Going Cashless with RFID Despite Huge Risks
by Eleanor Bell via stele - ABC (Oz) Tuesday, Jan 31 2012, 3:23am
Consumers warned over tap-and-pay technology
Banks, financial institutions and now internet service providers are tapping into the market for contact-free payment systems
Exploitable RFID wireless transaction
It is a time-saving temptation for busy people, but tech experts say consumers must be aware of the risks when opting for the technology.
Contactless credit cards and mobile phone chips connect to payment terminals via a short range radio frequency identification (RFID).
Unlike traditional payment methods, they do not require a signature or PIN to verify the card holder's identity.
Professor Rob Livingston from the University of Technology says it is a win-win for banks and retailers because cash is expensive.
"There's a number of benefits, some of which relate to increased customer service, a lower per-transaction cost and more importantly the potential elimination of cash," he said.
"For many organisations that are dealing with the public, the cost of maintaining cash is quite expensive.
"Moving to the cashless environment has got distinct advantages in that context."
Professor Livingstone says perhaps the biggest benefit to companies is the creation of a digital signature - a complete record of spending habits, no matter how small.
And that data is worth money.
"For each transaction that you put through the financial system you essentially have got a trail. That is worth something in terms of your spending pattern," he said.
But internet vulnerability experts warn that data can be vulnerable to third parties.
"Cloning is a big problem with RFID solution, being able to read the data remotely with various tools and software so you can track people, you can collect information," Hacklab.com's Chris Gatford said.
"There's been some very famous attacks where people have been reading passport numbers and other serial numbers from RFID-enabled cards.
"Proximity cards, such as the one that you use to get into your secured building, those have been cloneable for quite some time.
"There's all sorts of attack methods available to wireless communication."
While he says it is unlikely tap-and-pay credit cards will be cloned, there are other ways criminals can maliciously access both your money and your details.
"Probably one of the first attacks that we're most likely to see being used by criminals are probably relay attacks," he said.
"When you have your phone in your pocket or your card in your wallet and attackers work out a mechanism to activate the card in your pocket, relay the transaction somewhere else, maybe not even in the country and perform a transaction at a terminal by another party, stealing money from that particular account.
"That's probably the most likely attack that we'll see occurring in the future."
Due in part to the lack of terminals, Australians have been slow to adopt the tap technology.
But that is about to change with Australia's two largest supermarket chains beginning nationwide roll-outs of the technology next month.
© 2012 ABC
<< back to stories