never leaves a consumer’s hand. In many cases, you have to hand over a magstripe card to a waiter or gas station attendant to swipe, thereby providing an opportunity for that individual to swipe the card through a device that can capture all of the card’s information, and potentially photocopy the back so that the signature can be forged.
According to Swanson, a magstripe card contains the card holder’s name, a 16-digit credit card number, an expiration date and a credit verification value (CVV)—a three- or four-digit number used in transactions in which the card is not present and the signature cannot be verified (mainly, online purchases). With this information, the card can then be cloned and the new card would be indistinguishable from the original. A criminal could also conduct transactions online without a problem.
RFID-enabled cards retain their magnetic stripe, so they can be used with existing point-of-sale terminals. Therefore, the information is still vulnerable. But the chip in the RFID transponder has additional security features that credit-card companies say make it more secure. Each time the card is used for a legitimate transaction, the chip generates a new CVV—which is different from the one printed on the card—and communicates that CVV to the network, which uses it to validate the next transaction. If someone were to skim information off the card, that person could not clone the card since the CVV is only good for a single transaction.
The electronic CVV is invalid for online transactions. So if a criminal skimmed a credit card and obtained the electronic CVV, and then tried to use it to buy something at a Web site that conducted a CVV check, the transaction would be rejected. The only way a skimmed card could be used online would be to purchase something at a site that doesn’t check either the cardholder’s name or the printed CVV. One benefit of RFID-enabled cards is that you are not handing over your card to a waiter or gas station attendant, who can then write down your credit-card number and the printed CVV, and use the card for online purchases.
In addition, Vanderhoof says, newer contactless cards host a key that creates a dynamic cryptogram—usually a three-digit security code—that is sent to the back-end system to uniquely identify each contactless transaction. The key used to create the cryptogram from the credit-card number, expiration date and so forth is never broadcast, so it cannot be skimmed using an RFID reader. Thus, there is no way to utilize a cloned card to execute a transaction at a store that accepts contactless payments.
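A simplified model of the per-transaction code described in the paragraphs above, added here as an illustration and not code from Visa, the Smart Card Alliance or any payment network. It assumes HMAC-SHA256 over the card number, expiration date and a transaction counter; the names `Card`, `Issuer` and `dynamic_code` and all sample values are hypothetical.

```python
import hashlib
import hmac

def dynamic_code(key: bytes, pan: str, expiry: str, counter: int) -> str:
    """Three-digit code bound to one transaction counter (assumed construction)."""
    msg = f"{pan}|{expiry}|{counter}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    """Chip side: holds the key and never includes it in what it transmits."""
    def __init__(self, key: bytes, pan: str, expiry: str):
        self._key, self.pan, self.expiry, self._counter = key, pan, expiry, 0

    def tap(self) -> dict:
        self._counter += 1
        code = dynamic_code(self._key, self.pan, self.expiry, self._counter)
        return {"pan": self.pan, "expiry": self.expiry,
                "counter": self._counter, "code": code}

class Issuer:
    """Back-end side: recomputes the code and refuses any counter already seen."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last[pan] = key, 0

    def authorize(self, msg: dict) -> bool:
        key = self._keys.get(msg["pan"])
        if key is None or msg["counter"] <= self._last[msg["pan"]]:
            return False  # unknown card, or a replayed/stale counter
        expected = dynamic_code(key, msg["pan"], msg["expiry"], msg["counter"])
        if not hmac.compare_digest(expected, msg["code"]):
            return False  # code was not produced with the card's key
        self._last[msg["pan"]] = msg["counter"]
        return True

def demo() -> dict:
    key = bytes(range(16))                        # constructed sample key
    card = Card(key, "4000000000000002", "1230")  # constructed sample card data
    issuer = Issuer()
    issuer.enroll(card.pan, key)
    first = card.tap()
    skimmed = dict(first)  # everything a reader in range would receive
    return {"genuine": issuer.authorize(first),
            "replay_of_skimmed": issuer.authorize(skimmed),
            "next_tap": issuer.authorize(card.tap()),
            "key_in_skimmed_data": "key" in skimmed}

if __name__ == "__main__":
    print(demo())
```

A three-digit code has only 1,000 possible values, so in this model the back end's counter check and a limit on failed attempts carry as much weight as the code itself.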
Swanson notes that there are no known cases of data being skimmed from contactless cards and used in fraudulent transactions (though it would be difficult for a fraudulent transaction to be traced back to someone having their RFID-enabled card skimmed). And Vanderhoof says there is no doubt that the use of contactless cards has reduced the threat to consumers.
“It is absolutely the case that contactless cards have added security over traditional cards,” Vanderhoof says. “The use of dynamic data on the card, the cryptogram and the way the transaction is handled all add up to more security than magstripe cards. This is definitely an improvement over existing technology. Until all cards have chips and the magstripe disappears, we will have fraud because of the legacy system.”
So to summarize, a magstripe is simply a way to store data on a card. Copy the data off that magstripe, and you have everything you need to create a duplicate card that can then be used for fraudulent transactions. With newer RFID-enabled cards, however, the chip in the transponder contains only a credit-card number, an expiration date and a dynamically generated CVV that is different from that printed on the card. This information is sent to the terminal along with a cryptogram that verifies the card’s authenticity.
The key can’t be skimmed since it isn’t broadcast, so it’s impossible to skim the key and clone the tag. Moreover, a new CVV is generated dynamically and sent to the back-end system for verification of the next transaction. This makes it very difficult to spoof the system and run a fraudulent transaction at a retailer that accepts contactless cards. And since the CVV dynamically generated by the RFID-enabled card differs from the one printed on the card, a skimmed CVV can’t be used for an online transaction at any site that performs a printed CVV check.
If Paget and others believe that the possibility of skimming makes RFID-enabled credit cards less secure, I would welcome them to explain why, by either posting a comment below or writing a response to this article.
Mark Roberti is the founder and editor of RFID Journal.