02/05 - MasterCard International and American Express executives maintain that their contactless chips are safe and secure, even though researchers at Johns Hopkins University in Baltimore cracked the security in a contactless chip used in vehicle security systems and in the ExxonMobil SpeedPass device.
A story in Saturday's edition of The New York Times detailed the efforts of the Johns Hopkins graduate students to get past the security barriers in the Texas Instruments chip, which uses 40-bit encryption with a proprietary encryption algorithm.
Don Turk, a SpeedPass spokesman, says the students’ work is being taken seriously, but it’s not seen as a grievous blow to the key fob device that more than 6 million U.S. consumers use to pay for gas with a wave of their tag. “This is still a secure transaction system,” he says, adding that there haven’t been any fraudulent purchases using a SpeedPass device since its launch in 1997. Turk says the SpeedPass device contains no personal information and it uses other practices, such as monitoring usage patterns, to provide security.
Those payment chips use 128-bit keys and triple-DES encryption, which are more robust protocols, he says. Avi Rubin, the professor of computer science who led the research team, says their efforts would have been for naught had the chip had triple-DES protection or 128-bit encryption. "We wouldn't have been able to break it," Rubin says.
Allen says Texas Instruments has not heard of any instances of fraud from its customers who use the 40-bit chip. Colin Tanner, a consultant with United Kingdom-based Consult Hyperion, discounted the implication of the students' work on contactless financial payment cards. "Technically, there's no implication whatsoever," Tanner says. "What MasterCard, American and Visa have been doing is designing systems based on triple-DES. Those systems are going to be very secure."