Are you prepared for a "Johnny Carson" attack?


They call it the "Johnny Carson attack," for the entertainer's comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The card companies have implied through their marketing that the data are encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate "128-bit encryption," and J.P. Morgan Chase has said that its cards, which it calls Blink, use "the highest level of encryption allowed by the U.S. government."

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder's name and other data were being transmitted without encryption and in plain text. The researchers could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.
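The finding above, that the name, card number and expiry came off the card in plain text, is something a card issuer or auditor can check for their own cards without any special tooling beyond a reader that dumps the raw response. The following is an added example, not code from the article or the researchers: it scans a captured response for a Luhn-valid digit run (the shape of an account number) and a `SURNAME/GIVEN` style name token, and reports whether the frame leaks plaintext cardholder data. The frames, the field layout and the `4111111111111111` value (a widely published test number, not a real account) are constructed for illustration and are assumptions, not data from the page.

```python
"""Audit a captured contactless-card response for plaintext cardholder data.

Added example, not from the article. A response that is actually encrypted
should yield no Luhn-valid digit run and no readable name field; the
researchers' finding was that real cards did yield both.
"""
import re
from typing import Dict, List, Optional

# Constructed sample frames (assumption: a tag byte, then ASCII fields
# separated by '^'). Neither is real card data; 4111111111111111 is a
# public test number.
CLEARTEXT_FRAME = b"\x70\x1e" + b"4111111111111111^DOE/JANE^0912" + b"\x90\x00"
# Constructed opaque frame with no digit bytes, standing in for an
# encrypted response.
OPAQUE_FRAME = bytes([0x8a, 0xd1, 0x7f, 0x02, 0xe3, 0x41, 0x9c, 0xb0,
                      0x5e, 0x11, 0xfa, 0x63, 0x2b, 0xc8, 0x90, 0x00])


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(data: bytes) -> List[str]:
    """Return every 13-19 digit run in the frame that is Luhn-valid."""
    text = data.decode("latin-1")   # one byte -> one char, never fails
    return [m.group() for m in re.finditer(r"\d{13,19}", text)
            if luhn_valid(m.group())]


def find_name_field(data: bytes) -> Optional[str]:
    """Return a SURNAME/GIVEN style token if one appears in the clear."""
    text = data.decode("latin-1")
    m = re.search(r"[A-Za-z]{2,26}/[A-Za-z ]{1,26}", text)
    return m.group() if m else None


def audit_frame(data: bytes) -> Dict[str, object]:
    """Summarise what an eavesdropper could read directly from the frame."""
    pans = find_plaintext_pans(data)
    name = find_name_field(data)
    return {
        "pans": pans,
        "name": name,
        "leaks_plaintext": bool(pans) or name is not None,
    }


if __name__ == "__main__":
    for label, frame in (("cleartext", CLEARTEXT_FRAME), ("opaque", OPAQUE_FRAME)):
        print(label, audit_frame(frame))
```

The Luhn check is a heuristic: roughly one random 13-to-19 digit run in ten passes it, so a positive on a single frame should be confirmed against the card itself, while a frame with no digit runs or name token at all is the behaviour one would expect from a response that is genuinely encrypted.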

They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak.

"Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?"

Does anyone ever take the time to explain "security" to the marketing types who build these ad campaigns?

Posted: Tue - October 24, 2006 at 09:21 AM