Using a scanner built from commonly available components, researchers at the University of Massachusetts, Amherst, were able to retrieve sensitive data from credit cards that use RFID technology.

Creditors have issued millions of such cards, saying that they can speed transactions, and many retailers now have technology that accepts the cards, which, instead of being swiped, transmit cardholder and account information through radio waves.

Supporters of the technology, including major credit card companies, argue that scanners must be within a few inches of a card to read it and that data on the cards is typically encrypted.

Other tests have shown that often the data on RFID chips can be read several feet away, and the researchers in this test pointed out that even if closer proximity is necessary, someone could walk among people in a crowd and easily get within a few inches of credit cards in wallets and purses.

Although the test was of a relatively small sample, the researchers also found that many of the cards transmit name and card number without encryption or with encryption that was easily cracked.

Tom Heydt-Benjamin, a graduate student and one of the researchers, compared the situation to walking down a street "wearing your name, your credit card number, and your card expiration date on your T-shirt."

New York Times, 23 October 2006 (registration req'd)



After lengthy delays resulting from security concerns, the United States has begun issuing passports equipped with RFID tags.

The tags, which transmit data including the passport holder's photo and signature, are susceptible to illicit scanners that "skim" the
information from unsuspecting individuals, according to those opposed to e-passports.

The U.S. State Department said it has implemented measures to address security concerns, including a metallic mesh woven into the cover of the passport that "makes it nearly impossible to access the chip when the book is closed."

Additionally, starting this week, all U.S. points of entry will have equipment to read and process information in e-passports issued by the more than two dozen countries in the Visa Waiver Program.

All of those countries issue e-passports, and visitors from those nations are not required to obtain a visa to enter the United States.

Critics said U.S. authorities have not addressed the problems associated with e-passports.

Kevin Mahaffey of security firm Flexilis wrote a report indicating that despite the mesh in the cover, the passports can still be read if they are open "even a fraction of an inch."

Internet News, 23 October 2006