Keith,
Thank you for the opportunity for allowing me to present some contradicting facts to the
claims being made by Walt Augustinowitz, CEO of Identity Stronghold. You probably
know that he has been touring numerous cities and has appeared on at least 6 television
news broadcasts in different markets attempting to get free publicity for his company
that manufactures protective sleeves for contactless (RFID) credit cards.
Let me begin by stating that the Smart Card Alliance has been educating the industry
about the capabilities and security of contactless payment cards since 2005, when these
cards were first introduced to the market by MasterCard and American Express. It was
shortly after these cards were first introduced that the first claims about the security risks
of contactless credit cards were raised. The Smart Card Alliance published an industry
report on contactless payments security in November, 2006. We recently reviewed and
updated this report based on changes to the technology and banking best practices which
is going through a final review before being published later this week. I have attached a
"pre-released" version of the report here.
I hope you review this information and the additional key points below and consider
including these facts from the payments industry experts that contributed to this report by
the Smart Card Alliance. Despite Mr. Augustinowitz's self-proclaimed "security expert"
status, he is just a business man trying to sell his products.
1. Who is the Smart Card Alliance? An industry association made up of companies that
supply and use secure chip (also called smart card) technology for payments and identity.
2. Is contactless payments technology secure? The payments industry behind the use of
this technology takes security very seriously. They have to. They absorb the fraud losses
if hackers or thieves can make fraudulent transactions. Consumers are never liable if a
hacker or thief uses any technique to steal your credit card data or make unauthorized
payment transactions with any payment card, including those that have contactless chips
inside them.
3. What protects consumers from being victimized by "electronic pickpocketing" of a
contactless payment card? There are multiple layers of security behind contactless
payment cards. The data that can be read by an RFID pickpocket (account number and
expiration date) is not enough to create a duplicate magnetic stripe card or RFID card
(called a cloned card). The 3 digit or 4 digit security code, for example, that is printed on
the card and encoded on the magnetic stripe cannot be read from the contactless chip.
Each time the contactless chip is read by a point of sale reader, the chip generates a
unique one time code, called a cryptogram, that works only one time for that transaction
and if someone were to capture that cryptogram and attempt to use it a second time, the
transaction would be rejected by the payments authorization network. These and other
layers of security protect consumers and the issuers from fraud.
4. How do you know people are not being victimized by this attack? The card issuers and
the payments brands (Visa, Amex, MasterCard, Discover) would know. Every credit
card transaction is validated online at the time of the transaction. Consumers receive a
statement each month that shows every contactless purchase. If anyone reports a
fraudulent transaction, the bank card issuers can determine if the transaction was made
using the contactless method or by swiping the magnetic stripe at the POS terminal.
Also, two watchdog organizations, the Identity Theft Resource Center in San Diego and
the U.S. Secret Service who investigate fraud and identity theft have reported no cases of
this alleged fraud. (SEE Mark Roberti article) Consider this fact – over 75 million cards
issued, 200,000 merchant locations who accept this form of payment, 5 years of
transaction history and no one has reported being victimized by an electronic pickpocket.
It can only mean one thing – real thieves have realized that this type of attack has no
monetary benefit, and those thieves who are motivated to commit card fraud have far
easier ways to get this information from consumers that they don’t need to be poking
people with a "RFID prod" to steal their information.
5. Why don’t card issuers provide protective sleeves for consumers? Nobody is
demanding them and even if they were given one when they received their card, most
people would throw them away because they don’t slip easily into your wallet or purse
and it takes longer to complete your purchase which takes away the speed and
convenience that people like when using this technology. It is like demanding baby
carriage manufacturers put airbags inside a baby stroller – even if there is a possibility of
some risk, there is no reasonable basis for consumers to fear using their stroller without
an airbag.
I might add, that the reaction on the faces of people in the video that Walt presents, the
fear and concern that they might be victimized, underscores the seriousness of this
elaborate demonstration that Mr. Augustinowitz is funding to promote himself and his
company. Is Fox News in Phoenix going to contribute to this?
Finally, I would like to include an article written by Mark Roberti, editor and publisher of
RFID Journal, a respected news publication about the RFID industry and a person with
no ties at all to the payments industry or the Smart Card Alliance. He wrote about recent
media reports that have been stimulated by Mr. Augustinowitz's assertions. I would
suggest contacting Mr. Roberti for this report as well.
A Reasonable Story on RFID Credit Cards
Posted By Mark Roberti, 02.08.2011
mroberti@rfidjournal.com
Last year, I wrote a great deal about the issue of whether credit-card information could be
stolen and used by thieves carrying radio frequency identification readers purchased
online. My blogs were in response to news stories by television journalists that were
nothing more than scare pieces aimed at getting viewers to tune in (see L.A. Broadcaster
Misinforms Public About RFID Credit Cards, ABC Eyewitness News Presents Selective
Facts About RFID Credit Cards and Are RFID-Enabled Credit Cards Safer Than
Magstripe Cards?).
Recently, I came across an article published online that is a credible piece written by a
reporter with journalistic ethics.
The article in question was published by the Columbus Dispatch, a local newspaper in
Columbus, Ohio. Like so many other articles, this one quotes Walt Augustinowicz, the
founder of Identity Stronghold, as claiming that scammers can purchase portable RFID
readers and a battery pack for less than $100 on the Internet, and then use them to pick up
information being broadcast from the cards, such as account numbers and expiration
dates, from several inches away (see Portable scanners 'pickpocket' data on credit cards,
some say).
But unlike most other articles that I've read, the reporter for this piece, Josh Jarman,
actually looks into the claim instead of taking it at face-value. He writes: "The U.S.
Secret Service, which handles financial-access-device fraud, has no open investigations
of electronic pick-pocketing and does not know of any, said national spokesman Robert
Novy. Federal Bureau of Investigations agents in Columbus and Cincinnati said they
know of no cases in Ohio."
Jarman quotes Augustinowicz as pointing out that the theft would be difficult to detect
unless police caught someone in the act—which is a fair point. But Jarman doesn't leave
it at that. To his credit, he does a little more research and quotes Jay Foley, the executive
director of the nonprofit Identity Theft Resource Center, in San Diego, as noting there has
never been any evidence of crooks using such scanners. He also quotes Foley as pointing
out that some of those sounding the alarm bells about this kind of theft are profiting from
scaring people (which is why I have been so vociferous in my criticism of TV journalists
who play up the concerns about credit cards using RFID).
The writer also spoke to several credit-card companies. "MasterCard said in a statement
that its RFID-enabled cards have additional safety features, such as randomly generated
codes that accompany all wireless transactions," he writes. "Representatives for VISA
also said its cards have additional safety features to prevent this type of crime. Both
companies say their fraud-protection policies don't hold customers liable for fraudulent
purchases."
It has long frustrated me that when it comes to a relatively new technology, many
journalists abandon their principles and write scare stories. My hat is off to Josh Jarman
and the Columbus Dispatch for rising above that practice.
Mark Roberti is the founder and editor of RFID Journal.
Sincerely,
Randy Vanderhoof
*************************************************
Randy Vanderhoof
Executive Director
Smart Card Alliance
Address: 191 Clarksville Road, Princeton Junction, New Jersey (USA) 08550
Direct Phone: (1)609.587.4208
Alliance Main Phone: (1)800.556.6828
Cell: (1)609.731.8251
Direct Email: rvanderhoof@smartcardalliance.org
Alliance Main Email: info@smartcardalliance.org
www.smartcardalliance.org