You can now obtain a sticker that acts as a credit card. That’s right, you read me correctly: you can stick it to your cell phone, wallet, shoe, coffee mug, etc. The possibilities are endless! Actually, I’ve exaggerated a bit. You can stick the sticker almost everywhere, but the technology is not so new. In fact, the credit-card-sticker has been in use in Japan and Malaysia for some time now.
The sticker contains a chip that uses Radio-frequency identification (RFID) to emit a signal. That signal, like the magnetic strip on your average credit card, contains information that allows you to “charge” a purchase. Sound familiar? You may be using RFID already, in the MobilePass wand that you use at the gas station. The Chicago Transit Authority has been utilizing RFID for years, and the New York Transit Authority is preparing to start a trial. In fact, your very own United States passport may contain RFID technology.
So why am I such a scaredy-cat? I received a replacement credit card today because my account number “may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use.” I was not informed of the time, place, or manner of the “compromise,” and if the identity of the “compromisers” or their methods are known, I remain ignorant of them. I’m leery of the credit-card-sticker because where there’s a will, there is a way.
History suggests that RFIDs can be remotely read and stolen, cloned, infected, or otherwise used for unintended purposes. Now, Visa is preparing to launch a product that allows you to use your phone as a credit card (and not just in Malaysia). This means that if you’re using the technology and you lose your phone, you may be losing your expensive toy, contacts, pictures, applications, etc. stored on that expensive toy, and control over the use of one or several of your credit card accounts. Sure, there are ways to encrypt this information, but with every safeguard comes a more determined hacker. I’m going to stick to the inconvenient plastic card because the “authorities” are used to tracking its thieves and (I would not discount this factor) it’s probably less sexy to steal!
The skimming of RFID data has been ongoing for a while now. Many credit card providers offer a key fob RFID device such as the "PayPass" that can be read from a distance of up to 2 or 3 feet away. Credit card thieves, using custom adapters on pocket PCs, have been caught "harvesting" PayPass IDs in crowded areas.
This article from the "Needs of the many" blog points out the inherent insecurity of RFID as an identifier in business transactions.
RFID is not without reasonable uses. They are excellent for inventory management of plane assets. Similarly, an RFID asset tag can be embedded in expensive electronic equipment to aid in recovery if the gear is stolen.
Using an RFID for credit card transactions is slightly more secure than having your credit card number and security code embroidered as 2-inch-tall hot pink numbers on the back of your coat.
RFID tags lead to a similar threat of abuse as universal ID numbers, as I mentioned last week.
One can buy <a href="http://www.google.com/products?hl=en&q=rfid+shield+wallet" title="Google Products" target="_blank" rel="nofollow">shielded wallets and pocket liners</a> to prevent scanning of tags in credit cards until they are pulled out.
Or here's how to make your own <a href="http://www.rpi-polymath.com/ducttape/RFIDWallet.php" target="_blank" rel="nofollow">RFID Blocking Wallet</a> using aluminum duct tape (not to be confused with that sticky fabric Duck tape, designed and named for amphibious vehicles).