New Credit Cards May Leak Personal Information
http://news.yahoo.com/s/pcworld/20070216/tc_pcworld/129096;_ylt=A0WTUeOD9tVFrwkA7SwjtBAF
from above:
You may be carrying a new type of credit card that can transmit your personal
information to anyone who gets close to you with a scanner.
The new cards--millions of which have been issued over the past year--use RFID, or Radio Frequency Identification, technology. RFID allows scanners to use radio signals at varying distances to read information stored on a computer chip.
... snip ...
this is somewhat discussed in a recent post
http://www.garlic.com/~lynn/aadsm26.htm#35 Failure of PKI in messaging
i.e. x9.59 eliminating divulged account number as a vulnerability ...
effectively substituting
authentication & integrity for privacy/confidentiality (leading to claim that
x9.59 was privacy agnostic)
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy
The other item mentioned in the article was leaking names. Part of the x9a10
financial standard working group ... starting in the mid-90s ... was taking
into account an EU-directive (from the period) that electronic point-of-sale
transactions should be as anonymous as cash. Somewhat the x9a10 assertion was
that the name on the credit card was required so that the point-of-sale clerk could do
additional authentication by matching that name with the name on various forms
of identification. Given a sufficiently high integrity authentication
implementation ... the additional forms of authentication could be eliminated
and therefore the name on the card could be eliminated.
This also goes along with similar earlier discussions about RFID-enabled
passports
http://www.garlic.com/~lynn/aadsm25.htm#45 Flaw in RFID-enabled passports
http://www.garlic.com/~lynn/aadsm26.htm#0 Flaw in RFID-enabled passports (part 2?)
i.e. avoid unnecessarily spraying personal information all over the world
http://www.garlic.com/~lynn/aadsm26.htm#29 News.com: IBM donates new privacy tool to open-source Higgins
the parallel was drawn between these mechanisms deploying static data personal
identification information infrastructures and the x.509 identity digital
certificates from the early 90s ... also raising their own enormous privacy
issues. In that period, there were even suggestions that the x.509 identity
digital certificates could be overloaded with sufficient personal information
that they could also serve as electronic driver licenses and passports.
In the x9.59/aads model ... simple strong authentication and integrity is used
with sufficient countermeasures for things like replay attacks and other kinds
of exploits ... eliminating requirements for significant amounts of additional
personal information for transactions
http://www.garlic.com/~lynn/x959.html#aads
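
An added example, not part of the original post and not the X9.59 wire format: a sketch of the model described above, where the issuer authorizes on a per-transaction signature plus a replay check, so a skimmed account number is not enough and no name is carried. The `Txn` layout, the counter-based replay check, the choice of Ed25519 and all sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Txn is a hypothetical layout (not the X9.59 wire format); it has no name field.
type Txn struct {
	Account, Merchant string
	Cents, Counter    uint64 // Counter must strictly increase per account
	Sig               []byte
}

// signedBytes covers every field; %q quoting keeps the encoding unambiguous.
func (t Txn) signedBytes() []byte {
	return []byte(fmt.Sprintf("%q %q %d %d", t.Account, t.Merchant, t.Cents, t.Counter))
}

// Issuer keeps the public key registered for each account and the last counter seen.
type Issuer struct {
	keys map[string]ed25519.PublicKey
	last map[string]uint64
}

// Authorize accepts only a transaction signed by the account's key and not seen before.
func (i *Issuer) Authorize(t Txn) error {
	pub, ok := i.keys[t.Account]
	if !ok || !ed25519.Verify(pub, t.signedBytes(), t.Sig) {
		return errors.New("not authenticated")
	}
	if t.Counter <= i.last[t.Account] {
		return errors.New("replay")
	}
	i.last[t.Account] = t.Counter
	return nil
}

// demo (constructed values): a fresh payment, its replay, and a skimmed-account-number attempt.
func demo() (fresh, replayed, skimmed error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	iss := &Issuer{map[string]ed25519.PublicKey{"ACCT-EXAMPLE": pub}, map[string]uint64{}}
	t := Txn{Account: "ACCT-EXAMPLE", Merchant: "shop-17", Cents: 1299, Counter: 1}
	t.Sig = ed25519.Sign(priv, t.signedBytes())
	fresh, replayed = iss.Authorize(t), iss.Authorize(t) // second call is the replay
	return fresh, replayed, iss.Authorize(Txn{Account: "ACCT-EXAMPLE", Merchant: "shop-17", Cents: 5, Counter: 2})
}

func main() { fmt.Println(demo()) }
```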