I got a replacement Mastercard in the mail today and was slightly surprised to learn that it has an embedded radio frequency identification (RFID) tag in it. The idea is that it will let merchants bill your card by having you put it near a reader, rather than swipe it through a magnetic strip reader. The existence of the RFID tag does raise a couple of issues, however.
First, it has been shown that such tags can be activated using inexpensive directional transmitters from relatively long ranges. The way they work is by using the energy in the incoming radio signal to power the circuitry that produces a response. I don’t know if the tag in my card simply has a unique identifier, or whether it actually performs a challenge-response authentication. Either way, it is likely that the presence of the card, and the fact that it is a Mastercard, can be determined at a distance of several tens of metres at least, using information and equipment fairly easily acquired.
Secondly, I don’t know about the liability associated with such cards. I know that if I lose my Mastercard and report it promptly, I am only liable for $50 at the most. I am not sure about a situation where somebody clones the RFID tag and uses it to make purchases.
Overall, I see little value in contact-free payment systems. I would rather have a traditional card without new features and vulnerabilities. Unfortunately, Mastercard says that RFID-free cards are no longer available.