The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government. ”But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and [credit card number] was being transmitted without encryption and in plain text.
Sounds like RFID Credit Cards are as bad as they could possibly be. Response from the PR people at the credit card companies is also as bad as it could possibly be. “This is an interesting technical exercise,” said Brian Triplett, senior vice president for emerging-product development for Visa, “but as a real threat to a consumer — that threat really doesn’t exist.”
Brian Triplett sounds like Marie Antoinette. If there is a single RFID credit card that has my name, just my name, unencrypted, that is a privacy threat to the consumer that is unacceptable. Period. But it gets worse: The companies, however, argue that testing just 20 cards does not provide an accurate picture of the card market, which generally uses higher security standards than the cards that were tested. “It’s a small sample,” said Art Kranzley, an executive with MasterCard. “This is almost akin to somebody standing up in the theater and yelling, ‘Fire!’ because somebody lit a cigarette.”
The choice of analogy here is obviously intended to imply that the researchers may not have the legal right to tell the public what they are telling them. Its an implicit threat. Glad I don't have a Mastercard. |