02/05 - MasterCard International and American Express executives maintain that their contactless chips are safe and secure although researchers at Johns Hopkins University of Baltimore cracked the security in a contactless chip used in vehicle security systems and in the ExxonMobil SpeedPass device.

A story in Saturday's edition of The New York Times detailed the efforts of the Johns Hopkins graduate students to get past the security barriers in the Texas Instruments chip, which uses 40-bit encryption with a proprietary encryption algorithm.

Don Turk, a SpeedPass spokesman, says the students’ work is being taken seriously, but it’s not seen as a grievous blow to the key fob device that more than 6 million U.S. consumers use to pay for gas with a wave of their tag. “This is still a secure transaction system,” he says, adding that there haven’t been any fraudulent purchases using a SpeedPass device since its launch in 1997. Turk says the SpeedPass device contains no personal information and it uses other practices, such as monitoring usage patterns, to provide security.

The SpeedPass chip differs in several respects from the chips used in the American Express ExpressPay or MasterCard PayPass contactless payment cards, says William Allen, a Texas Instruments spokesman. "They operate at a different frequency. They use different algorithms," Allen says. "The most current encryption, which is incorporated into ExpressPay and PayPass, uses the highest level of encryption that is allowable by the federal government."

Those payment chips use 128-bit keys and triple-DES encryption, he says, more robust protocols. Avi Rubin, the professor of computer science who led the research team, says their efforts would have been for naught had the chip had triple-DES protection or 128-bit encryption. "We wouldn't have been able to break it," Rubin says.

A MasterCard spokeswoman confirms to Card Technology that the chip described in the Times's story is not the same as used in PayPass. She also says the PayPass chips go through extensive testing and use technology that changes the input data each time the card is used to mitigate possible attacks that copy and replay data. An American Express spokeswoman also confirmed the students' work bore no relation to ExpressPay.

Allen says Texas Instruments has not heard of any instances of fraud from its customers who use the 40-bit chip. Colin Tanner, a consultant with United Kingdom-based Consult Hyperion, discounted the implication of the students' work on contactless financial payment cards. "Technically, there's no implication whatsoever," Tanner says. "What MasterCard, American and Visa have been doing is designing systems based on triple-DES. Those systems are going to be very secure."