Monday, October 23, 2006

RFID Credit Cards and Fraud

NYTimes reports that a few of the new RFID-enabled credit card products will transmit the bearer's name, credit card number, and expiration date unencrypted to any RFID reader that gets close enough to ask for them.

Typically, a fraud investigator can zero in on a source of stolen credit card numbers using data-mining techniques. e.g., when it turns out that a given set of victims of credit card fraud all shopped from the same business within a period of a few months, that particular business is a good place to start asking questions.

And what's interesting about this attack is that data mining comes up empty. Victims whose credit card numbers were skimmed on subways and in elevators would not have anything in common that might emerge from typical data-mining techniques, except perhaps, for geographic proximity.