Slashdot Mirror


Contactless Credit Cards

An anonymous reader writes "According to this article in EETimes, Visa and Philips are teaming up to introduce a so-called "contactless credit card". Basically it'll work like the proximity cards many of us use for access to our places of work or apartments. You won't need to physically swipe it, simply waving it over a reader is good enough."

27 of 414 comments

  1. Mastercard beat them to it by sunilonline · · Score: 2, Informative

    http://www.paypass.com/ Currently beta testing in Florida...

  2. Re:Sounds an awful lot like SpeedPass by bgog · · Score: 3, Informative

    Uhhh.. Visa is doing it. Which means if it actually happens, it'll be accepted at MANY more locations than speedpass. Additionally with a decent amount of storage and the high bit rates, you could use one card to buy stuff, get into your gym etc.

  3. Maybe good Maybe not by emerrill · · Score: 2, Informative

    The technology in general can be a great convenience, I have used them before and it means you don't have to fish the card in and out of your wallet, but what happens when you have more than one of this type of card in your wallet (the reader will read them all properly, but which to use?) and theft is a real concern.

    Unless they also use a pin-number system, there is really nothing they can do to prevent theft. If you have a 'shielded wallet' or you have to press a button, then it defeats much of the point, and you have to actually get the card out.

    I'm worried that they will try a type of encryption (info on card is encrypted, and the CC co has the key in a central data base). Now if they were to do a new encryption key for each card, then great, but I could see them using one key for all of them, then what happens if that key is leaked. Even if they do that, it keeps the CC number safe so it can't be used online or such (assuming that the RFID number is even related to the actual CC number, which it probably wouldn't be) it still can't stop someone from making a new RFID card to retransmit the info.

    Basically it all boils down to that there is no real way for the CC company to protect the card if it is contactless. With 20cm (about 8in) you could easily walk around a mall with a reader in your pocket picking up the ids of the cards.

  4. Re:Anyone taking bets... by cruppel · · Score: 4, Informative
    ...I would like to see, say, a button on the card you have to press at the same time.

    I had the pleasure of seeing a prototype credit card that had that feature. It was geared toward online purchases and basically worked like this:

    1. You had to have a small signal receptor at the time...this was over three years ago and they were trying to get rid of that piece of equipment.
    2. When you enter your card info on a website, instead of typing it, you press an area on the card, and it emits a sonic signal that tells the receptor that
      1. You've actually got the card and
      2. It's you using it. The info (name, billing address, etc) is all in the card.
    3. To prevent someone from stealing your card and using it at their convenience you needed to enter a PIN once you pressed the button to make it work. In the end it auto-filled your forms for you, and I thought as a concept it looked promising.

    The button is an excellent idea because you save transmitter life, although I'm sure there's a power supply that can live the life of a credit card. It also controls when the info is sent out. I wouldn't mind throwing a PIN on there either. Hell, I don't even have a credit card, just a check card, so I'm fine with PINs

    Damn I like ordered lists!

  5. Re:too long range (maybe) by BakaMark · · Score: 2, Informative

    If you have 2 side by side, then there can be issues when trying to use them.

    This is something that I have seen with proximity cards for two separate systems. When the two are together then when system A tries to contact Card A, Card B is also activated and the system cannot make any sense out of what it has received. Therefore no access.

    In this case you have to separate the two cards in order to read them.

    There has been talk about contactless smartcards for the past 10 years.

  6. Pick-pocketing by dachshund · · Score: 4, Informative
    My work ID badge can operate through my wallet. In fact, I can often just touch my hip or coat pocket to the reader and the door will open, depending on how lazy I'm feeling.

    My concern would be that unscrupulous individuals would use portable readers to get your card number. It would be a form of pick-pocketing that wouldn't actually require any contact or much risk of getting caught.

    Hopefully, the cards would use some sort of challenge/response system, rather than a fixed number that could be replayed to a terminal. Still, there are bound to be vulnerabilities, and we'll probably be reading about them in a couple of years.

  7. Re:Go for it by berzerke · · Score: 4, Informative

    ...When it comes to secure computing, this is one industry that actually keeps it on the front burner...



    I beg to differ. Credit card fraud runs in the billions of $ every year. One article claims the losses will be about (2002 figures) "$285 million over the holiday season in the United States." And that's just about 1 month's worth. Credit cards are anything but secure. Since consumers don't see the cost of the fraud directly, most are barely aware it exists. Of course, the cost is passed on in the form of higher fees and interest.



    Merchants (and their employees) don't help matters any either. On all my cards, in the signature block, I put "Please ask for ID". (I've checked with Discover and they have no problems with that, BTW). Rarely do I get asked for ID.



    Then there are merchants, such as the USPS, which won't accept the card without an actual signature. Don't need to show ID (I tested this), but it must have a signature or they won't accept it. It's an actual federal rule (I checked), so the clerk isn't doing anything wrong. Maybe it's just me, but I would trust a driver's license MORE than a signature with nothing to compare it to.

  8. Re:*gasp* by YOU+LIKEWISE+FAIL+IT · · Score: 1, Informative
    --
    One god, one market, one truth, one consumer.
  9. Re:Anyone taking bets... by ColaMan · · Score: 4, Informative

    Most of the proximity cards are powered by the RF field that is used to interrogate it.

    Still, a button would be nice. Even just a 'squeeze point' (eg squeeze the card whilst waving over reader) would be handy.

    Then we could also have the obligatory "Squeeze the last cent out of my card jokes"

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
  10. Octopus by ZarathustraThePolarB · · Score: 5, Informative
    In Hong Kong we've had a similar technology for several years now. It's called the Octopus card and virtually everyone in the city has one. It can be used for payment on nearly all public transport and in stores where people make small purchases.

    The EE Times article focuses on the technology and is a bit light on details of what the card actually does, so I'm not sure if it is a stored-value card (like Octopus) or actually operates like a credit card. I would be surprised if it's the latter because of concerns about theft etc.

  11. Re:Good and badGood and badGood and Bad by b0r1s · · Score: 5, Informative


    I would be interested to know how they would be able to stop "contactless thieves" in this case. It seems to me that scanners would become available for people to walk around zapping people's funds away from them. One nice thing about the tried and true swipecards is that to charge them, it's very much a physical action.


    Not entirely true. One of the more common credit card scams here in Los Angeles is portable card scanners being carried by waiters in restaurants. As they take the card you've handed them back to scan it for the bill, they scan it in their personal scanner, which records the information for later use.

    There is no meaningful physical location tied to this because you've given your card (intentionally) to someone you have to trust. If you eat at multiple restaurants over the course of a week, there's no easy way to trace the theft back to an individual location.

    --
    Mooniacs for iOS and Android
  12. Re:Good and badGood and badGood and Bad by Jetson · · Score: 5, Informative
    The magnetic strip in my credit cards are usually destroyed/useless before the card even expires.

    My cards usually crack from curvature long before the stripe is demagnetized or worn away. I guess that's what comes from sitting on your wallet all the time.

    FWIW, Esso Canada (gas station chain) has been using keychain-dongles for rapid payment for about a year now. You just hold your keys in front of the coloured box on the pump for a few seconds and it prepares to make the sale exactly the way it would if you stuck your card in the stripe reader. They also put the same dongle-reader at each cash register so you can buy your morning coffee a few seconds faster....

  13. For the naysayers... by SamMichaels · · Score: 5, Informative

    The place where I used to work had these key fobs which worked like that. I thought it'd be cool that we just had to walk next to the door and it'd open it.

    Not.

    Even when directly contacting the sensor with the key fob in my pocket it didn't activate it. It had to be held in front of the device, almost touching it.

    Whatever the range they say, I'm sure you're not going to be able to sniff out the RF signal by just sitting next to someone unless you have some expensive equipment.

  14. Re:Good and badGood and badGood and Bad by cmallinson · · Score: 2, Informative
    Hell, there's even a simpler problem: If I have more than one credit card which one will it "charge?" Or will it charge both?

    I have two proximity cards on me at all times, for two different security systems. Whenever I swipe one card, and the other is too close, it will not work. There seems to be some interference between the two cards. I assume that the reader machines would be able to tell if more than one card is detected, and the transaction would fail.

  15. Japan has contactless credit cards already by gkanai · · Score: 3, Informative

    Japan has had contactless debit cards for quite some time, with technology developed by Sony. The Japan Railway East 'SUICA' cards are similar to the Octopus cards in Hong Kong.

    http://www.tcvb.or.jp/en/hot/sizzling/0112/sizzling_12c.html
    and
    http://edition.cnn.com/2003/WORLD/europe/02/18/biz.trav.smart.cards.ap/

    Also the EDY cards use similar technology and are embedded into credit cards so one card can be both a swipable credit card as well as a contact-less debit card.

    http://www.sony.net/Products/felica/contents04_01.html

  16. Re:How easy would it be to steal info from these? by pirodude · · Score: 4, Informative

    They do make contactless micro-processor smart cards. Schlumberger makes one, two, three, different versions.

    From their site:

    High-speed contactless operations are completed in less than 100 milliseconds and at distances of up to 10 cm from the reader. Security between different applications is ensured by two 48-bit diversified keys and specific access conditions per sector. Security is further reinforced by replay attack protection and a three-pass handshake, which manages the mutual authentication between the card and the reader. In addition, the Easyflex FastOS 2.0 fast anticollision algorithm allows more than one card to be processed by the reader at the same time.

    Easyflex FastOS 2.0 communicates on the 13.56 MHz carrier frequency in compliance with the current ISO 14443-Type A standard and implements the standard Mifare protocol, allowing it to be used with the vast majority of contactless card systems.
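
Added example, not part of any comment above and not Schlumberger's or Mifare's actual protocol: a sketch of the ideas raised in this thread (per-card diversified keys, three-pass mutual authentication, and the challenge/response versus fixed-number question from the "Pick-pocketing" comment). HMAC-SHA256 is used as a stand-in primitive; the master key, UIDs and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample key


def diversify(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key derived from the issuer master key and the card UID."""
    return hmac.new(master_key, b"diversify" + uid, hashlib.sha256).digest()[:16]


def proof(key: bytes, role: bytes, first: bytes, second: bytes) -> bytes:
    """MAC over both nonces; the role label stops a proof being reflected back."""
    return hmac.new(key, role + first + second, hashlib.sha256).digest()


class Card:
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key

    def hello(self):  # pass 1: card -> reader
        self.nonce = os.urandom(8)
        return self.uid, self.nonce

    def respond(self, reader_nonce: bytes, reader_proof: bytes):  # pass 3
        expected = proof(self.key, b"reader", self.nonce, reader_nonce)
        if not hmac.compare_digest(reader_proof, expected):
            return None  # reader does not hold this card's key: stay silent
        return proof(self.key, b"card", reader_nonce, self.nonce)


class Reader:
    def __init__(self, master_key: bytes):
        self.master_key = master_key

    def challenge(self, uid: bytes, card_nonce: bytes):  # pass 2: reader -> card
        self.key = diversify(self.master_key, uid)
        self.card_nonce, self.nonce = card_nonce, os.urandom(8)
        return self.nonce, proof(self.key, b"reader", card_nonce, self.nonce)

    def accept(self, card_proof) -> bool:
        expected = proof(self.key, b"card", self.nonce, self.card_nonce)
        return card_proof is not None and hmac.compare_digest(card_proof, expected)


def run_session(card: Card, reader: Reader):
    """Run all three passes; return (accepted, messages the card sent)."""
    uid, card_nonce = card.hello()
    reader_nonce, reader_proof = reader.challenge(uid, card_nonce)
    card_proof = card.respond(reader_nonce, reader_proof)
    return reader.accept(card_proof), (uid, card_nonce, card_proof)


def replay_accepted(reader: Reader, recorded) -> bool:
    """Feed a recorded card transcript into a new session with the same reader."""
    uid, card_nonce, card_proof = recorded
    reader.challenge(uid, card_nonce)  # reader picks a fresh nonce here
    return reader.accept(card_proof)   # old proof was bound to the old nonce


def static_id_accepted(allowed_ids: set, presented_id: bytes) -> bool:
    """Baseline: a fixed-number card; any copy of the number is accepted."""
    return presented_id in allowed_ids


if __name__ == "__main__":
    uid = bytes.fromhex("04a1b2c3")  # constructed sample UID
    card, reader = Card(uid, diversify(MASTER_KEY, uid)), Reader(MASTER_KEY)
    ok, recorded = run_session(card, reader)
    print("genuine card accepted:", ok)
    print("replayed transcript accepted:", replay_accepted(reader, recorded))
    print("replayed fixed number accepted:", static_id_accepted({uid}, uid))
```

Because each card's key is derived from its UID, extracting one card's key does not expose the others, which is the per-card versus shared-key distinction raised in the "Maybe good Maybe not" comment.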

  17. Re:First movers advantage and contentions? by kilonad · · Score: 2, Informative

    Wow. Imagine starting your car just by sitting down...

    You already can. Mercedes Benz, Porsche, and even certain Volkswagen models (just to name a few, I'm sure there's others) have this feature. You leave the keys in your pocket. To unlock the car, touch the door handle. To start the car, touch a button on the dashboard. To lock the car back up, just touch the outside door handle on your way out. The keys stay in your pocket the whole time. It works by actively seeking out your remote commander ("the clicker"), and if it finds it, it lets you in and lets you start it up. If it doesn't find it, or if it just plain fails to work, you can always take the remote out of your pocket and click. Or even... dare I say it, use the physical key itself. Anyway, it's pretty nifty stuff.

  18. Re:Stopping fraud? by Jesus+IS+the+Devil · · Score: 2, Informative

    One thing to add...

    Another reason credit card companies don't care? They are not the ones to foot the bills when a chargeback is initiated. It's the merchant who is out of the entire purchase, some insane chargeback fee, and the lost product.

    Credit card companies will never care as long as the monetary loss due to fraud is LESS than the actual cost of pursuing the criminals.

    --

    eTrade SUCKS
  19. Re:Challenge/response? by chevelleSS · · Score: 2, Informative

    I work for an ATM transaction processing company, and it would be really nice if that were possible.. but credit cards do NOT HAVE A MICRO-PROCESSOR (it cannot process a challenge response); in fact a credit card is only a magnetic number, all of the information is retrieved from your bank/credit card company. The grocery store's little card reader however does have a process, and encryption of your card does start there..

    In order to process an ATM transaction, your credit card number is sent off from the ATM/grocery store/wherever to your bank (with debit cards, your PIN number goes with it).. In the case of an ATM, the number is encrypted before being sent over an unsecure line (like a telephone line, internet, or in some cases a wireless connection). When the transaction makes it to the processor, the transaction is sent directly to the bank via a direct link to them, or routed to another processor who has the cheapest processing surcharge (usually your transaction switches hands 3 times). The bank then verifies your information and your PIN number if applicable before sending the approval code with pertinent information (name, address, account balance) or denial code to your ATM/grocery store. There are other situations that get very complicated such as reversals (an ATM does not have the money to dispense, so your account is credited), partial reversals (the ATM dispenses twenty, but you asked for 200) and processing link failures (the transaction was approved but because of a link failure, the cardholder's account does not know if the money was dispensed).

  20. Re:Good and badGood and badGood and Bad by jdreed1024 · · Score: 4, Informative
    All I need is your number, name and expiry and I can charge your account all I want.

    Actually, that's less and less the case. With the exception of the "big" vendors who have enough fraud insurance (amazon, etc), more and more vendors are instituting stiff requirements on your card purchases such as: a) shipping only to the credit card billing address (or another address listed on your credit card), b) requiring that you enter the CCV (the three digit number printed on the signature stripe of the card), c) requiring that you enter your credit card's customer service number so they can contact your bank.

    And almost all online vendors (except the really sketchy ones) require that you provide the credit card billing address when placing an order. If they don't match, the order won't go through. I have had several vendors call me when this happened because I typo'd the name of my street.

    On a related note, I wish more and more brick and mortar stores would check your signature. To prove a point, my friend and I were making a purchase at a large national chain store, and he signed "Homer J Simpson" to the credit card receipt, and the cashier didn't care.

    --
    There is no sig, there is only Zuul.
  21. Re:Good and badGood and badGood and Bad by jdreed1024 · · Score: 4, Informative
    I like the convenience idea of it. The magnetic strip in my credit cards are usually destroyed/useless before the card even expires. Between rubbing against other credit cards, contact with the leather, and/or body sweat highly used cards are usually replaced before they "expire".

    The mag stripe isn't actually necessary for making the purchase. (If a store salesdroid tells you it is, demand to see the manager or take your business elsewhere). Only the card itself is required.

    Back in the day, credit cards didn't have mag stripes. They were called charger plates, and they were placed in a machine along with a carbon sales slip, and when a roller was moved back and forth across the paper, an imprint of the card was made on the sales slip. And you signed it to charge something to your MasterCharge or BankAmericard.

    The security was in actually having the card present at the checkout. That is still the case - you swipe it to prove that it's there, or if the stripe doesn't work, they take an imprint of it (all places that take cards are supposed to have an imprint machine). That, combined with the signature, is in theory enough security. I'd wager a large portion of credit card fraud could be stopped if places would stop hiring illiterate 12 year olds at registers who can't even read, let alone compare signatures.

    --
    There is no sig, there is only Zuul.
  22. Tips for Mitigating Credit Card Risks by Col.+Panic · · Score: 2, Informative

    Receipts carelessly tossed in a garbage can outside of certain stores (yes, many of them do print your full name, card number and exp. Date)

    Shred receipts you don't need and keep secure those you do.

    Hacking insecure online servers (many have 1000s of cards in plain text or weakly encrypted)

    If you are going to purchase online via credit card, never allow the website to store the data "for your convenience" because then it is in their database. The site should have to ask for your cc# for each and every transaction. If they don't have the option not to store your card info, don't shop there and let them know why.

    Consider getting a single, low limit card that you use exclusively for online purchases, particularly one that advertises online purchase protection.

    Check your statement monthly or more often (if online statements are available.)

    Grab your mail

    This is a federal offense, but anyway. Don't forget your mail carrier at Christmas, Kwanza, Hanukah, whatever.

    Look in your recycling box

    Shred, shred, shred.

    Look at your card over your shoulder

    Be aware of your surroundings.

    Hidden cameras, crooked cashiers/waiters etc

    see: "Check your statement monthly" above.

    Set up a fake online store selling a few products very cheaply.

    Set up a cheap porn site. (ala the Eros Island scam)


    Discover USENET pr0n, which is free. You don't mean you actually *pay* for pr0n do you?

  23. Re:Good and badGood and badGood and Bad by damiangerous · · Score: 2, Informative

    "See ID" is considered invalid. The merchant is not allowed to accept any card with "See ID" written on it. They're supposed to make you sign the card and then compare that signature with another piece of signed identification. If you refuse to sign the card, they're not allowed to accept it. They usually do, of course, due to poor training or apathetic cashiers, but they're completely liable for any chargebacks in that case.

  24. Re:Good and badGood and badGood and Bad by anthony_dipierro · · Score: 3, Informative

    I'd wager a large portion of credit card fraud could be stopped if places would stop hiring illiterate 12 year olds at registers who can't even read, let alone compare signatures.

    Of course, hiring anyone but illiterate 12 year olds at registers would cost more than the credit card fraud they'd stop.

  25. Re:the Bush card by Izrun · · Score: 2, Informative

    You do realize that by percentage points, the deficit is smaller than it has been in years, right? Let's say you make $1000 a month, and you spend 1100 bucks a month. You're running a 100 dollar deficit, which is 10%. Now, let's say you make $10,000 a month, and spend $10,200 a month. You're running a 200 dollar deficit, but it's only a 2% deficit. Which is worse? By your (and other liberals) math, the 100 dollar deficit is better. By my (conservative) math, the $200, 2% deficit is better. So I look at this as the deficit will be the smallest percent of our GDP since before Clinton, whereas you see it as the largest amount ever. You tell me which makes more sense (hint, my way, which follows logic).

    --
    -Izrun
  26. Re:Why by Fastolfe · · Score: 2, Informative

    These are pretty basic questions that have already been figured out. A quick Google search brings up this little FAQ that you might find interesting: http://ntrg.cs.tcd.ie/mepeirce/Project/Mlists/minifaq.html

  27. Stealing Proximity Cards by JWSmythe · · Score: 2, Informative

    I read a few articles on "stealing" proximity card data. It's apparently not very hard..

    One proximity card that I use requires almost physical contact to the reader, which is appropriate for a doorway.. But another card I use (same building, same card type) to open the garage gate reads the card within about a foot of the reader. I roll my car slowly by, casually holding the card out, and it reads with no contact.

    With the appropriate equipment, you can read data from just about anyone's card at a distance. How close do you have to be? People get kinda close in elevators, or you can just be polite, and be holding an outside door for them while they walk by your briefcase/laptop bag/purse. For that matter, I guess your reader could be in the brown paper bag that appears to hold your lunch.

    H2K2 had a lecture on it. Here's the lecture description. in July of 2002

    "Proximity Cards: How Secure Are They?

    Sunday, 6 pm
    Area "B"

    They're used everywhere but they could be making you even more vulnerable to privacy invasion. Delchi has been working with proximity based card systems for two years and has developed a method of casually extracting data from proximity cards in a public environment. Riding in an elevator, subway, or just walking down the hall, a person can bump into you, say "excuse me," and walk away with the decoded information from the proximity card in your pocket. It could then be possible to build a device that can capture and replay these snippets of information on demand or to even brute force a proximity card system. This talk will focus on the vulnerabilities of the systems and show a low power working prototype. Alternatives will be discussed, as well as other vulnerable aspects of proximity based building and computer access systems."

    I've read some design information on it also, but can't seem to find the links right now. I don't know what the options are for protection of proximity cards.. Keep them in a foil pouch?

    --
    Serious? Seriousness is well above my pay grade.