
Re: RFID Flap Silences Security Researchers



"Dan Lanciani" <ddl@danlan.*com> wrote in message

<stuff snipped>

> Given that the CVV2 is not (as yet) used for card-present transactions,
> has anyone considered obscuring or obliterating it on the physical card?

I haven't obscured mine, but I did notice, while inspecting for RFID chips
in my new card, that the rough-surfaced paper signature block on the reverse
is now colored and banded and has the last four digits of the card number
stamped in front of the CVV2.  It's thick enough that the strip might be
the RFID chip but the cards I've seen that have it are quite obviously RFID
chipped.  I assume the RFID chip has to be located outside the stamping area
so it's likely not in the strip.  But how will card holders really know if
they are chipped without a scanner if they managed to sandwich it into the
card unnoticeably?

I don't believe my newest card has RFID.  But I am also a low volume card
user.  My suspicion is that RFID cards are going to people that use them
frequently for in-person transactions.  I haven't handed my card to someone
who would take it out of my sight in 20 years, at least.  That's when I
*first* learned about skimming while doing IT for local restaurants.  And
liquor watering.  And triple bookkeeping.  And so much more.  There's a
reason mobsters like restaurants.  They are awash in liquor, credit card
numbers, cash and transient workers as well as needing frequent garbage
pickups.

As for CVV2's, in a recent series by Brian Krebs of the Washington Post on
card theft rings,

http://www.google.com/search?hl=en&safe=off&q=+credit+card+fraud+Brian+Krebs

the lists of stolen numbers that command the highest premium are the ones
that advertise as "all CVV2s and billing addresses included."  Apparently
knowing the billing address helps them fly under the automatic fraud
detection software VISA and MC use.

As for the back of the card, one of the TV news shows had a blonde female
tester using the unsigned PHOTO card of a dark-haired, oriental male
producer for the show.  Never a problem, although one clerk volunteered "you
have to sign the card" but took it, unsigned, anyway.  Look at it from the
clerk's POV - who's to prove it wasn't signed a month from now when someone
gets the bill?  Also, if the woman DID sign the card that wasn't hers at the
store, it would pretty obviously be a perfect match for the receipt that she
just signed!

Bringing this back around to HA, wouldn't an RFID reader scanning a wallet
generate a pretty unique "key" - if you have 5 different cards, the scanner
should be reading the equivalent of an 80 digit security code?  Part of the
beauty and curse of RFID is that it can read a lot of tags in a single
swipe.  I wouldn't mind putting a reader at butt height that scanned my
wallet to let me in the house.

--
Bobby G. (feeling better about using cash more and more!)




