I wrote the other day about the safety of RFID-based, “contactless” credit cards. In that piece, I cited another article that made a variety of claims about the security of these cards, including the fact that your data is encrypted prior to transmission.
As a follow-up, I just wanted to point out a NY Times article on the same subject that claims that credit cards often transmit your data unencrypted. The test described in this article was based on a sample of 20 credit cards from Visa, MasterCard, and American Express.
Unfortunately, the article didn’t actually provide details on how many of the cards that were tested failed to encrypt the data, so it’s hard to determine how widespread this problem is. Moreover, that article is over two years old, and it’s unclear (at least to me) how much things have changed with regard to the RFID technology that card issuers are using. It’s also worth noting that this study was carried out by a company that specializes in data encryption techniques (RSA), so it’s not exactly unbiased.
Nonetheless, a recent article over at BoingBoing.net talked about how to steal unencrypted data from an RFID-enabled credit card using just $8 worth of gear. While others have claimed that the risks associated with unencrypted data are incredibly slim, it amazes me that credit card issuers wouldn’t implement at least rudimentary security features when designing these cards.