Use Your PDA As A Secure 'Wallet'

aphor writes "The The Infrared Data Association has drafted a standard for IrDA "Point and Pay" devices. Its called Infrared Financial Messaging (IrFM) Point & Pay, and its supposed to turn your handheld computer or cell phone into a digital wallet that can handle credit card, debit, check [and maybe even secure anonymous digital cash ala CyberCash?] transactions. I think this is significant, because instead of trusting a closed device like a smart card or magstripe on a credit card (we all know the problems with those), you receive a challenge from the vendor on your IR port, and you control how your device responds to it. Palm OS and Linux are specifically mentioned in their documentation as platforms for IrFM Point-and-Pay. BTW: I can't see anything that would prevent turning your Palm device into a handheld cash register. The specs for their protocol can be downloaded for free."

NYC and MetroCards

[sporty]

I see a significant relation between this and metro cards. They are a piece of plastic, thinner than a credit card, but has a magnetic strip.

I have what's called a "weekly" metrocard. Unlimited trips for the entire week. The way to stop people from swiping others through, is by limiting the amount of time before you can use it in that spot. You can go to other spots w/o a problem serially. Just not the same one before 20 minutes are up.

The problem is, when this thing misreads/miswrites. It would give an error, to see the clerk and won't let me through. The clerk will usually find something like, "You just used this 4 minutes ago." It's up to the discression of the clerk to either let you through, computer error, or to wait 20 minutes.

What happens when this happens with these little devices? Neat in theory, but there's something that humans do better than any machines. Communicate and understand, in full duplex, a transaction.

Re:NYC and MetroCards

[aphor]

there's something that humans do better than any machines. Communicate and understand, in full duplex, a transaction

That's what IrFM does. The cash-register/POS terminal, IrDA connection, and your handheld device all mediate the same conversation you're talking about.

You get some stuff to the checkout at the store. They stuff gets scanned. The message on the screen flashes "Credit/Debit/Cash," and your Palm Pilot flashes the vendor name at the top of a list of the stuff that was scanned, tax, and totals (JUST LIKE A RECIEPT), but gives you a choice of the payment protocols that you have in common with the POS terminal. You click one (Visa?) and you type the password into your Palm Pilot. Your Palm negotiates a secure connection to the POS terminal, and might ask you if you trust the vendor's certificate (ala SSL). It then sends the Visa credit card number with a signed certificate of the stuff you agreed to buy. The POS terminal flashes "Visa payment authorized," and the checkout clerk starts ringing up the next person.

Would PayPal sue?

[cant_get_a_good_nick]

PayPal originated with this concept, kind of a money among friends thing. Say, you were with your friends, no cash, so you "beamed" them some cash. They figured what the problem was, everybody needed $200 Pal devices for this to work. Soon they got the idea of the PayPal service we all know and love/loathe. Just wondering if PayPal has any rights to this concept.

I give it 6 months...

[km790816]

before homeless guys are asking "Can you beam me any change?"

So much for my 'I only have plastic' excuse.

Steal a smart card vs. steal a Palm IrFM device

[aphor]

Smart cards are more OBSCURED than this. If someone steals your palm-pilot, they would still have to guess your password before they could use it. Steal a smart card, and then keep on stealing! If you think tampering is an issue, then you don't know about zero-knowledge proofs, public-key crypto, haven't actually understood the IrFM protocol, and thus you aren't qualified to make the inference you draw between tamper-resistance and security. The devil is in the details.