November 21, 2006

Jack in the Box Adopts RFID Payments Despite Warnings


Despite warnings about the insecurity of contactless RFID credit cards, Jack in the Box is pushing forward with an unprecedented plan to install RFID card readers in its fast food restaurants. By the end of December, all Jack locations should have the infrastructure in place, according to a report at RFID Product News.

The New York Times recently ran a story revealing that virtually every RFID credit card tested by security researchers, including Visa, Mastercard, and American Express, was vulnerable to unauthorized charges and put consumers at risk for identity theft. Information like the credit card number, card holder's name, and expiration date could be gleaned right through purses, backpacks or wallets without consumer knowledge or consent using a relatively inexpensive device made with over-the-counter hardware. CASPIAN demanded a recall of the spychipped credit cards, but credit card companies have not even notified consumers about the risks.

Of course, identity thieves aren't the only concern. Those who have read our book "Spychips" know that "authorized users" of RFID technology have been planning to siphon information from RFID-laced credit, debit, and "loyalty" cards to deliver up targeted advertising and perform in-depth marketing research. One day, Jack could hide RFID readers in its restaurant doorways, order counters, tables and other locations to grab information you would never offer up voluntarily.

Next time you want to eat fast food, consider passing by Jack in the Box for a more consumer-conscious restaurant--and be sure to tell Jack that you oppose the use of RFID reader devices in public places.

- Liz McIntyre

Posted by liz at 2:55 PM | Comments (1)

October 27, 2006

Spychipped Credit Card Q & A


The recent NY Times article that reveals the security flaws of RFID-enabled credit cards has consumers wondering if the cards in their own wallets are putting them at risk. We've been getting lots of questions and thought it might be helpful to share some thoughts here about what steps cardholders can take to protect themselves and their identities.

Q. Am I really at any risk if I carry an RFID-enabled credit card?

A. Security researchers have demonstrated that someone can siphon your name, credit card number and other information from these cards right through your purse, backback, or wallet--without your knowledge or consent. If you tote the "spychipped" cards, you could be opening yourself up to identity theft and surreptitious tracking of your movements and behavior. This "someone" could be the credit card issuer or a retail store--it could also be a stalker or thief.

Q. Does my credit card contain an RFID tag? How can I tell?

A. Call your credit card company and ask if your card contains an RFID tag. RFID tags are so small and thin that they can be hidden within the plastic. An RFID tag communicates by silent, invisible radio waves. If you don't ask, you might never know that your card can beam back information like your credit card number, name etc. The exception is the American Express Blue card. You can see the RFID tag through the clear plastic.

Q. Don't credit card companies tell you when they send RFID-enabled credit cards and alert consumers to the information security issues?

A. Millions of RFID-enabled credit cards have been issued with innocent-sounding names like "Blink" and "EasyPay." Most consumers don't understand this is a way the card companies have been trying to get the public to accept the cards without needing to explain the serious privacy concerns. After all, the RFID industry's own studies have shown that 75% of consumers object to RFID on privacy grounds once they understand how it works and how companies plan to use it.

Q. What credit card brands contain RFID tags that have security issues?

A. I spoke with one of the researchers quoted in the NY Times article. He wouldn't reveal the names of the issuers of cards tested in the sample, but he said the team found problems across all brands, including Visa, MasterCard, and American Express.

Q. What should I do if my credit card contains an RFID tag?

A. We believe credit card companies should recall RFID-enabled credit cards that leak information about consumers. However, we haven't heard of any company taking this responsible action. It's going to be up to you to demand a replacement card that is spychip-free.

Most credit card issuers will send you a new card without an RFID tag at no charge. However, we've heard that American Express customer service representatives are telling consumers who call with concerns not to worry because they can disable the RFID functionality from headquaters.

The RFID-enabled American Express Blue card has dual functionality and contains two distinct credit card numbers. One number resides on the mag stripe. The other number resides on the embedded RFID tag. AMEX customer service representatives are likely disabling the card number that resides on the RFID tag in the company database. This should help prevent unauthorized purchases via numbers read by radio waves. HOWEVER, this is only a partial solution.

The tag within the card could still be read by authorized and unauthorized persons and be used to track you and your behavior. We are recommending that consumers demand a spychip-free version or take their business elsewhere. Do you really want someone to scan information about you through your purse, backpack or wallet without your knowledge or consent?

Note: Do not mail or throw away the RFID-enabled credit card before destroying the RFID tag. Tags can be read right through envelopes and trash. You can destroy the tag by shredding the card or by cutting or crushing the chip.

Q. Can I disable the RFID tag in my microwave?

A. Don't do it. While putting an RFID tag in the microwave can disable a tag, doing so can also start a fire and damage the microwave. (We recount our microwave disabling trials in our book "Spychips.")

If you have any other questions, send them to me, and I'll try to share an answer:

- Liz McIntyre

Posted by liz at 5:54 PM | Comments (5)

March 27, 2006

How to kill the spychips in your credit card

Has your bank issued you a new "contactless" or "smart" credit card or ATM card? Then you might be uncomfortable knowing that anyone with the right reader device could silently and invisibly read your account number - and potentially even charge something to it - right through your wallet, purse, or backpack.

What's a privacy-loving anti-RFID consumer to do? You can either refuse to use the card and demand one without an RFID tag in it (which is what I would do), or you can knock it silly with a hammer.

Ball peen hammer, as seen on Wikipedia.

If you choose the hammer option, here's an email I received with a link describing how it's done:

"I posted instructions on my website on how to disable the new PayPass chips that one of our regional banks started putting in their ATM cards. The information would probably apply to others as well."

-Katherine Albrecht

Posted by Katherine Albrecht at 12:55 PM | Comments (9)

January 5, 2006

Help! Greenpeace ate my bank balance!

Well, not mine, fortunately. But some UK Greenpeace supporters woke up one morning to find a gaping hole where their bank balance used to be. Turns out a computer glitch tacked two extra zeroes onto the monthly donations people had arranged to have automatically debited from their accounts to support the environmental group. The result was a 100-fold increase in the debit amount going to Greenpeace. (Egads! How did my $25 donation suddenly become $2500?)

This example illustrates the risks of letting others control the money flowing into and out of your bank account. Direct deposit and direct debit both leave me cold.

Source: Error hits Greenpeace donations, BBC News, 12/30/05

Posted by Katherine Albrecht at 10:10 AM | Comments (0)