Re: New Credit Cards May Leak Personal Information
| New Credit Cards May Leak Personal Information
| http://news.yahoo.com/s/pcworld/20070216/tc_pcworld/129096;_ylt=A0WTUeOD9tVFrwkA7SwjtBAF
|
| from above:
|
| You may be carrying a new type of credit card that can transmit your personal
| information to anyone who gets close to you with a scanner.
|
| The new cards--millions of which have been issued over the past year--use
| RFID, or Radio Frequency Identification, technology. RFID allows scanners to
| use radio signals at varying distances to read information stored on a
| computer chip.
| ... snip ...

This was reported a couple of months back. (In fact, if you follow the links, they get you to a draft version of the report from October of last year.)

What struck me in this whole story was:

- The gross stupidity of fielding, in this day and age and after all that has happened, a system that leaks valuable information so readily and pointlessly.
- The classic response from the vendors: "Oh, yes, that was in old versions of the stuff that no one actually uses, we fixed all that *long* ago" - conveniently ignoring the fact that the study targeted a number of cards found "in the wild", from multiple sources.

-- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

New Credit Cards May Leak Personal Information
New Credit Cards May Leak Personal Information
http://news.yahoo.com/s/pcworld/20070216/tc_pcworld/129096;_ylt=A0WTUeOD9tVFrwkA7SwjtBAF

from above:

You may be carrying a new type of credit card that can transmit your personal information to anyone who gets close to you with a scanner.

The new cards--millions of which have been issued over the past year--use RFID, or Radio Frequency Identification, technology. RFID allows scanners to use radio signals at varying distances to read information stored on a computer chip.

... snip ...

this is somewhat discussed in recent post

http://www.garlic.com/~lynn/aadsm26.htm#35 Failure of PKI in messaging

i.e. x9.59 eliminating divulged account number as a vulnerability ... effectively substituting authentication & integrity for privacy/confidentiality (leading to claim that x9.59 was privacy agnostic)

http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy

The other item mentioned in the article was leaking names. Part of the x9a10 financial standard working group ... starting in the mid-90s ... was taking into account an EU-directive (from the period) that electronic point-of-sale transactions should be as anonymous as cash. Somewhat the x9a10 assertion was that name on credit card was required so that point-of-sale clerk could do additional authentication by matching that name with the name on various forms of identification. Given a sufficiently high integrity authentication implementation ... the additional forms of authentication could be eliminated and therefore the name on the card could be eliminated.

This also goes along with similar earlier discussions about RFID-enabled passports

http://www.garlic.com/~lynn/aadsm25.htm#45 Flaw in RFID-enabled passports
http://www.garlic.com/~lynn/aadsm26.htm#0 Flaw in RFID-enabled passports (part 2?)

i.e. avoid unnecessarily spraying personal information all over the world

http://www.garlic.com/~lynn/aadsm26.htm#29 News.com: IBM donates new privacy tool to open-source Higgins

the parallel was drawn between these mechanisms deploying static data personal identification information infrastructures and the x.509 identity digital certificates from the early 90s ... also raising their own enormous privacy issues. In that period, there were even suggestions that the x.509 identity digital certificates could be overloaded with sufficient personal information that they could also serve as electronic driver licenses and passports.

In the x9.59/aads model ... simple strong authentication and integrity is used with sufficient countermeasures for things like replay attacks and other kinds of exploits ... eliminating requirements for significant amounts of additional personal information for transactions

http://www.garlic.com/~lynn/x959.html#aads
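
The point made in the message above, that an account number stops being worth protecting once every transaction must carry its own authentication plus a replay countermeasure, sketched as an added example that is not part of the original thread and is not the X9.59 message format. The `Txn` layout, the per-account counter, the choice of Ed25519 and the `TEST-0001` account value are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

var ErrBadSig, ErrReplay = errors.New("bad signature"), errors.New("replayed counter")
// Txn is a layout constructed for this sketch (not the X9.59 format); it has no name field.
type Txn struct {
	Account        string // treated as public: knowing it authorizes nothing
	Cents, Counter uint64 // Counter is the assumed replay countermeasure
	Sig            []byte // card's signature over the three fields above
}
func (t Txn) signedBytes() []byte {
	return []byte(fmt.Sprintf("%q %d %d", t.Account, t.Cents, t.Counter))
}

// Issuer holds one registered public key and the last accepted counter per account.
type Issuer struct {
	keys map[string]ed25519.PublicKey
	last map[string]uint64
}

// Authorize checks the signature first, so only authentic messages advance the counter.
func (is *Issuer) Authorize(t Txn) error {
	pub, ok := is.keys[t.Account]
	if !ok || !ed25519.Verify(pub, t.signedBytes(), t.Sig) {
		return ErrBadSig
	}
	if t.Counter <= is.last[t.Account] {
		return ErrReplay
	}
	is.last[t.Account] = t.Counter
	return nil
}

// Demo: a genuine payment, the same message presented again, and a new payment
// built by a party holding only the account number and a previously seen signature.
func Demo() (genuine, replay, forged error) {
	pub, card, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	is := &Issuer{keys: map[string]ed25519.PublicKey{"TEST-0001": pub}, last: map[string]uint64{}}
	t := Txn{Account: "TEST-0001", Cents: 1250, Counter: 1}
	t.Sig = ed25519.Sign(card, t.signedBytes())
	genuine, replay = is.Authorize(t), is.Authorize(t) // calls evaluated left to right
	f := Txn{Account: "TEST-0001", Cents: 99900, Counter: 2, Sig: t.Sig} // old signature reused
	return genuine, replay, is.Authorize(f)
}
func main() { fmt.Println(Demo()) }
```

The issuer stores no name and no shared secret, so nothing it holds, and nothing a reader near the card can capture, is enough to produce an acceptable transaction.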