Contactless Credit Cards
An anonymous reader writes "According to this article in EETimes, Visa and Philips are teaming up to introduce a so-called "contactless credit card". Basically it'll work like the proximity cards many of us use for access to our places of work or apartments. You won't need to physically swipe it, simply waving it over a reader is good enough."
Let's see. A crowded line at an amusement park... I'm sure I could pick up 100 credit card numbers an hour with my whiz-bang pocket card reader. "Excuse me sir... I didn't mean to bump into you..."
Other than the magnetic strip not wearing out, what's the advantage? Unless it's short-range enough that passers-by can't steal your money, you'll still have to present it to a reader (the article mentions 20cm). Or perhaps they mean it can't be swiped (as in stolen). It could mean the end of shoplifting though, just use the security scanners to read the RF tags in what has been taken and then take the money straight off the card. (Actually, that could be a great way to shop: pick things off the shelf, walk out and pay without having any queues at the checkout. Where's my patent lawyer?)
Don't go to a brothel if you want to buy broth
That's how I pay for gas at Mobil, with their Speedpass. It's a small keychain thing that looks like a black maggot.
Well, that was how I paid for gas at Mobil. I cut my Speedpass open, took out the glass cylinder, and put it inside my Nextel i90 cell phone, it fit next to the battery. The Speedpass only lasted a few months before dying. I haven't tried it again yet...
It was cool when it worked though, I just held my cell phone up to the pump to pay for gas.
tbdean
Hell, there's even a simpler problem: If I have more than one credit card which one will it "charge?" Or will it charge both?
...Assuming you're a lazy ass like me and don't take it out of your wallet when you swipe it to get into your building.
Not to be a twit, but I heard about this sort of "keep it in your pocket" magnetic technology being deployed already. Around February of this year, one of my English students in Tokyo, who worked for Sony/Ericsson, told me his company's "secret" new cell phone in development would have this mag card tech built in. It would replace the "Suica Card" existing tech, which is just a card you mash against the reader while keeping it in your wallet. The phone was due to hit the shelves in 6 months, which would be this August. Only in Japan, of course, which means it should be out in America around August 2005.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
These kinds of cards do not usually have any kind of power source. They rely on an alternating current magnetic field that the reader gives off. This magnetic field energizes the coil that is built into the card. This coil supplies power to the circuitry on the card which causes the card to send its ID via some kind of RF signal. There are no "smarts" in the card itself. The card just sends its ID and a computer behind the scenes uses that ID info to open the door or pay the bill.
For those concerned about portable readers, consider that a reader would have to send out a powering magnetic field and then capture the ID of the card. My guess is that all kinds of security could be built into these cards. The most obvious kind would be the use of an ID that contained a constantly changing code like the secure IDs many of us use to access various secured dialup and network devices. The only drawback is you would need some kind of contained power source in the card to power the secure ID circuitry as it has to be constantly powered so it does not lose synchronization with the host system. My guess is the reader could still supply power for the RF signal while the secure ID part used a small lithium cell.
That way the ID would not only have to be correct but the security code would only be good for about 3 minutes. That would make these things fairly secure, probably more so than a card and a PIN as the PIN can be noted via cameras and the quick-sighted.
Physical theft of the card would be a problem but that would not be anything new to get used to.
dzimmerm
Jumping to correct solutions slowly is better than jumping to incorrect solutions quickly.
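The rolling code described in the comment above, as an added example that is not part of the original thread: the card and the host derive a short code from a shared per-card secret and the current time window, so a skimmed value expires. The HMAC construction, the 6-digit length, the drift allowance and all names are assumptions of this example, and it goes beyond the comment by letting each window be used only once.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const window = 180 // seconds a code stays current ("about 3 minutes")

// code derives a 6-digit value from the card secret and a window index.
func code(secret []byte, step int64) int32 {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], uint64(step))
	m := hmac.New(sha256.New, secret)
	m.Write(b[:])
	return int32(binary.BigEndian.Uint32(m.Sum(nil)[:4]) % 1000000)
}

// CardCode is what the powered card would send alongside its ID at time t.
func CardCode(secret []byte, t time.Time) int32 { return code(secret, t.Unix()/window) }

// Host holds each card's secret and the newest window already accepted.
type Host struct {
	secrets  map[string][]byte
	lastStep map[string]int64
}

// Accept takes the current or previous window (clock drift), each window once.
func (h *Host) Accept(id string, c int32, now time.Time) bool {
	secret := h.secrets[id] // nil for an unknown card, which is always refused
	cur := now.Unix() / window
	for _, step := range []int64{cur, cur - 1} {
		if secret != nil && step > h.lastStep[id] && subtle.ConstantTimeEq(code(secret, step), c) == 1 {
			h.lastStep[id] = step
			return true
		}
	}
	return false
}

func main() {
	secret, t0 := []byte("constructed demo secret"), time.Unix(1700000000, 0)
	h := &Host{map[string][]byte{"card-1": secret}, map[string]int64{}}
	fmt.Println(h.Accept("card-1", CardCode(secret, t0), t0))
}
```

With the drift allowance, a captured code can remain acceptable for up to two windows unless the host has already accepted a code from that window.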
I didn't RTFA, but here's an idea to counter some people's fear that a technology like this would necessarily allow you to steal card numbers as you walk through a crowd.
The card could use a challenge/response system with the merchant. Each card has a symmetric key pair - the public key is your account number used for billing. The private key is known only to the card, and is used to sign a challenge phrase from the merchant. Challenge phrases would be unique to each transaction (given out by the financial institution per transaction). This way, cards couldn't be cloned.
Karma: -2147483648 (Mostly affected by integer overflow)
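The challenge/response exchange proposed in the comment above, as an added example that is not part of the original thread: the issuer hands out a one-time challenge, the card signs it together with the amount, and the issuer verifies against the card's public key. Ed25519, the 16-byte challenge, the message layout and all names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Issuer holds the card's public key and the challenges not yet consumed.
type Issuer struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

// message binds the challenge to the amount so neither can be swapped.
func message(ch []byte, cents uint64) []byte {
	return []byte(fmt.Sprintf("%x|%d", ch, cents))
}

// Enroll makes a key pair; the private key exists only inside card().
func Enroll() (card func(ch []byte, cents uint64) []byte, bank *Issuer) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	card = func(ch []byte, cents uint64) []byte { return ed25519.Sign(priv, message(ch, cents)) }
	return card, &Issuer{pub, map[string]bool{}}
}

// NewChallenge issues a random challenge for exactly one transaction.
func (i *Issuer) NewChallenge() []byte {
	ch := make([]byte, 16)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	i.pending[string(ch)] = true
	return ch
}

// Authorize consumes the challenge, then verifies the card's signature.
func (i *Issuer) Authorize(ch []byte, cents uint64, sig []byte) bool {
	defer delete(i.pending, string(ch))
	return i.pending[string(ch)] && ed25519.Verify(i.pub, message(ch, cents), sig)
}

func main() {
	card, bank := Enroll()
	ch := bank.NewChallenge()
	fmt.Println(bank.Authorize(ch, 1999, card(ch, 1999))) // constructed amount
}
```

A signature captured from one transaction fails for any later challenge or a different amount, which is why reading the card's radio traffic does not yield a usable clone.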
When I visited Hong Kong in 2001, I bought a subway pass with this technology.
If you buy more than about $10 US of subway services, you have the option to get a smart card. My whole stay that card left my wallet only once (to return it for a refund). Other than that when I used the subway, I would just set my wallet on top of the reader. It was so convenient.
Even better, lots of vendors (such as convenience stores) let you pay using your subway credit.
I guess there are more security concerns when using this with a real credit card, but it seems like it should have happened in this country sooner.
http://yetanotherpoliticalrant.blogspot.com
to charge them, it's very much a physical action.
Physical, hardly.
Have you ever purchased anything online?
All I need is your number, name and expiry and I can charge your account all I want.
Credit card accounts are inherently very insecure. Prosecution is the only thing stopping (even more) massive fraud.
Leave it to those narrow-minded visionaries at VISA and Royal Philips to come up with an even more insecure method of deploying consumer credit card information... via RF (wireless) technology.
If you think credit card fraud is rampant now, wait until card thieves get hold of a portable RF reader and begin walking down crowded streets...
Hey, that's fine with me. This gives me enough lead time to come out with a copper-lined wallet that prevents RF credit card theft. In fact, I'm racing to the patent office now!
Wouldn't the PKI scheme be used? That is to say that the card and card-reader share some key. I suppose that this would be just another variation on chip-card technology (EMV, Proton etc).
I kid. I don't have one and you can't "apply" for one either. Read more about it here and see it here.
My point is that the current credit card authentication system is so insecure that it doesn't really matter what the physical card is made of. The only thing that keeps massive fraud from occurring is the paper trail. It is easier to trace the money and prosecute than it is to secure the system. Securing the system would inconvenience the user and that is something that Visa would never want. It is much easier to prosecute.
That being said we may see this attitude change in the future as online credit card databases allow fraud on a much larger scale.
For the record I can get a large number of credit cards (probably yours too) fairly easily:
Receipts carelessly tossed in a garbage can outside of certain stores (yes, many of them do print your full name, card number and exp. date)
Hacking insecure online servers (many have 1000s of cards in plain text or weakly encrypted)
Grab your mail
Look in your recycling box
Look at your card over your shoulder
Hidden cameras, crooked cashiers/waiters etc
Set up a fake online store selling a few products very cheaply.
Set up a cheap porn site. (ala the Eros Island scam)
etc
I think the point is that proximity scanning is (slightly) easier than swiping -- especially since swiping isn't always straightforward in my experience. (i.e., Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk enters number manually.) It might be nice to have the reading of a card number not be dependent on 1) the supple wrist of the user, 2) the condition of the card, 3) the speed and direction of the swiping motion . . . the list goes on and on.
Also, the wear and tear on the cards might actually be reduced enough to make them last more than a few months . . .
True. However, if fake IDs (such as driver's license) were sooo easy to get, they would be worthless as IDs. Yet, they are accepted as such almost everywhere. Strange. Hmmm...
Now, how many people are handwriting experts and would be able to make a meaningful comparison (assuming they even tried)? In any case, a handwriting sample is available to compare to (the "Please ask for ID" - ask me to write that if you want the same phrase.) And oh yes, my signature is on my driver's license, so there you have another thing to check against.
I think they better first check out the so-called "Smarter Card" from Cypak, a Swedish firm that has a card with embedded CPU and RF, and a keypad built onto the card which requires the user to enter a PIN to validate use of the card. Seems to me that Cypak already has most of the relevant technology.
The whole idea of using the signature to validate the purchase is stupid if you ask me. Let's step through the process.
step 1: bad guy steals my card
step 2: bad guy goes to store
step 3: bad guy grabs $1000 worth of stuff
step 4: clerk rings it up and swipes my card
step 5: CARD CLEARS - money gone
step 6: bad guy signs name
step 7: clerk then compares signatures
step 8: they're close, or could be close, but he doesn't really know because he's not an FBI handwriting expert. So what the heck does he do? He assumes it's OK. Then it's up to me to figure out what went wrong, PROVE IT, and fight for my money back. It will eventually come down to comparing signatures and will all be fixed.
Even if the clerk does think the signature is bad enough that it might be a bad guy, he can hold the card, but the stuff and the bad guy go right out the door. Then, let's start the process of getting my money back. Meanwhile, I'm out $1000.
Say it is me with my own card, but I've had a bad day and I have a cold and my signature looks nothing like it did when I signed the card. Then what?
Signature comparing equals zero security. Only if a handwriting expert was the clerk would it be anywhere close to making sense.
All cards should require PINs and/or require photo ID. No exceptions. Online purchases should be governed by a list of changing PINs that your bank gives you via ATM receipts or monthly bank statements. You'd have to remember the next two PINs maybe each day, but I'd rather do that than deal with fraud. Or we could go to biometrics, but I think we're closer to the PIN solution than refitting all the terminals with scanners.
[ http://www.dvigroup.net/self ]
So, someone gets a dummy card that looks real and holds that in their hand, but the stolen card is up your sleeve, and activates the electronics. Visual verification by the cashier? Sure! Of course the signature looks right, you wrote it! But it seems like it might be a halfway decent technology if they can figure out how to avoid abuse like that. Ah well, just my 857,345,246.4 rubles.
If you can read this, you are most likely close enough.
I used to work for Sears. I did this. One guy comes up, tried to buy something, I think a faucet, and gave me an unsigned credit card. I asked him for ID, he gave it to me, complaining, and I handed back the ID and the card, and asked him to sign it. He refused, started yelling, and walked out.
Mind you, the card quite clearly states 'not valid until signed'. And this wasn't an isolated incident, either.
That is why stores don't check signatures very well. Customers don't want the security it provides.
I'm not shy, I'm stalking my prey
So then I walked through the mall with my card scanner on and picked up about 15 valid numbers from people I passed.
Wanna go shopping?