Slashdot Mirror
Contactless Credit Cards
An anonymous reader writes "According to his article in EETimes, Visa and Philips are teaming up to introduce a so-called "contactless credit card". Basically it'll work like the proximity cards many of us use for access to our places of work or apartments. You won't need to physically swipe it, simply waving it over a reader is good enough."
Uhhh.. Visa is doing it. Which means if it actually happens, it'll be accepted at MANY more locations than speedpass. Additionally with a decent amount of storage and the high bit rates, you could use one card to buy stuff, get into your gym etc.
I had the pleasure of seeing a prototype credit card that had that feature. It was geared toward online purchases and basically worked like this:
The button is an excellent idea because you save transmitter life, although I'm sure there's a power supply that can live the life of a credit card. It also controls when the info is sent out. I wouldn't mind throwing a PIN on there either. Hell, I don't even have a credit card, just a check card, so I'm fine with PINs
Damn I like ordered lists!
My concern would be that unscrupulous individuals would use portable readers to get your card number. It would be a form of pick-pocketing that wouldn't actually require any contact or much risk of getting caught.
Hopefully, the cards would use some sort of challenge/response system, rather than a fixed number that could be replayed to a terminal. Still, there are bound to be vulnerabilities, and we'll probably be reading about them in a couple of years.
I beg to differ. Credit card fraud runs in the billions of $ every year. One article claims the losses will be about (2002 figures) "$285 million over the holiday season in the United States." And that's just about 1 month's worth. Credit cards are anything but secure. Since consumers don't see the cost of the fraud directly, most are barely aware it exists. Of course, the cost is passed on in the form of higher fees and interest.
Merchants (and their employees) don't help matters any either. On all my cards, in the signature block, I put "Please ask for ID". (I've checked with Discover and they have no problems with that, BTW). Rarely do I get asked for ID.
Then there are merchants, such as the USPS, which won't accept the card without an actual signature. Don't need to show ID (I tested this), but it must have a signature or they won't accept it. It's an actual federal rule (I checked), so the clerk isn't doing anything wrong. Maybe it's just me, but I would trust a driver's license MORE than a signature with nothing to compare it too.
Most of the proximity cards are powered by the RF field that is used to interrogate it.
Still , a button would be nice. Even just a 'squeeze point' (eg squeeze the card whilst waving over reader) would be handy.
Then we could also have the obligatory "Squeeze the last cent out of my card jokes"
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
The EE Times article focuses on the technology is a bit light on details of what the card actually does, so I'm not sure if it is a stored-value card (like Octopus) or actually operates like a credit card. I would be surprised if it's the latter because of concerns about theft etc.
I would be interested to know how they would be able to stop "contactless thieves" in this case. It seems to me that scanners would become available for people to walk around zapping people's funds away from them. One nice thing about the tried and true swipecards is that to charge them, it's very much a physical action.
Not entirely true. One of the more common credit card scams here in Los Angeles is portable card scanners being carried by waiters in restaurants. As they take the card you've handed them back to scan it for the bill, they scan it in their personal scanner, which records the information for later use.
There is no meaningful physical location tied to this because you've given your card (intentionally) to someone you have to trust. If you eat at multiple restaurants over the course of a week, there's no easy way to trace the theft back to an individual location.
Mooniacs for iOS and Android
My cards usually crack from curvature long before the stripe is demagnetized or worn away. I guess that's what comes from sitting on your wallet all the time.
FWIW, Esso Canada (gas station chain) has been using keychain-dongles for rapid payment for about a year now. You just hold your keys in front of the coloured box on the pump for a few seconds and it prepares to make the sale exactly the way it would if you stuck your card in the stripe reader. They also put the same dongle-reader at each cash register so you can buy your morning coffee a few seconds faster....
The place where I used to work had these key fobs which worked like that. I thought it'd be cool that we just had to walk next to the door and it'd open it.
Not.
Even when directly contacting the sensor with the key fob in my pocket it didn't activate it. It had to be held infront of the device, almost touching it.
Whatever the range they say, I'm sure you're not going to be able to sniff out the RF signal by just sitting next to someone unless you have some expensive equipment.
Japan has had contactless debit cards for quite some time, with technology developed by Sony. The Japan Railway East 'SUICA' cards are similar to the Octopus cards in Hong Kong.
l in g_12c.htmlD /europe/02/18/biz .trav.smart.cards.ap/
0 1. html
http://www.tcvb.or.jp/en/hot/sizzling/0112/sizz
and
http://edition.cnn.com/2003/WORL
Also the EDY cards use similar technology and are embedded into credit cards so one card can be both a swipable credit card as well as a contact-less debit card.
http://www.sony.net/Products/felica/contents04_
They do make contactless micro-processor smart cards. Schlumberger makes one, two, three, different versions.
From their site:
High-speed contactless operations are completed in less than 100 milliseconds and at distances of up to 10 cm from the reader. Security between different applications is ensured by two 48-bit diversified keys and specific access conditions per sector. Security is further reinforced by replay attack protection and a three-pass handshake, which manages the mutual authentication between the card and the reader. In addition, the Easyflex FastOS 2.0 fast anticollision algorithm allows more than one card to be processed by the reader at the same time.
Easyflex FastOS 2.0 communicates on the 13.56 MHz carrier frequency in compliance with the current ISO 14443-Type A standard and implements the standard Mifare protocol, allowing it to be used with the vast majority of contactless card systems.
Actually, that's less and less the case. With the exception of the "big" vendors who have enough fraud insurance (amazon, etc), more and more vendors are instituting stiff requirements on your card purchases such as: a) shipping only to the credit card billing address (or another address listed on your credit card), b) requiring that you enter the CCV (the three digit number printed on the signature stripe of the card), c) requiring that you enter your credit card's customer service number so they can contact your bank.
And almost all online vendors (except the really sketchy ones) require that you provide the credit card billing address when placing an order. If they don't match, the order won't go through. I have had several vendors call me when this happened because I typo'd the name of my street.
On a related note, I wish more and more brick and mortar stores would check your signature. To prove a point, my friend and I were making a purchase at a large national chain store, and he signed "Homer J Simpson" to the credit card receipt, and the cashier didn't care.
There is no sig, there is only Zuul.
The mag stripe isn't actually necessary for making the purchase. (If a store salesdroid tells you it is, demand to see the manager or take your business elsewhere). Only the card itself is required.
Back in the day, credit cards didn't have mag stripes. They were called charger plates, and they were placed in a machine along with a carbon sales slip, and when a roller was moved back and forth across the paper, an imprint of the card was made on the sales slip. And you signed it to charge something to your MasterCharge or BankAmericard.
The security was in actually having the card present at the checkout. That is still the case - you swipe it to prove that its there, or if the stripe doesn't work, they take an imprint of it (all places that take cards are supposed to have an imprint machine). That, combined with the signature, is in theory enough security. I'd wager a large portion of credit card fraud could be stopped if places would stop hiring illiterate 12 year olds at registers who can't even read, let alone compare signatures.
There is no sig, there is only Zuul.
I'd wager a large portion of credit card fraud could be stopped if places would stop hiring illiterate 12 year olds at registers who can't even read, let alone compare signatures.
Of course, hiring anyone but illiterate 12 year olds at registers would cost more than the credit card fraud they'd stop.