November 21, 2006

Jack in the Box Adopts RFID Payments Despite Warnings


Despite warnings about the insecurity of contactless RFID credit cards, Jack in the Box is pushing forward with an unprecedented plan to install RFID card readers in its fast food restaurants. By the end of December, all Jack locations should have the infrastructure in place, according to a report at RFID Product News.

The New York Times recently ran a story revealing that virtually every RFID credit card tested by security researchers, including Visa, Mastercard, and American Express, was vulnerable to unauthorized charges and put consumers at risk for identity theft. Information like the credit card number, card holder's name, and expiration date could be gleaned right through purses, backpacks or wallets without consumer knowledge or consent using a relatively inexpensive device made with over-the-counter hardware. CASPIAN demanded a recall of the spychipped credit cards, but credit card companies have not even notified consumers about the risks.

Of course, identity thieves aren't the only concern. Those who have read our book "Spychips" know that "authorized users" of RFID technology have been planning to siphon information from RFID-laced credit, debit, and "loyalty" cards to deliver up targeted advertising and perform in-depth marketing research. One day, Jack could hide RFID readers in its restaurant doorways, order counters, tables and other locations to grab information you would never offer up voluntarily.

Next time you want to eat fast food, consider passing by Jack in the Box for a more consumer-conscious restaurant--and be sure to tell Jack that you oppose the use of RFID reader devices in public places.

- Liz McIntyre

Posted by liz at 2:55 PM | Comments (1)

October 27, 2006

Spychipped Credit Card Q & A


The recent NY Times article that reveals the security flaws of RFID-enabled credit cards has consumers wondering if the cards in their own wallets are putting them at risk. We've been getting lots of questions and thought it might be helpful to share some thoughts here about what steps cardholders can take to protect themselves and their identities.

Q. Am I really at any risk if I carry an RFID-enabled credit card?

A. Security researchers have demonstrated that someone can siphon your name, credit card number and other information from these cards right through your purse, backback, or wallet--without your knowledge or consent. If you tote the "spychipped" cards, you could be opening yourself up to identity theft and surreptitious tracking of your movements and behavior. This "someone" could be the credit card issuer or a retail store--it could also be a stalker or thief.

Q. Does my credit card contain an RFID tag? How can I tell?

A. Call your credit card company and ask if your card contains an RFID tag. RFID tags are so small and thin that they can be hidden within the plastic. An RFID tag communicates by silent, invisible radio waves. If you don't ask, you might never know that your card can beam back information like your credit card number, name etc. The exception is the American Express Blue card. You can see the RFID tag through the clear plastic.

Q. Don't credit card companies tell you when they send RFID-enabled credit cards and alert consumers to the information security issues?

A. Millions of RFID-enabled credit cards have been issued with innocent-sounding names like "Blink" and "EasyPay." Most consumers don't understand this is a way the card companies have been trying to get the public to accept the cards without needing to explain the serious privacy concerns. After all, the RFID industry's own studies have shown that 75% of consumers object to RFID on privacy grounds once they understand how it works and how companies plan to use it.

Q. What credit card brands contain RFID tags that have security issues?

A. I spoke with one of the researchers quoted in the NY Times article. He wouldn't reveal the names of the issuers of cards tested in the sample, but he said the team found problems across all brands, including Visa, MasterCard, and American Express.

Q. What should I do if my credit card contains an RFID tag?

A. We believe credit card companies should recall RFID-enabled credit cards that leak information about consumers. However, we haven't heard of any company taking this responsible action. It's going to be up to you to demand a replacement card that is spychip-free.

Most credit card issuers will send you a new card without an RFID tag at no charge. However, we've heard that American Express customer service representatives are telling consumers who call with concerns not to worry because they can disable the RFID functionality from headquaters.

The RFID-enabled American Express Blue card has dual functionality and contains two distinct credit card numbers. One number resides on the mag stripe. The other number resides on the embedded RFID tag. AMEX customer service representatives are likely disabling the card number that resides on the RFID tag in the company database. This should help prevent unauthorized purchases via numbers read by radio waves. HOWEVER, this is only a partial solution.

The tag within the card could still be read by authorized and unauthorized persons and be used to track you and your behavior. We are recommending that consumers demand a spychip-free version or take their business elsewhere. Do you really want someone to scan information about you through your purse, backpack or wallet without your knowledge or consent?

Note: Do not mail or throw away the RFID-enabled credit card before destroying the RFID tag. Tags can be read right through envelopes and trash. You can destroy the tag by shredding the card or by cutting or crushing the chip.

Q. Can I disable the RFID tag in my microwave?

A. Don't do it. While putting an RFID tag in the microwave can disable a tag, doing so can also start a fire and damage the microwave. (We recount our microwave disabling trials in our book "Spychips.")

If you have any other questions, send them to me, and I'll try to share an answer:

- Liz McIntyre

Posted by liz at 5:54 PM | Comments (5)

October 12, 2006

Do young people want microchip payment implants? Not really.


The sky is falling! Or is it? .

A breathless report in yesterday's UK Daily Mail proclaimed that "young shoppers want to pay with chip in skin." While this headline is certainly explosive (it got the attention of the Drudge report), it is also utterly preposterous. If you read the article, you will quickly discover that young people do NOT want to "pay with a chip in the skin." Indeed, 92% of them said they did not.

Picking up a survey in which virtually all respondents say they would NOT do something and reporting it as a ringing endorsement is misleading journalism, plain and simple. The Daily Mail should be ashamed.

But assuming there was some real news here, how significant is it that 8% of teens said they'd get a payment chip? Just for kicks, I looked around the net at other studies of UK teens. Let's compare a few statistics. While 8% of teens say they would consider a payment chip implant, another survey shows that 20% of teens are experiencing psychological problems at any given time, and nearly a third of college students have contemplated suicide at some point in their lives. Contemplating suicide would seem far more dramatic than considering a chip implant, yet we don't read stories proclaiming that UK youth are lining up in droves to kill themselves.

What's more, a third of UK teens reported vandalizing property within the last year, a quarter reporterd shoplifting, forty percent had binged on alcohol, and half reported committing at least one criminal act. [Source] In other words, teens (as we know) are still trying to figure out the basic rules of social behavior and self-control, and are likely to harm themselves in the process.

Given these other eye-opening statistics, the amazing part of the chipping study is that more teens didn't agree, even on paper (where there's no reality check in the form of a massive hypodermic needle), to get a chip implant.

What all this boils down to is that, statistically speaking, teens prefer suicide over chip implants. The headline should instead read, "I'd sooner kill myself than get chipped."

-Katherine Albrecht

Posted by Katherine Albrecht at 10:38 AM | Comments (3)

December 16, 2005

Cash, check, or iPod?

Here's the latest RF-based cashless payment method. It's an iPod, of all things, equipped with a radio frequency transmitter.

Though Contactless News calls it "cool," any time you use a unique ID number to make a payment (whether it's through a credit card, an iPod, or a chip implant) you create a trail of your purchases -- and your whereabouts.

To me, nothing says "cool" like a handful of anonymous greenbacks.


Source: Contactless News, 12-14-05

Posted by Katherine Albrecht at 4:28 PM | Comments (2)