About The Blog

Debate at the intersection of business, technology and culture in the world of digital money, both commercial and government, a blog born from the Digital Money Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Talk of the town

By davebirch posted Oct 24 2006 at 11:07 PM

[Dave Birch] Down here at the RSA Conference Europe, a couple of people asked me about the article in the New York Times concerning contactless card security. In particular, the potential for mail interception (since you can read the cards inside the envelope). As the article says, "Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers. Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen."

You know, I bet the US issuing banks never thought of that.


The specifics of the attacks discussed in the actual research paper aren't the point: it's what is implied in the newspaper article that bothers me. Does the New York Times think that (for example) MasterCard had never thought of the problem? That they didn't realise that the cards could be read through an envelope? That they didn't assess the risks?

The first generation of the US cards simply transmitted the cardholder name because it was easy to do and the banks wanted to get the cards out there to see if consumers and merchants liked them as much as the pilots and trials would suggest. Now that the personalisation systems have been upgraded, they can choose to send the cards out with (and I stress that this is just an example, I am not commenting on any specific scheme) the cardholder name set to "SUPPLIED/NOT" and the card number replaced with a pseudo-number. The point I'm making, I suppose, is that I'm a sensitive soul and I wouldn't like people reading these stories to get the impression that consultants (and I stress that I'm speaking for myself here) who have been working with international card schemes on contactless payments (for several years) know nothing about security and had never considered the possibility of eavesdropping on card-to-terminal transmissions or scanning envelopes in the mail. As I wrote a while ago, there are well-known ways to secure contactless transactions. When to implement them is a matter of risk analysis, which is something that banks are rather used to doing.
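To make the personalisation choice above concrete from the risk-analysis side, here is an added example (my own illustration, not code from the post, from Consult Hyperion or from any card scheme) of the kind of check an issuer might run over a candidate personalisation profile before cards go in the post. It asks what an eavesdropper would learn from a single read: is the real account number in the over-the-air data, and is a cardholder name in it? The flat `OverTheAirRecord` model, the `audit_record` and `looks_like_pan` helpers, the "4111111111111111" test number and the "DOE/JANE" name are all constructed assumptions; real cards return TLV-encoded EMV records, and the "SUPPLIED/NOT" placeholder and the pseudo-number idea are taken from the post as illustrations, not as any scheme's actual specification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the data a contactless card returns to a terminal.
# Real cards return TLV-encoded EMV records; this flat record is an
# assumption made only to illustrate the personalisation choices.
@dataclass(frozen=True)
class OverTheAirRecord:
    number: str   # the account number the card transmits
    name: str     # cardholder name field, SURNAME/FIRSTNAME style
    expiry: str   # YYMM

NAME_PLACEHOLDER = "SUPPLIED/NOT"  # placeholder value quoted in the post
NAME_PATTERN = re.compile(r"^[A-Z][A-Z' .-]*/[A-Z][A-Z' .-]*$")  # e.g. DOE/JANE


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test; a genuine PAN always passes it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(number: str) -> bool:
    """True when a transmitted number has the shape of a real PAN."""
    return number.isdigit() and 13 <= len(number) <= 19 and luhn_valid(number)


def audit_record(record: OverTheAirRecord,
                 account_pan: Optional[str] = None) -> List[str]:
    """Return what an eavesdropper would learn from one read of the card.

    account_pan is the real number on file for this card, if the auditor
    knows it; without it the number check falls back to shape alone.
    """
    findings: List[str] = []
    if account_pan is not None:
        if record.number == account_pan:
            findings.append("real PAN transmitted in the clear")
    elif looks_like_pan(record.number):
        findings.append("PAN-shaped number transmitted (cannot confirm it is real)")
    if record.name != NAME_PLACEHOLDER and NAME_PATTERN.match(record.name):
        findings.append("cardholder name transmitted in the clear")
    return findings


# Constructed profiles: first-generation personalisation beside the
# placeholder-name / pseudo-number variant the post describes.
ACCOUNT_PAN = "4111111111111111"   # well-known test number, not a real account
FIRST_GENERATION = OverTheAirRecord(ACCOUNT_PAN, "DOE/JANE", "0912")
PSEUDO_NUMBER = OverTheAirRecord("4000000000000002", NAME_PLACEHOLDER, "0912")

if __name__ == "__main__":
    for label, rec in (("first generation", FIRST_GENERATION),
                       ("pseudo-number", PSEUDO_NUMBER)):
        print(f"{label}: {audit_record(rec, ACCOUNT_PAN) or ['nothing identifying']}")
```

The two profiles give the two ends of the risk analysis the post talks about: the first-generation record yields both the real number and the name, the pseudo-number record yields neither, and whatever an issuer decides is acceptable in between is a business decision rather than an oversight.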

