New Credit Cards May Leak Personal Information

Anne & Lynn Wheeler lynn at garlic.com
Fri Feb 16 13:50:50 EST 2007


New Credit Cards May Leak Personal Information
http://news.yahoo.com/s/pcworld/20070216/tc_pcworld/129096;_ylt=A0WTUeOD9tVFrwkA7SwjtBAF

from above:

You may be carrying a new type of credit card that can transmit your personal information to anyone who gets close to you with a scanner.

The new cards--millions of which have been issued over the past year--use RFID, or Radio Frequency Identification, technology. RFID allows scanners to use radio signals at varying distances to read information stored on a computer chip. 

... snip ...

this is somewhat discussed in a recent post
http://www.garlic.com/~lynn/aadsm26.htm#35 Failure of PKI in messaging

i.e. x9.59 eliminating divulged account number as a vulnerability ... effectively substituting
authentication & integrity for privacy/confidentiality (leading to claim that x9.59 was privacy agnostic)
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy

The other item mentioned in the article was leaking names. Part of the x9a10 financial standard working group ... starting in the mid-90s ... was taking into account an EU-directive (from the period) that electronic point-of-sale transactions should be as anonymous as cash. Somewhat the x9a10 assertion was that name on credit card was required so that point-of-sale clerk could do additional authentication by matching that name with the name on various forms of identification. Given a sufficiently high integrity authentication implementation ... the additional forms of authentication could be eliminated and therefore the name on the card could be eliminated.

This also goes along with similar earlier discussions about RFID-enabled passports
http://www.garlic.com/~lynn/aadsm25.htm#45 Flaw in RFID-enabled passports
http://www.garlic.com/~lynn/aadsm26.htm#0 Flaw in RFID-enabled passports (part 2?)

i.e. avoid unnecessarily spraying personal information all over the world
http://www.garlic.com/~lynn/aadsm26.htm#29 News.com: IBM donates new privacy tool to open-source Higgins

the parallel was drawn between these mechanisms deploying static data personal identification information infrastructures and the x.509 identity digital certificates from the early 90s ... also raising their own enormous privacy issues. In that period, there were even suggestions that the x.509 identity digital certificates could be overloaded with sufficient personal information that they could also serve as electronic driver licenses and passports.

In the x9.59/aads model ... simple strong authentication and integrity is used with sufficient countermeasures for things like replay attacks and other kinds of exploits ... eliminating requirements for significant amounts of additional personal information for transactions
http://www.garlic.com/~lynn/x959.html#aads
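
Added example, not part of the original post and not x9.59 code: a sketch of the model described above, in which an account accepts only authenticated transactions, so a divulged account number alone authorizes nothing and no cardholder name is carried. The Issuer class, the field names, the sequence-number replay check and the use of HMAC-SHA256 as a standard-library stand-in for the card's signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

def _mac(key, txn):
    # Canonical encoding so card and issuer authenticate identical bytes.
    msg = json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Issuer:
    """Hypothetical issuer: every transaction on an account must authenticate."""
    def __init__(self):
        self._keys = {}      # account number -> per-account authentication key
        self._last_seq = {}  # account number -> highest sequence number accepted

    def enroll(self, account):
        key = secrets.token_bytes(32)
        self._keys[account] = key
        self._last_seq[account] = 0
        return key  # held inside the card's chip, never sent over the air

    def authorize(self, txn, tag):
        key = self._keys.get(txn.get("account"))
        if key is None:
            return "unknown-account"
        if not hmac.compare_digest(tag, _mac(key, txn)):
            return "bad-authentication"  # integrity or authentication failure
        if txn["seq"] <= self._last_seq[txn["account"]]:
            return "replay"              # replay countermeasure
        self._last_seq[txn["account"]] = txn["seq"]
        return "approved"

def card_sign(key, account, amount_cents, merchant, seq):
    # Note: no cardholder name anywhere in the transaction.
    txn = {"account": account, "amount": amount_cents, "merchant": merchant, "seq": seq}
    return txn, _mac(key, txn)

def demo():
    issuer = Issuer()
    account = "0000-CONSTRUCTED-0001"  # constructed sample value
    key = issuer.enroll(account)
    txn, tag = card_sign(key, account, 1999, "shop-a", 1)
    results = {"genuine": issuer.authorize(txn, tag)}
    results["replayed"] = issuer.authorize(txn, tag)
    # A party that learned only the account number has no valid tag.
    number_only = {"account": account, "amount": 50000, "merchant": "shop-b", "seq": 2}
    results["number_only"] = issuer.authorize(number_only, bytes(32))
    # A captured tag does not cover a modified transaction.
    results["altered"] = issuer.authorize(dict(txn, amount=999999, seq=2), tag)
    return results
```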
