The following text is copyright 2006 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
More 'security as an afterthought'
By Scott Bradner
The top story in the New York Times business section on October 23rd details a perfect example of businesses developing a product and only thinking seriously about security or privacy after someone else reports problems.
In this case, like most others, the businesses claim there really is no
problem for anyone to worry about.
In this case, believing the businesses would require a suspension of
logic.
The Times reports that University of Massachusetts researcher Tom Heydt-Benjamin has demonstrated that it is quite easy to extract information from the new generation of RFID-equipped credit cards without having to look at them. According to the Times, Heydt-Benjamin has written this up in a paper he has submitted to a security conference. I've not seen a copy of the paper and am relying on the Times article for my information.
It seems that Mr. Heydt-Benjamin kludged up an RFID reader, tried it out on 20 of the new credit cards and was able to read unencrypted information from all of them. In at least some cases, the information included the cardholder's name, the credit card number and the expiration date. In other words, all the information you would need to buy things on-line and, maybe, depending on the details, enough information to create your own RFID or non-RFID credit card for in-person use.
The reaction from the credit card companies was predictable if not fully believable. A Mastercard spokesperson said that 98% of their RFID cards used "the highest standards" without saying just what that meant in terms of exposed information or just why all of the Mastercard cards tested somehow fell into the 2% of not-so-good cards. An American Express spokesperson said "It's basically useless information. You can't steal that data and play it back and expect that transaction to work." The spokesperson did not explain away the fact that the researchers did just that with data from some cards. The card companies also pointed to their fraud-detection software that would detect the use of stolen card numbers. Pardon me if I do not accept the assumption that all fraudulent use would be caught. I do accept the fact that some such use is caught, since I got a call from Mastercard about one such case with one of my credit cards.
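The disagreement above comes down to whether the card's answer is static data or something bound to the transaction. As an added illustration (not from the column, not from the paper it discusses, and not a description of what any card network actually deploys), the toy model below puts a card that hands the same cleartext record to every reader next to a card that answers a reader's challenge with a per-transaction counter and a MAC under an issuer key, and shows which of the two a harvested answer can be replayed against. The record contents, the HMAC-SHA256 construction, the counter and the class and function names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record: the sort of cleartext the column says the
# first-generation cards gave up (name, number, expiry). Not real card data.
STATIC_RECORD = b"DOE/JANE;PAN=4111111111111111;EXP=0908"


class StaticCard:
    """Toy first-generation card: the same cleartext record goes to any reader."""

    def respond(self, challenge: bytes) -> bytes:
        return STATIC_RECORD  # challenge ignored; nothing ties the answer to this reader


class AuthenticatingCard:
    """Toy card that MACs (record, transaction counter, reader challenge) under an issuer key."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def respond(self, challenge: bytes) -> bytes:
        self.counter += 1  # fresh value for every transaction
        body = b"|".join([STATIC_RECORD, str(self.counter).encode(), challenge.hex().encode()])
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        return body + b"|" + tag


class Issuer:
    """Issuer-side approval checks for the two card models (assumed, for illustration)."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_counters = set()

    def accept_static(self, challenge: bytes, response: bytes) -> bool:
        # All the issuer can check is that the record looks like a card record,
        # so anything that was ever read off the card is accepted again.
        return response.startswith(b"DOE/JANE;PAN=")

    def accept_authenticated(self, challenge: bytes, response: bytes) -> bool:
        try:
            record, counter, chal_hex, tag = response.split(b"|")
        except ValueError:
            return False  # malformed
        body = b"|".join([record, counter, chal_hex])
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False  # forged or tampered
        if chal_hex != challenge.hex().encode():
            return False  # produced for a different reader's challenge
        if counter in self.seen_counters:
            return False  # same transaction presented twice
        self.seen_counters.add(counter)
        return True


def genuine_transaction(card, check) -> bool:
    """A legitimate terminal challenges the card and forwards the answer for approval."""
    challenge = secrets.token_bytes(8)
    return check(challenge, card.respond(challenge))


def eavesdrop_and_replay(card, check) -> bool:
    """Attacker's reader harvests an answer, then replays it at a legitimate terminal."""
    captured = card.respond(secrets.token_bytes(8))  # attacker's own challenge
    terminal_challenge = secrets.token_bytes(8)      # the real terminal picks a fresh one
    return check(terminal_challenge, captured)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    issuer = Issuer(key)
    print("static card, genuine: ", genuine_transaction(StaticCard(), issuer.accept_static))
    print("static card, replayed:", eavesdrop_and_replay(StaticCard(), issuer.accept_static))
    card = AuthenticatingCard(key)
    print("auth card, genuine:   ", genuine_transaction(card, issuer.accept_authenticated))
    print("auth card, replayed:  ", eavesdrop_and_replay(card, issuer.accept_authenticated))
```

The static card's answer is accepted whether a terminal or an attacker's reader asked for it, which is the situation the researchers exploited. With the authenticating card the harvested answer fails on the challenge mismatch, and even a genuine answer fails the second time it is presented because the counter has been seen. The name, number and expiry are still transmitted in the clear in the second model, so this protects the transaction, not the cardholder's privacy; that is the separate point the column makes about including the name at all.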
This column is not meant merely as a rant against RFID-based credit cards, although I do not want to have one for a number of years so that all the bugs get worked out. I'm trying to point out two all too common behaviors: first, rolling out products without thinking through the security or privacy implications and, second, the quick dismissal when someone points out the flaws in the products that were prematurely rolled out.
At the end of the article, the Times reports that all of the card companies said they were removing the cardholder name from the information that is retrieved from the cards as a "best practice." Why did they include the name in the first place? Why did they not encrypt it if they had a real reason to include it?
If you are working on a new product or service, break the mold: think about security before you ship it.
disclaimer: Some at Harvard are all for breaking
molds while others cling to them but this advice is mine.