...nobody with a data security background even slightly surprised.
What the RFID-CUSP report highlights most significantly is the new physical dimension of vulnerability that RFID credit cards introduce. Without even removing their cards from wallets or pockets, consumers can potentially see their privacy and security compromised. A scanner in a crowded subway station might surreptitiously harvest credit-card data from passersby. Or consider what the RFID-CUSP research team has dubbed a "Johnny Carson" attack. In the comedian’s Carnac the Magnificent act, he divined the contents of sealed envelopes held against his forehead. Likewise, an attacker can quickly skim data from RFID credit cards in sealed envelopes while they are in transit or sitting in mailboxes.
Slightly stronger data protections and cryptography could largely prevent Johnny Carson attacks and most of the other vulnerabilities illustrated in the RFID-CUSP study. Given that RFID as a broad technology is already a flashpoint for consumer fears, the choice of credit-card associations not to confer stronger protections on RFID-enabled cards is somewhat surprising. Numerous media reports have drawn attention to consumer concerns about RFID privacy and security, and various government bodies are mulling over RFID-privacy regulations. In early 2005, a team of researchers (including some in RFID-CUSP) demonstrated skimming attacks against ExxonMobil SpeedPass, another RFID payment device used by millions of Americans for some number of years. (It should be noted, however, that unlike RFID credit cards, SpeedPass does not reveal personally identifying information.)
Apparently some of these RFID credit cards transmit your name, card number and expiration date in plaintext with no authentication to any radio signal that cares to ask. Nice.