Slashdot Mirror


Use Your PDA As A Secure 'Wallet'

aphor writes "The Infrared Data Association has drafted a standard for IrDA "Point and Pay" devices. It's called Infrared Financial Messaging (IrFM) Point & Pay, and it's supposed to turn your handheld computer or cell phone into a digital wallet that can handle credit card, debit, check [and maybe even secure anonymous digital cash à la CyberCash?] transactions. I think this is significant, because instead of trusting a closed device like a smart card or magstripe on a credit card (we all know the problems with those), you receive a challenge from the vendor on your IR port, and you control how your device responds to it. Palm OS and Linux are specifically mentioned in their documentation as platforms for IrFM Point-and-Pay. BTW: I can't see anything that would prevent turning your Palm device into a handheld cash register. The specs for their protocol can be downloaded for free."

15 comments

  1. NYC and MetroCards by sporty · · Score: 5, Interesting

    I see a significant relation between this and metro cards. They are a piece of plastic, thinner than a credit card, but have a magnetic strip.

    I have what's called a "weekly" metrocard. Unlimited trips for the entire week. The way to stop people from swiping others through, is by limiting the amount of time before you can use it in that spot. You can go to other spots w/o a problem serially. Just not the same one before 20 minutes are up.

    The problem is, when this thing misreads/miswrites. It would give an error, to see the clerk and won't let me through. The clerk will usually find something like, "You just used this 4 minutes ago." It's up to the discretion of the clerk to either let you through, computer error, or to wait 20 minutes.

    What happens when this happens with these little devices? Neat in theory, but there's something that humans do better than any machines. Communicate and understand, in full duplex, a transaction.

    --

    -
    ping -f 255.255.255.255 # if only

    1. Re:NYC and MetroCards by aphor · · Score: 2, Interesting
      there's something that humans do better than any machines. Communicate and understand, in full duplex, a transaction

      That's what IrFM does. The cash-register/POS terminal, IrDA connection, and your handheld device all mediate the same conversation you're talking about.

      You get some stuff to the checkout at the store. The stuff gets scanned. The message on the screen flashes "Credit/Debit/Cash," and your Palm Pilot flashes the vendor name at the top of a list of the stuff that was scanned, tax, and totals (JUST LIKE A RECEIPT), but gives you a choice of the payment protocols that you have in common with the POS terminal. You click one (Visa?) and you type the password into your Palm Pilot. Your Palm negotiates a secure connection to the POS terminal, and might ask you if you trust the vendor's certificate (à la SSL). It then sends the Visa credit card number with a signed certificate of the stuff you agreed to buy. The POS terminal flashes "Visa payment authorized," and the checkout clerk starts ringing up the next person.

      --
      --- Nothing clever here: move along now...
  2. so you mean.... by m00by · · Score: 1

    my pda could be more than a portable bookshelf/organizer/address book?! wow! it sounds like it could be even better if some phone makers *ahem*ericsson*ahem* would pick this up as an addition to their already feature laden phones. bluetooth would also be neat, but oh, the security implications....and if they could incorporate my GnuPG key....dooood! something seriously useful!!! ah shit! I'm vibrating....time to leave work! =D

  3. Hmm... by i0wnzj005uck4 · · Score: 1

    NTT DoCoMo did something like this using their cell phones a while back... I don't know if it was IR based, though, but a number of people adopted the ability to use a cell phone to pay at convenience stores, etc.

    My issue would be with IR signal jacking. Ever changed the channel on your tv by aiming the remote away from it and into a mirror? What's to stop someone from using an IR sniffer device, to pick up random reflected transmissions?

    --
    - Cloud
    1. Re:Hmm... by foosnarf · · Score: 0, Flamebait

      come on man, haven't you heard of encryption? for christ's sake, you could even do it over SSL. technically this is little different (even less sniffable, even) than using your credit card to pay for something on a website over 802.11b.

  4. Didn't PayPal start out with this by Anonymous Coward · · Score: 0

    If I remember right, PayPal initially was designed to let your PDA beam money around and receive it.

  5. Would PayPal sue? by cant_get_a_good_nick · · Score: 2, Insightful

    PayPal originated with this concept, kind of a money among friends thing. Say, you were with your friends, no cash, so you "beamed" them some cash. They figured what the problem was, everybody needed $200 Palm devices for this to work. Soon they got the idea of the PayPal service we all know and love/loathe. Just wondering if PayPal has any rights to this concept.

  6. I give it 6 months... by km790816 · · Score: 4, Funny

    before homeless guys are asking "Can you beam me any change?"

    So much for my 'I only have plastic' excuse.

  7. Smart card less secure ? by makapuf · · Score: 1

    sorry, but smart cards are MORE secure than this, much more.
    There always is a challenge & response, plus the device itself cannot be tampered with: there is no possibility to use a probe to get internal content.

  8. Lets be honest by skinfitz · · Score: 1

    ...it's simply NOT going to catch on. The whole industry is driven by standardisation - either everyone gets a PDA (not going to happen) or they will still use cards - it's that simple!

    1. Re:Lets be honest by Anonymous Coward · · Score: 1, Insightful

      everybody gets a PDA: not going to happen
      a LOT of people get a mobile phone with IrDA and Java: is ALREADY happening

  9. Steal a smart card vs. steal a Palm IrFM device by aphor · · Score: 4, Insightful

    Smart cards are more OBSCURED than this. If someone steals your palm-pilot, they would still have to guess your password before they could use it. Steal a smart card, and then keep on stealing! If you think tampering is an issue, then you don't know about zero-knowledge proofs, public-key crypto, haven't actually understood the IrFM protocol, and thus you aren't qualified to make the inference you draw between tamper-resistance and security. The devil is in the details.

    --
    --- Nothing clever here: move along now...
    1. Re:Steal a smart card vs. steal a Palm IrFM device by makapuf · · Score: 1

      false, steal a smart card, then try to guess the PIN (passwd) to let it work.
      Of course, a blank password on a smartcard is a bummer.

    2. Re:Steal a smart card vs. steal a Palm IrFM device by aphor · · Score: 1

      I have two smart card badges to access the building and then security doors where I work. Neither of these cards has any kind of PIN.

      If a smart-card has no data display or input, then how are you supposed to know what kind of challenge (from whom) you are actually answering? This is very vulnerable to sniffing and known plaintext cryptanalysis attacks (if the CRAM is encrypted).

      --
      --- Nothing clever here: move along now...
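
Added example (not part of the original thread, and not the IrFM wire format): a sketch of the challenge/response flow aphor describes, where the wallet shows the receipt before answering and the response is bound to the vendor, the receipt and a fresh nonce, so a response captured off a reflected IR beam cannot be reused. The key, field names and function names are assumptions, and HMAC stands in for the public-key signature a real device would use.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by wallet and issuer (assumption for this sketch).
DEVICE_KEY = b"constructed-demo-key"


def make_challenge(vendor, items, total_cents):
    """Terminal side: a fresh nonce plus the receipt the buyer must approve."""
    return {"vendor": vendor, "items": items, "total_cents": total_cents,
            "nonce": secrets.token_hex(16)}


def _mac(key, challenge, method):
    # Canonical JSON so both sides authenticate byte-identical data.
    blob = json.dumps({"challenge": challenge, "method": method},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def wallet_respond(key, challenge, method, approve):
    """Wallet side: show the receipt, answer only if the owner approves it."""
    if not approve(challenge):
        return None
    return {"challenge": challenge, "method": method,
            "mac": _mac(key, challenge, method)}


class Verifier:
    """Issuer side: checks the MAC and refuses a nonce it has already seen."""

    def __init__(self, key):
        self.key = key
        self.seen = set()

    def verify(self, response, expected_challenge):
        if response is None:
            return "rejected: owner declined"
        if response["challenge"] != expected_challenge:
            return "rejected: receipt differs from what the terminal sent"
        good = _mac(self.key, response["challenge"], response["method"])
        if not hmac.compare_digest(good, response["mac"]):
            return "rejected: bad MAC"
        nonce = response["challenge"]["nonce"]
        if nonce in self.seen:
            return "rejected: replayed nonce"
        self.seen.add(nonce)
        return "authorized"
```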