Slashdot Mirror


Radio Credit Cards Move Closer

pvt_medic writes "CNN.com has an article about research that some major credit card companies (MasterCard and American Express) are putting into creating 'contactless' credit cards. These are similar to the Speedpass that ExxonMobil has been using for six years. What do people think about the prospect of this more widespread use of RFID? Is this something that will only lead to more credit card fraud, or will it provide more secure means of payment?" (The article comes from the Associated Press.)

295 comments

  1. Well lets see... by AuMatar · · Score: 4, Insightful

    We have a method of payment that can subtract electronic mone from your account, with no input from you, and without your card ever leaving your wallet? Yeah, thats a great idea....

    --
    I still have more fans than freaks. WTF is wrong with you people?
    1. Re:Well lets see... by whovian · · Score: 3, Insightful
      Not only that, but this part is the key:

      Jeff Chasney, chief technical officer of CKE Restaurants Inc., which runs the Carl's Jr. and Hardee's fast-food chains, says the new cards are likely to increase sales because they are so easy to use and ensure that a consumer won't be limited by the cash in his wallet.


      Nothing like tapping into the cowstomer's (sic) impulse buying, especially in the US.
      --
      To-do List: Receive telemarketing call during a tornado warning. Check.
    2. Re:Well lets see... by TedCheshireAcad · · Score: 1, Interesting

      Hey, guess who doesn't understand how a credit card works?

      Credit card fraud costs the creditors more money than it costs the consumers. Remember, when you buy something on credit, it's not your money you're spending. It only costs you money when the monthly bill comes. If they are going to make a system for exchanging credit for goods, you better damn well believe it's gonna be as secure as possible.

    3. Re:Well lets see... by kautilya · · Score: 1

      How about a mechanism which "shuts off" your card when you aren't at a checkout point? How about a personal "digital signature" device (RFID) to go with (which might have more general use) to sign your receipt? Now, combine this with free wifi access and programmable cell phones. There are many possibilities. I am not saying there aren't any problems, though. There are always issues with bugs and security. These are problems not associated with technology but with society and how good we can do a job.

    4. Re:Well lets see... by cpu_fusion · · Score: 5, Insightful

      > you better damn well believe
      > it's gonna be as secure as possible

      Oh yes, like the wonderfully secure state of credit card use on the Net right now.

      It won't be *secure as possible* ... it will in fact, be as *secure as deemed needed* by beancounters. Those beancounters offset the minor inconvenience of a few hundred thousand people who have to deal with the shock & scare of being ripped off by holes in the new technology with the economic boost of a few more million people using their particular flavor of credit card.

      Sure, the credit card companies might cover the losses (*might, after you fight*), but there's nothing like seeing a huge charge on your credit card, that you didn't make, and having to go through the hassle of getting it resolved.

      Don't blindly think they make things "as secure as possible." That's not the economics of it.

    5. Re:Well lets see... by asr_man · · Score: 5, Informative

      Wrong. RTFA. Consumer gets to make final "accept/reject" on purchase after card is scanned. Also, card includes challenge/response authentication (AMEX at least, MC we aren't told). As the article clearly states, knowing the RFID card number does not give a thief any practical means to use it.

    6. Re:Well lets see... by Anonymous Coward · · Score: 0

      What does the US have to do with this?

    7. Re:Well lets see... by Midnight+Thunder · · Score: 3, Insightful

      Wrong. RTFA. Consumer gets to make final "accept/reject" on purchase after card is scanned.

      Let's just hope they get the issues sorted out, so we don't have a scenario where, even though one card was scanned, it picks up the signal from another card and hence charges the wrong one.

      I have not played with the technology, but I feel that the onus is always on the technology to prove itself safe. Until then it is hard to assume the customer will be comfortable with it.

      --
      Jumpstart the tartan drive.
    8. Re:Well lets see... by SurgeonGeneral · · Score: 5, Insightful

      We have a method of payment that can subtract electronic mone from your account, with no input from you, and without your card ever leaving your wallet? Yeah, thats a great idea....

      I see a great number of redundant posts all throughout stating this same idea.

      I think you guys are being more than just a little shortsighted. You read something about a RFID credit card and jump to a horrendous number of conclusions about how this technology will be used. Give it a little thought:

      The most likely candidate for a technology to be paired with this is Biometrics. We're all quite familiar with this technology, and it's easy to see how it would be coupled with RFID CCs.

      But we can come up with something a little less "futuristic". I belong to a tennis club that uses RFID encoded cards for entry into the building, but they are also used for purchasing food. What happens? You swipe your wallet (containing the card), and the computer in front of the salesperson (yes we have those nowadays) brings up a picture of me and all my personal information. If anything seems fishy, they ask for a signature.

      Now considering that this technology is not going to be immediately implemented, and will not be forced upon the general public, I think we can give at the very least a few more years before it becomes ubiquitous. In that case, use your imagination (I know it's hard since tech evolves so quickly) to come up with some solutions to the pedantic and generally trivial questions just like this one that everyone is posing.

      --
      -- "Man is born free, and everywhere he is in chains." Jean Jacques Rousseau
    9. Re:Well lets see... by toast0 · · Score: 2, Informative

      If the merchant accepts cash and credit, there is no apparent difference to me (the consumer) in regards to sticker price; unless the merchant offers a cash discount (since merchant agreements usually prohibit credit charges)

      Of course, factoring in the time value of money, it's cheaper for me to buy with credit, since I don't have to actually pay for it for 30-50 days.

    10. Re:Well lets see... by TwistedSpring · · Score: 2, Insightful

      Haha you're funny. Let's take a look at, say, Yahoo's instant messenger protocol, or practically any other protocol out there that uses challenge-response: It's cracked in under a few months. I'm not saying the CC companies are going to use a challenge-response method as simplistic as an instant messenger program, but RFIDs will not exactly be able to perform a large amount of calculation, they just don't have the power to provide a truly safe challenge/response mechanism, and let's face it, if this system comes in, there will be plenty of opportunity for RFID sniffers to lurk around and pick up a ton of valid challenges and responses in order to reverse engineer the system.

      This system demonstrates an incredible amount of faith in the stupidity of fraudsters, which is completely unfounded. Cracking is an incredibly well-known and well documented phenomenon, look at DeCSS, C-DILLA and all those games you ripped off in the past 20 years. When the chances of getting at someone's cash are involved, the incentive becomes so much greater.

    11. Re:Well lets see... by T-Ranger · · Score: 1
      Worst case is, as you have mentioned but I will highlight: you will have access to less credit than they have given you. I will repeat: worst case, you will have less access to a service someone is offering to you which they are not obligated to give you.

      Foul! You're offering to lend me money, and now you won't! Oh no! You bastards!

      And unless you complain about fraud either a lot (which makes the CC companies assume it's YOU doing the fraud), or it's over some amount like $3000, it gets reversed with basically zero hassle.

    12. Re:Well lets see... by sonamchauhan · · Score: 0

      I'm not the poster above but...

      > Wrong. RTFA.
      CYFM (Clean Your Filthy Mouth)

      > Consumer gets to make final "accept/reject" on purchase after card is scanned.
      I didn't see that in the article (it is possible I missed it). Please post the phrase from the article that specifies this. The article actually talks about 2 separate cards - one from Amex, one from Mastercard.

      The article does say:
      In theory, the transaction could be intercepted without a consumer's knowledge by a technologically savvy thief intent on cloning a card. That's because RFID transmissions themselves are not encrypted.

      However, the thief would have to get quite close to his target or have a very sensitive reader.

      Also, the account number on the contactless cards is useful only in the RFID system -- it's not the same as a user's credit card number. A crook would thus not be able to use the card number to go on a fraudulent Internet shopping spree, for example.


      > Also, card includes challenge/response authentication ...
      Still susceptible to attack unless the customer gets to control a local UI *on* the card. (see my other post here).

    13. Re:Well lets see... by Ryosen · · Score: 2, Informative

      Well, this is news to me. We pay 1.5% commission to Amex. In fact, of the major cards, they are the lowest commission rate, with Visa/MC charging 2.5%. Restaurants can pay upwards of 4.5% but that's as high as it gets.

      Mods, please, downgrade the parent to over-rated. The AC has no idea what he is talking about. None.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
    14. Re:Well lets see... by Ryosen · · Score: 2, Insightful

      I don't think that the issue is so much one of someone using your keychain to make purchases. Rather, it's some criminal scanning your tag as you walk past and using the information for fraudulent purchases of their own. I'm more worried about getting scammed this way than finding out that I supposedly bought a shirt the last time that I was walking through Macy's.

      The technology is nothing new, of course. Mobil/Exxon has had this for several years in the form of SpeedPass. I've never used it, however, and never will. I'm more than willing to sacrifice the convenience of saving 10 seconds waving the little wand in front of the reader instead of scanning my card at the pump. I am a technologist. I know the limitations. I know the track-records of similar systems as well as those of the parties involved. Until this becomes mandatory (cards replaced by RFID devices), I won't have to worry about any problems, because I won't have one.

      And, until the credit card companies pay every merchant on the face of the earth for the new devices, it will not become mandatory.

      You'll notice that there aren't any "Speedpass-Only" Exxon stations around.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
    15. Re:Well lets see... by KrispyKringle · · Score: 4, Informative
      Yes, let's look at protocols that use challenge-response. Kerberos uses a modified challenge-response method. Windows NT prior to 2K and XP used challenge response, now they use a modification of the Kerberos method. VNC uses challenge-response, if I remember right. HTTP digest authentication uses challenge-response. Many mailservers, (POP and IMAP, as well as SMTP) use challenge-response (CRAM MD5). The notion of challenge-response is itself secure, if implemented properly.

      Offhand, I can think of two big ways to screw up the implementation:

      Replay attacks - if the challenge is consistent through multiple authentication sessions, an attacker can reuse a hash response from a previous session. The solution is simple; better pseudo-randomness (using the date/time is a pretty poor idea, since an attacker can simply challenge the card with a date in the future and retrieve the needed response).

      Poor hashing - if the hash used on the response is reversible, the password is right there for the taking. Solution, use something known to be strong, like blowfish or MD5.

      Assuming the makers aren't stupid, they have a cryptographically secure system on-hand. You make an assumption based on a few out-of-context or unrelated cases that all security is useless. This is silly; while I don't have a lot of faith in secure systems as a whole, the flaw is rarely in the cryptography backing them, if it is implemented correctly. The reason for this is obvious; cryptography, and computing complexity, are easily-understood enough that developing mathematical models for security is easy. For example, we know--or rather, we believe very fervently, but cannot prove--that factoring large numbers is very, very difficult. Therefore, we trust RSA when implemented properly. Similarly, we know--or at least believe very strongly--that certain algorithms are very, very difficult to reverse. Therefore, we trust that if a bad guy gets our password file, he can only try to find our passwords via brute-force.

      The difficulty of sniffing and cracking the protocol used is probably much greater than that of simply getting a waiter at a restaurant to swipe the cards of customers through a skimmer (traditional cards, that is). And security is really not about absolute security; it's simply about making sure that defeating it is more trouble than it's worth (I believe Bruce Schneier said this, but I could be mistaken).
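
The replay point raised in the comment above, as an added example that is not part of the thread and not any card issuer's actual protocol: a toy issuer-side verifier checked against three ways of choosing the challenge (fixed, clock-derived, fresh random nonce). `Card`, `Verifier`, `Replayer`, the key and all challenge values are constructed for illustration, and HMAC-SHA256 stands in for whatever keyed function a real card would use.

```python
import hashlib
import hmac
import secrets
import struct


def mac(key: bytes, challenge: bytes) -> bytes:
    """Keyed response to a challenge (HMAC-SHA256, chosen for this example)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Card:
    """Constructed card model: holds a per-card secret, answers any challenge."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # The card cannot tell a legitimate reader from any other reader.
        return mac(self._key, challenge)


class Verifier:
    """Issuer side. `make_challenge` is the design decision under test."""

    def __init__(self, key: bytes, make_challenge):
        self._key = key
        self._make_challenge = make_challenge
        self._outstanding = None

    def issue(self) -> bytes:
        self._outstanding = self._make_challenge()
        return self._outstanding

    def check(self, response: bytes) -> bool:
        # Each issued challenge may be answered once, then it is discarded.
        challenge, self._outstanding = self._outstanding, None
        if challenge is None:
            return False
        return hmac.compare_digest(mac(self._key, challenge), response)


class Replayer:
    """Party that never learns the key and only replays recorded pairs."""

    def __init__(self):
        self._seen = {}

    def record(self, challenge: bytes, response: bytes) -> None:
        self._seen[challenge] = response

    def answer(self, challenge: bytes) -> bytes:
        return self._seen.get(challenge, b"\x00" * 32)


def replay_succeeds(scheme: str) -> bool:
    """Return True if a recorded response is accepted with the card absent."""
    key = secrets.token_bytes(16)          # constructed 128-bit per-card key
    card = Card(key)
    clock = {"t": 1_000}                   # simulated time, arbitrary units
    sources = {
        "static": lambda: b"\x00" * 16,
        "timestamp": lambda: struct.pack(">Q", clock["t"]),
        "nonce": lambda: secrets.token_bytes(16),
    }
    verifier = Verifier(key, sources[scheme])
    replayer = Replayer()

    # One legitimate transaction, observed on the air (the link is unencrypted).
    challenge = verifier.issue()
    response = card.respond(challenge)
    if not verifier.check(response):
        raise RuntimeError("legitimate transaction should verify")
    replayer.record(challenge, response)

    # The card also answers challenges for times that have not happened yet,
    # which is why a clock-derived challenge is as weak as a fixed one.
    for t in range(clock["t"] + 1, clock["t"] + 6):
        future = struct.pack(">Q", t)
        replayer.record(future, card.respond(future))

    # Later, without the card: only recorded pairs are available.
    clock["t"] += 3
    return verifier.check(replayer.answer(verifier.issue()))


if __name__ == "__main__":
    for scheme in ("static", "timestamp", "nonce"):
        print(f"{scheme:9s} replay accepted: {replay_succeeds(scheme)}")
```
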

    16. Re:Well lets see... by thebes · · Score: 2, Informative
      Ummm, Hello? That's called, memorizing a credit card number, expiry, and buying stuff on the internet.

      A 16 digit number is nothing to memorize, and the expiry date can be pretty easy as well. There's lots of people out there (more so in the mathematics/physics field) that can just look at a number, and a few moments later, be able to write it down.

      So really, what's to prevent someone who works at a restaurant who takes your CC and memorizes the number, let alone write it down?

      As far as security for internet purchases is made, there's no real change.

    17. Re:Well lets see... by Sneftel · · Score: 2, Insightful

      How is that any different than current credit cards?

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    18. Re:Well lets see... by SuperMo0 · · Score: 3, Insightful

      With current credit cards, you actually have to pull out the card and THINK. "Hmm... do I REALLY need this enough to charge it?" This doesn't apply to everyone, but to enough people that it makes a dent in sales.

      However, with this radio card, you wouldn't even have to remove the card from your wallet/purse/whatever, so a lot of the effort is removed and therefore you don't have as much time to think about whether you "really need" what you're buying.

    19. Re:Well lets see... by SpaceRook · · Score: 4, Insightful

      I think this will help push sales if customers spend less time in line. There have been times where I've been waiting in line and thought, "Y'know, I don't REALLY need this 25 pack of CD-R's right now. I'm going to put it back on the shelf."

    20. Re:Well lets see... by The+Clockwork+Troll · · Score: 2, Funny

      I suspect there are no Hardee's or Carl's Jr. chains in San Marino or Burkina Faso.

      --

      There are no karma whores, only moderation johns
    21. Re:Well lets see... by TopShelf · · Score: 3, Interesting

      Are people really grabbing a product off the shelf, walking up to the register, and ONLY AS THEY'RE PULLING THEIR CREDIT CARD OUT start thinking, "gee, can I afford this?" If so, then I say fleece the morons for all they are worth. RFID in this instance provides a quicker transaction, and is thus a very very good thing.

      As for the concerns about fraud, the credit card banks addressed this a couple years back by exposing most cardholders to only $50 liability in the event of false charges, and many cards have taken that down to zero on many accounts.

      --
      Stop by my site where I write about ERP systems & more
    22. Re:Well lets see... by anthony_dipierro · · Score: 1

      We have a method of payment that can subtract electronic mone[y] from your account, with no input from you, and without your card ever leaving your wallet?

      Sounds like credit cards. What, you don't have your credit card numbers memorized?

    23. Re:Well lets see... by Anonymous Coward · · Score: 0

      Uhh.. couldn't the thief just "accept/reject" the purchase? =)

    24. Re:Well lets see... by Anonymous Coward · · Score: 1, Informative

      The poster is absolutely right. A close friend of mine works for American Express and is currently working on the contactless credit cards for Amex. He did a demo for me showing me how some of the software he wrote works with the card and the reader. I was really impressed at first, then I asked him what kind of cryptography they were using. He told me that it wasn't encrypted at all. I then asked him if it would be possible to steal the credit card information remotely using some type of radio snooping device. He told me he wasn't allowed to answer that question.

      After talking to him more about the security (and he's very smart when it comes to cryptography and security) I came to find out that there were plans for adding security but it would cost too much.

      I think some of the things my friend is working on are very cool but I for one will stay FAR away from contactless credit cards until they actually start using cryptography and are more than a glorified RFID tag.

    25. Re:Well lets see... by asr_man · · Score: 1

      Yeah, electronic bill payment service really sucks.

      Wait...

    26. Re:Well lets see... by Anonymous+Coed · · Score: 2, Funny

      Actually what I do is "Y'know, I don't REALLY need this 25 pack of CD-R's right now. I'm going to drop it wherever I happen to be standing and just leave the store."

    27. Re:Well lets see... by Dutchmaan · · Score: 1

      So hypothetically speaking, what's to stop a would-be thief from scanning your card and then hitting an accept button without your knowledge?

    28. Re:Well lets see... by Anonymous Coward · · Score: 0

      Funny thing, over 10 billion dollars per year is already collected using similar technology in the US. If you live near a toll road or parking facility with RFID you may have already participated in this yourself.

      In addition, in the coming months the FCC will likely approve a new band at 5.9 GHz for "Dedicated Short Range Communication" (DSRC). Among other things, this band will also be used to conduct Electronic Funds Transfers from vehicles and mobile devices.

    29. Re:Well lets see... by Anonymous Coward · · Score: 0

      Ka-chink ka-chink ... The sound of your money being swiped by some guy walking past you with a portable credit card scanner.

      Theft of money will be even easier.

    30. Re:Well lets see... by BrainInAJar · · Score: 1

      "Nothing like tapping into the cowstomer's (sic) impulse buying, especially in the US."

      Yep... Boosts the economy. Helps even more if it's on credit (what with the credit based system and all)

    31. Re:Well lets see... by BrainInAJar · · Score: 1

      The cash discount that some places offer usually has more to do with the place committing tax fraud than it does for amex/visa fees

    32. Re:Well lets see... by DriceX · · Score: 1

      Well, this is news to me. We pay 1.5% commission to Amex. In fact, of the major cards, they are the lowest commission rate, with Visa/MC charging 2.5%. Restaurants can pay upwards of 4.5% but that's as high as it gets.

      That's interesting. For my parent's business the reverse is true. Amex is the most costly at ~3%, followed by Visa/MC at ~1.65%, and Discover is the cheapest at 1.5%

    33. Re:Well lets see... by Anonymous Coward · · Score: 0

      That's interesting. For my parent's business the reverse is true. Amex is the most costly at ~3%, followed by Visa/MC at ~1.65%, and Discover is the cheapest at 1.5%

      That's my experience as well, which is why Amex is less popular with merchants than visa/MC.

      Although, if a merchant has annoyed me for some reason, I really enjoy paying with my Amex instead of visa!

    34. Re:Well lets see... by Ryosen · · Score: 1

      It all depends on who the merchant account is through and your business classification. We just happened to find a good provider for retail. Amex tends to be higher for entertainment and restaurants than it is for retail, although I can't say I know why.

      We also have a very small transaction rate - 12 cents for Visa/MC and Amex is a flat rate of $5/month.

      To correct my earlier post, my partner just informed me that we pay 1% commission on Visa/MC. Amex has no commission and no transaction rate - just the flat $5 per month. That's good up to $5000 per month. After that, the rate is still very reasonable, although I don't know what it is off-hand. Amex is very supportive of small businesses. YMMV.

      One thing that not many retailers are aware of is that you can shop around. Rates can be very competitive.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
    35. Re:Well lets see... by Anonymous Coward · · Score: 0

      So, now all they have to do is put the RFID receivers by the doors also (and why not the johns as well? And probably will insist on their employees having a card on them as well...), so they can log who comes in and leaves, as well as if they make purchases... Hmm...

    36. Re:Well lets see... by sonamchauhan · · Score: 1

      Hyuk - this got modded down. I assume some moderator is allergic to politeness.
      But it makes some useful point to the overrated parent. Reposting...

      -----
      I'm not the poster above but...

      > Wrong. RTFA.
      CYFM (Clean Your Filthy Mouth)

      > Consumer gets to make final "accept/reject" on purchase after card is scanned.
      I didn't see that in the article (it is possible I missed it). Please post the phrase from the article that specifies this. The article actually talks about 2 separate cards - one from Amex, one from Mastercard.

      The article does say:
      In theory, the transaction could be intercepted without a consumer's knowledge by a technologically savvy thief intent on cloning a card. That's because RFID transmissions themselves are not encrypted.

      However, the thief would have to get quite close to his target or have a very sensitive reader.

      Also, the account number on the contactless cards is useful only in the RFID system -- it's not the same as a user's credit card number. A crook would thus not be able to use the card number to go on a fraudulent Internet shopping spree, for example.

      > Also, card includes challenge/response authentication ...
      Still susceptible to attack unless the customer gets to control a local UI *on* the card. (see my other post here).

    37. Re:Well lets see... by FreezerJam · · Score: 1

      You didn't deal with TwistedSpring's most important factor. RFID cards and tags have only the tiny amount of power that was beamed to them over the air.

      All of your examples are fine, but you are assuming reasonable power is available. It isn't. Note the Amex card (as mentioned in the article) uses challenge-response based on 128-bit encryption. Is 128 bit RSA secure? Or will they be limited to triple-DES - with the key management issues that crop up under symmetric systems?

      Schneier is right when he states that higher levels of absolute security do not automatically equate to higher levels of real security. But the converse is NOT true - if you lower the theoretical security of the system (say with smaller keys) eventually you will reach the point where you are no longer sufficiently secure.

    38. Re:Well lets see... by Dark+Bard · · Score: 2, Funny

      I used to have something that could bleed my account dry without any input from me. It was called a wife.

    39. Re:Well lets see... by Anonymous Coward · · Score: 0

      Biometrics.. Yeah, until someone decides to kill you just to get your money, wise, very wise.

    40. Re:Well lets see... by SurgeonGeneral · · Score: 1

      LOL! As if that's never happened before? Give me a break.

      --
      -- "Man is born free, and everywhere he is in chains." Jean Jacques Rousseau
    41. Re:Well lets see... by jafac · · Score: 1

      . . . . and then there are the 1000's of other people while standing in line, decide they need that copy of Weekly World News, and a Snickers bar.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    42. Re:Well lets see... by KrispyKringle · · Score: 1

      We consider 128 bit SSL to be OK for credit card transactions. It's not absolute security, but it's secure enough that it doesn't make financial sense to break it just to get credit card numbers, especially when there are far easier methods. I don't really see any issues with the power consumption; presumably the card has enough power to do the 128 bit encryption that Amex said it does.

    43. Re:Well lets see... by Ryosen · · Score: 1

      which is why Amex is less popular with merchants than visa/MC.

      We actually prefer to take Amex over other cards, due to the rate structure. See my other post for more details.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
    44. Re:Well lets see... by Trepalium · · Score: 1

      The '128-bit' of SSL is symmetric encryption. However, SSL first exchanges the 128-bit key over a 1024 or higher bit public key algorithm. I'm almost certain they won't have the processing power for public key encryption, so that leaves symmetrical encryption. And unfortunately, that also means that if someone leaks or steals the credit company's secret code, the encryption completely breaks down.

      --
      I used up all my sick days, so I'm calling in dead.
    45. Re:Well lets see... by KrispyKringle · · Score: 1

      No, I don't think that's right. There is no secret code here. Challenge-response means that the secret code is the key for this particular card, which is known by both the issuer and the cardholder, but presumably no one else. If you are concerned about someone stealing the key, it's really no different than someone stealing your CC# directly.

    46. Re:Well lets see... by Trepalium · · Score: 1

      Then how would the card know it's talking to the credit card agency, not a rogue reader? My feeling is they need to authenticate to each other somehow, and while the credit card can authenticate to the CC company with a unique code, the reverse is not true. There could be a large number of secrets based on some arbitrary non-confidential criteria (name, issue date, etc), but it still means there has to be a shared secret of some kind.

      --
      I used up all my sick days, so I'm calling in dead.
  2. How safe are they? by Pingular · · Score: 3, Interesting

    They better be sure their encryption is up to scratch. I was reading just the other day (I believe it was on Slashdot) that there are supercomputers now that can break 128-bit encryption in a matter of minutes.

    --

    When anger rises, think of the consequences.
    Confucius (551 BC - 479 BC)
    1. Re:How safe are they? by filtersweep · · Score: 2, Informative

      Yeah, and my office building handles much more sensitive data than a CC and it has much more, shall we say, more "mature" technology in the access cards used. I don't think it is that big of a deal. As it is, anyone with rudimentary "Radio Shack skills" can program a magnetic strip for an ordinary non-smart-card CC.

      --


      Those that suggest you "dance like no one is watching" really want to see you make a complete fool of yourself.
    2. Re:How safe are they? by xpl_the_myst · · Score: 2, Interesting

      Quote from the article --
      "
      In theory, the transaction could be intercepted without a consumer's knowledge by a technologically savvy thief intent on cloning a card. That's because RFID transmissions themselves are not encrypted.
      "

      But there's also -
      "
      American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. ...
      MasterCard says it uses a different security system but would not provide specifics.
      "

      I don't know what the two mean when put together, but I sure as hell hope they are encrypted.

      --
      This sig is empty.
    3. Re:How safe are they? by SolidGold · · Score: 1

      This is a bunch of baloney. There are no computers that can break 128 bit encryption that fast. There was an article that had a supercomputer generating all the possible hashes that crypt() can produce for common unix passwords in 80 minutes, but that is not nearly the same thing.

      --

      --SolidGold
      Everything you know is wrong. Or more accurately, inaccurate.

    4. Re:How safe are they? by xpl_the_myst · · Score: 1

      I think the parent is talking of the factoring of RSA-576 or RSA-128 or something like that recently. But that was no supercomputer - it was a distributed crack. Anyway, 128 is solid enough for now.

      --
      This sig is empty.
    5. Re:How safe are they? by LegionX · · Score: 1

      Then, let's hope they don't intend to continue using the same old 4 # pin-code method.. guess how many microseconds the supercomputer would take to crack that :)

    6. Re:How safe are they? by Anonymous Coward · · Score: 1, Insightful

      Bullshit, Sir Whacksalot. Nobody breaks 128 bit encryption to steal credit cards when there are much easier ways to do it.

    7. Re:How safe are they? by /dev/trash · · Score: 1

      well damn I better stop using my SSL enabled browser then to check important things.

    8. Re:How safe are they? by NateSac · · Score: 1

      Yeah, like my credit card company wouldn't notice 10000 different guesses on my pin number before they locked out my account.

      --
      ::i visited slashdot and all i got was this lousy sig::
    9. Re:How safe are they? by SuperMo0 · · Score: 1

      The Mythbusters simply used a computer program on an ordinary old laptop and a card writer. Not hard at all.

    10. Re:How safe are they? by gl4ss · · Score: 1

      as opposed to few unencrypted numbers you can copy with a pen from a visa?

      .

      --
      world was created 5 seconds before this post as it is.
  3. Rejoice! by drewbradford · · Score: 5, Funny

    This will make charging people to walk past my house much easier. In the past it's been tough for me to collect the $50 that I charge.

    1. Re:Rejoice! by suso · · Score: 1

      Sigh, why did this guy get marked as a troll? I thought it was funny too.

    2. Re:Rejoice! by G-funk · · Score: 4, Funny

      Sigh, why did this guy get marked as a troll?

      Yeah I agree... Sure, if he wanted to charge people to walk over his bridge, but past his house? Cummon, people! :-)

      --
      Send lawyers, guns, and money!
  4. Faster than cash? by Isopropyl · · Score: 5, Funny
    "In some instances it's faster than cash," said Betsy Foran-Owens, a MasterCard vice president. "You're eliminating the fumble factor."

    I agree. Nothing's more annoying than handing someone $10.15 for a $5.15 bill and watching the other person take out a calculator.

    1. Re:Faster than cash? by a+whoabot · · Score: 1

      Aww, that makes me sad, 'cause there's people like that, and they're just not that bright, you know?

      *Waits for "you're just a fag" insults...

    2. Re:Faster than cash? by the_2nd_coming · · Score: 1

      what is more sad is watching Calc 1 students take out a calculator to figure out what:

      (e^x)(e^2) is.

      why is this more sad? if you are in calc, you have dedicated your life to understanding numbers up to this point and you have no understanding of exponent rules.

      I might be a little dramatic, but it is bothersome

      --



      I am the Alpha and the Omega-3
    3. Re:Faster than cash? by Anonymous Coward · · Score: 0

      fag

    4. Re:Faster than cash? by Anonymous Coward · · Score: 0

      They'll need to use a calculator to figure out what (e^(x+2)) is numerically anyway, so what's your point?

    5. Re:Faster than cash? by rbbs · · Score: 2, Interesting

      no i can beat you.
      was in the post office buying stamps last week and a woman was with her daughter. she wanted four 28p stamps and couldn't work out how much to tell her daughter to put in the machine. she had written down 28+28+28+28 on a piece of paper and was adding it up manually...8+8, carry 1, um....

      seriously...it made me realise i take some things for granted....

    6. Re:Faster than cash? by whovian · · Score: 1

      That makes me recall an experience I had at a Walgreens. I gave the checkout lady (who must have been upwards of 70 years old) some paper money along with assorted coinage, as I wanted to lighten my pocket. She counted it up and pointed out that if I could come up with X amount more in coins that she could give me back (a more useful coin like) a quarter. I wasn't even thinking about that; I just wanted to get rid of the damn pennies.

      So I for one can attest to the fact that there are some quick witted people out there.

      --
      To-do List: Receive telemarketing call during a tornado warning. Check.
    7. Re:Faster than cash? by gcaseye6677 · · Score: 1

      Wow, and I thought only Americans were that ignorant. Looks like the British public schools could use some work too.

    8. Re:Faster than cash? by Anonymous Coward · · Score: 0

      1. Why not give them $6, $11 or $21 instead of making it hard for them. 2nd benefit is that you don't have pocket full of 1's at the end of a day. 3rd benefit the retailer doesn't have to keep grabbing more 1's from the safe because the cash drawer is empty of them. Give em a break.

      2. Even the best counters of money, even if it's second nature, slow down after 8-12+ hours of doing it. If you want to experience it get a job at a festival (music or otherwise) sometime and you will know the true meaning of handling money, giving change for thousands of customers in a single day. Trust me the brain doesn't count as fast after days like that.

    9. Re:Faster than cash? by Anonymous Coward · · Score: 0

      No, he's "Just" a fag. Yeesh... get it right.

    10. Re:Faster than cash? by FuzzyMan45 · · Score: 1

      actually, what i've noticed is that the old-timing cashiers (ones who have done it at least 10-15 years previous to now) are MUCH better at getting change correctly and quickly. Most cashiers aren't even trained to count your change back to you, they just read the change on the computer and give it back without making sure they didn't make an error. good cashiers rock.

    11. Re:Faster than cash? by SuperMo0 · · Score: 1

      e^2+x And I'm in AP Statistics, tyvm ^_^

    12. Re:Faster than cash? by the_2nd_coming · · Score: 1

      e^(x+2) is a function you flipping moron!!!

      not to mention, e^2 is a number all by itself!!!!

      --



      I am the Alpha and the Omega-3
    13. Re:Faster than cash? by Anonymous Coward · · Score: 0

      e^(2+x), you mean :P

    14. Re:Faster than cash? by Texas+Rose+on+Lava+L · · Score: 1

      if you are in calc, you have dedicated your life to understanding numbers up to this point

      Not necessarily. You could be a liberal arts major who's only taking calc because it's required. Now if a math/engineering/science major was doing that, it would be sad.

    15. Re:Faster than cash? by Enonu · · Score: 1

      For some reason while learning mathematics in elementary school, my teachers never taught me that 28 + 28 + 28 + 28 is the same as 25 + 25 + 25 + 25 + 3 + 3 + 3 + 3, 4 * 25 + 4 * 3, 100 + 12, 112. This is the way I do basic math on a daily basis, but I swear 98% of the population doesn't have any type of similar reasoning ability.

      It's like I'm some type of circus side-show freak by being able to compute a 15% tip for dinner.

    16. Re:Faster than cash? by Anonymous Coward · · Score: 0

      they are exactly the same you moron!!!

    17. Re:Faster than cash? by the_2nd_coming · · Score: 1

      I said I was being a bit dramatic, however if you are in calc you should know BASIC algebra.

      --



      I am the Alpha and the Omega-3
    18. Re:Faster than cash? by Anonymous Coward · · Score: 0

      no they are not you fucktard

    19. Re:Faster than cash? by Anonymous Coward · · Score: 0

      oh yeah, there are no parentheses in the first one...heh I thought you had just inverted the operands in the exponent :-p

    20. Re:Faster than cash? by bleak+sky · · Score: 1

      Chunking! My favorite arithmetic trick!

      Thank you for bringing a smile to my face--I was afraid I was the only one who actually did this...

    21. Re:Faster than cash? by bleak+sky · · Score: 1

      Ugh... $10.15 - $5.15 is, wait for it, $5.00! No $1's, no change counting... How is this less easy for the cashier than handing him $6? Especially if you don't have a $5 bill?

      Oh, wait, you're the idiot he was referring to...

    22. Re:Faster than cash? by ghost+cat · · Score: 1

      When the last digit is >5, I usually do it the other way, i.e. 30*4 - 2*4

    23. Re:Faster than cash? by Anonymous Coward · · Score: 0

      It's not always that simple. You have to be able to get the whole thing done before some other distraction comes along and screws up your "scratch space" - you know, where you're keeping the (25 * 4) result while you put the second half together.

      Obviously what I'm saying sounds stupid for this simple example, but consider what happens with bigger numbers. I'd rather go for the trusty watch-calc rather than worry about whether I transposed a mental digit or two while holding it off to the side.

      Give me a piece of paper and it's not a problem since the numbers aren't going anywhere once written. I suspect there are others who work the same way.

  5. easier to steal cc number by jbplou · · Score: 3, Insightful

    Won't this make it easier to steal someone's cc number now? Since all someone will have to do is hide a sensor of some type in a mall or someplace that can pick up the radio frequency?

  6. Scanners by alset_tech · · Score: 4, Insightful

    Another reason to sniff the wireless frequencies. You may not be able to get into most cell networks these days, but this will bring all kinds of fun to the quest. Someone will figure out how to hack this inside three months. At least right now I have to match a signature (though nobody checks the card) and my debit card has my picture on it. God knows I won't want to get one of these.

    --
    Standing on the shoulders of giants.
    1. Re:Scanners by KrispyKringle · · Score: 3, Insightful
      It's not very hard to make this secure. This isn't done with current credit cards, but so long as we're building a new system, make 'em smart cards. Put a chip in them that stores a cryptographically random private key. When sent data (say, some random chunk to prevent a playback attack), it spits out the encrypted version. Then the credit card company can verify against the known public key (or give them a copy of the private key as well, so it's more like challenge-response) to make sure you really have the private key. Perfectly secure (at least until someone perfects quantum computing, or unless the NSA--who really doesn't need to waste time cracking my credit card--develops a way to factor large numbers).

      Of course, for traditional use, like online, you could use the traditional CC#.

    2. Re:Scanners by Justice8096 · · Score: 1

      Good Idea - but how about a legitimate business? Like market research - I get all of the RFID's of customers at my store, then I go into a competitor's store when they are having a competing "sale" and see how much of my customers have been attracted, thus telling me if I should bother to start economic warfare against the competitor.

    3. Re:Scanners by Lumpy · · Score: 1

      Hell I hacked the "secure" proximity access cards within 3 days here at work.

      I made a device that lets me read a prox-card from about 4 feet away.... I walk past you and I now have your card's number. My engineering friend made a transmitter that coupled with a Sharp Zaurus and a serial cable can transmit the code.

      So they might add some kind of encryption... if it's typical of the low-grade stuff that the credit industry uses, I probably will be able to get a good subset of data from the person in front of me by asking the card 20 times what its content is, get the information that is encoded.

      hell, I'm betting that these get cracked within a week of its release.

      --
      Do not look at laser with remaining good eye.
    4. Re:Scanners by grahamsz · · Score: 1

      The problem I see is that RFID's aren't active and smart chips don't work without an external power source. Seems like we're a long way off from coupling these together to make a wireless self-powered smartcard.

      Smartchips make a lot more sense for credit cards whereas rfid is better for security passes, subway cards etc...

    5. Re:Scanners by KrispyKringle · · Score: 1

      Nah. The RFID's are smart-chips here. They're powered by induction from the RFID scanner. I did a little googling and found a description of a similar proximity-card. They'd have to have a power source to do challenge-response, as the article indicates.

  7. No Problemo by the+eric+conspiracy · · Score: 5, Funny

    I predict a booming market in shielded wallets.

    1. Re:No Problemo by niko9 · · Score: 3, Funny

      Bah, the hackers will make their own

      Scroll to the middle of the page.

    2. Re:No Problemo by jeffkjo1 · · Score: 1

      Is it really that hard for you to convert your tin foil hat into a tin foil wallet that you need someone else to make one for you?

    3. Re:No Problemo by Deanasc · · Score: 1

      Not if they're keychain dongles. Put all your money into Faraday Pockets.

      --
      I've hit Karma 50 and gotten a Score:5, Troll... I win!
    4. Re:No Problemo by ScrewMaster · · Score: 1

      Yes, dare I say, a tinfoil wallet?

      --
      The higher the technology, the sharper that two-edged sword.
    5. Re:No Problemo by Anonymous Coward · · Score: 0

      Not for me, thanks. I'll go for shielded pants and protect more of my valuables in one go.

  8. Bad Idea by wsloand · · Score: 2, Interesting

    Now someone can pickpocket me by just bumping into me on the subway. It would be relatively simple to just read the card with a device in my pocket from someone else's pocket. How hard could it be to make your own RFID device that gives out the same number?

    1. Re:Bad Idea by Anonymous Coward · · Score: 0

      It's not that hard to read, but very hard to transmit with newer RFID. That's why people don't worry about using these as keys to blds. The concern about being charged unknowingly is still legit.

    2. Re:Bad Idea by KrispyKringle · · Score: 1
      No. It doesn't work this way.

      American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. That strength of encryption is considered safe against "brute force" attacks, in which a hacker tries every possible combination.

      MasterCard says it uses a different security system but would not provide specifics.

      I don't really think they're that stupid. Presumably there's a secure private key on the card (in the AmEx system) that encrypts and spits back some random chunk of data. The credit card company does the same process and verifies that the encrypted chunks match. The key is never transmitted. Perfectly secure (similar to how VNC works, if I remember right, and to Kerberos). There are plenty of alternative methods (I posted a few minutes ago detailing how to do it with PKI), but if you trust the CC company, there's no real reason to use a private key only you have, and challenge/response is perfectly good.

    3. Re:Bad Idea by Scrameustache · · Score: 1

      Now someone can pickpocket me by just bumping into me on the subway.

      As opposed to before, when they just had to bump into you on the subway.

      What an age we live in!

      --

      You can't take the sky from me...

  9. No signature... by Penguin2212 · · Score: 1

    So, basically, if somebody steals my credit card they can just stick it in their wallet and run up charges by literally waving the card in front of the clerk rather than having to physically look at the card and verify my signature like they're supposed to.

    1. Re:No signature... by Teddy+Beartuzzi · · Score: 1
      Yup. The *one* security measure built in to credit cards, and now they think "let's gas that".

      Because it's just so damn inconvenient to take a card out of your wallet. :rolls eyes:

  10. PIN by Duncan3 · · Score: 1

    You still have to enter your PIN in the little keypad... Hit the little confirm button for the amount...

    It's not really saving that much time.

    But it sure is cool! (for the crooks)

    --
    - Adam L. Beberg - The Cosm Project - http://www.mithral.com/
    1. Re:PIN by xpl_the_myst · · Score: 1

      Credit card transactions don't usually require a PIN. Do these guys? I don't think so.

      --
      This sig is empty.
    2. Re:PIN by August_zero · · Score: 1

      This is the thing:

      I use a credit/debit card for everything, I seldom have more than $40 in cash on me. In place of a signature on the back of the card I have always put down "Check ID" To me this is the least that a store can do to reduce the chances that my stolen card might be used to purchase things for the thief. In recent years though I have noticed that many stores now have card swipes that the customer uses as opposed to the clerk. This looks like a time saving thing but really what it does is make it a lot easier to use a stolen card since there is no check. Why? Because it saves time and many people seem to be more willing to save 10 seconds on a checkout than they are willing to take even a tiny step to protect their money. Many stores now don't even require signatures for purchases under $25 or $50. I think that PIN numbers might help protect these radio cards, but I really don't think that retailers are going to bother with them. Time = money and faster checkouts mean having to pay fewer cashiers.

      Perhaps I am just ignorant but why are we so damn set on shaving another 10 seconds off our checkout time at the local meijers? It's not like they ever have more than 2 cashiers for the 2000 people all trying to make purchases at once anyway.

      --
      On Wall Street they say "buy low, sell high" On the pad we say, "buy high, sell high" Isn't that somehow better?
    3. Re:PIN by Alrescha · · Score: 1

      " In place of a signature on the back of the card I have always put down "Check ID" To me this is the least that a store can do to reduce the chances that my stolen card might be used to purchase things for the thief."

      Checking anything other than the signature on the back of the credit card is usually in violation of the retailer's agreement with the credit card company.

      A.

      --
      ...bringing you cynical quips since 1998
    4. Re:PIN by cjsnell · · Score: 1


      It would save me a lot of time. My wallet is constantly erasing the mag stripes on my cards. I can't wait to ditch them for a contactless card.

    5. Re:PIN by toast0 · · Score: 2, Insightful

      The card itself (checked a mastercard and a non-credit atm card) says 'Not valid unless signed', which would lead me to believe a merchant should refuse transactions from people with Check ID written on the card, unless they happen to be named 'Check ID'

      The merchants who really care about the id of their purchasers ask to see my fake id when I use a stolen card anyhow.

    6. Re:PIN by devnullify · · Score: 1

      I always thought the reason they (big retailers) brought in the customer-swiping was to make it more difficult for cashiers to collect card#/PIN combos. There were a rash of episodes around here where employees scanned the card into a bogus reader and then just eyeballed the PIN.

      Of course, it's still possible by replacing the pinpad, but it's a lot more difficult.

      As an aside, I didn't even realize they were supposed to check signatures on debit cards. It's never happened to me, not once. Of course, the debit card network here is entirely separate from the CC network (Interac).

    7. Re:PIN by Anonymous Coward · · Score: 0

      Many debit cards work the same as a credit card as far as the retailer is concerned. In fact, most debit cards used as debit cards will see a transaction fee levied on the user whereas when they are used as a credit card (no PIN needed) there is no such fee.

    8. Re:PIN by Anonymous Coward · · Score: 0

      "See ID" has been a very common practice for almost as long as there have been credit cards.

      The merchants who really care about the id of their purchasers ask to see my fake id when i use a stolen card anyhow.


      Well of course they can if they go through that much trouble. A very common type of credit card fraud though is still the lift the wallet and use the card before the owner cancels it. In these cases it is unlikely that the perp will have time to forge or alter the photo ID of the original card user.

      Pointless anecdote: a friend of mine who happens to be black had his wallet stolen from a gym locker a couple years ago. The thief used the card at a local mall in a computer store buying a couple playstations and some games. The store chain who had some nice signs on display explaining how they always check ID for purchases over $50 totally missed the fact that the dude with the stolen card was white while the photo ID of my friend who belonged to the card was obviously not. The

  11. Great ! by moby · · Score: 1

    I can see it now, virtual pick-pocketing. Just bump against the mark's wallet area and scan away. Next go back home and crack away. Boy is this gonna be a good Christmas!

    1. Re:Great ! by Anonymous Coward · · Score: 0

      No need to crack- just use a fake name to get a (portable) card reader like you were a small business that needed to take credit cards. You can do this now, but you would need to physically get ahold of the card (or at least the number) to run the charges. But with these new cards, all you need to do is bump into people.

  12. Bring'em On! by Jah-Wren+Ryel · · Score: 2, Funny

    I have *the* patent on lead-lined wallets (and tin-foiled lined ones too) so I say the sooner these wireless cards come to market the sooner I can become a rich man!

    --
    When information is power, privacy is freedom.
    1. Re:Bring'em On! by irving47 · · Score: 1

      You forgot copper wire mesh. Like they use for faraday cages and the like.

      --
      I had a sucky sig.
    2. Re:Bring'em On! by Macsimus · · Score: 1

      So you're saying you can turn lead into gold? Wow, and I thought alchemy was just a myth...

  13. Fast food on me by hugesmile · · Score: 1
    Brilliant technology..

    I walk into Wendy's and buy burgers for the next ten customers. great!!

    Oh, and a thief can't steal your "REAL" credit card number, but they can duplicate your RFID, so they never NEED to steal your "REAL" credit card number.

    This needs serious work!

  14. There is a (sort of) working example by jonbryce · · Score: 3, Insightful

    Transport for London's Oyster Card is a contactless ticketing system for the London Underground and London Buses.

    At the moment, it can only hold season tickets, so it isn't a great problem if you accidentally use it. From next year, you can hold other types of ticket in there as well.

    It has some advantages, like being able to recharge it over the phone or online without having to wait for the tickets to arrive through the post.

    You can get through the ticket barriers without taking it out your bag, though you have to hold the bag pretty close to the sensor.

    People don't like it because it allows TFL to trace your travel habits much more than they could before.

    In the case of credit cards, I can't see how just holding it close to a sensor could be evidence of your approval of the transaction. You would need some sort of verification process like a signature or a PIN/password.

  15. Widely used in Hong Kong by G4from128k · · Score: 2, Informative

    The Octopus card is widely used in Hong Kong. It's a stored value card, so it's anonymous. It started life in the MTR (the local mass transit system) and has since expanded to convenience stores, McDonald's, Starbucks, etc.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Widely used in Hong Kong by AndroidCat · · Score: 1
      Ah! I was wondering what this quote meant:
      A girl and a boy bump into each other -- surely an accident.
      A girl and a boy bump and her handkerchief drops -- surely another accident.
      But when a girl gives a boy a dead squid -- that had to mean something.
      -- S. Morganstern, "The Silent Gondoliers"
      It all makes perfect sense now.
      --
      One line blog. I hear that they're called Twitters now.
  16. A spare radio transmitter... by Lane.exe · · Score: 1
    A credit card charge station, and a direct deposit account...

    A good vantage point at the local shopping mall and I'm a rich bastard.

    --
    IAALS.
    1. Re:A spare radio transmitter... by BlacKat · · Score: 1

      The article indicates that the number on the RFID "card" isn't actually the credit card number, but rather a different number that's linked to the CC number.

      So, it probably won't be long before the same crooks who set up ATM machines to sniff card number and PINs simply get one of these RFID payment terminals and a *very* sensitive reader and start charging every person in the local mall a couple bucks.

      Do this during the busy holiday season and I bet 99% of the people wouldn't even notice. Heck, the thief could just make the name that shows up on the statements look like it's from one of the food court places or something.

      Ah well... guess we'll see how it goes... the best thing to do is simply to not HAVE any credit cards, but then... I guess RFID debit cards would be even worse! :D

    2. Re:A spare radio transmitter... by Lane.exe · · Score: 1
      Face it... we're either rich or screwed, depending on how ethical we want to be.

      --
      IAALS.
  17. Many ways of security. by AmoebafromSweden · · Score: 1

    Well security against fraud and safer payment is one thing.

    The biggest question is, how will the corporations treat our financial data? And how will the governments safeguard it.

    Getting your card sacked is one thing, but getting your private information stolen, sold or whatever might be worse.

    (me lives in sweden but have both amex and Visa)

  18. Magnetical shielding by Anonymous Coward · · Score: 0

    I want a magnetically shielded wallet NOW!

    Seriously, if RFID and similar techs become more common I will have to think of ways to protect myself from tracking. I am paranoid and that's a good thing.

  19. In other news... by JiggsJedi · · Score: 2, Funny

    ...tin foil panties being showcased in VictoRFID's Secret...

    --
    Women are like internet domains. All the ones I like are taken, but I can still get one from a strange country.
    1. Re:In other news... by Anonymous Coward · · Score: 0

      There might be something to be said for RFID equipped panties for tracking purposes.

  20. Switches by nrlightfoot · · Score: 1

    They should build in an on off switch into these things. Maybe have it complete a circuit through your hand when you touch two contacts located on opposite sides of the card.

    --
    what sig?
  21. New Invention by the+eric+conspiracy · · Score: 1


    Combination cell phone, EZ-Pass and RFID jammer.

  22. Credit Card Theft? by Valen0 · · Score: 1

    "American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. That strength of encryption is considered safe against "brute force" attacks, in which a hacker tries every possible combination."

    This seems like a big mess waiting to happen. All it takes is one leak or crack of the secret key and the entire RFID credit card system will come crashing down.

    Once the secret key gets out, we'll see thieves with mobile RFID scanners sniffing the cards and then putting the information into a database. The rate of credit card fraud will go up exponentially.

    I will personally try and avoid these cards. They seem like a disaster waiting to happen.

    --
    -Valen
    1. Re:Credit Card Theft? by KrispyKringle · · Score: 4, Informative
      That's not how challenge/response works. See here.

      Basically, the idea is that if both you and the authenticator know the secret password, but you don't want to transmit it, the authenticator sends you some random chunk of data, say message M. You encrypt it using some (presumably one-way) algorithm, using your password as the encryption key to create W. The authenticator also encrypts the same chunk, and, when you send back your W, compares it to his own known-good W. Assuming they match, it means you have the password. The password itself is never sent plaintext.

      You seem to be assuming that there is one secret key for the whole system. This would be completely useless, and is obviously not the case. You would need one secret key per person, as I'm sure American Express knows.
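
The challenge/response exchange described in the comments above (a fresh random challenge M, a response W computed from a secret that is never sent, and one secret key per card), as an added example that is not part of any comment or of any card scheme's code. HMAC-SHA256 stands in for the unspecified "128-bit encryption", and the `Issuer`, `Card` and token names are assumptions made for illustration.

```python
"""Added example: per-card challenge-response with replay protection.

Assumptions (not from the article or any card scheme): HMAC-SHA256 is the
one-way function; Issuer, Card and the token strings are hypothetical.
"""
import hashlib
import hmac
import secrets


class Card:
    """Contactless card: holds its own secret and never transmits it."""

    def __init__(self, token: str, key: bytes):
        self.token = token   # public identifier sent over the air
        self._key = key      # 128-bit per-card secret, stays on the chip

    def respond(self, challenge: bytes) -> bytes:
        # W = MAC(key, M): proves possession of the key without revealing it.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Issuer:
    """Back end that knows every card's key and issues one-time challenges."""

    def __init__(self):
        self._keys = {}      # token -> per-card key
        self._pending = {}   # token -> outstanding challenge

    def issue_card(self, token: str) -> Card:
        key = secrets.token_bytes(16)        # unique 128-bit key per card
        self._keys[token] = key
        return Card(token, key)

    def new_challenge(self, token: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh random M per transaction
        self._pending[token] = challenge
        return challenge

    def verify(self, token: str, response: bytes) -> bool:
        # pop() means each challenge is accepted at most once, which is
        # what defeats a recorded-and-replayed response.
        challenge = self._pending.pop(token, None)
        key = self._keys.get(token)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_scenarios() -> dict:
    issuer = Issuer()
    alice = issuer.issue_card("token-alice")  # constructed sample tokens
    bob = issuer.issue_card("token-bob")
    results = {}

    # 1. Genuine transaction: the card answers the reader's challenge.
    m1 = issuer.new_challenge(alice.token)
    w1 = alice.respond(m1)
    results["genuine"] = issuer.verify(alice.token, w1)

    # 2. A recorded W from transaction 1 is presented against a new challenge.
    issuer.new_challenge(alice.token)
    results["replay"] = issuer.verify(alice.token, w1)

    # 3. The same recorded W with no outstanding challenge at all.
    results["no_challenge"] = issuer.verify(alice.token, w1)

    # 4. Per-card keys: knowing one card's key does not authenticate another.
    m2 = issuer.new_challenge(alice.token)
    results["other_card_key"] = issuer.verify(alice.token, bob.respond(m2))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Only the genuine exchange verifies; the replayed response and the response computed with a different card's key are both rejected.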

  23. What if... by paul248 · · Score: 1

    What is the plausibility of having some sort of chip, say, embedded in your hand, that you could [this is the hard part] unlock through some kind of thought or muscle action that nobody could force you to perform? It could have a processor on board that uses a challenge-response system, so passwords can't be sniffed by a nearby device.

    Scenario: you're logging into some website or making a purchase, and instead of typing a password, you put your hand near a reader, and think something that makes the device activate. Then the reader identifies who wants your password, and sends a challenge, and the device responds.

    It's probably not very doable with current technology, but it would probably be more secure than fingerprints, because the data stored in it could be changed if necessary.

    1. Re:What if... by The+Unabageler · · Score: 1

      If you can elicit an electrical response from your brain, someone with a probe stuck in your head can do the same thing.

      --
      perl -e '$_="\007/4`\cp%2,".chr(127);s/./"\"\\c$&\""/gees; print'
    2. Re:What if... by paul248 · · Score: 1

      Ah, just got another idea... maybe, before you scan, the reader could display a sort of morse code pattern on a LCD/LED display, and you have to tap out that pattern with your finger in order to authorize the chip for that transaction/login (assuming the chip is in your finger). That way, you couldn't accidentally login to another reader that happens to be nearby. And, there's no mind-reading technology needed.

    3. Re:What if... by toast0 · · Score: 1

      that you could [this is the hard part] unlock through some kind of thought or muscle action that nobody could force you to perform?

      As villains are so fond of saying in movies: "We have ways of making you talk."

      Of course, by talk they also mean authorize credit transactions. Money isn't that important, if some asshat wants you to buy him X so he doesn't shoot you with the gun in your back, I'd suggest buying him X, and then calling your bank when he's off playing with it.

    4. Re:What if... by paul248 · · Score: 1

      I think this would be more useful for eliminating passwords than anything else, and a lot of people hate passwords.

  24. The merchant never touches it? by rMortyH · · Score: 4, Interesting

    The idea that the merchant doesn't have to touch the card makes it pretty unlikely that they'll check the id and the signature of the buyer, so this encourages fraud. It should at least require a PIN.

    Also, there is no way for the customer to control access to the card. My sister recently picked me up at Kennedy airport, and as she was holding the parking fee money out the window, the attendant charged the fee to her EZpass because he was too lazy to look up. There wasn't enough room on the pass so she got hit with a penalty. He wouldn't even look up from his paper when she complained.

    So you'll have to keep your card in a metallic wallet, because the lack of physical contact means you can't really control when it's accessed.

    It's interesting that I can build a wand and get someone's information off the license in their pocket. Now you could potentially get their credit card number too.

    It may be slightly faster, but beyond that I don't see how it's better for the consumer or the business.

    1. Re:The merchant never touches it? by sonamchauhan · · Score: 3, Interesting

      Also, there is no way for the customer to control access to the card.

      Seriously though, excellent point.
      I made a similar point here in the article on fake ATMs -- even smartcards (contactless or otherwise) with PK crypto are susceptible to attack by fake-front ATMs unless they present an on-board interface so that the buyer can control the transaction.

      Otherwise, the buyer will just see the seller make a "big sucking sound".

    2. Re:The merchant never touches it? by jonatha · · Score: 1

      This isn't a simple replacement of the mag stripe with a contactless EEPROM. The card and the (remote) reader will have to interact via a cryptographic protocol, and in particular the reader will have to authenticate with the card so that the card knows that at the other end of the aether there's a terminal that's been blessed by somebody and someone will be held accountable if something untoward happens.

      At least that's the theory. We'll see how well the protocols are designed...

      --
      The SCO lawsuit makes me wish my company were in Utah. We need a new building.
    3. Re:The merchant never touches it? by egarrido16 · · Score: 2, Interesting

      Few merchants check credit card signatures.

      Here's a funny link posted to slashdot some time ago: the credit card prank..

      --
      "Brevity is the soul of wit." -Polonius, Hamlet.
    4. Re:The merchant never touches it? by Wycliffe · · Score: 1

      someone should mod this up.
      This is hilarious.

    5. Re:The merchant never touches it? by Anonymous Coward · · Score: 0

      Either the range should be limited to a few inches, or there should be a sensor on the card that you have to touch.

    6. Re:The merchant never touches it? by Vulpine · · Score: 1

      I am a retail clerk at a used book chain. You are right -- I do not verify the signature on the card matches the one on the credit card slip. Instead I do verify that the card is signed at all. If the card is unsigned or says 'Check ID' I do not accept it without photo ID. This is the policy at my job and I follow it strictly unless I personally know the person (not even just one of our regulars).

      Occasionally, people will actually get angry at me when I do this. This seems pretty dumb.

      Supposedly, the Austin, TX PD also enforces the 'Check ID' policy, at least with cards that explicitly state it. Or so I am told, but I have seen no evidence of it. My check cards say 'Check ID' and I am rarely, if ever, asked for ID. Mostly, my coworkers are the only ones who notice.

      Now I am thinking about writing it on the front, but I don't think it would make much difference.

      --
      -- 'As it all washes away you know -- as it all is one, no one is alone.' -Cosmic Disorder
  25. I know by Transcendent · · Score: 1

    What to people think about the prospect of this more widespread use of RFID? Is this something that will only lead to more credit card fraud, or will it provide more secure means of payment?

    Fraud. All you have to do is take a small mobile credit card scanner and keep it in your pocket... walk around in a crowded shopping mall where everyone's credit "cards" are in their pockets and see how many you can scan.

  26. Unless it's encrypted ... by xpl_the_myst · · Score: 1

    ... by a public key. But then, would all of them use just one key? (They should, otherwise the sensor would have to remember lots of keys.) I don't know how secure it is to use just one private-public key for the job.

    Or some equivalent of SSL? Any more guesses?

    --
    This sig is empty.
    1. Re:Unless it's encrypted ... by SuperMo0 · · Score: 1

      My guess, judging by the article and the way the picture looked, is that, just like the speedpass, you'll have to hold the thing REALLY close to the sensor. It's not like the thing's broadcasting a 50 foot signal or anything.

      The article also mentions that the card has no power until the electromagnetic waves from the sensor power it up. So a thief would not only have to get a reader, but he'd have to get something to charge the CARD, as well.

    2. Re:Unless it's encrypted ... by pjwhite · · Score: 2, Insightful

      I have a Speedpass, and it doesn't activate the "hot spot" on the pump until it's less than an inch away. There's really not that much difference between the Speedpass and a credit card with no visible markings, except that you don't have to remember which way up to put it in the card reader.

      Security concerns about someone "scanning" a credit card using this radio technology from a distance are probably unfounded, unless you have it in your wallet and sit on the scanner.

    3. Re:Unless it's encrypted ... by Anonymous Coward · · Score: 0

      Whew! I was worried there for a minute. But you're right, no one would ever sit on anything that could hide a reader, oh wait, except for public bathrooms, oh yeah, and restaurants, oh and then there's movie theaters, hmm I guess there's walking in a crowd, and then there's church, but no one bad ever goes to church, and then there's leaning against a wall, and I suppose sitting on a park bench or taxi, well golly! I bet anyone could read it just about anywhere!

  27. Coming soon... by adept256 · · Score: 2, Interesting

    How long before they decide to make one of these into an implant? I bet they have scientists working around the clock inventing new ways to spend money. So imagine when your credit runs out; They don't just cut up your card, they give you surgery. Obligatory aphorism: A fool and his money are soon parted.

    --

    I ran a benchmark on my quantum computer, now I can't find it anywhere!
  28. Wardriving 3.0 by Wingnut64 · · Score: 1

    Looks like geeks just got a whole new reason to drive around with a laptop.

    --
    echo 'Header append X-HD-DVD "0x09f911029d74e35bd84156c5635688c0"' >> /etc/apache2/httpd.conf
  29. Not so evil/stupid by Nasarius · · Score: 1

    It looks like the card has to be held within about an inch or two of the reader. Kinda hard to steal other people's card info without their knowledge.

    --
    LOAD "SIG",8,1
    1. Re:Not so evil/stupid by zurab · · Score: 1
      It looks like the card has to be held within about an inch or two of the reader. Kinda hard to steal other people's card info without their knowledge.


      For a thief that's a piece of cake in crowded public areas such as malls, markets, airports, public transportation, etc. except now he doesn't have to gain possession of the physical property, like a wallet, but simply stand in line or pass by closely next to another person. Encryption... that's a different topic.

      Speaking of airports, they could install these scanners to be used at security checkpoints in conjunction with the now infamous CAPPS II. If a person is identified by such a scanner and "cleared" by the system then he/she can pass with relative ease; if not, then be subjected to comprehensive security checks and searches.
    2. Re:Not so evil/stupid by fltsimbuff · · Score: 1

      While that may be true... From the way I have heard they work, the range of an RFID signal is proportional to the power of the transmitter in the reader. Thus, if a thief takes a reader, or builds one that has higher than standard output power, they could probably get the info from it quite a distance away... along with everyone else's in the area at the same time.

  30. Replying to myself... by Nasarius · · Score: 1
    Yep:

    However, the thief would have to get quite close to his target or have a very sensitive reader.

    --
    LOAD "SIG",8,1
  31. Cell phones by SolidGold · · Score: 1

    I don't see any reason to produce contactless credit cards. The technology should just be built into cell phones. Cell phones can be the only electronic gadget that anybody needs to carry around. It can be used as a pda, cell phone, clock, gps, credit card, camera, gameboy, remote control etc. It's just a matter of time for some of them.

    --

    --SolidGold
    Everything you know is wrong. Or more accurately, inaccurate.

    1. Re:Cell phones by fltsimbuff · · Score: 1

      I can see it now... Cellphone viruses that copy to your phone, and send your financial transaction data to the writer, wirelessly over the Internet. Not so sure about this idea :P

  32. Hijacked Redirector by BigBlockMopar · · Score: 1

    you can find a good review of the pros/cons here.

    This AC hijacked my redirector for a goatse.cx link. Sorry.

    Based on the time of the posting, this individual has a subscription and lives in Vermont. Check it out:

    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:13:42 -0500] "GET /iis HTTP/1.1" 301 325 "http://ask.slashdot.org/article.pl?sid=03/12/13/1 213221&mode=nested&tid=137&threshold=- 1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:14:07 -0500] "GET /iis/ HTTP/1.1" 200 6363 "http://ask.slashdot.org/article.pl?sid=03/12/13/1 213221&mode=nested&tid=137&threshold=- 1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:14:21 -0500] "GET /iis HTTP/1.1" 301 325 "http://ask.slashdot.org/article.pl?sid=03/12/13/1 213221&mode=nested&tid=137&threshold=- 1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:14:52 -0500] "GET /iis/ HTTP/1.1" 200 6370 "http://ask.slashdot.org/article.pl?sid=03/12/13/1 213221&mode=nested&tid=137&threshold=- 1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:15:59 -0500] "GET /cgi-bin/ HTTP/1.1" 403 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:16:03 -0500] "GET /iis/ HTTP/1.1" 200 3498 "http://ask.slashdot.org/article.pl?sid=03/12/13/1 213221&mode=nested&tid=137&threshold=- 1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:16:17 -0500] "GET /favicon.ico HTTP/1.1" 200 4710 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:16:18 -0500] "GET /cgi-bin/redirect.pl HTTP/1.1" 302 269 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:16:29 -0500] "GET /cgi-bin/redirect.pl HTTP/1.1" 302 269 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:17:02 -0500] "GET /cgi-bin/redirect.pl?http://www.goatse.cx HTTP/1.1" 302 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:17:14 -0500] "GET /cgi-bin/redirect.pl?http://www.goatse.cx HTTP/1.1" 302 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:18:02 -0500] "GET /cgi-bin/redirect.pl?http://www.goatse.cx HTTP/1.1" 302 289 "http://ask.slashdot.org/comments.pl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    max4-190.greenmountainaccess.net - - [13/Dec/2003:18:20:16 -0500] "GET /cgi-bin/redirect.pl?http://www.goatse.cx HTTP/1.1" 302 289 "http://ask.slashdot.org/comments.pl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    --
    Fire and Meat. Yummy.
    1. Re:Hijacked Redirector by Anonymous Coward · · Score: 0

      Certainly you should apologise. Allowing your redirect script to redirect to any address specified amounts to little more than criminal neglect. You can't complain when people like the AC point out your security flaws.

    2. Re:Hijacked Redirector by Anonymous Coward · · Score: 0

      posting someone's IP is uncool dumbass. He used you, deal with it.

    3. Re:Hijacked Redirector by Anonymous Coward · · Score: 0

      Could someone please explain the need for a redirect script? Why not just post a link to the external site?

    4. Re:Hijacked Redirector by Anonymous Coward · · Score: 0

      Could someone please explain the need for a redirect script? Why not just post a link to the external site?

      Logging the request so the webmaster can see which links people like.
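
An added example, not code from any poster in this thread: one way to keep a click-logging redirector like the `/cgi-bin/redirect.pl` discussed above from forwarding to arbitrary sites, plus a scan of access-log lines for requests that tried. The allow-listed hosts, client names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Hosts the redirector is meant to send visitors to (constructed for this example).
ALLOWED_HOSTS = {"www.example.org", "docs.example.org"}
REDIRECT_PATH = "/cgi-bin/redirect.pl"

# Apache "combined" log format, the same layout as the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def is_allowed_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for http(s) URLs whose host is on the allow-list."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname ignores any "user@" prefix, so "allowed-host@other-host" is
    # judged by the host the browser would actually contact.
    return (parts.hostname or "").lower() in allowed_hosts


def find_redirect_abuse(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return one record per redirector request aimed at a non-allow-listed URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != REDIRECT_PATH or not query:
            continue
        target = unquote(query)  # the script takes the whole query string as the URL
        if not is_allowed_target(target, allowed_hosts):
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "target": target,
                "status": int(m.group("status")),
            })
    return findings


# Constructed sample log lines (not the ones from the post).
SAMPLE_LOG = [
    'client1.example.net - - [13/Dec/2003:18:16:18 -0500] "GET /cgi-bin/redirect.pl HTTP/1.1" 302 269 "-" "Mozilla/4.0"',
    'client1.example.net - - [13/Dec/2003:18:17:02 -0500] "GET /cgi-bin/redirect.pl?http://offsite.example.net/ HTTP/1.1" 302 289 "-" "Mozilla/4.0"',
    'client2.example.net - - [13/Dec/2003:18:19:40 -0500] "GET /cgi-bin/redirect.pl?http://www.example.org/review.html HTTP/1.1" 302 301 "http://www.example.org/" "Mozilla/4.0"',
    'client3.example.net - - [13/Dec/2003:18:21:05 -0500] "GET /cgi-bin/redirect.pl?http%3A%2F%2Fwww.example.org%40offsite.example.net%2F HTTP/1.1" 302 310 "-" "Mozilla/4.0"',
    'client3.example.net - - [13/Dec/2003:18:21:30 -0500] "GET /iis/ HTTP/1.1" 200 6363 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in find_redirect_abuse(SAMPLE_LOG):
        print(hit["time"], hit["client"], "->", hit["target"])
```

The same `is_allowed_target` check belongs in the redirect script itself, before it emits the `Location` header; the log scan only shows what got through before the check existed.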

  33. RTFA by KrispyKringle · · Score: 1

    Christ. RTFA. Do you know what challenge-response is? I don't feel like repeating myself, so see here

    1. Re:RTFA by hugesmile · · Score: 1
      I'm not Christ, but thanks for the compliment.

      READ THE RFID SPECIFICATION.

      OK, so what you're saying is that there's a challenge/response. BFD. So AMEX can verify that it's an AMEX in my wallet. They STILL didn't confirm that *I* am the customer.

      RFIDs can be read at a distance far greater than 2 inches (obviously, as they are used for inventory at much greater distances), so to pretend that this is secure because of challenge/response is ludicrous. Challenge me, I'll pass along the challenge to a nearby RFID, and respond with their response.

      Not to mention that the RFID will blindly answer to all challenges, with responses. Calculating a private key is relatively trivial if I can define the inputs and observe the outputs. That's one of the first attacks that code-breakers will use. Simply send a few thousand challenges, observe the responses, and you have for yourself a nice mapping that can be used to discover the private key.

      Good scheme, Sherlock.

    2. Re:RTFA by KrispyKringle · · Score: 1
      No, you're wrong.

      Each card has its own private key. I don't know this for a fact, but it must be so, or, as you said, the challenge-response is so useless they would not bother to implement it.

      The weaknesses in challenge-response are reversible hashes and replay attacks (predictable challenges, in other words). These are what you point out, and both are well-known (and easily dealt with).

      The first--what you refer to when you mention sending a ``few thousand challenges'' is to simply use a proper strong one-way algorithm like blowfish or MD5. No matter how many responses you capture, you can't reverse it (this is not mathematically proven, but it is thought to be impossible to do anything more efficient than brute-force). Your comment on this indicates ignorance of how cryptosystems work, and I don't really feel like going into it further. Take my word, or do some reading (I'm not trying to be an ass, but I've studied this stuff, and you'll just have to take my word that reversibility is not an issue if you have chosen a strong algorithm).

      The second, what you refer to in ``pass[ing] along the challenge to a nearby RFID'' assumes only a single private key. This is not, as I said, the case, so it's meaningless. If you are instead referring to a replay attack, the answer is simply proper pseudorandom challenges. If you think you could simply pass the challenge to any nearby card and make it foot the bill instead, you'd be equally wrong. The card holder has to punch in a PIN on a keypad, as discussed in the article (hence my previous comment to RTFA). Either way (I'm not sure which one you mean), the system is plenty secure. Maybe not much more convenient than magnetic strips, but actually more secure.

    3. Re:RTFA by hugesmile · · Score: 1
      The card holder has to punch in a PIN on a keypad, as discussed in the article (hence my previous comment to RTFA).

      Perhaps you should read the article... or look at the pretty pictures. There is no mention of keying in a PIN. In fact, it says

      The transaction then proceeds through the credit card network just as if the card had been swiped.

      I don't know where you are from, but in the US, I NEVER EVER key in a PIN on my credit cards. I don't even know if my credit cards HAVE a PIN. And so if the transactions proceed through the network as if the card had been swiped, then this implies that there is no PIN (since there is no PIN-check on a swiped card).

      The picture shows NO keypad, and they make reference to the system being similar to ExxonMobil Speedpass and similar to the tags in supermarket discount programs, neither of which use PINS.

      So you missed the boat on that one.

      And nice try on guessing that I am ignorant of how cryptosystems work, since I originally pointed out the flaws in 802.11B 128-bit security, which was supposedly flawless and couldn't be reversed (and yet I performed the work in less than an hour of data collection).

      Go ahead and blindly trust them. I don't really care. But get your facts straight.

  34. Im with you by Anonymous Coward · · Score: 0

    The question is not if you are paranoid or not, the question is are you paranoid enough?

  35. Programmable? by kautilya · · Score: 1

    This is a great idea if cards are programmable. For example I can "shut off" my card using some kind of web interface or a cell phone! I can do this when I am not planning on using my cc for a while, i.e. I can disable and enable my card at will. This will boost security since you hold the switch for whether the card will work or not, even though it sends a wireless signal. Further, there shouldn't be many cases of "physical" stealing of credit cards but "electronic" thefts, which are far easier to track and minimise. Of course, we are always skeptical of new technology until we see someone make billions out of it.

    1. Re:Programmable? by Anonymous Coward · · Score: 0

      Can I choose the format that the card will broadcast? What if my taste in music isn't what the card is putting out? Will I attract the wrong listening audience?

  36. prove it by mabu · · Score: 4, Interesting

    I am always suspicious of any new technology whose benefit isn't readily obvious to its potential market. So the value of RFID cards is that you don't "fumble" as much? That's ridiculous. Most outlets allow the customer to swipe their own credit cards, so what is the difference between holding it in front of a reader and swiping it? I know some idiots can't line up the mag stripe on their card sometimes, but do we really need a whole new technology because of that?

    It's obvious where the benefit of this is: surreptitious extraction of information and account data. Sit down on a bench with a reader in it, and all your credit card data was just captured. Walk in the door of an establishment and your RFID cards are scanned and the next day you get junk mail.

    I feel the same way about "debit cards". These afford the consumer less protection and security than credit cards (which are protected under the Fair Credit Billing Act of 1976) yet this new gimmick was foisted upon consumers offering more convenience. BS.

    No thanks. This is not any technology that benefits consumers from any angle I can see.

  37. not sure I would even use them anyway by AssFace · · Score: 1

    I have a few credit cards now and the last time I actually had one swiped was well over 6 months ago if not closer to a year.
    Ordering off of the web means the only card I swipe is my ATM card when I want cash.

    That said - I do use my ATM card here when I don't have cash and they swipe it - which is arguably even scarier if you don't have any limits and or insurance of fraud on the ATM card.

    --

    There are some odd things afoot now, in the Villa Straylight.
  38. Access cards by HeX86 · · Score: 1

    The University of Nebraska at Omaha's dormitories use this technology for entry cards into buildings and the parking gates. You just wave these in front of these sensors and it lets you in the door.

    Well what happens when you're in a crowd and someone is walking around with one of these sensors and waves it around at people's wallets and purses quietly picking up credit card numbers?

    Surely they've thought of that though :)

  39. What if you've got multiple cards? by dbirchall · · Score: 1
    A lot of people carry around at least one major credit card, at least one debit card issued by their bank that's VISA or MasterCard branded and can be used anywhere a credit card can, and at least one store credit card -- some of which (Macy's for example) are also now VISA or MasterCard branded and can be used anywhere.

    Exactly how this system is going to magically know which card to use is... beyond me. Of course, MasterCard and Amex don't need to worry about that, because of course you're just going to have one card, with their brand on it, right?

    1. Re:What if you've got multiple cards? by Anonymous Coward · · Score: 1, Funny

      Isn't it obvious? It will use all of them. Bill each one. Because we all know that everyone uses the same PIN for every card. And how are you going to refute that?

      VISA Customer Service: "Did you actually buy that item? Were you actually in the store?"
      Customer: "Yes and Yes. But I got double charged!! I got charged on both my VISA and my Mastercard, but I only bought one item!"
      VISA Customer Service: "That is obviously a Mastercard problem. They shouldn't be doing that! You had better call them!"

      ....30 minutes of call support later....

      Mastercard Customer Service: "That is obviously a VISA problem. They shouldn't be doing that! You had better call them and get them to fix it!"
      ....30 minutes of call support later....

      VISA Customer Service: "I am afraid that we cannot refund you your money for an item that YOU purchased."

    2. Re:What if you've got multiple cards? by FIGJAM · · Score: 1

      When you call MasterCard or Visa customer service, you are generally forwarded to the card issuing company. MasterCard and Visa, etc are only companies with products that other organizations use. This is often a bank or could be any other card issuing company with a license from MasterCard or whichever company.

      The purchased item in dispute is a 'challenge' to the vendor. One of the theoretical purchases would be challenged and it would be up to the vendor to prove that you purchased the item twice. If you wanted your MasterCard to make the purchase, you would contact the Visa issuing company (directly or indirectly through Visa customer support -- it is usually much faster to NOT call Visa/MasterCard direct... call the place you got the card from) and they would issue the challenge. When the vendor cannot prove you purchased the item twice, the (Visa) issuing company would credit your card account.

      --
      Do your best, hope for the best, suspect the worst.
    3. Re:What if you've got multiple cards? by toast0 · · Score: 1

      Blah... calling the credit card company doesn't preserve your billing rights. Spend the hour writing a letter to both companies, and finding stamps.

  40. Screw Credit by gmhowell · · Score: 2, Funny

    Screw credit cards, I always carry plenty of cash.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  41. It's only a matter of time by HangingChad · · Score: 1
    Before someone figures out how to spoof EZ-Pass. Any challenge/response that goes out over the air can be sniffed. How long before some clever person figures out that to make X return signal you need a card coding of Y?

    Anything that I have to carry around in a foil lined wallet to keep it from squealing on me or being charged without my knowledge just isn't worth the few seconds of convenience in my book. When we have to employ some wild weasel jammers on our person to keep the RFID tags in our clothes and wallet quiet it's gone too far.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:It's only a matter of time by Phil+Wherry · · Score: 1

      I believe there's some sort of sequence number sent as part of the response from the EZ-Pass toll transponder, and that it's incremented each time the transponder sends an interrogation response. When the toll reconciliation is done, an already-used sequence number or one that's lower than one previously used will flag the account for attention; this makes transponder cloning a relatively unrewarding activity. (Since toll reconciliation isn't a real-time process, the "lower than previously-used" test is actually a little more complicated than the way I've described it, but the basic idea is the same).

      I'd imagine that the credit card scheme will include some kind of similar anti-duplication support, though this is just speculation on my part.
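
An added sketch, not from any poster and not the scheme any real card or toll tag uses: it combines the two ideas argued over in this thread, a per-card key answering a fresh random challenge (the "RTFA" sub-thread) and a sequence number that only increases (the EZ-Pass comment above). HMAC-SHA-256, the class names and the card ids are assumptions made for the example.

```python
import copy
import hashlib
import hmac
import secrets


def _mac(key, challenge, counter):
    # HMAC-SHA-256 over challenge || counter; the algorithm is this example's choice.
    return hmac.new(key, challenge + counter.to_bytes(4, "big"), hashlib.sha256).digest()


class Card:
    """Models the card: a per-card secret key plus a counter that only goes up."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key
        self._counter = 0

    def respond(self, challenge):
        self._counter += 1
        return self.card_id, self._counter, _mac(self._key, challenge, self._counter)


class Issuer:
    """Models the verifying side: hands out challenges and checks responses."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}
        self._outstanding = set()

    def enroll(self, card_id):
        key = secrets.token_bytes(32)  # a different random key for every card
        self._keys[card_id] = key
        self._last_counter[card_id] = 0
        return Card(card_id, key)

    def new_challenge(self):
        challenge = secrets.token_bytes(16)  # unpredictable and single use
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge, card_id, counter, tag):
        if challenge not in self._outstanding:
            return "stale-challenge"
        self._outstanding.discard(challenge)
        key = self._keys.get(card_id)
        if key is None:
            return "unknown-card"
        if not hmac.compare_digest(_mac(key, challenge, counter), tag):
            return "bad-mac"
        if counter <= self._last_counter[card_id]:
            return "counter-reused"  # valid key, old sequence number: flag the account
        self._last_counter[card_id] = counter
        return "ok"


def demo():
    issuer = Issuer()
    card_a = issuer.enroll("card-A")
    card_b = issuer.enroll("card-B")
    results = {}

    # 1. Genuine transaction; keep a copy of what went over the air.
    c1 = issuer.new_challenge()
    recorded = card_a.respond(c1)
    results["genuine"] = issuer.verify(c1, *recorded)

    # 2. The recorded response does not match a fresh challenge.
    c2 = issuer.new_challenge()
    results["replay_new_challenge"] = issuer.verify(c2, *recorded)

    # 3. The original challenge was consumed, so it cannot be reused either.
    results["replay_old_challenge"] = issuer.verify(c1, *recorded)

    # 4. Card B's key cannot answer on behalf of card A.
    c3 = issuer.new_challenge()
    _, counter_b, tag_b = card_b.respond(c3)
    results["wrong_key"] = issuer.verify(c3, "card-A", counter_b, tag_b)

    # 5. A duplicate of card A's state falls behind once the real card is used.
    duplicate = copy.deepcopy(card_a)
    for _ in range(2):
        c = issuer.new_challenge()
        issuer.verify(c, *card_a.respond(c))
    c4 = issuer.new_challenge()
    results["lagging_duplicate"] = issuer.verify(c4, *duplicate.respond(c4))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome}")
```

A fresh challenge and a counter cover replay and duplication; forwarding a live challenge to a nearby card, the objection raised in the "RTFA" sub-thread, is a separate property that this sketch does not address.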

  42. How safe are they?-DNA-with a bullet. by Anonymous Coward · · Score: 0

    A DNA sized key would be impossible to crack.

    Combine this with challenge-response that's resistant to "man in the middle" attacks.

    And aura detectors, for those "is it alive, or is it dead?" situations.

  43. security concept by LuxFX · · Score: 3, Interesting

    The biggest security issue that I can think of off the top of my head (other than theft or losing your wallet) is if there are scanners set up that might intercept your credit card information.

    So here's a concept. When you make a purchase using the RFID credit card, these steps happen:
    1. the cash register sends a HELO type signal
    2. the credit card responds and requests an encryption key
    3. the cash register randomly generates an asymmetric encryption key valid for that transaction only, and sends the 'public' portion of the key to the credit card
    4. the credit card encrypts the transaction information using the 'public' key it received and sends it to the cash register
    5. the cash register uses the 'private' key to decrypt the information and process the transaction.

    This way, the only information being transmitted is either encrypted, or a public key which isn't useful in decrypting the information.

    The other concern I can think of off the top of my head would be people carrying devices that could fake a transaction -- so a thief would just be walking behind somebody, making a transaction through a device in their pocket, and walk away without a trace. Not sure about this one, though the first step would be high security on the transaction protocol.

    --
    Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
    1. Re:security concept by Anonymous Coward · · Score: 0

      WOW -- you just invented SSL.

    2. Re:security concept by LuxFX · · Score: 1

      Ok, I admit I had no idea that what I was describing was SSL. It just seemed safer than the standard encryption mentioned in the article (which I finally got around to reading).

      The article mentions that range is the primary protection against my second concern, but I find it conceivable that a significant power boost could bridge that....

      <humorous anecdote>
      I used to work in a building that required those proximity RFID security cards for entrance. They must have had the power cranked up plenty though, because we not only didn't have to take the card out of our wallet, but we didn't have to take our wallet out of our pants! A friend of mine, who was there long before I was, used to just back up to the door, especially if his hands were full.

      And then one day he came up and found a homeless guy rubbing his butt against the door trying to get inside!
      </humorous anecdote>

      --
      Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
    3. Re:security concept by bobbabemagnet · · Score: 1

      Asking an RFID tag to encrypt something is like asking a new born baby to do calculus. You can't ask a device which has no battery of its own to compute something.

    4. Re:security concept by swillden · · Score: 2, Informative

      Asking an RFID tag to encrypt something is like asking a new born baby to do calculus. You can't ask a device which has no battery of its own to compute something.

      What does having a battery have to do with it? They're powered by the reader.

      Both contact and contactless smart cards (which are not the same as RFIDs, although the difference is one of complexity rather than technology) do have the capability to perform cryptographic operations, both symmetric and asymmetric, and with sufficiently large keys to be secure.

      If you'd like to know what these devices can really do, rather than guessing, take a look at the specifications for this one. Dual interface (contact or RF usage), on-card fingerprint matcher, 2048-bit RSA, 168-bit 3DES, SHA-1 and MD-5 secure hashes, hardware random number generator, on-board Java VM for executing user programs, six different comm protocols supported, with comm speeds ranging from 9600bps to 424kbps. It performs a 1024-bit RSA public key operation in 18ms, a private key operation in 163ms and 168-bit DES operations in nanoseconds.

      Oh, but it doesn't have a battery.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:security concept by mystik · · Score: 1

      Don't authenticate with the register --- Authenticate w/ the card's provider. This would raise the bar in the complexity required to steal your card info. (Would-be thieves would need an active connection to the CC Provider, and a merchant account themselves)

      Since the register has to verify that you have sufficient funds for the transaction anyway, why not ask the card's provider for a signed [by the provider's] token, which the radio card will then respond to.

      This scheme works where a trusted third party has to verify card details anyway. Card holders and merchants already trust CC card issuers to some degree. This scheme wouldn't be sufficient for anonymous cash transfers --- where the radio card holds some value.

      --
      Why aren't you encrypting your e-mail?
    6. Re:security concept by Twylite · · Score: 1

      Please mod the parent up

      Fortunately someone seems to know the difference between a contactless smart card and an RFID tag ;) Now that the card institutions have invested heavily in smart cards and EMV, they have no intention of going back to a simple insecure account number system like a regular magstripe card.

      Extending EMV to use contactless smart cards will not be difficult, and will provide end-to-end security based on RSA and a PKI.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
    7. Re:security concept by swillden · · Score: 1

      Extending EMV to use contactless smart cards will not be difficult, and will provide end-to-end security based on RSA and a PKI.

      Trivial, actually. Use T=CL rather than T=0 or T=1, and use the standard EMV structures. Using these dual interface cards, I've written apps that can use either contact or contactless mode and neither the application software nor the card knows or cares. In fact I can hook up both a PC/SC contact reader and a Philips Pegoda to a computer and you can place the card in either one, because the bottom layers of the app monitor both. The only difference you (or the business logic) notice is that the contactless mode moves data much faster.

      I agree, after all of the EMV investment, there is no way in hell that banks are going to use dumb read-only RFIDs. Banks are stupid, but they're not *that* stupid ;-)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  44. Pick Pockets by cybercuzco · · Score: 3, Interesting

    You know, currently there's a problem with waiters and waitresses and other service industry folk (a few) that take your credit card while you are paying your check and read the card with a pocket reader, storing the info for later for credit card fraud. I can see pick pockets now: You are bumped into while walking, you check to make sure your wallet is there, which it is, but your info has been stolen by a contactless RFID system.

  45. Probably based on ISO 14443 Secure RFID spec by Anonymous Coward · · Score: 3, Informative

    The spec has successfully been used by the German transit authority to curtail fraud in their system.
    It uses challenge-response encryption so it is very resistant to "man in the middle" attacks and snooping. Operates on a near-field magnetic-load method of communication.
    This means that the main transmitter senses changes in the energy load as a method of communication. The RFID tag just gets its power from the magnetic carrier and changes the magnetic load to communicate. This makes it more difficult to snoop than RF because the energy and communication transfer is bound into a closed loop.
    One other point, magnetic load technology has a range that is proportional to the antenna. An 18 centimeter antenna has a range of 18 centimeters if it is built correctly. With a fundamental frequency of 13.56 MHz, the theoretical maximum range is 3 meters (16% of wavelength is the maximum range for the near field). This means that you would need a 3 meter (~10 foot) antenna to reach ten feet. People would tend to notice this.

    Just some info.

    1. Re:Probably based on ISO 14443 Secure RFID spec by Anonymous Coward · · Score: 0

      An 18 centimeter antenna has a range of 18 centimeters if it is built correctly. With a fundamental frequency of 13.56 MHz, the theoretical maximum range is 3 meters (16% of wavelength is the maximum range for the near field). This means that you would need a 3 meter (~10 foot) antenna to reach ten feet. People would tend to notice this.

      Assuming these figures are correct (and I have no reason to doubt them), I would like to point out that a 2 foot (or slightly larger) antenna can easily be concealed in a shopping bag.

      Or a 3 or 4 foot antenna can be hidden in a cane, crutch, or walking stick.

      How many people in a mall come within 2-4 feet of you during the holiday season?

      Also, what if a 10 foot antenna is put up next to a mall ENTRANCE, disguised as a holiday decoration (giant candy cane, anyone?)

  46. eeehyyyy, billy just wants you to know... by Anonymous Coward · · Score: 0

    maybe you shoulda takea downa the page, huh? next timea it might nota bea a goatse upa therea, but maybe your assa.

    I just tella youa this, 'coza I like youa, you know? I wouldn'ta want anythinga to happena to youra tendera anus...

    1. Re:eeehyyyy, billy just wants you to know... by Anonymous Coward · · Score: 0

      Please, sir, post the IP address of the stupid fuck who put up this child porn redirect.

  47. The Raw Facts... by AsnFkr · · Score: 4, Insightful

    ..are that your credit card number is everywhere. If people want numbers, they will get them. If they get yours - then that's bad luck. All you have to do is keep an eye on your credit card statements and make sure all the charges are yours. If they aren't, call the credit card company and tell them. It's easy as pie. It kills me when I see people overly paranoid about their CC#'s. I mean, come on...you go to a restaurant and GIVE your waitress or waiter your card to carry across the room away from your eyes and run it through the machine. If they wanted, it wouldn't be hard for them to copy the numbers. Then..up on the net in a flash. Point being...security for this type of thing is nice, but don't let yourself get lazy depending on it. Keep checking those statements!

    1. Re:The Raw Facts... by Anonymous Coward · · Score: 0

      Exactly. I don't particularly care about what happens to my credit card number.

      If I forget my card on the counter at a store, and a thief uses it to charge things, my liability is limited by federal law to $50.

      If I drop my wallet at the airport? $50.

      If someone sniffs my credit card number off the RFID tag? $50.

      Most large credit card companies (like the one I use) even waive the $50 charge as part of their service agreement.

      This is ignoring the fact that it's *still* easier to bribe a waitress to get a credit card number than it is to go around sniffing them off of networks or RFID tags or whatever.

      Easier still? Getting a program that will generate mathematically-valid credit card numbers by the thousands, which you then bounce off an authorization server to determine their validity.

      The credit card companies are the ones who will be carrying the liability on a RFID system, not the consumer. They're presumably going to come up with a secure solution. If they don't, though, that's not my problem.

    2. Re:The Raw Facts... by anthony_dipierro · · Score: 1

      If someone sniffs my credit card number off the RFID tag? $50.

      Actually, that one would be $0. You're only responsible for $50 if you actually lose physical possession of your card.

    3. Re:The Raw Facts... by innerlimit · · Score: 1

      The CC terminal I used to have at work allows the last statement to be reprinted. These statements reveal the CC# and expiry date... all that's needed to do some heavy internet shopping.

  48. This could be secure if..... by G4from128k · · Score: 2, Interesting

    The two most common threats to consumers who would use the system would seem to be:

    1. Charge Theft: the thief charges your card by bringing a payment terminal near you. This depends on the security of the payment terminals. If the credit card processing system authenticates the terminal, then it would be hard for the thief to use the terminal to get the money. Even if the thief steals a terminal, the only thing that would happen is that the money would go to the retailer where the thief obtained the payment terminal. The real threat comes from a home-made or modded terminal. But this approach also requires a break-in to the credit card processor to hack a record for the hacked terminal to ensure that charges to that terminal go to a destination of the thief's choosing.

    2. Card Theft: the thief remotely steals a person's card. This seems highly unlikely. The card would need to provide enough data in a reasonable number of monitored transactions to enable the thief to deduce how the card would respond to any future transaction. I would assume that the system would use a highly encrypted challenge-response system that would make it hard to reverse engineer the parameters for the response from a reasonable number of data points. But if someone hacks or steals the algorithm that is used to create the cards, then all bets are off.

    It seems like the system could be secure if the encryption is sufficiently good and the data terminals are well controlled.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:This could be secure if..... by Anonymous Coward · · Score: 0

      The real threat comes from a home-made or modded terminal. But this approach also requires a break-in to the credit card processor to hack a record for the hacked terminal to ensure that charges to that terminal go to a destination of the thief's choosing.


      Even easier: the thief gets some fake ID and sets up a fake company (say, a home business), and gets a real terminal. He bump-charges a few hundred people per day for a month, withdraws the money and disappears. All the traces (if anyone even notices the $10-$20 charge) point to the 'company', which the thief has abandoned.

      This is doable right now, but the thief needs to get the card (or at least the card number, expiration, and the name on the card.) Getting that info is tougher than bumping into someone (unless you're a pick pocket, but how many pockets can a pick pocket pick in a day?)

    2. Re:This could be secure if..... by anthony_dipierro · · Score: 1

      Even easier: the thief gets some fake ID and sets up a fake company (say, a home business), and gets a real terminal. He bump-charges a few hundred people per day for a month, withdraws the money and disappears.

      Too bad the merchant accounts won't let you withdraw the money for 90 days. Unless, of course, you've established credit with them, in which case they take the risk.

      When 90% of your charges get charged back, you can expect not only to not be allowed to withdraw anything, but you can expect FBI agents to show up at your door.

  49. Only more stupidity by suso · · Score: 1

    Ya know, this is one of my big pet peeves. First they put those self swipe things on the customer side with one of the intentions being to keep your card information to yourself. But that is pointless because all the stores have adopted a policy of checking your signature anyways. Apparently they don't see it as a security risk for the customer.

    Now we're talking about radio credit cards? What is the point? The cashier is only going to ask to see it as well, the only thing it might hope to help is wearing out your card from swiping it so many times. I guess your wallet will make up for that by breaking it when you sit down and your wallet is in your back pocket.

    1. Re:Only more stupidity by suso · · Score: 1

      See, they even say it in the article:

      "The card companies say the system is much faster and safer because the card never leaves a customer's hand."

      Dumb.

    2. Re:Only more stupidity by mabu · · Score: 2, Insightful

      Where you really get screwed is not the change in the technology from mag stripe to RFID. It's the banks switching you from a true credit card, to an ATM/debit account. Then you're not protected by law for the consequences of fraudulent transactions.

  50. Fraud ahoy! by TwistedSpring · · Score: 1

    Yes this will lead to more fraud. In the UK we've recently had a system put in where debit/credit cards are equipped with a chip that, to quote my documentation "is programmed to respond to [my] PIN choice". While that's probably not hard to crack if you steal a card (hey, you only have 9999 possibilities till the chip responds with an appropriate answer), there's also another problem. Instead of signing for purchases now I may be asked to "enter my PIN on a keypad and let the cashier swipe my card". WHAT? No WAY! Swipe a card, and you've just read enough data from it to make a copy. Enter a PIN into a keypad, and suddenly the fraudulent cashier has both a copy of the magnetic strip and a PIN. How quick and simple would it be to knock up a device like a laptop with card reader and PS2 numeric keypad attached and fool customers into getting their card AND PIN ripped off? Not difficult at all. I resolve to never pay with this method except from retailers I trust, and the RFID thing just seems to be yet another step in a dumb direction.

  51. ATM Fraud by sfe_software · · Score: 2, Interesting

    There's lots of discussion about how someone can just sniff the transaction or plant hidden RFID readers, and they are being debunked by the fact that there's some sort of challenge/response encryption.

    Fine, except given that some thieves have gone as far as to obtain a legitimate ATM machine to steal ATM card/PIN numbers, how much more difficult would it be to obtain an RFID credit card reader? Whatever public keys or key database a scanner needs would be taken care of, as it would all be purchased/leased for a seemingly legal purpose. At this point it would be trivial to plant the reader in a location that people tend to walk by, and unless there's some kind of PIN verification, you've got all you need.

    Thus, the user doesn't even have to knowingly make a transaction as with the ATM scams.

    If there's PIN verification, an on/off switch, or a lead protective storage pouch... then we're in the same place we're at now; but if all it takes is the user to click "OK" on the scanner, then obviously there's no security there (only against accidental scans at a legitimate establishment).

    Any thoughts?

    --
    NGWave - Fast Sound Editor for Windows
  52. That's Narrow-Minded by cjsnell · · Score: 4, Insightful

    Who says that it has to be that insecure? I envision a little device that goes on a keychain (similar in that respect to SpeedPass), which has a little button on the side of it. You squeeze the button as you pass it over the scanner. Only when the button is squeezed does the transmitter in the device emit anything.

    BTW, why are you so paranoid about a contactless credit card? Do you eat at restaurants and pay with a credit card? Chances are, if you do, some potentially sleazy waiter has taken your credit card out of your sight for a few minutes. Not only can he copy your card, chances are that he knows what city you live in and can then get your home (think billing) address out of the phone book. On top of that, he can look at what kind of clothes you wear and car you drive and make a guesstimate about your credit line.

    1. Re:That's Narrow-Minded by toast0 · · Score: 2, Interesting

      I think the reason to get paranoid is that the new technology may make the card issuer more reluctant to refund fraudulent charges.

      For instance, on verified by visa/mastercard authenticode transactions, the merchant is not liable for chargebacks if the card holder says they didn't make the purchase.

    2. Re:That's Narrow-Minded by jasonbw · · Score: 1

      As it is, if someone gets a hold of one of my credit cards, the only thing that will protect me is that message 'check id' that I write on my signature line. Half the time the cashier ignores it.

      As far as I can tell the entire reason behind this is that the card never leaves your hand. In a restaurant like you're mentioning, the waitstaff would have to bring some type of wireless device to my table for me to pay. So there would be two instances where a sneaky individual apart from the server could intercept my info.

      This doesn't seem like too much of a convenience, it sounds more like a way to get businesses to buy another piece of equipment from the CC companies.

      Beyond that, I have a wallet. My cards fit into a number of little slots in it. It's pretty compact. But now I see having to carry around another keychain of devices.

    3. Re:That's Narrow-Minded by Anonymous Coward · · Score: 0

      Your shirts are stupid. First, selling images of postage stamps is copyright infringement and illegal. Second, the post office is a self-funded quasi-private organization that does not contribute funds to the US Government, so even if you think the US Government is engaging in terrorism, buying stamps from USPS doesn't support it.

    4. Re:That's Narrow-Minded by toast0 · · Score: 1

      First, this is really off topic, and you should probably send me email, or resolve I'm a stupid idiot and ignore me (or my sig). To this end, I have recently updated my email address and removed the spam proofing, so you should have no trouble sending me mail.

      Regarding copyright infringement, you may be right, but there may be fair use issues, and combined with the fact that there have been 3 shirts printed, I doubt the post office cares, but if they do, I'll be happy to take the shirts down. They'll probably contact cafepress first, and cafepress will take them down instead of me having to do anything.

      Regarding funds. The postal service is a US government organization, that doesn't break even. Thus any funds we provide them (through stamps or otherwise) goes to offset bailout money congress will give them. To say nothing of the official mail that they deliver for the government without itemized charge.

      Maybe I should revise the shirt to have an IRS 1040 form, but then I wouldn't have the cutesy Love messages or the dude with the gas mask. And I doubt I'd make any more sales.

  53. The merchant never touches already by MyNameIsFred · · Score: 1
    The merchants don't touch the card in most of the stores I go into already. In most stores, I swipe the card myself. They use one of the electronic pen pads for me to record my signature. The cashier never even looks at the card. So in that respect it is no real change.

    Since fraud is a major expenditure for credit card companies, I would guess that they would worry about the fraud implications of this new type of credit card. If they are seriously considering it, they must not believe it will increase fraud.

  54. The Tube by JoeBaldwin · · Score: 1

    This reminds me of something London Underground has been doing for a few months now. Instead of having paper tickets, season ticket passengers can just wave a piece of plastic at a "validator", then at a ticket gate, and can then travel on the service.

    HOWEVER...

    With this idea, real money is involved, real money that I really don't want to lose. Thanks but no thanks.

  55. 2066 by Dylancable · · Score: 2, Funny

    In next issue, How to create a wifi cc reader.

  56. Things that consumers should avoid by mabu · · Score: 2, Interesting

    This is just IMO FWIW but I believe RFID is one of many types of new services that really are more dangerous and insecure than they are beneficial. Technologies such as this shift the burden of responsibility from the merchant to the consumer. The big corporations have a vested interest in doing this and they engage in PR campaigns to snow-job consumers into thinking that their new products are better, when they are worse.

    Here's a sampling of examples of things I'm talking about that consumers should avoid:

    * RFID

    Tremendous security & exploitation potential; virtually no discernable advantage to using this technology. Corporate interests claim the adoption of RFID will help reduce costs and curtail shoplifting and fraud. There is no real evidence to support this and consumers should be suspicious of this technology.

    * Debit and ATM cards

    Tremendous security and fraud potential. Not covered under many existing laws regarding credit card fraud. Regular credit cards are much more useful as the consumer shifts the burden to the merchant to prove a transaction was valid before paying for anything unauthorized (generally speaking but some banks have similar "consumer protections" they *claim* but credit card fraud protection is covered by Federal law). With debit cards, you lose and the burden is on you to prove the transaction is illegitimate. These are gimmicks designed to make money for the credit companies and give consumers less fraud protection. All the hype about identity and credit card theft is blown out of proportion and further used to scare consumers into, ironically, using technology that actually is less secure.

    * Rebates

    Misleading advertising; basically a tax on laziness. People should avoid purchasing anything that offers a rebate unless it's instant at the POS.

    * Consolidated utility services

    It's really bad to have multiple cards from the same bank, or use a single company for internet, cable and local phone service. The first time there is a billing snafu, every single one of your credit cards will be declined (if they're from the same bank - Citicorp loves to do that shit) or you lose phone, internet and cable TV if you're foolish enough to use one company for all these things.

    In addition to that, there's the huge security and privacy issue of having one large company handle so many of your essential financial services and utilities. It's much more likely the information will be used against you than to enhance the quality/convenience of your life, so don't buy into the hype these companies spew about the "all on one bill convenience" they offer if you use one company for multiple services.

  57. DoS vulnerable ? by Jesrad · · Score: 1

    If there is a challenge-response, then the device is not entirely passive, so it must have an energy source? Then it is possible to exhaust it with a lot of non-legit requests?

    --
    Maybe we deserve this world ?
    1. Re:DoS vulnerable ? by Knetzar · · Score: 1

      If I remember correctly, small RFID devices can be powered by radio waves. So the act of sending a request to this device could give it enough power to send a response.

    2. Re:DoS vulnerable ? by KrispyKringle · · Score: 3, Informative
      I'm not an electrical engineer, but Google turns up this page for security proximity cards, which are essentially the same product.

      The card is usually passive (without an internal battery) and consists of an antenna and an RFID ASIC (Application Specific Integrated Circuit). During operation, the transmitter sends out an electro-magnetic wave to establish a zone of surveillance. When a card enters this zone, the electromagnetic energy from the reader begins to energize the IC in the tag. Once the IC is energized, it goes through an initialization process and begins to broadcast its identity.

      So it seems like the cards use induction to get just enough juice from the radio waves to power their internal circuitry. No battery needed.

    3. Re:DoS vulnerable ? by furrygeek · · Score: 1

      Presumably, the manufacturers have already considered this, but I wonder how these ICs might be affected by the x-ray machines at the airport. If they use induction to get power, couldn't they get fried by a strong energy source? Has anyone put one of these into a microwave oven? It might be an interesting experiment.

    4. Re:DoS vulnerable ? by KrispyKringle · · Score: 1
      Old smartcards (maybe they are still like this, I don't know) like the kind used for transit fares and vending machines, had EEPROMS on them that were really just a bunch of memory cells packed together. The way they worked was that the number of "full" cells was the number of passes you had left.

      Now these ROMS, like many others, were designed to be resettable by exposure to a bit of UV light. They were made this way for convenience; when the cards were first manufactured, to save time, they could all be zapped with a bit of light, set to "full", and then sold. Each time it was used, a machine would set one more cell to "empty".

      The obvious problem, though, is that people found out, and used UV lights to get free transit passes, etc. What I find funny about the story is that you might think they'd build in a different encoding scheme, say, make it so that one or two bits must always be off, or else they know it's a fraud (but this would make it take longer to manufacture, of course, and would mean they'd have to rebuild or reprogram their ticketing machines). What they did instead was build them with a little fuse bridge or something, I forget the details, so that if exposed to UV light twice, they blew and the card was junk.

      Anyway, so many EEPROMs are designed like described above, to be resettable by UV light. But I imagine they've thought about it here. I think they cover the window, regardless. And X-rays may not be the right wavelength (though I really have no idea).

  58. My Wallet by KalvinB · · Score: 3, Funny

    now wears a tinfoil hat.

    Ben

    1. Re:My Wallet by AndroidCat · · Score: 1

      If your head wears tinfoil pants .. I don't want to know.

      --
      One line blog. I hear that they're called Twitters now.
  59. Security.. bah. by mindstrm · · Score: 3, Insightful

    Look. Here is what I care about with my credit card:

    - If reasonable proof can't be shown that I personally authorized a transaction, I will not be held responsible for it.

    That's it. That's all. The line of credit is between me and the issuer... the card is simply a token that represents that. Historically, you had to be there in PERSON to use one.. but everyone looks the other way for convenience, online work, etc.

    I don't care what method visa or whoever comes up with to represent that token. If it's less convenient for me, I won't use it. If it somehow rips me off, I won't use it. If it makes me more liable for fraud, I won't use it. If they take all the risks, I don't care if it's a smart card or a credit card or a proximity card.

    Now.. that said.. having proximity cards / RFID type cards does bother me.. it seems like a bad move. It doesn't give ME, the customer, anything I really want. So.. it simply won't fly.

    I won't have my credit card dictated to me.. it's not about the card, it's about the agreement... and about credit.

  60. I ask myself... by johnnybegood · · Score: 1

    ...is all this work really worth it? If you think about it, what all of this work is going towards is a high-tech solution for people to be lazy. For some applications, sure it makes sense, like a high flow area such as bridge/highway tolls and paying for the subway etc. In areas like that it makes sense that the person, probably in a hurry, should be able to keep going, especially if they are in a car already traveling in excess of 50mph. But when you're talking about a credit card... you're gonna be in a store anyways, and you're gonna have to stop at the "register" where you will have to wait for all of the encrypted transactions to happen. At this point, why not just say hello to a friendly sales clerk (and if he isn't friendly, complain because that's what they're getting paid for) and hand him your credit card to swipe through a machine? What time is there really to be saved? Maybe 30 seconds? Is that worth your credit card being able to be hacked by just about anyone who wants to (because once one person figures it out, everyone who wants to will know how). So I reiterate in asking myself why these companies are putting so much effort into being lazy, especially in something that will save negligible amounts of time?

  61. Well lets see...Moo...ving money. by Anonymous Coward · · Score: 2, Funny

    "Nothing like tapping into the cowstomer's (sic) impulse buying, especially in the US."

    I believe that Gateway has a patent on that.

  62. Bad deal by acidrain69 · · Score: 3, Interesting

    It is ONE LESS form of identification for someone to have. Instead of having a credit card with your signature and possibly picture on it, now you have a little piece of plastic with some embedded silicon that the sales person doesn't even have to LOOK at to verify you.

    How is having some bits in a RFID chip any stronger security-wise than having bits on a magnetic stripe?

    There is no consumer benefit to this. The only one who benefits is the company making the sale because it makes things easier to buy. That's just what we need. As if things weren't easy enough to buy already.

    The only POSSIBLE benefit I can see to this for a consumer is it sounds more durable; no stripe to get worn down.

    --
    -- Having a Creationist Museum is like having an Atheist place of worship
  63. implanted by Anonymous Coward · · Score: 0

    Although the implanted device has been talked about before, I think it should be harder to remove than having it placed just "under the skin". I think a better place to implant it would be up the nose like in "Total Recall"! At least the thieves would need more than a razor to remove it. They would need that cool self-guiding gizmo Arnold had to use to remove it. Imagine the screams as the thief tries to take it while you are in the mall.

  64. Eventually cards will replace cash by OldManAndTheC++ · · Score: 1

    No more bills or coins.

    ..and when change is outlawed, only outlaws will have change :)

    --
    Soylent Green is peoplicious!
    1. Re:Eventually cards will replace cash by Anonymous Coward · · Score: 1, Funny

      No more bills or coins. ..and when change is outlawed, only outlaws will have change :)

      So beggars will be issued RFID readers allowing you to give them money :)

  65. this would actually be easy to make secure by sbma44 · · Score: 4, Interesting
    RFID is inherently a passive technology. But don't confuse passive with always-on.

    Why can't we just put a button on the little RFID dongle you would put on your keychain? Answer: we can. And this is what the CC companies should do. I know, speedpass doesn't implement it. But it would be very, very simple to do and go a long way toward easing my fears about this. I'm envisioning something similar to a Photon light.

    Even better, why not pair it with an always-on RFID in your wallet, and only allow transactions when both are present? This'd prevent simple theft by valets, purse snatchers, etc.

    1. Re:this would actually be easy to make secure by DarkHelmet · · Score: 1
      why not pair it with an always-on RFID in your wallet

      Why? So that when people steal your wallet, they automatically steal your identity as well.

      It's bad enough having fake IDs floating around. Doesn't this become worse when RFID tags within your wallet confirm / spoof one's identity without the cashier even having to look at a picture?

      As Cringely pointed out in his voting writeup, throwing technology at a problem is not always the solution.

      --
      /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    2. Re:this would actually be easy to make secure by Anonymous Coward · · Score: 0

      That would work but it seems like too much stuff. Still it's better than the safeguards they have in place right now. I mean, you can already snag someone's credit card and get free gas or groceries automatically. The whole point for asking for personal information is usually just to verify authenticity anyway. I HATE being asked all sorts of personal questions by someone I don't know, I don't like it being on display for all sorts of people to look at either. Off the top of my head I cannot think of anything other than a pin number or some kind of scan for identification like fingerprint or retinal. (I don't like that either) There has to be some way of proving you and only you are authorizing this transaction without having to announce your birthdate, full name, social security number, mother's maiden name, birthplace, address, telephone number, driver's license number, work phone number, etc. That is a very tough problem to tackle.

    3. Re:this would actually be easy to make secure by sbma44 · · Score: 1
      no, not so that your identity could be stolen. So that transactions can't be processed without the presence of the wallet (or wherever) RFID *and* the manually activated keychain RFID. The wallet RFID could be of concern to the tinfoil hat crowd since it could be used for tracking; I'm sure other arrangements could be made for them -- they might just have to flip a switch on the wallet token to signify they're in "shopping mode".

      RFIDs cost less than a quarter to make, and are tiny... I could see CC companies sending customers sets of them -- red, yellow, blue, maybe, and you have to have one of each on your person for transactions to work. Stick one in your wallet, another on your keychain, and a third goes in the tongue of your sneakers, under a velcro tab in your underwear waistband -- wherever. This would be considerably more secure than the current signed-slab-of-plastic method. True, "gimme your wallet!" would turn into "gimme all your personal effects!" But I think this is probably a bigger burden on the mugger than the muggee.

      And I agree: the cashier *should* have to look at a picture. So why not send one down the wire when the transaction is authorized? A device with a tiny LCD screen and a 56k modem would do the job, and certainly be within the financial reach of any business that needs to do CC processing. This would take care of the fake ID problem pretty well.

      I agree, technology isn't always the solution. But I think a lot of the /. crowd sees "RFID" and reads it as "evil". There are privacy concerns, to be sure. But this tech has positive applications as well.

  66. Credit card copying!!! by wizz+da+blizz · · Score: 1

    So does this mean that the thieves can copy my credit card without having to draw it through a credit card recorder?

  67. Or maybe... by Anonymous Coward · · Score: 0

    Have the thing come apart into two pieces, no, make that four pieces, and have to be put back together to work. No, make that a hundred pieces, harder to hack, etc. Then flush the thing down the toilet, two pieces each day for a while, doing laundry on second Tuesdays, to wash the entire mess away forever. No charge, no debt. A whole is that which has beginning, middle and end. Find all the beginnings, middles and ends, and you're in business. Remember:
    Credit cards are issued by Banks. A banker is a fellow who lends you his umbrella when the sun is shining, but wants it back the minute it begins to rain.

  68. WHORIN' WHORIN' WHORIN', KEEP THAT KARMA COMIN' by Anonymous Coward · · Score: 0

    RAWHIDE!

  69. The first card by Archfeld · · Score: 1

    I get with a rfid tag will get cut up and the CC company will lose a gold card member :)

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  70. Oooooh laaaaaa by Anonymous Coward · · Score: 0

    The martians are coming..

  71. In Store Sensors by nurb432 · · Score: 2, Insightful

    With those things, the store could identify you as you come in, and target in store ads for you, using previous purchases as a guide.

    Or once we have tagged currency, they can see if you can even afford to be in the store or not..

    And provide records to the government, ' ya he was in our store at such-and-such a time date' ...

    --
    ---- Booth was a patriot ----
  72. Liability by mindstrm · · Score: 2, Informative

    Actually, the liability is usually $50 MAX *if* the card is stolen, and then, only before you report it.

    If it's just fraudulent use, but your card wasn't stolen, you are not liable for a penny.

    Further, this $50 liability is somewhat misleading, as the credit card company cannot charge you unless they can prove that you authorized the transaction....

    If there is no signature, and no evidence that you yourself received the goods... (say they had no signature because it was an internet purchase, but the shipping address was your house..... that's good evidence that you authorized it)

    they can't charge you a dime.

    If your agreement says something other than that, you need to shop around.

  73. I wish you people would read the article first... by Anonymous Coward · · Score: 3, Interesting

    ...but this is slashdot, after all.

    However, the thief would have to get quite close to his target or have a very sensitive reader.

    Hmmm. Build a powerful RFID reader and walk through a large crowd of people collecting RFID numbers. Warwalking!

    Also, the account number on the contactless cards is useful only in the RFID system -- it's not the same as a user's credit card number. A crook would thus not be able to use the card number to go on a fraudulent Internet shopping spree, for example.

    But you could use it in person - build a RFID transmitter. After all, the key fob never has to leave your pocket - how does the clerk know if it's real or the PDA-sized RFID cloner in your pocket?

    American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. That strength of encryption is considered safe against "brute force" attacks, in which a hacker tries every possible combination.

    It's good to know that some people have a clue in designing a secure system.

    MasterCard says it uses a different security system but would not provide specifics.

    I'll reserve judgment.
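
The difference between a fixed RFID number and the "challenge-response" exchange quoted in comment 73, from the reader's side, as an added example that is not part of the original post or of any card issuer's code. Assumptions: HMAC-SHA256 truncated to 128 bits stands in for the card's real algorithm, all class and function names are hypothetical, and the account id and key are constructed sample values.

```python
"""Static-ID tag vs. challenge-response tag, from the reader's side.

Assumptions: HMAC-SHA256 truncated to 128 bits stands in for the card's real
algorithm; names are hypothetical; the account id and key are constructed.
"""
import hashlib
import hmac
import secrets

def mac128(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()[:16]

class StaticTag:
    """Answers every read with the same identifier and no proof."""
    def __init__(self, account_id):
        self.account_id = account_id

    def read(self, challenge):
        return self.account_id, b""

class ChallengeResponseTag:
    """Proves knowledge of a 128-bit key without ever sending it."""
    def __init__(self, account_id, key):
        self.account_id, self._key = account_id, key

    def read(self, challenge):
        return self.account_id, mac128(self._key, challenge)

class RecordedAnswer:
    """Models a copy that can only repeat one answer heard earlier."""
    def __init__(self, heard):
        self._heard = heard

    def read(self, challenge):
        return self._heard

class Reader:
    def __init__(self, keys, require_proof=True, new_challenge=None):
        self._keys = keys
        self._require_proof = require_proof
        # Fresh, unpredictable challenge per read unless overridden.
        self._new_challenge = new_challenge or (lambda: secrets.token_bytes(16))

    def authenticate(self, tag):
        """Return (accepted, what the tag sent over the air)."""
        challenge = self._new_challenge()
        account_id, proof = tag.read(challenge)
        key = self._keys.get(account_id)
        if key is None:
            return False, (account_id, proof)
        if not self._require_proof:
            return True, (account_id, proof)
        expected = mac128(key, challenge)
        return hmac.compare_digest(proof, expected), (account_id, proof)

def demo():
    acct, key = "ACCT-EXAMPLE-0001", secrets.token_bytes(16)
    keys = {acct: key}
    out = {}
    legacy = Reader(keys, require_proof=False)
    _, heard = legacy.authenticate(StaticTag(acct))
    out["static_copy_accepted"] = legacy.authenticate(RecordedAnswer(heard))[0]
    strict = Reader(keys)
    out["genuine_accepted"], heard = strict.authenticate(ChallengeResponseTag(acct, key))
    out["recorded_proof_accepted"] = strict.authenticate(RecordedAnswer(heard))[0]
    # Failure mode: a reader that repeats its challenge loses the protection.
    lazy = Reader(keys, new_challenge=lambda: b"\x00" * 16)
    _, heard = lazy.authenticate(ChallengeResponseTag(acct, key))
    out["repeated_challenge_accepted"] = lazy.authenticate(RecordedAnswer(heard))[0]
    return out
```

The protection comes from the reader's fresh challenge as much as from the key length: the last case shows a recorded answer being accepted again once the challenge repeats.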

  74. Much easier to fake? by thogard · · Score: 1

    Right now if you want to use someone else's number on a credit card, you need a blank that at least looks like a real card.

    The new system allows you to take your own real card and fry it and carry around something bigger in a backpack and rip off merchants with ease.

    There is quite a bit of security in the physical token that we call a credit card considering the other major part of the token is a 16 digit number.

  75. tcejbus by Anonymous Coward · · Score: 0

    how will you pay for things online with these? or will you just have to keep your credit card?

  76. Biometrics by dassdraugen · · Score: 1

    What would be nice is a card which stored your fingerprint or iris and stored this on the credit card. The credit card would communicate with the terminal by radio and all you would have to do was to touch or look at the pay device. Privacy would of course be an issue. But at least it would make the recent ATM scams a bit more difficult...

    1. Re:Biometrics by Anonymous Coward · · Score: 1, Funny

      Yeah, I can see now....Pay for it with arm and leg will have a whole new meaning

  77. RFID = symptom of the real problem by carcosa30 · · Score: 2, Insightful

    You know, I share the concerns about RFID and pervasive cameras. But these are symptoms of the true problem, which is a spiralling police state in the US (as well as elsewhere) which is arrogating more and more authority to itself and behaving more belligerently.

    It's also starting to intimidate dissidents.

    If we could trust the government and corporations (yeah right) RFID would be no problem at all.

    Since we can't, attacking RFID and other intrusive surveillance technologies is only applying a bandage to a gangrenous wound.

    --
    Intolerance for ambiguity is the mark of the authoritarian personality.
  78. Or other 3rd world countries by Anonymous Coward · · Score: 0

    such as Canada...

    what is this Carl's Jr. you speak of? And what is with the apostrophe-s? I'm not sure what I would expect from a place called Carl's Jr. Hardees, on the other hand, definitely sounds like a gay bar.

    1. Re:Or other 3rd world countries by n9hmg · · Score: 1

      The funny thing about that is that they're the same restaurant. In the eastern U.S., it's Hardees, and Carl's Jr. in the west. In high school, I was fired from the New Castle, Indiana Hardees for throwing away a hamburger patty another employee had dropped - "No customer saw it on the floor.".

      Oh, and as Dave Barry said "The apostrophe is used mainly in hand-lettered small business signs to alert the reader that an "S" is coming up at the end of a word, as in: WE DO NOT EXCEPT PERSONAL CHECK'S, or: NOT RESPONSIBLE FOR ANY ITEM'S.". However, it is correct to use the apostrophe to indicate possession, except for the pronoun "it". I don't know why. So the western Hardees is the Jr. belonging to Carl. Such names usually come about because a well-known restaurant splits, and the new owners want to differentiate, or someone buys a known restaurant, and wants to indicate their own presence. In this case, it's one of those corporate focus-group names, like the non-word Japanese car names.

  79. Here comes the ads by JFMulder · · Score: 1

    Paying for gas on your way to the mall : 20$
    Eating at McDonalds when you're there : 6$
    Doing your holiday shopping : 500$
    The satisfaction of doing all this without even taking out your wallet : priceless.

  80. Merchants around here ALWAYS check sig by jridley · · Score: 1

    Starting about a year or two ago, merchants around here (SE Michigan) started checking sigs on cards. Since then, I have NOT ONCE had anyone NOT check my signature. Drones in every place from the gas station to Best Buy to bookstores to grocery stores, they ALL ask for the card, and they check, and when they see that I haven't signed my card, they ask for ID.
    BTW, they actually RECOMMEND not signing the card, because then the bearer WILL be asked for ID; it's an anti-fraud measure.

    1. Re:Merchants around here ALWAYS check sig by jridley · · Score: 1

      Of course, after reading about the credit card prank, I realized that anyone stealing the card would just sign it themselves and not get checked. Guess I'll write PLEASE CHECK ID on it.

  81. What, is swiping too hard? by Anonymous Coward · · Score: 0

    Are we THAT lazy? We can't even swipe a stupid credit card? Now we just need something that can read our brains so we don't have to write or even use our hands!

  82. About 5% of all transactions by Anonymous Coward · · Score: 0

    Have something to do with fraud in the US.

    That figure equates to roughly US$65 billion a year!

    So who is making a tidy profit?

  83. Sophistimicated Restaurants by pipingguy · · Score: 1

    Well, I guess that would put an end to my "dine'n'dash" solution to not having money while hungry.

  84. possibilities by tmortn · · Score: 1

    RFID bauble triggers a query to the credit company, clerk has a display that shows your picture retrieved from the CC company's database, or even better a quick cam is used to capture a picture as well for the transaction. Not for facial recognition to be used... unless it's feasible time wise and cheap enough... but for a sales record and tracking down false offenders. Toss in a fingerprint ID scan and you have a tough nut to crack and a serious trail of evidence if you are a fraud.. IE fingerprint and picture.

    so

    Wave the card/key chain fob or whatever, put your finger on the fingerprint widget and look at the camera, clerk compares you to the image on the screen and you go about your business. Fingerprint and image for the transaction are stored locally and remotely by the credit company. Receipt for the transaction is stored on the fob/card.

    should not take more than a couple seconds once you're used to it... definitely faster than the wait for receipt. sign return copy etc....

    Now I'm not a huge fan of big brother stuff like this... not sure if I would really be for this one or not. But it could make face to face POS transactions fairly secure.

    One question I have is if this becomes standard how does it affect online/phone transactions ? I suppose you still have a number but can that be improved upon ?

    --
    I don't ask you to be me. I only ask you not expect me to be you.
  85. Who's behind the curtain??? by SwedeGeek · · Score: 1

    Does anyone happen to know who the major players are in actually providing this technology to the likes of the CC companies and Wal-mart? It would seem those suppliers would have a lot more to gain from RFID being used than Visa, Amex, Wal-mart, etc. In my mind, this would not only play into how much they are promoting the implementation of RFID, but possibly make them greater security concerns than the CC companies themselves. While RFID itself is a standard, who knows what an individual chipmaker may do in "an effort to increase profits." I don't think the little fish would be much of a concern, as it's the big fish who can gobble others up and also have a better means to put up smoke and mirrors to hide any "poor" practices... Just looking to find out who to point my ACLU buddies at.

  86. Simson who? by boojum.cat · · Score: 1
    From the article:
    Others are more skeptical. Simson Garfinkel, another MIT researcher who follows RFID, said credit card companies ought to be using "smart" cards with public key cryptography, a very strong form of security.
    Simson Garfinkel? Is that the guy who sang "Parsley, Sage, Rosemary, and Oregano"?

    --
    Lost: one sig, witty, 120 chars, sentimental value. Reward offered.
  87. Erasing magnetic strips by Anonymous Coward · · Score: 0
    Ok, I live in one of those states that issue a driver's license with a magnetic strip. Bars want to swipe your driver's license to prove you are over 18 (somehow the gray hair isn't sufficient). But there's nothing to stop the bar (or other store) from downloading all of your personal information from your license. The solution: take a big magnet to your license.

    So, is there an equivalent for RFID identification?

  88. I don't know about you.. by Another+AC · · Score: 1

    but I can't wait until these things take off!

    I want to be able to pay for everything with RFID!

    I want to be able to open my house with RFID!

    I want to be able to start my car with it!

    and then I want one embedded in my thumb!

    Is that too much to ask?

    Not in America!

  89. Recipe for disaster by Safety+Cap · · Score: 0
    1. Crook moves through crowd with card sniffer, trolling for "contactless" credit cards (Times Square, anyone?)
    2. Crook's PDA records all credit card numbers sniffed and transmits CC #s to secret underground lair
    3. Gang of thieves in lair either purchase mass goods on line or burn stolen CC #s onto blank "contactless" CCs, for sale to small-time crooks and/or Hong Kong syndicates
    4. Lots and lots of Profits, baby!
    Next up, implant your "contactless" credit card under your skin for the no-hassle shopping experience. Oh, and for your safety, the Sicherheitspolizei will register and monitor your chip in case you are attacked by terrorists.
    --
    Yeah, right.
  90. Robbery by Infe · · Score: 1

    Stick em up! Let me have your wallet!!!! ...sorry, look, I don't have my wallet, see, see, please don't hurt me

    (whips out scanner)

    Aha! Radio waves are coming from inside your coat! Hand it over sucker!

    --
    Posted by yintercept - "...science...[is] the study of the 'divine creation.' "
  91. point of sale for VeriPay by eegad · · Score: 1

    This will establish the RFID readers at point of sale that will eventually serve VeriPay or something like it. Ummm... yikes.

  92. useful at toll booths by YouHaveSnail · · Score: 1

    Wouldn't it be cool if you could just stick one of these on your dashboard or hold it out the window so that you can drive through a tollbooth and pay without even having to stop?

    Oh, wait. We already have that. And nobody seems too concerned about fraud in that case.

    1. Re:useful at toll booths by Vegeta99 · · Score: 1

      ... Except that my EZPass is linked to MY VEHICLE ONLY, and prepaid, whereas my SpeedPass IS tied to my bank account, but nothing else. Have the transponder, have the account. That's it.

  93. RFID Use it now! Fun and Profit! by pyrote · · Score: 1

    Card readers are really sensitive, I once confused a card reader from 2 feet away with my cell phone. Called someone at the checkout and it asked me to enter my PIN at Wal-Mart. With some tweaking and a little magnetic stripe recording, I bet one can rig up a wireless device to do all this.

    Heck, bring your library card (no magnetic stripe) to Wal-Mart and swipe it, then transmit at the same time from your pocket... oh joy, RFID simplified.

    If I had selected VISA before calling, it makes me wonder if it would have processed!

    --
    THE WORLD IS GOING TO END!!!! eventually.
  94. RFID and Thieves... by Anonymous Coward · · Score: 0

    Over the past couple of weeks, I've come to a disturbing conclusion about possible uses for RFID.
    Most people have legitimate concerns about various corporations tracking what they buy, and where they go, but has anyone thought about what would happen if RFID scanning equipment wound up in the hands of common thieves?
    It recently occurred to me (after several friends have had cars broken into) that even if I have nothing of value in my car, thieves may still assume I do, and break a window in the hopes of walking off with a stack of CDs, or an iPod or similar.
    Well, what happens when a thief can simply scan a vehicle (or house!) to determine what items of value are concealed inside?
    Think about it! Scary!

  95. my theory for why this was created... by JimBobJoe · · Score: 1

    Credit card companies make a certain amount per transaction from the merchant. They want you to charge your transaction as opposed to running it as a "debit" transaction that they don't make money on.

    Credit card companies also know that people hate signing receipts, and that PIN numbers are more trusted (publicly) than signatures for credit card transactions (the reality is that the PIN adds little.) Indeed, a lot of restaurants (Chipotle, Wendy's, and gas stations of course) allow you to make CC purchases without signature.

    So they are developing this system, which may or may not include a PIN, to differentiate the experience of using a credit card versus using your debit card. With any luck, just the little bit of convenience offered in not having to have your debit card swiped will convince you to use your V/MC/AMEX card instead.

    If I'm right on this, V/MC/AMEX will (temporarily) reduce merchant charges, if the merchant agrees to install the new equipment.

  96. Lines by SillySnake · · Score: 1

    Working at Sears it's not uncommon to have 3-4 customers standing around the register in the middle of the department.. What's to say that someone leaning up against a register or simply walking by when the sale is totaled isn't going to charge them?
    For example, the main register in our electronics department is right across from the VCRs and just down from the DVD players.. So busy times forces a crowded aisle where people are forced to squeeze past and often brush up against the register.

    Security wise.. there are already so many instances of theft and fake cards that this probably won't create a significant number of problems anyway. Besides, most of the theft I encounter results from people opening up an account (Usually a Sears gold Mastercard) with a stolen social security number and a driver's license that their buddy at the DMV has made. All of which has nothing to do with the physical card itself.

  97. Just great by zeroprime · · Score: 1

    now I have to worry about my phone interfering with my credit card too

    --
    Hey! come on! try dividing it by anything!
  98. Why not ? by blockparty · · Score: 1

    The Interstate highway systems in some states use an electronic pass like this except it's got a small lithium battery. You set up an account with them, (they ask for your personal info and keep it in their database) they give you the electronic pass, and you're set. You're supposed to mount it on your windshield but I don't. I just leave it in the glove compartment and put it in an anti-static bag if I don't want it going off. Interestingly the exact same kind of anti-static bag used for PC boards. When I want to use it I just pull it out and toss it up on the dash. If I travel with friends I sometimes pay for the toll by just bringing my pass with me. If their pass just happens to be in the car at the same time it gets charged too. If you have no money in your account you pass, but an orange "low account" light goes off at the toll station. There's always a cop sitting there hehe. The pass has some kind of piezo buzzer inside of it - I'm told this is a very recent addition, the old ones did not have any kind of indicator. California has a pass. When I was in Kansas City the other day I noticed they have a k-pass (Kansas) for the whole state of Kansas. I took an old one apart that was from Oklahoma once and it was pretty thin! Not quite credit card thin but pretty good for 1996 technology. Do a google search for ELECTRONIC TOLL COLLECTION. My question is why don't they already have electronic credit cards in widespread use?

  99. Skimming never was that simple by NickSemyonov · · Score: 1

    Imagine - crooks don't need men behind the counter to steal mag stripe data for them, all they need is just a sort-of-wireless-POS (assuming protocol is known or reverse engineered) to get your card data. I think I'd stick to my old-fashioned EMV chip card.

  100. BAD!! by schouwl · · Score: 1

    Great, now people can steal your money without getting your credit card out of your pocket!

  101. Phones? by idfubar · · Score: 1

    Why can't I pay using a phone? Doubly convenient for vending machines, and makes my wallet slimmer!

    --

    Rishi Chopra
    www.rishichopra.org
    1. Re:Phones? by schouwl · · Score: 1

      In Japan you can as well as pay using our ISP internet provider.

  102. Money notes aren't verified either... by Otis_INF · · Score: 1

    ... if you are the legitimate owner or not. You give the note(s), you get your goods.

    Here: you wave your card, you get the goods.

    --
    Never underestimate the relief of true separation of Religion and State.
    1. Re:Money notes aren't verified either... by acidrain69 · · Score: 1

      But you have to HAVE the money note, a credit card is good up to your credit limit. You may have thousands in credit limit, but do you ever carry that much around in a wallet? No.

      --
      -- Having a Creationist Museum is like having an Atheist place of worship
  103. Big Brother's Best Friend by Dark+Bard · · Score: 1

    People are already being tracked on freeways using the signal from their speedpasses. It's bad enough that you can be tracked from your purchases by credit card. All we need is a system where you just need to walk through an area to be identified. It can't be stopped. Between biometrics and chip based credit systems there will come a day when our location and a record of our movements will be known. The upside is solving more crimes. The downside is very little privacy. Politicians are already under a microscope. What if your movements and habits become public record? There are no laws preventing it. What if you are turned down for a job because you frequent strip joints? Or maybe you are considered at risk of being a pedophile because you regularly visit places that happen to have lots of children. It's not so ridiculous. Credit information is already being used in hiring and profiles are being generated by your TiVo habits. Remember the profile that identified someone as a pregnant gay man? Personally I'm a big fan of cash.

  104. It is NOT paranoia!!! by instarx · · Score: 2, Interesting

    Although it is no joking matter, I for one welcome our new government "Patriot Scanning System" overlords.

    Seriously, this technology is so dangerous it is not possible to be paranoid about it. We're concerned about a technology that will allow governments to track all its citizens at will, without their permission or knowledge. Here is a scenario:

    You are walking down a street and a passive RFID detector senses your card. The RFID sensor belongs to the Homeland Security Administration's new "Patriot Scanning System" and the data is fed to a government computer that says you, Joe Blow, is in front of the opposition political party's office (or the gun shop or the AIDS clinic, the police station, or the Right to Life office - you take your pick). And it does that thousands of times a day for thousands of people. It also knows who you are with so the government now knows your associates. The next time you go to a government building you are stopped and held for questioning because...? You went to a right-to-life meeting and then to a gun shop and then to a hardware store. All of those were perfectly legal actions, yet you now have a red flag on your name in the computer that shouts "potential terrorist".

    You just won't carry credit cards, you say? Riggght, but even then so what? All the RFID tags in your clothes from Eddie Bauer or KMart will have RFID tags in them so the government computers can track you with those as well. All you have to do is walk by a single detector and all your RFID tags are thereafter associated with you forever, and each tag "infects" any new tags each time you walk by the government's "Patriot Scanning System".

    The government can know whenever you go to an anti-war rally or an anti-abortion rally or a pro-abortion rally or an airport or a train station or a protest against the administration...or, or, or. Think about it - is it so outlandish to think of the government having agents walking through the crowds at political rallies gathering ID information from credit cards?

    And PLEASE, don't anyone give me that absurd argument that "if you're not doing anything wrong why do you mind the government knowing everything you do?". I'm a patriot and that's WHY I mind.

  105. could you speak up? by dubiousmike · · Score: 1

    "Is this something that will only lead to more credit card fraud, or will it provide more secure means of payment?"

    I'm sorry. I used your speed pass for some free gas and I can't hear you over the pump noise.

  106. way behind the times by Anonymous Coward · · Score: 0

    And my bank/CC supplier won't even put my photo on my card.

  107. now anyone can stand in a corner and charge u as by Anonymous Coward · · Score: 0

    you walk by

  108. I guess I just don't get 'speedpass'. by DirkDaring · · Score: 1

    Speedpass just seems stupid to me. It takes me a grand total of 4 or 5 seconds to take my credit card out of my wallet and run it through the slider.

    As opposed to 1 second of brushing it against the speedpass pad.

    So I save a few seconds. Big whoop?