- Consumer watchdog group CASPIAN is demanding a recall
of millions of RFID-equipped contactless credit cards in light of serious
security flaws reported today in the New York Times. The paper reports
that a team of security researchers has found that virtually every one
of these cards tested is vulnerable to unauthorized charges and puts consumers
at risk for identity theft.
- Radio Frequency Identification (RFID) is a controversial
technology that uses tiny microchips to transmit information at a distance.
These RFID microchips have earned the nickname "spychips" because
the data they contain can be read silently and invisibly by radio waves
without an individual's knowledge or consent. The technology has long been
the target of criticism by privacy and civil liberties groups.
- "For these financial institutions to put RFID in
credit cards, one of the most sensitive items we carry, is absolute lunacy,"
said Dr. Katherine Albrecht, founder and director of CASPIAN, a consumer
group with over 12,000 members in 30 countries worldwide.
- Researchers are showing how a thief could skim information
from the cards right through purses, backpacks and wallets. This information
includes the cardholder's name, credit card number, expiration date and
other data that would be sufficient to make unauthorized purchases. They
say the information could even be used to identify and track people, a
scenario Albrecht and co-author Liz McIntyre lay out in their book, "Spychips:
How Major Corporations and Government Plan to Track Your Every Purchase
and Watch Your Every Move."
- Despite earlier assurances by the issuing companies that
the data contained in the credit cards would be secure, researchers found
that the majority of cards they tested did not use encryption or protect
the data in any way. The information on them was readily available to unauthorized
parties using equipment that could be assembled for as little as $50, the
- "We cautioned companies against using item-level
RFID, and they didn't heed us. Now the credit card industry is facing an
unprecedented PR and financial disaster," says McIntyre, who is also
a former bank examiner. She points to the astronomical cost to replace
the cards, not to mention the potential financial losses, litigation expenses,
and erosion of consumer trust.
- Albrecht and McIntyre are calling on the industry to
issue a public alert detailing the dangers of the cards they've issued,
institute an active recall, and make safe versions without RFID available
to concerned consumers.
- "This recall has to be very clear and very directed
since consumers may not know their cards contain RFID tags," says
Albrecht. "The industry has repeatedly resisted calls to clearly label
the cards. Rather, they've given the cards innocent-sounding names like
- CASPIAN is advising consumers to immediately remove the
credit cards from their wallets and call the 800 number on the back to
insist on an RFID-free replacement card. The group is cautioning consumers
not to mail the cards back or simply throw them away due to the risk of
their personal information being skimmed.
- Today's New York Times article by John Schwartz can be
found here: http://www.nytimes.com/2006/10/23/business/23card.html?ref=business
- A research report detailing the findings can be found
- ABOUT CASPIAN
- CASPIAN (Consumers Against Supermarket Privacy Invasion
and Numbering) is a grass-roots consumer group fighting retail surveillance
schemes since 1999. With thousands of members in all 50 U.S. states and
over 30 countries worldwide, CASPIAN seeks to educate consumers about marketing
strategies that invade their privacy and encourage privacy-conscious shopping
habits across the retail spectrum.
- For more information, visit CASPIAN's RFID privacy website