The other day, I saw a report on the CBC about increasingly sophisticated methods thieves use to steal credit and bank card numbers. They showed, for instance, how a thief can easily grab a store card reader when the clerk is not looking, replacing it with a modified reader that steals card numbers and PIN codes.
That such thefts can happen in the first place, however, I attribute to the criminal negligence of the financial institutions involved. There is no question about it: when it’s important to a corporation, they certainly find ways to implement cryptographically secure methods to deny access by unauthorized equipment. Such technology has been in use by cable companies for many years already, making it very difficult to use unauthorized equipment to view cable TV. So how hard can it be to incorporate strong cryptographic authentication into bank card reader terminals, and why do banks not do it?
The other topic of the report was the use of insecure (they didn’t call it insecure, but that’s what it is) RFID technology on some newer credit cards, the information from which can be stolen in a split second by a thief who just stands or sits next to you in a crowded mall. The use of such technology on supposedly “secure” new electronic credit cards is both incomprehensible and inexcusable. But I am sure the technical consultant who recommended this technology to the banks in some bloated report full of flowery prose and multisyllable jargon received a nice paycheck.