Contactless Credit Cards
An anonymous reader writes "According to this article in EETimes, Visa and Philips are teaming up to introduce a so-called "contactless credit card". Basically it'll work like the proximity cards many of us use for access to our places of work or apartments. You won't need to physically swipe it, simply waving it over a reader is good enough."
I like the convenience idea of it. The magnetic strips in my credit cards are usually destroyed/useless before the card even expires. Between rubbing against other credit cards, contact with the leather, and/or body sweat, highly used cards are usually replaced before they "expire".
Where's the security? I often wonder why the heck credit card purchases don't require a PIN at the very least. Yeah, we're all high tech and thumb prints and/or eye scans would be cool, but I'm all for having to know and enter a PIN on each and every purchase.
I tend to go for EFT payment whenever possible as I do have to enter a PIN. Shoulder surfing or a corrupt security camera guy is always a problem. I'm smart enough to remember a purchase PIN and an ATM/Cash type transaction PIN too. I suppose insurance costs and "shrink" just isn't too expensive yet?
I'd be impressed if there was a thumb reader built into each plastic card I waved around buying all my shit.
Mobile gas anyone?
... I thought it meant it didn't have any of my contact information. Oh well...
AC comments get piped to
They won't know where to send the bill!
Let's see. A crowded line at an amusement park... I'm sure I could pick up 100 credit card numbers an hour with my wiz-bang pocket card reader. "Excuse me sir... I didn't mean to bump into you..."
... on how long it takes before someone cracks/hacks whatever security these things have and begins making megabucks by planting remote cardreaders in places like mall store entrances?
How long will it be? Say, to the nearest hour or so?
End of lesson. You may press the button.
The nice thing from a security standpoint is that the credit card companies have it in their own best interest to make sure people feel confident using these new technologies. While a single cardholder could be at risk to lose a few thousand dollars, these companies have billions riding on these transactions. When it comes to secure computing, this is one industry that actually keeps it on the front burner...
Stop by my site where I write about ERP systems & more
Just toss the poor bastards at the credit card machine....
I got nothin'.
Shielded wallets/credit card holders. Someone call ThinkGeek.
http://www.paypass.com/ Currently beta testing in Florida...
Fantastic. Now your pocket can be picked just by someone carrying a bag, purse, or package and passing behind you. Who asked for this?
I'm an American. I love this country and the freedoms that we used to have.
This sounds an awful lot like SpeedPass, which is at least 5 years old. Any idea what the difference is?
Other than the magnetic strip not wearing out, what's the advantage? Unless it's short-range enough that passers-by can't steal your money, you'll still have to present it to a reader (the article mentions 20cm). Or perhaps they mean it can't be swiped (as in stolen). It could mean the end of shoplifting though, just use the security scanners to read the RF tags in what has been taken and then take the money straight off the card. (Actually, that could be a great way to shop: pick things off the shelf, walk out and pay without having any queues at the checkout. Where's my patent lawyer?)
Don't go to a brothel if you want to buy broth
...to those laser-scanner things supermarket checkout lines have been using for years?
so THAT's why the Jedi Hand Wave works.
"These are not the droids you're looking for"
(handwave, subtle ka-ching! sound)
"These are not the droids I'm looking for.. move along..."
Doesn't the mobil speed pass already do this? nothing really all that new.
That's how I pay for gas at Mobil, with their Speedpass. It's a small keychain thing that looks like a black maggot:
Well, that was how I paid for gas at Mobil. I cut my Speedpass open, took out the glass cylinder, and put it inside my Nextel i90 cell phone, it fit next to the battery. The Speedpass only lasted a few months before dying. I haven't tried it again yet...
It was cool when it worked though, I just held my cell phone up to the pump to pay for gas.
tbdean
This looks somewhat similar to Mobil's Speedpass, no?
I've been using a contactless credit card for years. I type the number into an HTML form, and my card never comes within the same city as the merchant I'm purchasing something from. For that matter, it sometimes isn't in the same city as I am when I'm making the purchase -- for a couple months last year it was on a different continent.
In fact... let me see here... no, I still haven't gotten around to signing the back.
Tarsnap: Online backups for the truly paranoid
But then, isn't jostling at the bar a good way to meet people?
I personally have never had any experience with these other than having to wear them for work. Perhaps someone who knows the dynamics of these can tell how easy or feasible it is to 'steal' info from these cards. If I'm going to be 'issued' one of these in the future, I would like to know the risks.
:)
Perhaps I can make a fortune patenting shielded wallets.
"When will this FP stuff stop?" "After the great growing..." "The great growing?" "Yea, when people grow up."
If you are using such a card to access your apartment, perhaps it's time to move out.
no, i'm not the pervert who's rubbing up against you for kicks...
well, maybe i am. but i'm taking your money, too.
heh.
www.pixelectric.com
Just think of the ways this can be abused...suppose there was some hot chick who wanted to rip you off. She could build a really small card scanner and hide it in her hand. Then she'd come up to some guy and start rubbing his ass and all, and the dude would be like "COOL!!". But then she would charge $10,000 to his account!!!
So this is obviously not a good idea unless you are a hot chick who wants to rip people off. Or if you work at Six Flags Magic Mountain you can maybe hide a scanner inside those metal detector things that they pat you down with. That would work too.
Read the article. Plenty of subtle reference to rights management and content control. Buy a DVD with this viper and have to wave it next to your DVD player to get it to play.
"Eve of Destruction", it's not just for old hippies anymore...
You won't need to physically swipe it, simply waving it over a reader is good enough.
DON'T OVERWAVE
3.243F6A8885A308D313
That's Philips, with one L, not two. The Phillips with two LL in the middle is a petroleum company.
Lacking <sarcasm> tags,
does it run linux?
Didn't you hear? You're not supposed to use your phone near the pumps! /Inter-office cc:
-Dumb_Nig
data rates as high as 1Megabit/sec over a distance of 20 centimeters
If the action of placing the card close to the reader is supposed to indicate payment, that's too far and invites both security problems and just accidental mixups.
I think IR is actually better suited to these kinds of applications. IrDA already exists, it's on most devices, and it's much more secure. Some businesses are already using it for communicating with PDAs that people bring in (including Sony Theaters).
This is why this challenge is going to be so hard.
You say you are smart enough to remember a purchase PIN and an ATM/Cash type transaction PIN, yet you also claim to be buying shit?
Most, if not all, of the smart people I know never, ever 'buy' shit....they seem to find a way where people continuously give them shit, sometimes for no apparent reason. Now I know some would argue that this may well be a gift, but I've watched this happen, over and over, and I'm here to tell you, it seems like it doesn't matter what they do or what they say, someone will eventually give them shit. Really! I am not kidding! It's true!!
If you are having to pay for shit, may I suggest a crash course in shit 'taking'...you can sign up for one online I believe..perhaps right here, if you ask nice.
Didn't read the title at all, since my view (possibly all views?) of the discussion thread displays the messages in line. In fact, didn't even know what your subject line was until I read your message. Of course, if you posted this while logged in, I would've mod'ed you down for being off-topic ;)
While playing oggs.
rmsousa Corp announces the "Faraday Cage Wallet". The perfect companion to the "contactless credit card". And if you call now you'll get entirely free a "Faraday Cage Trenchcoat", the perfect tool to "shoplift"^H^H^H^H^H^H^H^H^H^H"ensure privacy when buying" products with RFID tags.
And this product opens new horizons... Now you can sexually harass women on the street and then say "sorry, I was just trying to steal your credit card".
indeed... maybe metal wallets will become a popular deterrent.
I am Asian, actually. And no, delving deep into my soul, I can honestly say that I harbor no racist feelings. This is an experiment.
I'm in Toronto and this is already in use at several Gas station chains, most notably Esso.
While the speed pass works in the same way of not requiring direct contact, instead of billing you directly you provide them a credit card number to bill to, but the technology in this case is the same and not incredibly amazing.
Business alarm systems have used proximity badges for years now!
Not to be a twit, but I heard about this sort of "keep it in your pocket" magnetic technology being deployed already. Around February of this year, one of my English students in Tokyo, who worked for Sony/Ericsson, told me his company's "secret" new cell phone in development would have this mag card tech built in. It would replace the "Suica Card" existing tech, which is just a card you mash against the reader while keeping it in your wallet. The phone was due to hit the shelves in 6 months, which would be this August. Only in Japan, of course, which means it should be out in America around August 2005.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
The technology in general can be a great convenience, I have used them before and it means you don't have to fish the card in and out of your wallet, but what happens when you have more than one of this type of card in your wallet (the reader will read them all properly, but which to use?) and theft is a real concern.
Unless they also use a pin-number system, there is really nothing they can do to prevent theft. If you have a 'shielded wallet' or you have to press a button, then it defeats much of the point, and you have to actually get the card out.
I'm worried that they will try a type of encryption, (info on card is encrypted, and the CC co has the key in a central data base). Now if they were to do a new encryption key for each card, then great, but I could see them using one key for all of them, then what happens if that key is leaked. Even if they do that, it keeps the CC number safe so it can't be used online or such (assuming that the RFID number is even related to the actual CC number, which it probably wouldn't be) it still can't stop someone from making a new RFID card to retransmit the info.
Basically it all boils down to that there is no real way for the CC company to protect the card if it is contactless. With 20cm (about 8in) you could easily walk around a mall with a reader in your pocket picking up the ids of the cards.
My thoughts: Bah. I've seen attention whores, but you my friend are an attention dictator.
on the sixth day God created man.
on the seventh day, man returned the favor.
Great! Akin to war driving to find open nets, now we can "pocket surf" -- aim a super-high gain antenna tuned to the frequency these cards operate at at purses, pockets, and wallets of unsuspecting users and collect credit card information (enough to clone 'em) without being seen.
Now thieves will only need to walk around waving readers over people's butts to snag their CC info...
Let me address your points individually: 1. No, someone could not charge every CC in the world. There is a small computer inside the card and two way communication is required. There is no way for a satellite to charge cards. 2. EMF if used in a mall right now would scramble the mag strips on existing cards and probably screw all the cash registers. No difference.
So what happens if you have multiple cards of these? How do you choose which one to pay with?
I just thought it was yet another racist troll post.
That's 'Philips'...with one L.
same here... too bad!
It's not a new concept. We already practice it here at Slashdot - we don't even have to read the article, we just get near the story and start spouting off comments.
If you have 2 side by side, then there can be issues when trying to use them.
This is something that I have seen with proximity cards for two separate systems. When the two are together then when system A tries to contact Card A, Card B is also activated and the system cannot make any sense out of what it has received. Therefore no access.
In this case you have to separate the two cards, in order to read them.
There has been talk about contactless smartcards for the past 10 years.
ExpressPay
You didn't just bite on a troll here, you bit on a JOKE. And you weren't even smart enough to point out that it's EMP, not EMF.
Congrats on doubling the entertainment value of the thread.
You know, back when you could still afford to go out for dinner (DQ doesn't count), how the waitperson would bring the bill on a little plastic tray and lay it on the table....and you'd simply drop your c'card onto the bill...and then someone would take the tray and bill and c'card and....oh, wait, I get it...
Hello, I'm Dwayne, I'll be your card waver this evening.
So, if Visa is the first mover, do they essentially "own" the wallet because the lazy consumer wouldn't want to bother pulling out a different card?
And what happens if there are multiple cards that are contactless? Do I have to pick one out? What's the point of this, then?
My building uses contactless badges. Ironically, we have a badge for the building and another for the garage. I can't keep both cards in the wallet because they interfere with each other.
Finally, is Phillips proposing to make cars run off the card? Wow. Imagine starting your car just by sitting down...
Doesn't this sound a lot like a barcode system?
These cards better have a small range (two feet max) or I don't see how you will manage to preserve the time-honored tradition of the grocery store line.
"Did you swipe your card?"
"Not yet."
"That's funny, because your total has already been paid!"
My concern would be that unscrupulous individuals would use portable readers to get your card number. It would be a form of pick-pocketing that wouldn't actually require any contact or much risk of getting caught.
Hopefully, the cards would use some sort of challenge/response system, rather than a fixed number that could be replayed to a terminal. Still, there are bound to be vulnerabilities, and we'll probably be reading about them in a couple of years.
Actually, what I was hoping for was that we could put mod points on these cards. It would give a whole new meaning to 'karma-whoring,' now wouldn't it?
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
The Swatch Access watch has been able to do this sort of stuff for ages. Here are my old pages from way back.
don't bother folks.
Now simply standing too close to someone can cause my credit card number to be stolen.
GJC
Gregory Casamento
Chief Maintainer for GNUstep
The internet, today:
Debian.com announces new contactless debian operating system - "untouchable". promises unbreakable security.
Debian.com executives stunned the business community today with the announcement of a new operating system in the debian franchise "untouchable", which they contend, ushers in a new age of contactless technology and "unhaX0rable" enterprise security technology for the enterprise. debian CEO Raymond Stallman issued forth this challenge (meaningless freedom diatribe deleted; words rearranged to form actual english sentences - ed.): "[...] if you can haX0r this [...] system, we [...], debian.com, will give you 100,000 free copies of our next [...] debian release [...] due in 2008".
"untouchable" features specially developed "haX0r freedom" technology, designed specifically to ensure freedom from haX0rs. "haX0r freedom" technology comprises debian's patent-pending "cord-free" technology, which allows debian computers to run without cords, and debian's new "network-free" enterprise security technology, which allows debian computers to run without a network. "Correctly installed, debian computers with haX0r-freedom enabled enterprise security technology are invulnerable from haX0rs and other commie government spies" says debian CTO Raymond Stallman. "the extra freedom built into the core of Untouchable leaves enterprise users freer to enjoy other things in the rich debian untouchable experience, like manually installing soundcards". "we think they'll like it" jokes Stallman, freeing a few extra lice from his freely-kempt beard.
Other debian executives could not be contacted by email for comment.
What if he meant Electro Magnetic Field (or even Force)???
An Electro Magnetic Field in a mall is entirely plausible.
These kinds of cards do not usually have any kind of power source. They rely on an alternating current magnetic field that the reader gives off. This magnetic field energizes the coil that is built into the card. This coil supplies power to the circuitry on the card which causes the card to send its ID via some kind of rf signal. There are no "smarts" in the card itself. The card just sends its ID and a computer behind the scenes uses that ID info to open the door or pay the bill.
For those concerned about portable readers consider that a reader would have to send out a powering magnetic field and then capture the ID of the card. My guess is that all kinds of security could be built into these cards. The most obvious kind would be the use of an ID that contained a constantly changing code like the secure IDs many of us use to access various secured dialup and network devices. The only drawback is you would need some kind of contained power source in the card to power the secure ID circuitry as it has to be constantly powered so it does not lose synchronization with the host system. My guess is the reader could still supply power for the RF signal while the secure ID part used a small lithium cell.
That way the ID would not only have to be correct but the security code would only be good for about 3 minutes. That would make these things fairly secure, probably moreso than a card and a PIN as the PIN can be noted via cameras and the quicksighted.
Physical theft of the card would be a problem but that would not be anything new to get used to.
dzimmerm
Jumping to correct solutions slowly is better than jumping to incorrect solutions quickly.
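The time-limited code this comment proposes can be sketched as follows. This is an added example, not part of the original comment or of any vendor's scheme; the HMAC construction, the `Host` class and every name and secret in it are assumptions made for illustration, with only the 3-minute window taken from the comment.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 180  # the comment's "good for about 3 minutes"


def rolling_code(card_secret: bytes, now: float) -> str:
    """Code the card would send during the time window that contains `now`."""
    counter = int(now // WINDOW_SECONDS)
    mac = hmac.new(card_secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return mac[:4].hex()  # truncated to 8 hex characters


class Host:
    """Back-end that shares one secret per card ID (hypothetical design)."""

    def __init__(self, secrets_by_id):
        self.secrets = dict(secrets_by_id)
        self.last_counter = {}  # card_id -> newest window already accepted

    def verify(self, card_id: str, code: str, now: float, drift_windows: int = 1) -> bool:
        secret = self.secrets.get(card_id)
        if secret is None:
            return False
        current = int(now // WINDOW_SECONDS)
        # Tolerate a card clock that is one window ahead of or behind the host.
        for counter in range(current - drift_windows, current + drift_windows + 1):
            if counter < 0:
                continue
            expected = rolling_code(secret, counter * WINDOW_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                # A code stays numerically valid for its whole window, so the
                # host must also refuse any window it has already accepted.
                if counter <= self.last_counter.get(card_id, -1):
                    return False
                self.last_counter[card_id] = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    host = Host({"card-1": secret})
    t0 = 1_000_000.0
    code = rolling_code(secret, t0)
    print("first use:", host.verify("card-1", code, t0))
    print("same code 10 s later:", host.verify("card-1", code, t0 + 10))
    print("next window, new code:",
          host.verify("card-1", rolling_code(secret, t0 + 180), t0 + 180))
```

The time limit alone does not make a captured code single-use; the `last_counter` check is what does that here.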
Well, you could hack your card so that everything is billed to Bill G.
Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
I didn't RTFA, but here's an idea to counter some people's fear that a technology like this would necessarily allow you to steal card numbers as you walk through a crowd.
The card could use a challenge/response system with the merchant. Each card has a symmetric key pair - the public key is your account number used for billing. The private key is known only to the card, and is used to sign a challenge phrase from the merchant. Challenge phrases would be unique to each transaction (given out by the financial institution per transaction). This way, cards couldn't be cloned.
Karma: -2147483648 (Mostly affected by integer overflow)
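A challenge/response exchange of the kind this comment describes, set beside a card that only ever sends a fixed ID. This is an added example, not part of the original comment: it substitutes an HMAC under a per-card secret for the signature the comment describes (Python's standard library has no public-key signing), and the classes, card IDs and key handling are all hypothetical.

```python
import hashlib
import hmac
import secrets


class StaticCard:
    """Card that answers every reader with the same fixed ID."""

    def __init__(self, card_id: str):
        self.card_id = card_id

    def respond(self, challenge: bytes) -> bytes:
        return self.card_id.encode()  # the challenge is ignored


class KeyedCard:
    """Card holding a secret that never leaves it; it only answers challenges."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Issuer:
    """Financial institution: issues per-card keys and per-transaction challenges."""

    def __init__(self):
        self._keys = {}     # card_id -> key (a different key for every card)
        self._pending = {}  # card_id -> challenges issued but not yet used

    def enroll(self, card_id: str) -> KeyedCard:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        return KeyedCard(card_id, key)

    def new_challenge(self, card_id: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.setdefault(card_id, set()).add(challenge)
        return challenge

    def verify(self, card_id: str, challenge: bytes, response: bytes) -> bool:
        pending = self._pending.get(card_id, set())
        if card_id not in self._keys or challenge not in pending:
            return False
        pending.discard(challenge)  # each challenge is good for one transaction
        expected = hmac.new(self._keys[card_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    issuer = Issuer()
    card = issuer.enroll("card-A")    # constructed sample IDs
    other = issuer.enroll("card-C")

    c1 = issuer.new_challenge("card-A")
    r1 = card.respond(c1)
    results = {"genuine": issuer.verify("card-A", c1, r1)}

    # Someone who recorded (c1, r1) over the air presents it again.
    results["replay_same_challenge"] = issuer.verify("card-A", c1, r1)
    c2 = issuer.new_challenge("card-A")
    results["replay_on_new_challenge"] = issuer.verify("card-A", c2, r1)

    # A different card's key cannot answer for card-A.
    c3 = issuer.new_challenge("card-A")
    results["other_card_key"] = issuer.verify("card-A", c3, other.respond(c3))

    # The fixed-ID card sends identical bytes whatever it is asked.
    static = StaticCard("card-B")
    results["static_answer_never_changes"] = static.respond(c1) == static.respond(c2)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```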
So what happened to the idea of using crystals with air bubbles to create light patterns? That sounds like a much more secure and unique method than this. Really, I have the time to slide my damn card so lets go with security.
I do security
When I visited Hong Kong in 2001, I bought a subway pass with this technology.
If you buy more than about $10 US of subway services, you have the option to get a smart card. My whole stay that card left my wallet only once (to return it for a refund). Other than that when I used the subway, I would just set my wallet on top of the reader. It was so convenient.
Even better, lots of vendors (such as convenience stores) let you pay using your subway credit.
I guess there are more security concerns when using this with a real credit card, but it seems like it should have happened in this country sooner.
http://yetanotherpoliticalrant.blogspot.com
I live/work in Korea, and my company ID badge has a passive chip, where I only need to get it near a sensor. A Jedi swipe will do the trick, in most cases. This badge/card is also a Visa c'card, and it comes with the traditional swipe stripe. I keep it in my wallet, however. I can't seem to relax when hanging a cord around my neck that has a few thousand dollars attached to it. Why advertise.
Well if that how you would like for us to refer to you..
Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
Great, now all a pick-pocket needs to do is brush up against you and he's got all your credit card numbers.
I think that maybe it might be based on the smart card, you wave it and it has an id number that is only good for that minute. The next minute the number is something else all together.
I can see Amazon patenting 0-click technology with this...
- Danny
Think about it.... Some (insert evil persona here) would put some sort of receiver anywhere near the sales counter and decrypt any data passed through the !air! Personally I like to think that they would need to have physical access to the card to steal..... But then again I'm weird....
Leave it to those narrow-minded visionaries at VISA and Royal Phillips to come up with an even more insecure method of deploying consumer credit card information... via RF (wireless) technology.
If you think credit card fraud is rampant now, wait until card thieves get hold of a portable RF reader and begin walking down crowded streets...
Hey, that's fine with me. This gives me enough lead time to come out with a copper-lined wallet that prevents RF credit card theft. In fact, I'm racing to the patent office now!
Reading some of the comments here about the security of these cards, and it makes me worry somewhat.
I used to sysadmin for a shell account company, and we saw huge amounts of credit card fraud, mostly from kids looking to run bots on IRC, or just because they collected shell accounts.
One thing I came away with from that experience was the definite feeling that Credit card companies don't seem to think it is in their interest to stop credit card fraud.
After all, if the owner of a card is frauded, the bill goes on their card, and interest is accrued. If the owner of the card isn't diligent, it's possible they might just automatically pay the card off, without even realising they have been a victim of card fraud.
Certainly, the credit card companies don't seem to go after the fraudsters as much as they should. One of my friends on Dalnet used to regularly give the full details of people that she had discovered doing carding. One kid was so blatant, he put up a web page, with pictures of him holding up all the crap he had bought with stolen card numbers.
He was 12, and his mother didn't care in the slightest he was stealing. And neither did the credit card companies. The police were interested though, but he didn't have much repercussions - just a couple of weeks in a counselling center for kids.
Anyway, I digress.
Proximity cards are a great idea. It means I can just wave my wallet near the scanner to pay for an item.
But, if this is not coupled with some new form of identification currently not in use with credit cards (a pin number would suffice, or something biometric such as a thumb-print), then I fear that fraud will just increase.
People will get a hold of the scanners, and set up their iPod to capture the card numbers of anyone in proximity to it, and just walk up behind people, snapping up numbers.
Maybe I'm just getting paranoid.
The EE Times article focuses on the technology and is a bit light on details of what the card actually does, so I'm not sure if it is a stored-value card (like Octopus) or actually operates like a credit card. I would be surprised if it's the latter because of concerns about theft etc.
Warning... the second link is troll droppings.
You have been warned.
Oh, my damn eyes.
AC
Wouldn't the PKI scheme be used? That is to say that the card and card-reader share some key. I suppose that this would be just another variation on chip-card technology (EMV, Proton etc).
other credit card industry players have had trials of similar systems in this field. also, Mobil has been using the Speedpass system for years which works in a very similar manner.
this really isn't anything new. put a very significant number of them out in the world and have a significant number of acceptance sites and THEN you have a first mover.
does anybody else smell the "21st century pick-pocket" here?
well, it's nothing one behind the ear wouldn't cure
The place where I used to work had these key fobs which worked like that. I thought it'd be cool that we just had to walk next to the door and it'd open it.
Not.
Even when directly contacting the sensor with the key fob in my pocket it didn't activate it. It had to be held in front of the device, almost touching it.
Whatever the range they say, I'm sure you're not going to be able to sniff out the RF signal by just sitting next to someone unless you have some expensive equipment.
...how is it going to know which card to use for the transaction?
Know what I'm going to do? Pick the lineup with the most customers. That way I'll have a pretty good chance of not actually having to pay for my stuff!
You're using her as bait, Master!
But my first thoughts are...
:P
Could it be too hard to snoop on the 'lil radiowaves or magnetic fields used in these things? I mean.. I'm first in line swiping a mall with a highpower transceiver for these things, harvesting credit cards.
At least there has to be an attached pin number or something.
And when you have to enter a secondary authentication token (such as the pin), I see no advantages over magnetic strips.
Oh yeah, except. "magnetic". These things prolly would be harder to destroy accidentally.
Bot Assisted Blogging
I kid. I don't have one and you can't "apply" for one either. Read more about it here and see it here.
(waves hand) "You will sell me these goods." :)
wqerqewrqewrqwerqwerqwerqwerqwerqwer test
Japan has had contactless debit cards for quite some time, with technology developed by Sony. The Japan Railway East 'SUICA' cards are similar to the Octopus cards in Hong Kong.
http://www.tcvb.or.jp/en/hot/sizzling/0112/sizzling_12c.html
and
http://edition.cnn.com/2003/WORLD/europe/02/18/biz.trav.smart.cards.ap/
Also the EDY cards use similar technology and are embedded into credit cards so one card can be both a swipable credit card as well as a contact-less debit card.
http://www.sony.net/Products/felica/contents04_01.html
Waves AmEx These aren't the droids you're looking for...
Obiwan was a bribe merchant!
...for women in a bar will be an even more graceful gesture than ever... Who says geeks can't be smooth!?
I've asked many people this but no one can give me a decent answer...
What kind of security check is it to write your signature after using your credit card?
I mean the signature is on the back of the card!
It's like having the password to your computer written on a piece of paper stuck to your monitor...
This is a problem with rfid type technology. The problem is that rfid is passive and to read it, you need an active rf source. Which makes you, unfortunately, very very visible. I'd like to see the Artful Dodger dodge a HARM missile.
Makes you wonder...
BOO! TERRO
They should name these cards after presidents Bush. You can run up a huge deficit without touching anything.
Let's face it... credit cards are based on pretty old technology. Hell, there was a nice little 1970's film, can't remember the title off the top of my head, where one of the sub plots was a lady geek got fed up getting a job at a bank, proposed a security upgrade for their cash machines, got the cold shoulder, and decided to rip off the cash machines. While I think it's a little far fetched to do such a thing from the safety of a van without modifying the equipment, it would be easy enough to visit a 2nd hand shop, buy a credit card terminal, modify it to relay all information it receives, all the CC information as well as the pin associated, and transmit it to an outside source, which could be via radio or heck even one of those pay as you go phones. And because the technology is so dated, one can easily build a credit card writer, in fact I know 2600 had an article on one you could build using cassette heads and a stepper motor from a teac floppy drive (though 5.25 inch hard drive stepper motors are a whole lot more fun).
Now in the states this would be considered to be a federal crime, probably a felony, so kids don't try this at home. Damn sure this is a high crime in other parts of the world as well. My point is the structure of these cards we carry in our wallets is well documented and it's painfully easy to create a credit card. Unlike paper currency, clerks often times don't even look at the piece of plastic you are shoving through the machine, and it's not like a cash machine cares. Again, don't try this at home, screwing with banks is bad... m'kay.
I would not be opposed to some form of smart chip, something that is a might bit more difficult to reproduce. I'm not necessarily opposed to cards that use RF, provided that some form of physical authorization is required, like pin number, signature, thumb print. Both smart cards and RF cards can also be forged, but requires a bit more than essentially cassette tape, cassette head, stepper motor, and interface. Plus I want some form of authentication to demonstrate that I actually authorized a purchase.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
This idea is complete BS. There is no technical way to reach an adequate level of security using anything contactless to actually pay for something. Even with badass security measures like EMV (think personalized certificate in your smartcard, coming to a wallet near you very soon), there are still perfectly reasonable concerns, like "How am I sure that I'm actually talking with the right card/reader and not the one 2 meters away."
Now contactless cards can be very useful in one situation: identification. All those metro passes could be contactless because money isn't actually withdrawn from your account: the system just makes sure that you're you and that your account allows you to access this area. Also, from the point of view of a hacker, there is no way to make money by impersonating the backend system. They could try to make new cards, but the GSM system proves that you can actually prevent this from happening.
Now it seems that credit card companies are willing to take the risk. Fine, but who's gonna pay for fraud? Well, the user of course, and that means you and me.
Finally, the article is kind of vague. I'm not actually sure that they will allow you to pay wirelessly. I'm thinking that Visa and Phillips are actually building a contactless card/reader combination, but that the journalist elaborated mindlessly over this idea, as usual. Also he seems to be rolling contactless cards with application cards, which is an orthogonal feature altogether.
Nobox: Only simple products.
There is an infinite sea of number sequences out there which look just like white noise.. but if you know precisely which sequence you sent, and what to look for, no one else is privy to it and can't see it at all.
Remember, the power ( RF "illumination" ) drops off as the square of the distance, so if you set this thing right, you hold the tag close, it will work, but pull it an inch or so out of range, forget it. Insufficient power to do a thing. And if it's not illuminated with the correct source, it can't return data in sync... so this thing oughta be really hard to spoof.
Looks really neat to me.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
The idea that just waving a card in the proximity of a reader will make you poorer makes people uncomfortable. Poor feedback.
...um...
Our bus services recently switched to cards like that. People keep wondering, if the reader actually took the charge at all or charged them twice.
The fact that the card itself has no display to show its balance and the reader a mere 20 character display increases the discomfort.
If these cards aren't surrounded by proper interfaces, they will not get popular.
Argh, I forgot the "Didn't cost anything: I paid with my Visa" effect that guides people into personal bankruptcy. They seem very comfortable with that. So forget I said anything.
Too bad they'll probably still make us type a PIN on that greasy keypad.
As for previous posts about portable scanners, this could easily be solved by:
- Limit the range of the rf elements in the credit card.
- Have a scrambler card in your wallet that has greater range & RF output
- Build in some kind of biometric (like your picture showing up on the authorization terminal, privacy - blah blah blah...)
Dupe posts are
Can someone please answer this really obvious question? What is the point? With all the disadvantages mentioned above (stealing card details without you knowing, problems with multiple cards in a wallet meaning you have to take it out anyway etc etc) why would you want a proximity card anyway? There isn't any problem with normal chip cards as they are... (except they don't require a PIN or anything yet). Why not just increase the security of normal chip cards first, which could probably be done without issuing anyone with a new card. The proximity concept doesn't solve any problems at all and simply adds more new ones.
Nick...
I think that's how SpeedPass works. It's really a faster way to buy things, but seems incredibly unsafe. If someone swipes that thing, you're done!
stuff |
Who's going to PAY for all these nifty new readers? Practically every store in the whole damn country takes credit cards, even all the mom-and-pop stores that have a little Tranz-330 behind the counter.
What is the store's incentive to spend what, probably $500-$1500 for a card reader for yet another kind of card (especially if they were already burned by a smart card program?)
And what is the public's incentive to get a card that nobody accepts? It's like the AmEx Blue - it's got a chip in it, but has anybody ever used it? I doubt it.
There have been various attempts to get non-magstripe cards as cash substitute cards in various US cities, and none ever do anything, because they can never surpass the chicken-and-egg deployment hurdle.
This is great. I'd much rather not slide my Visa through her slot.
Their rapid payment thingies may be innovative but these are guys that still claim there's no such thing as global warming or human rights in third world countries they exploit. Their track record is terrible. They're totally appallingly disgusting. If you really must drive, at least buy gas from somebody like BP who at least pays a little attention to the environment.
For more info stopesso.com
I think the point is that proximity scanning is (slightly) easier than swiping -- especially since swiping isn't always straight-forward in my experience. (i.e., Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk enters number manually.) It might be nice to have the reading of a card number not be dependent on 1) the supple wrist of the user, 2) the condition of the card, 3) the speed and direction of the swiping motion . . . the list goes on and on.
Also, the wear and tear on the cards might actually be reduced enough to make them last more than a few months . . .
Now someone can pick your wallet just by walking by.
Oops. Bumped into you. My bad. = Credit card info stolen with a portable reader.
..at least I know they do here in Germany and also in France. There, you have to enter it all the time wherever you pay. I don't know about here cause I pay in cash - CCs aren't used for small purchases here due to high fees the merchants have to pay.
Which leads us to an interesting point: the CC companies used to put the risk of fraud on the merchants. AFAIK, a German court toppled that some time ago, ruling that the CC company has to compensate for fraud and denied payments.
The result? Loads of online stores, possibly thousands, had their contracts terminated, only the big players offer payment by CC without high fees (usually 4% with PayPal) now.
If you can read German, read this: http://www.fun.de/deutsch/news/presse/pressespiegel/PS_2002/spiegel.htm
That's what happens when something becomes unfavorable for the financial business - they drop the service.
This sounds interesting, but I think the best overall solution would be a card that works by its proximity to Redmond, Washington. Proximity in this context means any distance that can be covered by a privately owned network of satellites. A bank of customer service reps and security experts there could approve/disapprove each transaction, as well as compute the substantial tariffs/licensing fees. The process could be streamlined by including reps from the MPAA/RIAA.
Hey wait! Gotta go...I'm off to see my patent attorney, who is on retainer.
Evil is the money of root.
me! me! pick me! I'll do it!! Pick me!!!
with RF ID tags on merchandise and a proximity credit card, the stores can just ding a shoplifter when he/she walks out the door - or ding anybody else within range...
Maybe I'll pass on this idea - too much scope for fraud by the shop owners!
Oh well, what the hell...
Choosing EFT doesn't improve your own security unless you are worried about having picked up somebody else's card by mistake. It doesn't have beans to do with the guy who steals your card; he has no obligation to choose EFT.
Infuriate left and right
Receipts carelessly tossed in a garbage can outside of certain stores (yes, many of them do print your full name, card number and exp. Date)
Shred receipts you don't need and keep secure those you do.
Hacking insecure online servers (many have 1000s of cards in plain text or weakly encrypted)
If you are going to purchase online via credit card, never allow the website to store the data "for your convenience" because then it is in their database. The site should have to ask for your cc# for each and every transaction. If they don't have the option not to store your card info, don't shop there and let them know why.
Consider getting a single, low limit card that you use exclusively for online purchases, particularly one that advertises online purchase protection.
Check your statement monthly or more often (if online statements are available.)
Grab your mail
This is a federal offense, but anyway. Don't forget your mail carrier at Christmas, Kwanza, Hanukah, whatever.
Look in your recycling box
Shred, shred, shred.
Look at your card over your shoulder
Be aware of your surroundings.
Hidden cameras, crooked cashiers/waiters etc
see: "Check your statement monthly" above.
Set up a fake online store selling a few products very cheaply.
Set up a cheap porn site. (ala the Eros Island scam)
Discover USENET pr0n, which is free. You don't mean you actually *pay* for pr0n do you?
I wonder how many other locations in the states have confirmed cases of SARS? Conspiracy theories anyone?
I can picture it now... some girl rubs herself up on me at a bar, but little do I know she's actually buying herself a drink on me through my pants! Talk about beating the system!
I've seen something like this in Jason's Deli where you somehow have your credit card hooked on or glued to your cell phone and just quickly swipe it by to pay for overpriced food... Anyone know what the difference is between this and the one I am seeing in the Deli? On another note, I hope my girlfriend never gets a hold on one of these!
This idea is good in theory, it would certainly solve the worn out strip problem. However, it would only be a matter of time before a smart hacker genius crook would come up with a portable device he could carry around with him. He could steal money from your card just by brushing up against you on the bus or in a crowd, or just by walking around the mall. Also it'd still need a strip for all the thousands of businesses that won't migrate to this technology until it catches on.
---- "Excuse me. Where's the children's gun section?"
Contactless credit cards seem to be merely the next insecure step in a series of steps that make our financial transactions more vulnerable to fraud. The legalization of digital signatures, and even the implementation of direct charges to checking accounts were earlier parts of this vulnerability process. The fraud that results from this perpetual weakening of our financial transactions will eventually be so common that people will demand a solution to the problem. The final result is the mandatory use of biometrics for general identification. The mark of the Beast would be required to buy a Big Mac. Barcodes on your forehead, anyone?
We Await Silent Trystero's Empire
Curiously, many of the Google links display "story not available". Are six week old stories normally flushed from on-line archives? In such cases use Google's "cached" link to see the story.
http://www.mycreditcarddetails.co.uk/
Not only is there no magnetic stripe to swipe, but they are animated to the theme song from Magnum P.I.
The ______ Agenda
Contactless credit cards, and RFID implants. Hmmm. Who else is reminded of a mark on the forehead, or the right hand, without which no man might buy or sell any thing?
AMEX TESTING KEY-FOB TECHNOLOGY
CardLine (Thomson Media) (Front Page), May 23, 2003
American Express Co. is testing a contactless key-fob product that the card issuer plans to use for small-ticket purchases. The product, which is called "ExpressPay by American Express," uses radio-frequency technology, says David Bonalle, AmEx's vice president and general manager for advanced payments and enterprise development.
Bonalle tells CardLine today that he can't talk about a rollout, but "we definitely see there is a lot of opportunity." So far ExpressPay is being used solely by AmEx employees, and it is accepted at only a few locations, including the cafeteria in AmEx's big processing center in Phoenix, and some local stores.
Users who wave the key-fob by a payment terminal reader can spend up to $150 per day. The average transaction takes 8.9 seconds compared with 12.4 seconds for cash and 15.4 seconds for credit card sales requiring no signature, according to Bonalle, who spoke today at Thomson Media's 15th Annual Card Forum & Expo in New Orleans.
Value for the card can be prepaid or charged to a regular AmEx card account. Users can get online monthly statements. Bonalle would not discuss pricing other than to say that AmEx is "following the discount-rate policy that's in place for mag-stripe (cards)."
AmEx began planning for a micropayments product late in 2001, he said, and AmEx is working to ensure that ExpressPay's technology is interoperable with other key-fob radio-frequency products such as Exxon Mobil Corp.'s Speedpass and MasterCard International's PayPass.
Where I live this technology is already in use. There are gas pumps here in Kansas labeled with a square area and a SPEEDPASS logo.
Speedpass Site
I don't know anything about the underlying technology, but it would seem Philips and Visa have been beaten to the punch.
[ http://www.dvigroup.net/self ]
"These aren't the droids you're looking for..."
To get this right, they will have to figure out a way to make the antennas a bit more durable than the one in my current work passcard, at least. I once made the mistake of keeping it in my wallet and it delaminated and the antenna broke after being sat on for a few days - and I only weigh 150 pounds! I replaced the card, and the second one delaminated after accidentally being slept on on the couch.
nuke the moon
This is such a great idea. I can't begin to tell you how many hours I spend in frustration trying to line up my credit card with the swiper. Not to mention the huge amounts of dirt and grime that I have to clean off my cards every night!
Maybe they should just surgically implant a credit card in my brain so I can just *think* about buying something and it's done.
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
perfect. maybe now the crackers will leave WLANs alone and go straight to the source.
I think they better first check out the so-called "Smarter Card" from Cypak, a Swedish firm that has a card with embedded CPU and RF, and a keypad built onto the card which requires the user to enter a PIN to validate use of the card. Seems to me that Cypak already has most of the relevant technology.
The last proximity card I carried in my wallet erased all my credit cards. Does the new card erase itself after a few months, and take your $1700 balance with it?
I'm much funnier now that I'm a subscriber.
That just proves that American society cannot progress any more. I think Internet was the last Big Thing (TM) we've got from there.
Less is more !
The best thing about my proximity access card is that I don't have to take it out of my pocket or wallet to use it. I know that I carry at least 2 credit cards and 1 debit card. If I get my wallet close to the machine which one would it withdraw funds from?
is not really about looking for another payment method. After all, it's easy enough to pull out a wallet. The new technologies are designed to help retailers build loyalty programs unique to their chains. Speedpass was one of the first applications. Their RFID keypass is not only about payment, it's about providing a service that makes loyal customers. Since a driver already has his keys in his hands, and he is often in a rush, a keychain fob makes sense. I think about 6 million Speedpass tags have been distributed. To my knowledge, fraud has not been a big problem. Companies like Visa and Mastercard have brought out better tag technology that will eventually allow retailers to offer rewards and loyalty points based on purchases, like the airlines. There's even a company in Virginia that offers retailers just the loyalty tag -- without the payment. The point here is that shopping will soon be more like that on Amazon: your purchases will be tracked in real time, and special offers (based on previous purchases or similar aggregate data) will be tailored just for you.
Pro: My card won't wear out before it expires 6 years from now
Con: Now I can have my number stolen without coming into physical contact with the thief.
--This could be a pro if you consider it could make getting robbed a whole lot safer
See the Pictures of the Flood of '08
In both cases, Speedpass and the toll system, the heart of the device is a small radio transmitter that is actually powered by an RF field in the vicinity of either the gas pump or the toll booth. When bombarded with enough RF, a chip in the transponder sends back its serial number. The difference between the mini ones for Speedpass and the big ones at the toll booths is that the toll ones have to work much further away from the tx/rx antennas. I've never taken one apart, but I expect the antennas are much larger.
The problem with using a system like this for a credit card is that the transponder is dumb--it doesn't know what it's transmitting to, or whether it is appropriate to transmit your credit card number at that moment. If it gets hit with enough RF to energize the circuit, it transmits your account number. This would be very dangerous, for obvious reasons.
If I were building them, I would put a little 'fail-safe' on the top of the card: two metallic patches separated by a few millimeters, that you have to cover/connect with your thumb in order for the card to transmit. I'm not sure how complicated the circuit would be, but I have personally seen devices that have metal bars like that and use the capacitance to know whether a human hand is touching it or whether it's brushed up against an inanimate object.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The article discussed the pros and cons of smart cards, radio transponder devices, etc.
The article on the Technology Review website is subscriber only, but you can read it here.
Maybe I'm missing something but couldn't a thief just walk around in a crowd downloading people's card IDs? Then using a reverse process, transmit that info at a card reader and presto... he'd get what he ordered.
This is different from ordering online or anything like that because the card never has to leave my wallet.
I don't think this is a problem with current RFID cards (such as SpeedPass) because it's not worth it (gas prices are low and the cost of the hardware is not trivial) but if this could be used for ANYTHING I think the motivation would be there.
Am I missing something?
'cuse me sir, you just bought this purple-metallic minivan with golden rims ... where would you like us to ship it?
So, someone gets a dummy card that looks real and holds that in their hand. but the stolen card is up your sleeve, and activates the electronics. Visual verification by the cashier? sure! Of course the signature looks right, you wrote it! But it seems like it might be a halfway decent technology if they can figure out how to avoid abuse like that. ah well, just my 857,345,246.4 rubles.
If you can read this, you are most likely close enough.
Looks to me like just a speedier way to suck money out of your bank account and charge you for the service to boot!
I don't know about everyone else but I go running scared when I see things like (paraphrased) "...standard method of allowing consumers to purchase content in their home..."
I can see it now.... "please wave your contactless credit card to watch this channel"....
42 - So long and thanks for all the fish.
Canada already has this. Esso gas stations can issue you a proximity keychain called the "Speedpass" which is linked to a Credit Card account you already have. Wave the thing in front of the pump, gas up, and go.
"Credit leads to debt.
Debt leads to interest.
Interest leads to...
Depreciation of capital expenditures over the lifetime of the loan."
The security card I use for work functions while it's still in my wallet. That's not a feature I want for my credit cards.
this is yet another example of why credit card companies blow goats. Do they have no concept of security?
fucking pathetic. security by insurance is not security at all.
If theft is a big issue (and putting it on the keychain would mean that you would report it instantly if it's lost), requiring a PIN wouldn't make the experience much worse.
Plus they have those cool Pegasus and Tiger logos that light up when the Speedpass is accepted. Much better user interface than those damn supermarket card readers ("Press OK to approve, yes the GREEN OK button, no, swipe again please...")
sulli
RTFJ.
With speedpass (and the other toll systems I would have to imagine) your credit card number isn't sent, only an acct number that can be referenced to your charge information on file.
So, one can't capture credit card numbers, but one could capture your acct number and transmit it manually to pay for tolls or gas on your dime.
[ http://www.dvigroup.net/self ]
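An added example (not part of any comment in this thread, and not any vendor's actual protocol) contrasting the "dumb" serial-number transponder described above with a tag that answers a fresh reader challenge under a secret key, to show why a recorded account number is accepted by one reader and rejected by the other. The class names, the 8-byte account ID and the HMAC-SHA256 construction are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ID_LEN = 8  # constructed fixed-length account identifier


class StaticTag:
    """The 'dumb' transponder: any energizing field gets the same bytes back."""

    def __init__(self, account_id):
        self.account_id = account_id

    def respond(self, challenge):
        return self.account_id  # the reader's challenge is ignored


class KeyedTag:
    """Hypothetical tag that MACs the reader's fresh challenge with a secret key."""

    def __init__(self, account_id, key):
        self.account_id = account_id
        self._key = key

    def respond(self, challenge):
        mac = hmac.new(self._key, challenge + self.account_id, hashlib.sha256).digest()
        return self.account_id + mac


class StaticReader:
    """Accepts any reply that matches an account number on file."""

    def __init__(self, accounts):
        self.accounts = set(accounts)

    def authorize(self, respond):
        return respond(os.urandom(16)) in self.accounts


class KeyedReader:
    """Sends a new random challenge each time and verifies the MAC over it."""

    def __init__(self, keys):
        self.keys = dict(keys)  # account_id -> shared secret key

    def authorize(self, respond):
        challenge = os.urandom(16)
        reply = respond(challenge)
        account_id, mac = reply[:ID_LEN], reply[ID_LEN:]
        key = self.keys.get(account_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge + account_id, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def recorded_reply(tag):
    """Model a reply observed once and later presented verbatim to a reader."""
    observed = tag.respond(os.urandom(16))
    return lambda challenge: observed


def compare():
    account = b"ACCT0001"  # constructed sample value
    key = os.urandom(32)
    static_tag, keyed_tag = StaticTag(account), KeyedTag(account, key)
    static_reader = StaticReader([account])
    keyed_reader = KeyedReader({account: key})
    return {
        "static_genuine": static_reader.authorize(static_tag.respond),
        "static_replay": static_reader.authorize(recorded_reply(static_tag)),
        "keyed_genuine": keyed_reader.authorize(keyed_tag.respond),
        "keyed_replay": keyed_reader.authorize(recorded_reply(keyed_tag)),
    }


if __name__ == "__main__":
    for case, accepted in compare().items():
        print(f"{case:15} accepted={accepted}")
```

A fresh challenge only defeats recorded replies; it does nothing about a live relay that forwards the reader's challenge to the genuine tag, which is why range limits and an explicit user action (PIN, button, thumb contact) come up elsewhere in this thread.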
Hmm not to sound like I have my own holy grail, but the SIM card in Europe is already used as a contactless form of payment. If you look at a lot of vending machines for small items you'll see a phone number you can call :)
Yeah, but is it integrated into your cell phone?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Why bother with this?
If it's speed, then why don't you make stores have 24x7 links, or develop a wireless network for mobile merchants (like hot dog vendors). Verifying credit cards takes far longer than pulling it out of your wallet.
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
Crooks have creative minds. Some crook somewhere will figure out that they can read the card while it is still in the wallet and then find a way to steal hundreds or thousands of credit card numbers.
I no longer use my credit card number over the telephone. I made a $9.95 purchase from an 800# on a TV ad and ended up being charged $99.95 three months later. In order to get credit for this charge, I had to report the fraud, cancel the credit card and have a new one issued and then contact all of my automated payments and change the card number.
It was a hassle I would rather not go through again. My boss was also hit by credit card thieves and had a very similar experience. Two women I know had their identity stolen. It is NOT an uncommon crime and it can screw up people's lives pretty badly. I hate to think what would happen if the process were "automated" through the use of hidden electronic readers!
Thanks but no thanks. I like my mag-stripe card.
er not technically true - Visa Electron and Solo need to have an intact magnetic stripe. Terminals will refuse these sales if the card is not present as these are a confirm before sale card the till terminal will always call the bank to ID the card / funds
Here's the idea for making a mess of the contact-less credit card.
It's like creating a wireless extension cord that extends the cashier station's contact-less card reader's "reach" to well outside the store, down the street, or into the next zipcode.
Ouch.
rick
I read a few articles on "stealing" proximity card data. It's apparently not very hard.
One proximity card that I use requires almost physical contact to the reader, which is appropriate for a doorway.. But another card I use (same building, same card type) to open the garage gate reads the card within about a foot of the reader. I roll my car slowly by, casually holding the card out, and it reads with no contact.
With the appropriate equipment, you can read data from just about anyone's card at a distance. How close do you have to be? People get kinda close in elevators, or you can just be polite, and be holding an outside door for them while they walk by your briefcase/laptop bag/purse. For that matter, I guess your reader could be in the brown paper bag that appears to hold your lunch.
H2K2 had a lecture on it in July of 2002. Here's the lecture description.
"Proximity Cards: How Secure Are They?
Sunday, 6 pm
Area "B"
They're used everywhere but they could be making you even more vulnerable to privacy invasion. Delchi has been working with proximity based card systems for two years and has developed a method of casually extracting data from proximity cards in a public environment. Riding in an elevator, subway, or just walking down the hall, a person can bump into you, say "excuse me," and walk away with the decoded information from the proximity card in your pocket. It could then be possible to build a device that can capture and replay these snippets of information on demand or to even brute force a proximity card system. This talk will focus on the vulnerabilities of the systems and show a low power working prototype. Alternatives will be discussed, as well as other vulnerable aspects of proximity based building and computer access systems."
I've read some design information on it also, but can't seem to find the links right now. I don't know what the options are for protection of proximity cards.. Keep them in a foil pouch?
Serious? Seriousness is well above my pay grade.
These aren't the droids we're lookin for.
So then I walked through the mall with my card scanner on and picked up about 15 valid numbers from people I passed.
Wanna go shopping?
I'm a student, took a class with Ed Felten last semester. We talked about credit cards, security, fraud, etc. and realized a few things
1) Signatures aren't really used to check your identity. They are used to dispute claims LATER: the store shows you the signature on their receipt, you can see if it is yours or not. People are very good at recognizing their own signatures.
2) There is a lot of fraud, but the main issue is cost of fraud vs. cost of prevention. Implementing "secure" credit cards with microchips, forcing stricter requirements on merchants, etc. has a cost. If this cost is greater than that of the fraud, you accept the fraud as a necessary evil.
Why stick with the rectangular plastic card, can we make it into the shape of a Harry Potter wand that I can just wave around at the checkout?
file format to describe a bill to be paid. this file is transfered to your cell phone, pda, or whatever the hell we'll call them in 5 years. then a thumbprint reader will verify you are you and that you authorize the bill being paid, transfering the payment authorization, signed with your private key, to the bank.
Question
http://www.ironfroggy.com/
What if your signature actually was "PLEASE ASK FOR ID"?
yay ! Now I can spend money I don't have without even opening my wallet.
Mongrel News all the news that fits and froths
If you had contactless credit cards, there would be no such 'insulating' layer--the credit card would have to by definition transmit your credit card number in a usable form.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
online PIN function that you can sign up for. The idea that the brick and mortar vendor is going to check your signature vs the one on the back of the card, and the added bonus of a picture is supposed to make it even more secure. Reality is that the merchants rarely even glance at the card, and the most frequently stolen numbers come from restaurants....
The problem with an EFT is the vendor HAS your money and you have very little leverage, with a credit transaction they've yet to be paid and you can use VISA as a moderator to deal with vendors who refuse to live up to their word.
In all cases KNOW your transactions and check often (daily)...
errr....umm...*whooosh* *whoosh* Is this thing on ?
I ran across this while meta-modding, and my first reaction was "WTF?". A post with that title seemed very out of place here on /. Then I read the post and thought, "Hmmm ... clever sociological experiment." Then I clicked through to the context (I rarely do that when I meta-mod) and read the other comments. *That* was interesting. Then I posted this response. BTW, if I had mod points, I would have marked it "Off-topic". But I didn't disagree with the Moderator who marked it Flamebait. After all, it certainly drew flames! Please let us know how your experiment turned out, and the reasoning behind this particular experiment. You're welcome.