RFID credit cards and (lack of) privacy?

A story over at Slashdot points to an NYT article describing how some researchers cobbled together a device to read those newfangled RFID credit cards. Everything was built using off-the-shelf (OTS) components, and the researchers say an even smaller device could be made. So conceivably, a nefarious bad guy cracker with a modicum of skills could cobble one together, mingle through crowds and lift info off these cards through people's pants and purses.

The finding comes at a time of strong suspicion among privacy advocates and consumer groups about the security of the underlying technology, called radio frequency identification, or RFID. Though the systems are designed to allow a card to be read only in close proximity, researchers have found that they can extend the distance.

The actual distance is still a matter of debate, but the claims range from several inches to many feet. And even the shortest distance could allow a would-be card skimmer to mill about in a crowded place and pull data from the wallets of passersby, or to collect data from envelopes sitting in mailboxes.

Naturally, credit card companies and banks say this is a highly impractical attack method given that other methods (e.g. phishing) are so much more effective. Excellent application of security through obscurity. I guess they haven't learned that even if it might be less practical than current methods, it just becomes another item in the bad guys' arsenal.

NYT also provides a link to a paper by the researchers. It's an interesting read with a lot of good info on how the RFID cards work.