Slashdot Mirror
Contactless Credit Cards
An anonymous reader writes "According to his article in EETimes, Visa and Philips are teaming up to introduce a so-called "contactless credit card". Basically it'll work like the proximity cards many of us use for access to our places of work or apartments. You won't need to physically swipe it, simply waving it over a reader is good enough."
I like the convenience idea of it. The magnetic strip in my credit cards are usually destroyed/useless before the card even expires. Between rubbing against other credit cards, contact with the leather, and/or body sweat highly used cards are usually replaced before they ?expire?.
Where?s the security? I often wonder why the heck credit card purchases don?t require a PIN at the very least. Yeah, we?re all high tech and thumb prints and/or eye scans would be cool, but I?m all for having to know and enter a PIN on each and every purchase.
I tend to go for EFT payment whenever possible as I do have to enter a PIN. Shoulder surfing or a corrupt security camera guy is always a problem. I?m smart enough to remember a purchase PIN and a ATM/Cash type transaction PIN too. I suppose insurance costs and ?shrink? just isn?t too expensive yet?
I?d be impressed if there was a thumb reader built into each plastic card I waived around buying all my shit.
Mobile gas anyone?
They won't know where to send the bill!
Let's see. A crowded line at an amusement park... I'm sure I could pick up 100 credit card numbers an hour with my wiz-bang pocket card reader. "Excuse me sir... I didn't mean to bump into you..."
The nice thing from a security standpoint is that the credit card companies have it in their own best interest to make sure people feel confident using these new technologies. While a single cardholder could be at risk to lose a few thousand dollars, these companies have billions riding on these transactions. When it comes to secure computing, this is one industry that actually keeps it on the front burner...
Stop by my site where I write about ERP systems & more
Shielded wallets/credit card holders. Someone call ThinkGeek.
This sounds an awful lot like SpeedPass, which is at least 5 years old. Any idea what the difference is?
Other than the magnetic strip not wearing out, what's the advantage? Unless its short-range enough that passers-by can't steal your money, you'll still have to present it to a reader (the article mentions 20cm) Or perhaps they mean it can't be swiped (as in stolen.) It could mean the end of shoplifting though, just use the security scanners to read the RF tags in what has been taken and then take the money straight off the card. (Actually, that could be a great way to shop: pick things off the shelf, walk out and pay without having any queues at the checkout. Where's my patent lawyer?)
Don't go to a brothel if you want to buy broth
so THAT's why the Jedi Hand Wave works.
"These are not the droids you're looking for"
(handwave, subtle ka-ching! sound)
"These are not the droids I'm looking for.. move along..."
That's how I pay for gas at Mobil, with their Speedpass. It's a small keychain thing that looks like a black magot:
Well, that was how I paid for gas at Mobil. I cut my Speedpass open, took out the glass cylinder, and put it inside my Nextel i90 cell phone, it fit next to the battery. The Speedpass only lasted a few months before dieing. I haven't tried it again yet...
It was cool when it worked though, I just held my cell phone up to the pump to pay for gas.
tbdean
I've been using a contactless credit card for years. I type the number into an HTML form, and my card never comes within the same city as the merchant I'm purchasing something from. For that matter, it sometimes isn't in the same city as I am when I'm making the purchase -- for a couple months last year it was on a different continent.
In fact... let me see here... no, I still haven't gotten around to signing the back.
Tarsnap: Online backups for the truly paranoid
Read the article. Plenty of subtle reference to rights management and content control. Buy a DVD with this viper and have to wave it next to your DVD player to get it to play.
"Eve of Destruction", it's not just for old hippies anymore...
A hot chick rubbing your ass would be a sure sign something was wrong to any Slashdot reader.
You say you are smart enough to remember a purchase PIN and a ATM/Cash type transaction PIN, yet you also claim to be buying shit?
Most, if not all, of the smart people I know never, ever 'buy' shit....they seem to find a way where people continously give them shit, sometimes for no apparent reason. Now I know some would argue that this may well be a gift, but I've watched this happen, over and over, and I'm here to tell you, it seems like it doesn't matter what they do or what they say, someone will eventually give them shit. Really! I am not kidding! It's true!!
If you are having to pay for shit, may I suggest a crash course in shit 'taking'...you can sign up for one online I believe..perhaps right here, if you ask nice.
Not to be a twit, but I heard about this sort of "keep it in your pocket" magnetic technology being deployed already. Around February of this year, one of my English students in Tokyo, who worked for Sony/Ericsson, told me his company's "secret" new cell phone in development would have this mag card tech built in. It would replace the "Suica Card" existing tech, which is just a card you mash against the reader while keeping it in your wallet. The phone was due to hit the shelves in 6 months, which would be this August. Only in Japan, of course, which means it should be out in America around August 2005.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
I had the pleasure of seeing a prototype credit card that had that feature. It was geared toward online purchases and basically worked like this:
The button is an excellent idea because you save transmitter life, although I'm sure there's a power supply that can live the life of a credit card. It also controls when the info is sent out. I wouldn't mind throwing a PIN on there either. Hell, I don't even have a credit card, just a check card, so I'm fine with PINs
Damn I like ordered lists!
It's not a new concept. We already practice it here at Slashdot - we don't even have to read the article, we just get near the story and start spouting off comments.
You know, back when you could still afford to go out for dinner (DQ doesn't count), how the waitperson would bring the bill on a little plastic tray and lay it on the table....and you'd simply drop your c'card onto the bill...and then someone would take the tray and bill and c'card and....oh, wait, I get it...
Hello, I'm Dwayne, I'll be your card waver this evening.
These cards better have a small range (two feet max) or I don't see how you will manage to perserve the time-honored tradition of the grocery store line.
"Did you swipe your card?"
"Not yet."
"That's funny, because your total has already been paid!"
My concern would be that unscrupulous individuals would use portable readers to get your card number. It would be a form of pick-pocketing that wouldn't actually require any contact or much risk of getting caught.
Hopefully, the cards would use some sort of challenge/response system, rather than a fixed number that could be replayed to a terminal. Still, there are bound to be vulnerabilities, and we'll probably be reading about them in a couple of years.
These kinds of cards do not usually have any kind of power source. They rely on a alternating current magnetic field that the reader gives off. This magnetic field energizes the coil that is built into the card. This coil supplies power to the circuitry on the card which causes the card to send its ID via some kind of rf signal. There are no "smarts in the card itself. The card just sends its ID and a computer behind the scenes uses that ID info to open the door or pay the bill.
For those concerned about portable readers consider that a reader would have to send out a powering magnetic field and then capture the ID of the card. My guess is that all kinds of security could be built into these cards. The most obvious kind would be the use of an ID that contained a constantly changing code like the secure IDs many of us use to access various secured dialup and network devices. The only drawback is you would need some kind of contained power source in the card to power the secure ID ciruitry as it has to be constantly powered so it does not lose sychronization with the host system. My guess is the reader could still supply power for the RF signal while the secure ID part used a small lithium cell.
That way the ID would not only have to be correct but the security code would only be good for about 3 minutes. That would make these things fairly secure, probably moreso than a card and a PIN as the PIN can be noted via cameras and the quicksighted.
Physical theft of the card would be a problem but that would not be anything new to get used to.
dzimmerm
Jumping to correct solutions slowly is better than jumping to incorrect solutions quickly.
When I visited Hong Kong in 2001, I bought a subway pass with this technology.
If you buy more than about $10 US of subway services, you have the option to get a smart card. My whole stay that card left my wallet only once (to return it for a refund). Othere than that when I used the subway, I would just set my wallet on top of the read. It was so conveneient.
Even better, lots of vendors (such as convenience stores) let you pay using your subway credit.
I guess there are more security concerns when using this with a real credit card, but it seems like it should have happened in this country sooner.
http://yetanotherpoliticalrant.blogspot.com
I can see Amazon patenting 0-click technology with this...
- Danny
Leave it to those narrow-minded visionaries at VISA and Royal Phillips to come up with an even more insecure method of deploying consumer credit card information... via RF (wireless) technology.
If you think credit card fraud is rampant now, wait until card thieves get hold of a portable RF reader and begin walking down crowded streets...
Hey, that's fine with me. This gives me enough lead time to come out with a copper-lined wallet that prevents RF credit card theft. In fact, I'm racing to the patent office now!
Most of the proximity cards are powered by the RF field that is used to interrogate it.
Still , a button would be nice. Even just a 'squeeze point' (eg squeeze the card whilst waving over reader) would be handy.
Then we could also have the obligatory "Squeeze the last cent out of my card jokes"
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Reading some of the comments here about the security of these cards, and it makes me worry somewhat.
I used to sysadmin for a shell account company, and we saw huge amounts of credit card fraud, mostly from kids looking to run bots on IRC, or just because they collected shell accounts.
One thing I came away with from that experience was the definite feeling that Credit card companies don't seem to think it is in their interest to stop credit card fraud.
After all, if the owner of a card is frauded, the bill goes on their card, and interest is accrued. If the owner of the card isn't diligent, its possible they might just automatically pay the card off, without even realise they have been a victim of card fraud.
Certainly, the credit card companies don't seem to go after the fraudsters as much as they should. One of my friends on Dalnet used to regularly give the full details of people that she had discovered doing carding. One kid was so blatant, he put up a web page, with pictures of him holding up all the crap he had bought with stolen card numbers.
He was 12, and his mother didn't care in the slightest he was stealing. And neither did the credit card companies. The police were interested though, but he didn't have much repercussions - just a couple of weeks in a counselling center for kids.
Anyway, I digress.
Proximity cards are a great ieda. It means I can just wave my wallet near the scanner to pay for an item.
But, if this is not couple with some new form of identification currently not in use with credit cards (a pin number would suffice, or something biometric such as a thumb-print), then I fear that fraud will just increase.
People will get a hold of the scanners, and set up their iPod to capture the card numbers of anyone in proximit to it, and just walk up behind people, snapping up numbers.
Maybe I'm just getting paranoid.
The EE Times article focuses on the technology is a bit light on details of what the card actually does, so I'm not sure if it is a stored-value card (like Octopus) or actually operates like a credit card. I would be surprised if it's the latter because of concerns about theft etc.
The place where I used to work had these key fobs which worked like that. I thought it'd be cool that we just had to walk next to the door and it'd open it.
Not.
Even when directly contacting the sensor with the key fob in my pocket it didn't activate it. It had to be held infront of the device, almost touching it.
Whatever the range they say, I'm sure you're not going to be able to sniff out the RF signal by just sitting next to someone unless you have some expensive equipment.
Japan has had contactless debit cards for quite some time, with technology developed by Sony. The Japan Railway East 'SUICA' cards are similar to the Octopus cards in Hong Kong.
l in g_12c.htmlD /europe/02/18/biz .trav.smart.cards.ap/
0 1. html
http://www.tcvb.or.jp/en/hot/sizzling/0112/sizz
and
http://edition.cnn.com/2003/WORL
Also the EDY cards use similar technology and are embedded into credit cards so one card can be both a swipable credit card as well as a contact-less debit card.
http://www.sony.net/Products/felica/contents04_
Waves AmEx These aren't the droids you're looking for...
Obiwan was a bribe merchant!
They do make contactless micro-processor smart cards. Schlumberger makes one, two, three, different versions.
From their site:
High-speed contactless operations are completed in less than 100 milliseconds and at distances of up to 10 cm from the reader. Security between different applications is ensured by two 48-bit diversified keys and specific access conditions per sector. Security is further reinforced by replay attack protection and a three-pass handshake, which manages the mutual authentication between the card and the reader. In addition, the Easyflex FastOS 2.0 fast anticollision algorithm allows more than one card to be processed by the reader at the same time.
Easyflex FastOS 2.0 communicates on the 13.56 MHz carrier frequency in compliance with the current ISO 14443-Type A standard and implements the standard Mifare protocol, allowing it to be used with the vast majority of contactless card systems.
They should name these card after presidents Bush. You can run up a huge deficit without touching anything.
I think the point is that proximity scanning is (slightly) easier than swiping -- especially since swiping isn't always straight-forward in my experience. (i.e., Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk enters number manually.) It might be nice to have the reading of a card number not be dependent on 1) the supple wrist of the user, 2) the condition of the card, 3) the speed and direction of the swiping motion . . . the list goes on and on.
Also, the wear and tear on the cards might actually be reduced enough to make them last more than a few months . . .