In our 20/20 story about the security problems of the Speedpass we said that without better security, any credit cards using RF technology will be vulnerable to the same weaknesses as the Speedpass. The Smart Card Association contacted us to say that they have already created more secure RF technology. We invited them to give us a statement, which is below.
Statement by Randy Vanderhoof, executive director, Smart Card Alliance
I am responding to the June 16th 20/20 segment, "Got Tape? You Can Steal an Identity." After viewing the program and reading the transcript, I would like to point out that the section of the report that covers RFID technology is factually inaccurate and misleading. The new credit cards and e-passport that include contactless technology are based on secure "smart card" technology and have built-in security features not found in Speedpass and therefore counter the risks discussed in this story.
The Johns Hopkins research that highlighted vulnerabilities in the ExxonMobil Speedpass payment application cannot be generalized to indict all RF-based technologies as having security flaws. There is a wide range of RF technologies used for a variety of applications -- each with different operational parameters, frequencies, read ranges and capabilities to support security and privacy features.
The report specifically states that using RF technology introduces risk to both credit cards and the new ePassport until they are made secure. This is not factually accurate, because both already have built-in security features that eliminate the risks presented in the story.
Contactless credit card payment, as implemented by American Express, MasterCard and Visa, was designed to be more secure than traditional magnetic stripe cards and RFID technologies like Speedpass. Contactless payment transactions are processed through the same secure financial payment networks as magnetic stripe card transactions. The primary difference is that the contactless payment device uses a smart card chip and antenna and radio frequency (RF) technology to send payment account information to the merchant's POS terminal, instead of requiring the payment card's magnetic stripe to be swiped. In addition to the security already built into the financial payment networks, American Express, MasterCard and Visa contactless payment implementations support features that are designed specifically for contactless card transactions. For example, every contactless payment transaction generates an individual one-time numeric value that is unique to that transaction. This means that transaction information cannot be used to "replay" another contactless transaction and purchase goods fraudulently using the same transaction data. Consumers using their contactless cards at payment terminals that support contactless do not have to surrender either the card or their account information to a clerk during a transaction, eliminating the risk that is present with magnetic stripe cards that unscrupulous clerks could use to skim credit card data.
The new U.S. ePassport also has implemented secure contactless technology, using the same international standard smart card chip technology used by credit and debit card issuers, which includes other unique security features. For example, the ePassport application requires a physical scan of information in the passport, prior to communicating any personal information via RF from the ePassport to the reader.
Randy Vanderhoof, Executive Director
Smart Card Alliance
191 Clarksville Road, Princeton Junction, New Jersey, 08550 USA