They call it the “Johnny Carson attack,” for his comic pose as a psychic divining the contents of an envelope.
Tom Heydt-Benjamin tapped an
envelope against a black plastic box connected to his computer. Within
moments, the screen showed a garbled string of characters that included
this: fu/kevine, along with some numbers.
Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit
card, fresh from the issuing bank. The card bore the name of Kevin E.
Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.
The card companies have implied through their marketing that the
data is encrypted to make sure that a digital eavesdropper cannot get
any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”
But in tests on 20 cards from Visa, MasterCard
and American Express, the researchers here found that the cardholder’s
name and other data was being transmitted without encryption and in
plain text. They could skim and store the information from a card with
a device the size of a couple of paperback books, which they cobbled
together from readily available computer and radio components for $150.
Consumerist has a post worth reading here.