Known in espionage circles as the brush-pass, this technique refers to transferring a message between “agents” in some crowded space, such as on a subway or when they pass on a busy street.
Such is the basis of not only spy fiction but real-world tradecraft as well, because it is incredibly difficult to detect if performed with even moderate skill. (Don’t ask me how I know.)
Unfortunately, this may also soon apply to the credit cards right in your wallet because all the new instant payment credit and debit cards appear to be designed to let cyberthieves steal your account information as easily as walking through a holiday shopping crowd, or bumping into you in a subway.
It is well known that it may be possible to capture the information on one of these new cards by merely passing a detector near the RFID card in a crowd, but the shocking new information is that a lot of the critical information on the card is NOT EVEN ENCRYPTED!
The vulnerability of the new cards, which are being promoted on TV with a commercial showing a runner stopping by for a quick purchase during a race, has been exposed by tests at U. Mass. Amherst, according to a report on CNET’s News.com.
The fact that Tom Heydt-Benjamin was able to demonstrate that a card inside an envelope could easily be scanned wasn’t news, but the information gleaned by his computer from the scan was far from comforting – it showed the name of the card holder in plaintext, along with the card number and expiration date – all that many businesses require to place a merchandise charge.
The RFID reader he built would cost under $150 and I predict they will soon be available from underground online sites for less than $100. They could easily be made very compact.
Tests of cards from Visa, MasterCard, and American Express all showed the same vulnerabilities, so I also look for legitimate companies to begin to offer RF shields for cards or even RF-shielded wallets.