Radio Credit Cards Move Closer

pvt_medic writes "CNN.com has an article about research that some major credit card companies (MasterCard and American Express) are putting into creating 'contactless' credit cards. These are similar to the Speedpass that ExxonMobil has been using for six years. What to people think about the prospect of this more widespread use of RFID? Is this something that will only lead to more credit card fraud, or will it provide more secure means of payment?" (The article comes from the Associated Press.)

Re:Credit Card Theft?

[KrispyKringle]

That's now how challenge/response works. See here.

Basically, the idea is that if both you and the authenticator know the secret password, but you don't want to transmit it, the authenticator sends you some random chunk of data, say message M. You encrypt it using some (presumably one-way) algorithm, using your password as the encryption key to create W. The authenticator also encrypts the same chunk, and, when you send back your W, compares it do his own known-good W. Assuming they match, it means you have the password. The password itself is never sent plaintext.

You seem to be assuming that there is one secret key for the whole system. This would be completely useless, and is obviously not the case. You would need one secret key per person, as I'm sure American Express knows.

Probably based on ISO 14443 Secure RFID spec

The spec has successfully been used by the German transmit authority to curtail fraud in their system.
It uses challenge-response encryption so it is very resistant to "man in the middle" attacks and snooping. Operates on a near-field magnetic-load method of communication.
This means that the main transmitter senses changes in the energy load as a method communication. The RFID tag just gets its power from the magnetic carrier and changes the magnetic load to communicate. This makes it more difficult to snoop than RF because the energy and communication transfer is bound into a closed loop.
One other point, magnetic load technology has a range that is proportional to the antenna. A 18 centimeter antenna has a range of 18 centimenters if it is built correctly. With a fundamental frequency of 13.56Mhz, the theoretical maximum range is 3 meters (16% of wavelength is the maximum range for the near field). This means that you would need a 3 meter (~10 foot) antenna to reach ten feet. People would tend to notice this.

Just some info.

Re:Well lets see...

[asr_man]

Wrong. RTFA. Consumer gets to make final "accept/reject" on purchase after card is scanned. Also, card includes challenge/response authentication (AMEX at least, MC we aren't told). As the article clearly states, knowing the RFID card number does not give a thief any practical means to use it.

Re:DoS vulnerable ?

[KrispyKringle]

I'm not an electrical engineer, but Google turns up this page for security proximity cards, which are essentially the same product.

The card is usually passive (without an internal battery) and consists of an antenna and an RFID ASIC (Application Specific Integrated Circuit). During operation, the transmitter sends out an electro-magnetic wave to establish a zone of surveillance. When a card enters this zone, the electromagnetic energy from the reader begins to energize the IC in the tag. Once the IC is energized, it goes through an initialization process and begins to broadcast its identity.

So it seems like the cards use induction to get just enough juice from the radio waves to power their internal circuitry. No battery needed.

Re:Well lets see...

[KrispyKringle]

Yes, let's look at protocols that use challenge-response. Kerberos uses a modified challenge-response method. Windows NT prior to 2K and XP used challenge reponse, now they use a modificaiton of the Kerberos method. VNC uses challenge-response, if I remember right. HTTP digest authentication uses challenge-response. Many mailservers, (POP and IMAP, as well as SMTP) use challenge-response (CRAM MD5). The notion of challenge-response is itself secure, if implemented properly.

Offhand, I can think of two big ways to screw up the implentation:

Replay attacks - if the challenge is consistent through multiple authentication sessions, an attacker can reuse a hash response from a previous session. The solution is simple; better psuedo-randomness (using the date/time is a pretty poor idea, since an attacker can simply challenge the card with a date in the future and retrieve the needed response).

Poor hashing - if the hash used on the response is reversible, the password is right there for the taking. Solution, use something known to be strong, like blowfish or MD5.

Assuming the makers aren't stupid, they have a cryptographically secure system on-hand. You make an assumption based on a few out-of-context or unrelated cases that all security is useless. This is silly; while I don't have a lot of faith in secure systems as a whole, the flaw is rarely in the cryptography backing them, if it is implemented correctly. The reason for this is obvious; cryptography, and computing complexity, are easily-understood enough that developing mathematical models for security is easy. For example, we know--or rather, we believe very fervently, but cannot prove--that factoring large numbers is very, very difficult. Therefore, we trust RSA when implemented properly. Similarly, we know--or at least believe very strongly--that certain algorithms are very, very difficult to reverse. Therefore, we trust that if a bad guy gets our password file, he can only try to find our passwords via brute-force.

The difficulty of sniffing and cracking the protocol used is probably much greater than that of simply getting a waiter at a restaurant to swipe the cards of customers through a skimmer (traditional cards, that is). And security is really not about absolute security; it's simply about making sure that defeating is is more trouble than it's worth (I believe Bruce Schnieder said this, but I could be mistaken).