Docstoc

Keith_

Document Sample
Keith_ Powered By Docstoc
					     Keith,



     Thank you for the opportunity for allowing me to present some contradicting facts to the
     claims being made by Walt Augustinowitz, CEO of Identity Stronghold. You probably
     know that he has been touring numerous cities and has appeared on at least 6 television
     news broadcasts in different markets attempting to get free publicity for his company
      that manufacturers protective sleeves for contactless (RFID) credit cards.



     Let me begin by stating that the Smart Card Alliance has been educating the industry
     about the capabilities and security of contactless payment cards since 2005, when these
     cards were first introduced to the market by MasterCard and American Express. It was
     shortly after these cards were first introduced that the first claims about the security risks
     of contactless credit cards were raise. The Smart Card Alliance published an industry
     report on contactless payments security in November, 2006. We recently reviewed and
     updated this report based on changes to the technology and banking best practices which
     is going through a final review before being published later this week. I have attached a
     ―pre-released’ version of the report here.



     I hope you review this information and the additional key points below and consider
     including these facts from the payments industry experts that contributed to this report by
     the Smart Card Alliance. Despite Mr. Augustinowitz self-proclaimed ―security expert’
     status, he is just a business man trying to sell his products.



1.    Who is the Smart Card Alliance? An industry association made up of companies that
     supply and use secure chip (also called smart card) technology for payments and identity.

2.    Is contactless payments technology secure? The payments industry behind the use of
     this technology take security very seriously. They have to. They absorb the fraud losses
     if hackers or thieves can make fraudulent transactions. Consumers are never liable if a
     hacker or thief uses any technique to steal your credit card data or make unauthorized
     payment transactions with any payment card, including these that have contactless chips
     inside them.

3.    What protects consumers from being victimized by ―electronic pickpocketing‖ of a
     contactless payment card? There are multiple layers of security behind contactless
     payment cards. The data that can be read by an RFID pickpocket (account number and
     expiration date) is not enough to create a duplicate magnetic stripe card or rfid card
     (called a cloned card). The 3 digit or 4 digit security code, for example, that is printed on
     the card and encoded on the magnetic stripe can not be read from the contactless chip.
     Each time the contactless chip is read by a point of sale reader, the chip generates a
     unique one time code, called a cryptogram, that works only one time for that transactions
     and if someone were to capture that cryptogram and attempt to use it a second time, the
     transaction would be rejected by the payments authorization network. These and other
     layers of security protect consumers and the issuers from fraud.

4.    How do you know people are not being victimized by this attack? The card issuers and
     the payments brands (Visa, Amex, MasterCard, Discover) would know. Every credit
     card transaction is validated online at the time of the transaction. Consumers receive a
     statement each month that shows every contactless purchase. If anyone reports a
     fraudulent transaction, the bank card issuers can determine if the transaction was made
     using the contactless method or by swiping the magnetic stripe at the POS terminal.
       Also, two watchdog organizations, the Identity Theft Resource Center in San Diego and
     the U.S. Secret Service who investigate fraud and identity theft have reports no cases of
     this alleged fraud. (SEE Mark Roberti article) Consider this fact – over 75 million cards
     issued, 200,000 merchant locations who accept this form of payment, 5 years of
     transaction history and no one has reported being victimized by an electronic pickpocket.
     It can only mean one thing – real thieves have realized that this type of attack has no
     monetary benefit, and those thieves who are motivated to commit card fraud have far
     easier ways to get this information from consumers that they don’t need to be poking
     people with a ―rfid prod’ to steal their information.

5.    Why doesn’t card issuers provide protective sleeves for consumers? Nobody is
     demanding them and even if they were given one when they received their card, most
     people would throw them away because they don’t slip easily into your wallet or purse
     and it takes longer to complete your purchase which takes away the speed and
     convenience that people like when using this technology. It is like demanding baby
     carriage manufacturers put airbags inside a baby stroller – even if there is a possibility of
     some risk, there is no reasonable basis for consumers to fear using their stroller without
     an airbag.



     I might add, that the reaction on the faces of people in the video that Walt presents, the
     fear and concern that they might be victimized, underscores the seriousness of this
     elaborate demonstration that Mr. Augustinowitz is funding to promote himself and his
     company. Is Fox News in Phoenix going to contribute to this?



     Finally, I would like to include an article written by Mark Roberti, editor and publisher of
     RFID Journal, a respected news publication about the RFID industry and a person with
     no ties at all to the payments industry or the Smart Card Alliance. He wrote about recent
     media reports that have been stimulated by Mr Augustinowitz assertions. I would
     suggest contacting Mr. Roberti for this report as well.
A Reasonable Story on RFID Credit
Cards
Posted By Mark Roberti, 02.08.2011 Post a Comment!

mroberti@rfidjournal.com



Last year, I wrote a great deal about the issue of whether credit-card information could be
stolen and used by thieves carrying radio frequency identification readers purchased
online. My blogs were in response to news stories by television journalists that were
nothing more than scare pieces aimed at getting viewers to tune in (see L.A. Broadcaster
Misinforms Public About RFID Credit Cards, ABC Eyewitness News Presents Selective
Facts About RFID Credit Cards and Are RFID-Enabled Credit Cards Safer Than
Magstripe Cards?).

Recently, I came across an article published online that is a credible piece written by a
reporter with journalistic ethics.

The article in question was published by the Columbus Dispatch, a local newspaper in
Columbus, Ohio. Like so many other articles, this one quotes Walt Augustinowicz, the
founder of Identity Stronghold, as claiming that scammers can purchase portable RFID
readers and a battery pack for less than $100 on the Internet, and then use them to pick up
information being broadcast from the cards, such as account numbers and expiration
dates, from several inches away (see Portable scanners 'pickpocket' data on credit cards,
some say).

But unlike most other articles that I've read, the reporter for this piece, Josh Jarman,
actually looks into the claim instead of taking it at face-value. He writes: "The U.S.
Secret Service, which handles financial-access-device fraud, has no open investigations
of electronic pick-pocketing and does not know of any, said national spokesman Robert
Novy. Federal Bureau of Investigations agents in Columbus and Cincinnati said they
know of no cases in Ohio."

Jarman quotes Augustinowicz as pointing out that the theft would be difficult to detect
unless police caught someone in the act—which is a fair point. But Jarman doesn't leave
it at that. To his credit, he does a little more research and quotes Jay Foley, the executive
director of the nonprofit Identity Theft Resource Center, in San Diego, as noting there has
never been any evidence of crooks using such scanners. He also quotes Foley as pointing
out that some of those sounding the alarm bells about this kind of theft are profiting from
scaring people (which is why I have been so vociferous in my criticism of TV journalists
who play up the concerns about credit cards using RFID).



The writer also spoke to several credit-card companies. "MasterCard said in a statement
that its RFID-enabled cards have additional safety features, such as randomly generated
codes that accompany all wireless transactions," he writes. "Representatives for VISA
also said its cards have additional safety features to prevent this type of crime. Both
companies say their fraud-protection policies don't hold customers liable for fraudulent
purchases."

It has long frustrated me that when it comes to a relatively new technology, many
journalists abandon their principles and write scare stories. My hat is off to Josh Jarman
and the Columbus Dispatch for rising above that practice.

Mark Roberti is the founder and editor of RFID Journal. If you would like to comment on
this article, click on the link below. To read more of Mark's opinions, visit the RFID
Journal Blog, the Editor's Note archive or RFID Connect.




Sincerely,



Randy Vanderhoof

*************************************************

Randy Vanderhoof            Address: 191 Clarksville Road, Princeton Junction, New Jersey (USA) 08550

Executive Director          Direct Phone: (1)609.587.4208 Alliance Main Phone: (1)800.556.6828 Cell:
(1)609.731.8251

Smart Card Alliance        Direct Email: rvanderhoof@smartcardalliance.org Alliance Main Email:
info@smartcardalliance.org

www.smartcardalliance.org

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:47
posted:4/3/2011
language:English
pages:4